Using NUC as WLAN Router

· klm's blog


Original post is here: eklausmeier.goip.de

I had already written about setting up an Odroid as IP router: Using Odroid as IP router.

Today I powered down my second Odroid, which I had previously used as WLAN router. There was nothing wrong with the Odroid. It just drew 7W and the NUC was already running next to the Odroid. So there was no real reason for another machine. What is described here applies to any PC; it is not specific to an Intel NUC.

Here are the steps for the setup on Arch Linux.

1. Installing required WLAN driver. I had to install rtl8812au-dkms-git from AUR.

2. Set IP addresses. The WLAN card has to be set to a fixed IP address. I use systemd-networkd for this. The first two files assign the good old interface names based on the MAC address.

/etc/systemd/network: cat 00-eth0.link
[Match]
MACAddress=c0:3f:d5:61:e7:25

[Link]
Name=eth0

/etc/systemd/network: cat 00-wg0.link
[Match]
MACAddress=24:05:0f:f6:f7:2d

[Link]
Name=wg0

Now we set the actual IP addresses.

/etc/systemd/network: cat eth0.network
[Match]
Name=eth0

[Network]
Address=192.168.178.24/24
Gateway=192.168.178.1
DNS=192.168.178.1 8.8.8.8 1.1.1.1

/etc/systemd/network: cat wg0.network
[Match]
Name=wg0

[Network]
#DHCP=yes
Address=192.168.4.1/24
Gateway=192.168.178.1
DNS=192.168.178.1

3. Installing dnsmasq. Install dnsmasq. The dnsmasq configuration is as follows:

dhcp-range=192.168.4.51,192.168.4.99,255.255.255.0,12h

dhcp-host=e8:d8:d1:02:7c:5e,hp3830,192.168.4.16,12h
dhcp-host=94:65:2d:7a:c6:36,five,192.168.4.118,12h
dhcp-host=8c:83:e1:1c:25:d2,samsung,192.168.4.119,12h
dhcp-host=52:d4:94:59:d6:ce,tablet,192.168.4.120,12h

address=/ads.t-online.de/127.0.0.1
address=/adtech.de/127.0.0.1
address=/doubleclick.net/127.0.0.1
address=/adclick.g.doubleclick.net/127.0.0.1

It sets the DHCP address range, assigns fixed IP addresses to some special devices, and maps some annoying websites to localhost.

4. Checking forwarding. A router must be able to forward IP packets from one network to another. You must have net.ipv4.ip_forward set via sysctl.

/etc/sysctl.d: cat 10-network.conf
# Enable IP forwarding
net.ipv4.ip_forward=1

5. Install access point. Install hostapd. Configuration is as below:

# Taken from https://wiki.archlinux.org/index.php/Software_access_point
# klm, 26-Aug-2018

interface=wg0
#bridge=br0

# SSID to be used in IEEE 802.11 management frames
ssid=<Your ESSID>
# Driver interface type (hostap/wired/none/nl80211/bsd)
driver=nl80211
# Country code (ISO/IEC 3166-1)
country_code=de

# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
# channels and transmit power levels based on the regulatory limits. The
# country_code setting must be configured with the correct country for
# IEEE 802.11d functions.
# (default: 0 = disabled)
ieee80211d=1

# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz),
# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used
# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this
# needs to be set to hw_mode=a. When using ACS (see channel parameter), a
# special value "any" can be used to indicate that any support band can be used.
# This special case is currently supported only with drivers with which
# offloaded ACS is used.
# Default: IEEE 802.11b
hw_mode=g
#new: hw_mode=a


# Channel number
channel=13
#new: channel=48
# Maximum number of stations allowed
max_num_sta=15

# Bit field: bit0 = WPA, bit1 = WPA2
wpa=2
# Bit field: bit0 = Open System Authentication,
# bit1 = Shared Key Authentication (requires WEP)
auth_algs=1

# Set of accepted cipher suites
wpa_pairwise=CCMP
rsn_pairwise=CCMP
# Set of accepted key management algorithms
#wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
wpa_key_mgmt=WPA-PSK
wpa_passphrase=<Your WLAN password>

# hostapd event logger configuration
logger_stdout=-1
logger_stdout_level=2

# ieee80211n: Whether IEEE 802.11n (HT) is enabled
# 0 = disabled (default)
# 1 = enabled
# Note: You will also need to enable WMM for full HT functionality.
# Note: hw_mode=g (2.4 GHz) and hw_mode=a (5 GHz) is used to specify the band.
# (ieee80211d=1 is already set above: advertise allowed channels and power)
ieee80211n=1
# IEEE 802.11ac (VHT) needs hw_mode=a, see the hw_mode comment above
ieee80211ac=1
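
The lines of this hostapd.conf that decide how well the WLAN is protected are wpa, auth_algs, the pairwise ciphers and the passphrase, and they can be checked mechanically before the access point goes live. The following Python script is an added example, not part of the original post or of hostapd; the function names and both sample configurations are constructed, and it covers only the passphrase-based WPA-PSK setup used here.

```python
# Constructed samples: SAMPLE_CONF mirrors the security-relevant lines of the
# hostapd.conf above (the passphrase is made up); WEAK_CONF is a counter-example.
SAMPLE_CONF = """\
interface=wg0
wpa=2
auth_algs=1
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
"""
WEAK_CONF = """\
wpa=3
auth_algs=3
wpa_pairwise=TKIP CCMP
wpa_passphrase=short
"""

def parse_hostapd(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key] = value  # a later duplicate overrides an earlier one
    return conf

def audit_hostapd(text):
    """Return findings; missing keys fall back to hostapd's documented defaults."""
    conf, findings = parse_hostapd(text), []
    wpa = int(conf.get("wpa", "0"))
    if int(conf.get("auth_algs", "3")) & 2:
        findings.append("auth_algs bit1: WEP shared-key authentication allowed")
    if wpa == 0:
        return findings + ["wpa=0: no WPA/WPA2 protection"]
    if wpa & 1:
        findings.append("wpa bit0: legacy WPA (WPA1) is enabled")
    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "TKIP")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP accepted as pairwise cipher")
    uses_psk = "PSK" in conf.get("wpa_key_mgmt", "WPA-PSK") and "wpa_psk" not in conf
    if uses_psk and not 8 <= len(conf.get("wpa_passphrase", "")) <= 63:
        findings.append("wpa_passphrase must be 8..63 characters")
    return findings

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        print(name, audit_hostapd(text) or "nothing flagged")
```
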

Enable hostapd service via

systemctl enable hostapd
systemctl start hostapd

Checking WiFi can be done like so:

$ iwlist wg0 scan
wg0       Scan completed :
          Cell 01 - Address: 34:31:C4:64:E5:91
                    ESSID:"Turk Telekom"
                    Protocol:IEEE 802.11bgn
                    Mode:Master
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:on
                    Bit Rates:144 Mb/s
                    Extra:rsn_ie=30140100000fac040100000fac040100000fac020000
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD6F0050F204104A0001101044000102103B000103104700102C5A66C569964D595C0E3431C464E5911021000341564D1023000446
426F78102400043030303010420004303030301054000800060050F20400011011000446426F78100800020280103C0001031049000600372A000120
                    Quality=84/100  Signal level=10/100
                    Extra:fm=0003
          Cell 02 - Address: 94:4A:0C:7E:1D:CB
                    ESSID:"WLAN-296708"
                    Protocol:IEEE 802.11bgn
                    Mode:Master
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:on
                    Bit Rates:144 Mb/s
                    Extra:rsn_ie=30140100000fac040100000fac040100000fac020c00
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD800050F204104A0001101044000102103B000103104700102A5E35610C22E96D12CB27C8D718E0611021000842726F6164636F6D
1023000842726F6164636F6D1024000631323334353610420004313233341054000800060050F20400011011000A42726F6164636F6D4150100800020106103C00010110490
00600372A000120
                    Quality=100/100  Signal level=8/100
                    Extra:fm=0003
. . .

6. Activate NAT/Masquerading. Up to this point your smartphones and tablets can communicate with all other PCs in your network, but they cannot make any connections to the "real" internet. To enable this you must have iptables installed. The iptables configuration in /etc/iptables/iptables.conf is:

*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

Very likely you want to single out some wireless devices to which you want to connect. To do so, add rules like these to the nat table above:

-A PREROUTING -i eth0 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.4.118:2223
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2224 -j DNAT --to-destination 192.168.4.119:2224
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2225 -j DNAT --to-destination 192.168.4.120:2225
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2226 -j DNAT --to-destination 192.168.4.146:2226
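
A port forward exposes whichever device currently holds the target address, so each DNAT destination should be pinned by a dhcp-host line in dnsmasq rather than sit in the dynamic pool or outside dnsmasq's control. The following Python script is an added example, not part of the original post; it cross-checks the DNAT rules against the dnsmasq lines shown earlier, and its function names and status labels are assumptions.

```python
import re
from ipaddress import ip_address
# Constructed sample input: the dnsmasq and iptables lines shown in this post.
DNSMASQ_CONF = """\
dhcp-range=192.168.4.51,192.168.4.99,255.255.255.0,12h
dhcp-host=e8:d8:d1:02:7c:5e,hp3830,192.168.4.16,12h
dhcp-host=94:65:2d:7a:c6:36,five,192.168.4.118,12h
dhcp-host=8c:83:e1:1c:25:d2,samsung,192.168.4.119,12h
dhcp-host=52:d4:94:59:d6:ce,tablet,192.168.4.120,12h
"""
IPTABLES_NAT = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.4.118:2223
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2224 -j DNAT --to-destination 192.168.4.119:2224
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2225 -j DNAT --to-destination 192.168.4.120:2225
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2226 -j DNAT --to-destination 192.168.4.146:2226
"""

DNAT_RE = re.compile(r"--dport (\d+) .*-j DNAT --to-destination ([\d.]+):(\d+)")

def parse_dnsmasq(text):
    """Return ((first, last) of the dynamic pool, {reserved ip: hostname}).

    Assumes the dhcp-host field order used in this post: MAC,hostname,IP,lease."""
    pool, reserved = None, {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        fields = value.split(",")
        if key == "dhcp-range":
            pool = (ip_address(fields[0]), ip_address(fields[1]))
        elif key == "dhcp-host":
            reserved[ip_address(fields[2])] = fields[1]
    return pool, reserved

def audit_forwards(dnsmasq_text, nat_text):
    """Classify every DNAT target as reserved, dynamic-pool or unmanaged."""
    pool, reserved = parse_dnsmasq(dnsmasq_text)
    report = []
    for m in DNAT_RE.finditer(nat_text):
        port, ip = int(m.group(1)), ip_address(m.group(2))
        if ip in reserved:
            status = "reserved:" + reserved[ip]
        elif pool and pool[0] <= ip <= pool[1]:
            status = "dynamic-pool"  # the lease can move to another client
        else:
            status = "unmanaged"     # this dnsmasq config never assigns it
        report.append((port, str(ip), status))
    return report

if __name__ == "__main__":
    for port, ip, status in audit_forwards(DNSMASQ_CONF, IPTABLES_NAT):
        print(f"tcp/{port} -> {ip}: {status}")
```

On the configuration in this post the first three forwards resolve to the reserved hosts five, samsung and tablet, while 192.168.4.146 is reported as unmanaged, meaning that device has to carry a static address of its own.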