Raspberry Pi as Access Point: Difference between revisions

From Wurst-Wasser.net

Revision as of 19:01, 19 May 2024

💡 Note to self: Check collective for more details!
💡 If this interests you, maybe Raspberry Pi as Standalone Access Point or T60 as Pi Ethernet-WiFi-Bridge or Raspberry as Pi Ethernet-WiFi-Bridge does also?

About

I was out of access points with external antennas, so I tried to use a Raspberry Pi 3 with a USB WiFi stick as an access point.

Setup

  • Download the latest OS for your Pi: https://www.raspberrypi.com/software/
  • Insert your SD-Card while watching dmesg -w or use fdisk -l to find your device. In my case it's /dev/sda
  • Copy the image to the SD-card: dd if=2024-03-15-raspios-bookworm-arm64-lite.img of=/dev/sda bs=1M
  • Insert into the pi, power it up
  • Complete basic setup: Choose keyboard layout, create user, enable sshd and so on (raspi-config)
  • apt-get update && apt-get upgrade
  • apt-get install hostapd dnsutils traceroute bridge-utils dhcp-helper
    • hostapd: A daemon that sets up your WiFi as an access point, so anyone can join. Please note that this means WiFi only. No DHCP, and therefore no DNS.
    • bridge-utils: These provide the bridging you need to "connect" the ethernet and WiFi interfaces.
    • dhcp-helper: DHCP uses a broadcast to the network (address) to reach the DHCP server. Since broadcasts stay in the broadcast domain with a TTL of 1, they won't get bridged. This is where dhcp-helper comes in. It forwards the broadcasts in all other nets (except the one specified with -b, obviously, because that is where the DHCP server is).
    • dnsutils: Just to do an nslookup from time to time. You can test your DNS setup as well as do lookups with nslookup[1]
    • traceroute: Might come in handy if you have networking problems (and you WILL have :) )

Connecting WiFi-Stick

First try connecting the stick

dmesg -w should show something like this:

[  132.306961] usb 1-1.2: new high-speed USB device number 6 using dwc_otg
[  132.407915] usb 1-1.2: New USB device found, idVendor=0bda, idProduct=8812, bcdDevice= 0.00
[  132.407939] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  132.407948] usb 1-1.2: Product: 802.11n NIC
[  132.407954] usb 1-1.2: Manufacturer: Realtek
[  132.407960] usb 1-1.2: SerialNumber: 123456

lsusb | grep WLAN should show something like this:

Bus 001 Device 008: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter

You might want to check apt-get install firmware-realtek (depends on device model)

Realtek 8812 model

I seem to have a Realtek 8812-knockoff, so they pointed me to https://github.com/aircrack-ng/rtl8812au

# apt-get install git dkms
$ mkdir dev && cd dev
$ git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
$ cd rtl*
# make dkms_install
mkdir: created directory '/usr/src/8812au-5.6.4.2_35491.20191025'
cp -r * /usr/src/8812au-5.6.4.2_35491.20191025
dkms add -m 8812au -v 5.6.4.2_35491.20191025
Creating symlink /var/lib/dkms/8812au/5.6.4.2_35491.20191025/source -> /usr/src/8812au-5.6.4.2_35491.20191025
dkms build -m 8812au -v 5.6.4.2_35491.20191025
Sign command: /lib/modules/6.6.20+rpt-rpi-v8/build/scripts/sign-file
Signing key: /var/lib/dkms/mok.key
Public certificate (MOK): /var/lib/dkms/mok.pub
Certificate or key are missing, generating self signed certificate for MOK...

Building module:
Cleaning build area...
'make' -j4 KVER=6.6.20+rpt-rpi-v8 KSRC=/lib/modules/6.6.20+rpt-rpi-v8/build.......................................................................................................................................................................................................................
Signing module /var/lib/dkms/8812au/5.6.4.2_35491.20191025/build/88XXau.ko
Cleaning build area...
dkms install -m 8812au -v 5.6.4.2_35491.20191025

88XXau.ko.xz:
Running module version sanity check.
- Original module
 - No original module exists within this kernel
- Installation
 - Installing to /lib/modules/6.6.20+rpt-rpi-v8/updates/dkms/
depmod.....
dkms status -m 8812au
8812au/5.6.4.2_35491.20191025, 6.6.20+rpt-rpi-v8, aarch64: installed

Connect the Stick (again)

[ 1239.507525] usb 1-1.2: new high-speed USB device number 6 using dwc_otg
[ 1239.608748] usb 1-1.2: New USB device found, idVendor=0bda, idProduct=8812, bcdDevice= 0.00
[ 1239.608781] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1239.608797] usb 1-1.2: Product: 802.11n NIC
[ 1239.608809] usb 1-1.2: Manufacturer: Realtek
[ 1239.608820] usb 1-1.2: SerialNumber: 123456
[ 1240.283354] 88XXau: loading out-of-tree module taints kernel.
[ 1240.530118] usb 1-1.2: 88XXau 24:05:0f:f7:30:99 hw_info[d7]
[ 1240.534494] usbcore: registered new interface driver rtl88XXau

The last three lines are new.

ip addr is now showing the new interface:

4: wlan1: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2312 qdisc mq state DORMANT group default qlen 1000
   link/ether 24:05:0f:f7:30:99 brd ff:ff:ff:ff:ff:ff

Enable IP-Forwarding

vi /etc/sysctl.conf

and set

net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1

Explanation: Disable IPv6 (to KISS) and enable forwarding for IPv4[2].

Tell dhcpcd to ignore our devices

vi /etc/dhcpcd.conf

and set something like this:

nohook wpa_supplicant
denyinterfaces wlan1

Explanation: I omit /etc/wpa_supplicant/wpa_supplicant.conf for wlan0. It is essential that there remains only one layer3-active (meaning using IP) interface, and that is br0. Otherwise you get a routing mess. Since br0 and eth0 are not omitted (denied), they get IPAs from the DHCP server. That's necessary for br0, but not for eth0 (when I omitted eth0, the bridge didn't come up, so I removed the IPA later; see below).

Setup DHCP-Forwarding

vi /etc/default/dhcp-helper

and set:

DHCPHELPER_OPTS="-b eth0"

Explanation: dhcp-helper will now forward all DHCP-related broadcasts to this interface (and none coming from there to the other interfaces).

mDNS-Forwarding

vi /etc/avahi/avahi-daemon.conf

and set:

[reflector]
enable-reflector=yes

Explanation: Enable mDNS relaying.

Check Bridge

As mentioned before, the br0-device is only tied to wlan0, so we must take care of this. You might want to do this with a script in /etc/network/if-up.d/ like (WORK-IN-PROGRESS!):

#!/bin/sh
# only do it, if necessary (eth0 is already part of the bridge: nothing to do)
/sbin/brctl show | /bin/grep -q eth0 && exit 0
/bin/sleep 1

# Remove IPA from eth0
ip addr flush dev eth0

Notes

Since you use a DHCP server and you manually set IPAs, you might want to reserve those IPAs in your DHCP server configuration. These might come in handy:

systemd-resolve --status

Displays your DNS-setup

nslookup www.wurst-wasser.net

Displays queried servers and queries (really!)

brctl showstp br0

Shows forwarding state

brctl showmacs br0

Shows the MACs of the machines using the bridge, similar to what arp -a displays.

Enable and Configure Access Point

vi /etc/hostapd/hostapd.conf

and set something like this:

interface=wlan1
driver=nl80211
bridge=br0
hw_mode=g
channel=7
ieee80211n=1
wmm_enabled=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=HMSCamdenLock
wpa_passphrase=42_42_42_42
country_code=DE
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
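
A check for the WPA settings in a configuration like the one above, as an added example that is not part of the original page. It relies on hostapd.conf's documented defaults (wpa_pairwise defaults to TKIP, rsn_pairwise defaults to the wpa_pairwise value); the function names and the MIN_PASSPHRASE_LEN threshold are assumptions made for this example.

```sh
# Added example, not part of the original page.
MIN_PASSPHRASE_LEN=16   # assumed local policy; WPA2-PSK itself accepts 8..63 characters

# Print the value of the last "key=value" line for key $2 in file $1.
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Print one finding per line for the hostapd.conf at $1; print nothing if no check fires.
audit_hostapd_conf() {
    wpa=$(conf_get "$1" wpa)
    wpa_pw=$(conf_get "$1" wpa_pairwise)
    rsn_pw=$(conf_get "$1" rsn_pairwise)
    pass=$(conf_get "$1" wpa_passphrase)
    case "${wpa:-0}" in
        0)   echo "OPEN: wpa is unset or 0, so the network is unencrypted" ;;
        1|3) echo "WPA1: wpa=$wpa still accepts WPA (v1) clients" ;;
    esac
    # With WPA2 enabled, hostapd falls back to wpa_pairwise (default TKIP)
    # when rsn_pairwise is not set.
    case "${wpa:-0}" in
        2|3) case " ${rsn_pw:-${wpa_pw:-TKIP}} " in
                 *" TKIP "*) echo "TKIP: WPA2 pairwise ciphers include TKIP" ;;
             esac ;;
    esac
    if [ "${wpa:-0}" = 2 ] && [ -n "$rsn_pw" ]; then
        case " $wpa_pw " in
            *" TKIP "*) echo "UNUSED: wpa_pairwise=TKIP is ignored with wpa=2, drop the line" ;;
        esac
    fi
    if [ -n "$pass" ] && [ "${#pass}" -lt "$MIN_PASSPHRASE_LEN" ]; then
        echo "PASSPHRASE: ${#pass} characters, below the policy minimum of $MIN_PASSPHRASE_LEN"
    fi
}

# Constructed sample: the WPA-related lines of the hostapd.conf shown above.
audit_page_sample() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
wpa=2
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=42_42_42_42
EOF
    audit_hostapd_conf "$sample"
    rm -f "$sample"
}
audit_page_sample
```

On a real system, call audit_hostapd_conf /etc/hostapd/hostapd.conf as root, since the file contains the passphrase.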

Enable it

vi /etc/default/hostapd

…and uncomment this line and set the path:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Then unmask and start the service:

# systemctl unmask hostapd
Removed "/etc/systemd/system/hostapd.service".
# systemctl start hostapd

If the SSID is not broadcasted

enableBridge.sh

The bridge itself is set up by hostapd. But it is only linked to the WiFi interface. So this script is launched after hostapd:

#!/bin/bash
# Gives the bridge created by hostapd its IPv4 address, removes the address
# from the ethernet interface and attaches that interface to the bridge.
DEVWIFI="wlan1"
DEVETH="eth0"
DEVBR="br0" # generated by hostapd

# 0: Check whether hostapd is running yet
if ! /usr/sbin/service hostapd status | /bin/grep "Active:" | /bin/grep -q running; then
  logger "hostapd is (not yet) running. Exiting."
  exit 0
fi

# 1: give the Bridge an IPA
if ! /sbin/ifconfig "$DEVBR" | /bin/grep inet | /bin/grep -q '10\.178'; then
  /sbin/ifconfig "$DEVBR" 10.178.111.242 netmask 255.255.255.0
  /sbin/route add default gw 10.178.111.1
  logger "Added $DEVBR IPA."
fi

# 2: remove ethernet's IPA
if /sbin/ifconfig "$DEVETH" | /bin/grep inet | /bin/grep -q '10\.178'; then
  /sbin/ip addr flush dev "$DEVETH"
  logger "Flushed $DEVETH IPA."
fi

# 3: Add Ethernet to bridge
if ! /sbin/brctl show "$DEVBR" | /bin/grep -q "$DEVETH"; then
  logger "Adding ethernet to the bridge..."
  /sbin/brctl addif "$DEVBR" "$DEVETH"
  /bin/sleep 1
fi

This is how it should look

root@pi36:/home/pi# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether b8:27:eb:5e:d7:c9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::31a8:a549:932:d9fb/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:0b:82:9c brd ff:ff:ff:ff:ff:ff
4: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2312 qdisc mq master br0 state UP group default qlen 1000
    link/ether 24:05:0f:f7:30:99 brd ff:ff:ff:ff:ff:ff
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 24:05:0f:f7:30:99 brd ff:ff:ff:ff:ff:ff
    inet 10.178.111.242/24 brd 10.178.111.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 2a00:6020:4c14:fa00:2605:fff:fef7:3099/64 scope global dynamic mngtmpaddr 
       valid_lft 2714sec preferred_lft 2714sec
    inet6 fe80::2605:fff:fef7:3099/64 scope link 
       valid_lft forever preferred_lft forever
root@pi36:/home/pi# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.24050ff73099       no              eth0
                                                        wlan1
root@pi36:/home/pi#
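
A check of the resulting state against what the page sets out to achieve (only br0 carries an IPv4 address, eth0 and wlan1 are bridge members, IPv6 is disabled), as an added example that is not part of the original page; the function names and finding labels are made up for this example. Run over the output above, it reports the global IPv6 address that br0 still carries.

```sh
# Added example, not part of the original page.
# Usage: ip addr | check_bridge_state BRIDGE MEMBER...
# Prints one finding per line; prints nothing when the state matches the intent.
check_bridge_state() {
    br=$1; shift
    awk -v br="$br" -v want="$*" '
        /^[0-9]+: / {                      # interface header line
            ifc = $2; sub(/:$/, "", ifc); sub(/@.*/, "", ifc)
            for (i = 3; i < NF; i++)
                if ($i == "master" && $(i + 1) == br) member[ifc] = 1
            next
        }
        $1 == "inet" {                     # IPv4 address of the current interface
            if (ifc == br) has_ip = 1
            else if (ifc != "lo") print "L3: " ifc " has IPv4 address " $2
        }
        $1 == "inet6" && /scope global/ { print "IPV6: " ifc " has global address " $2 }
        END {
            if (!has_ip) print "NOIP: " br " has no IPv4 address"
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in member)) print "MEMBER: " w[i] " is not attached to " br
        }'
}

# Sample input: abridged from the "ip addr" output shown above.
page_sample() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host noprefixroute
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    inet6 fe80::31a8:a549:932:d9fb/64 scope link noprefixroute
4: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2312 qdisc mq master br0 state UP group default qlen 1000
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.178.111.242/24 brd 10.178.111.255 scope global br0
    inet6 2a00:6020:4c14:fa00:2605:fff:fef7:3099/64 scope global dynamic mngtmpaddr
    inet6 fe80::2605:fff:fef7:3099/64 scope link
EOF
}

page_sample | check_bridge_state br0 eth0 wlan1
```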

Tweaks

- https://www.thingiverse.com/thing:19548

  1. or dig
  2. Which is quite unnecessary ;), since we bridge at layer 2...