5th June 2021

Using NUC as WLAN Router

I had already written about setting up an Odroid as IP router: Using Odroid as IP router.

Today I powered down my second Odroid, which I had previously used as a WLAN router. There was nothing wrong with the Odroid. It just drew 7W and the NUC was already running next to the Odroid. So there was no real reason for another machine. What is described here applies to any PC; it is not specific to an Intel NUC.

Here are the steps for the setup on Arch Linux.

1. Installing required WLAN driver. I had to install rtl8812au-dkms-git from AUR.

2. Set IP addresses. The WLAN card has to be set to a fixed IP address. I use systemd-networkd for this. The first two files set the good old network names based on the MAC address.

/etc/systemd/network: cat 00-eth0.link 
[Match]
MACAddress=c0:3f:d5:61:e7:25

[Link]
Name=eth0

/etc/systemd/network: cat 00-wg0.link 
[Match]
MACAddress=24:05:0f:f6:f7:2d

[Link]
Name=wg0

Now we set the actual IP addresses.

/etc/systemd/network: cat eth0.network 
[Match]
Name=eth0

[Network]
Address=192.168.178.24/24
Gateway=192.168.178.1
DNS=192.168.178.1 8.8.8.8 1.1.1.1

/etc/systemd/network: cat wg0.network 
[Match]
Name=wg0

[Network]
#DHCP=yes
Address=192.168.4.1/24
Gateway=192.168.178.1
DNS=192.168.178.1

3. Installing dnsmasq. Install dnsmasq and configure it as follows:

dhcp-range=192.168.4.51,192.168.4.99,255.255.255.0,12h

dhcp-host=e8:d8:d1:02:7c:5e,hp3830,192.168.4.16,12h
dhcp-host=94:65:2d:7a:c6:36,five,192.168.4.118,12h
dhcp-host=8c:83:e1:1c:25:d2,samsung,192.168.4.119,12h
dhcp-host=52:d4:94:59:d6:ce,tablet,192.168.4.120,12h

address=/ads.t-online.de/127.0.0.1
address=/adtech.de/127.0.0.1
address=/doubleclick.net/127.0.0.1
address=/adclick.g.doubleclick.net/127.0.0.1

This sets the DHCP address range, assigns fixed IP addresses to selected devices, and maps some annoying websites to localhost.

4. Checking forwarding. A router must be able to forward IP packets from one network to another. You must have net.ipv4.ip_forward set via sysctl.

/etc/sysctl.d: cat 10-network.conf 
# Enable IP forwarding
net.ipv4.ip_forward=1

4. Install access point. Install hostapd. Configuration is as below:

# Taken from https://wiki.archlinux.org/index.php/Software_access_point
# klm, 26-Aug-2018

interface=wg0
#bridge=br0

# SSID to be used in IEEE 802.11 management frames
ssid=<Your ESSID>
# Driver interface type (hostap/wired/none/nl80211/bsd)
driver=nl80211
# Country code (ISO/IEC 3166-1)
country_code=de

# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
# channels and transmit power levels based on the regulatory limits. The
# country_code setting must be configured with the correct country for
# IEEE 802.11d functions.
# (default: 0 = disabled)
ieee80211d=1

# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz),
# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used
# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this
# needs to be set to hw_mode=a. When using ACS (see channel parameter), a
# special value "any" can be used to indicate that any support band can be used.
# This special case is currently supported only with drivers with which
# offloaded ACS is used.
# Default: IEEE 802.11b
hw_mode=g
#new: hw_mode=a


# Channel number
channel=13
#new: channel=48
# Maximum number of stations allowed
max_num_sta=15

# Bit field: bit0 = WPA, bit1 = WPA2
wpa=2
# Bit field: bit0 = Open System Authentication, bit1 = Shared Key Authentication (WEP)
auth_algs=1

# Set of accepted cipher suites
wpa_pairwise=CCMP
rsn_pairwise=CCMP
# Set of accepted key management algorithms
#wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
wpa_key_mgmt=WPA-PSK
wpa_passphrase=<Your WLAN password>

# hostapd event logger configuration
logger_stdout=-1
logger_stdout_level=2

# ieee80211n: Whether IEEE 802.11n (HT) is enabled
# 0 = disabled (default)
# 1 = enabled
# Note: You will also need to enable WMM for full HT functionality.
# Note: hw_mode=g (2.4 GHz) and hw_mode=a (5 GHz) is used to specify the band.
# Advertise allowed channels and power
ieee80211d=1
ieee80211n=1
ieee80211ac=1
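
A hostapd.conf is easy to weaken by accident (WPA1 or TKIP left enabled, the passphrase placeholder never replaced, a trailing comment that ends up inside a value). The following is an added example, not part of the original post: a small Python linter for those cases. The function name, the finding labels and the deliberately weak sample are constructed for illustration.

```python
import re

# Constructed sample: a deliberately weak variant of the settings shown above.
WEAK = """\
interface=wg0
hw_mode=g
wpa=3
auth_algs=3
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=<Your WLAN password>
ieee80211d=1
ieee80211d=1   # Advertise allowed channels and power
ieee80211ac=1
"""
FREE_TEXT = {"ssid", "wpa_passphrase"}  # '#' may legitimately occur in these

def lint_hostapd(text):
    """Return sorted (line_no, finding) pairs for one hostapd.conf."""
    line_of, conf, out = {}, {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # hostapd skips only blank lines and whole-line comments
        key, _, value = line.partition("=")
        if key in line_of:
            out.append((n, "duplicate:" + key))
        if key not in FREE_TEXT and re.search(r"\s#", value):
            out.append((n, "inline-comment:" + key))
            value = value.split("#")[0]  # keep linting with the intended value
        line_of[key], conf[key] = n, value.strip()

    def bits(key):  # leading integer of a bit-field setting, 0 if absent
        m = re.match(r"\d+", conf.get(key, ""))
        return int(m.group()) if m else 0
    if bits("wpa") & 1:  # bit0 = WPA (version 1)
        out.append((line_of["wpa"], "wpa1-enabled"))
    if bits("auth_algs") & 2:  # bit1 = Shared Key Authentication (WEP)
        out.append((line_of["auth_algs"], "shared-key-wep-auth"))
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            out.append((line_of[key], "tkip:" + key))
    psk = conf.get("wpa_passphrase")  # hostapd accepts 8..63 characters
    if psk is not None and (psk.startswith("<") or not 8 <= len(psk) <= 63):
        out.append((line_of["wpa_passphrase"], "passphrase-placeholder-or-length"))
    if bits("ieee80211ac") and conf.get("hw_mode") != "a":
        out.append((line_of["ieee80211ac"], "vht-without-hw_mode-a"))
    return sorted(out)

if __name__ == "__main__":
    print(*lint_hostapd(WEAK), sep="\n")
```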

Enable and start the hostapd service via

systemctl enable hostapd
systemctl start hostapd

Checking WiFi can be done like so:

$ iwlist wg0 scan                                                                                              
wg0       Scan completed :                                                                                                                 
          Cell 01 - Address: 34:31:C4:64:E5:91                                                                                             
                    ESSID:"Turk Telekom"                                                                                                   
                    Protocol:IEEE 802.11bgn                                                                                                
                    Mode:Master                                                                                                            
                    Frequency:2.412 GHz (Channel 1)                                                                                        
                    Encryption key:on                                                                                                      
                    Bit Rates:144 Mb/s                                                                                                     
                    Extra:rsn_ie=30140100000fac040100000fac040100000fac020000                                                              
                    IE: IEEE 802.11i/WPA2 Version 1                                                                                        
                        Group Cipher : CCMP                                                                                                
                        Pairwise Ciphers (1) : CCMP                                                                                        
                        Authentication Suites (1) : PSK                                                                                    
                    IE: Unknown: DD6F0050F204104A0001101044000102103B000103104700102C5A66C569964D595C0E3431C464E5911021000341564D1023000446
426F78102400043030303010420004303030301054000800060050F20400011011000446426F78100800020280103C0001031049000600372A000120                   
                    Quality=84/100  Signal level=10/100  
                    Extra:fm=0003
          Cell 02 - Address: 94:4A:0C:7E:1D:CB
                    ESSID:"WLAN-296708"
                    Protocol:IEEE 802.11bgn
                    Mode:Master
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:on
                    Bit Rates:144 Mb/s
                    Extra:rsn_ie=30140100000fac040100000fac040100000fac020c00
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD800050F204104A0001101044000102103B000103104700102A5E35610C22E96D12CB27C8D718E0611021000842726F6164636F6D
1023000842726F6164636F6D1024000631323334353610420004313233341054000800060050F20400011011000A42726F6164636F6D4150100800020106103C00010110490
00600372A000120
                    Quality=100/100  Signal level=8/100  
                    Extra:fm=0003
. . .

5. Activate NAT/Masquerading. Up to this point your smartphones and tablets can communicate with all other PCs in your network. But they cannot make any connections to the "real" internet. To activate this you must have iptables installed. Configuration of iptables in /etc/iptables/iptables.conf is thus:

*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

Very likely you want to single out some wireless devices which you want to connect to from the eth0 side. For those devices, add port-forwarding (DNAT) rules to the nat table above:

-A PREROUTING -i eth0 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.4.118:2223
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2224 -j DNAT --to-destination 192.168.4.119:2224
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2225 -j DNAT --to-destination 192.168.4.120:2225
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2226 -j DNAT --to-destination 192.168.4.146:2226
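
Each DNAT rule exposes a port on one wireless address to the eth0 side, so it only reaches the intended device while that device keeps that address. The following is an added example, not part of the original post: Python that cross-checks the DNAT destinations against the dnsmasq reservations from step 3. The function names and status labels are hypothetical, and both inputs are copied from the configuration on this page.

```python
import ipaddress
import re

# Copied from the dnsmasq configuration and DNAT rules shown on this page.
DNSMASQ = """\
dhcp-range=192.168.4.51,192.168.4.99,255.255.255.0,12h
dhcp-host=e8:d8:d1:02:7c:5e,hp3830,192.168.4.16,12h
dhcp-host=94:65:2d:7a:c6:36,five,192.168.4.118,12h
dhcp-host=8c:83:e1:1c:25:d2,samsung,192.168.4.119,12h
dhcp-host=52:d4:94:59:d6:ce,tablet,192.168.4.120,12h
"""
NAT_RULES = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.4.118:2223
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2224 -j DNAT --to-destination 192.168.4.119:2224
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2225 -j DNAT --to-destination 192.168.4.120:2225
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2226 -j DNAT --to-destination 192.168.4.146:2226
"""

def reservations(dnsmasq_text):
    """Map reserved IP -> name; assumes the MAC,name,IP,lease order used above."""
    res = {}
    for line in dnsmasq_text.splitlines():
        if line.startswith("dhcp-host="):
            _mac, name, ip, *_ = line.split("=", 1)[1].split(",")
            res[ipaddress.ip_address(ip)] = name
    return res

def audit_dnat(dnsmasq_text, nat_text):
    """Return [(dport, destination_ip, status)] for every DNAT rule."""
    res = reservations(dnsmasq_text)
    pool = re.search(r"^dhcp-range=([\d.]+),([\d.]+)", dnsmasq_text, re.M)
    lo, hi = (ipaddress.ip_address(g) for g in pool.groups())
    report = []
    rule = r"--dport (\d+) -j DNAT --to-destination ([\d.]+):\d+"
    for m in re.finditer(rule, nat_text):
        ip = ipaddress.ip_address(m.group(2))
        if ip in res:
            status = "reserved:" + res[ip]      # pinned to one MAC address
        elif lo <= ip <= hi:
            status = "in-dynamic-pool"          # any client may lease this address
        else:
            status = "no-reservation"           # static on the device, or stale rule
        report.append((int(m.group(1)), str(ip), status))
    return report

if __name__ == "__main__":
    for row in audit_dnat(DNSMASQ, NAT_RULES):
        print(*row)
```

With the configuration shown on this page, ports 2223 to 2225 map to reserved hosts, while 192.168.4.146 has no dhcp-host entry in the dnsmasq lines shown.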