I've compared a ping packet before I apply the prerouting mangle and after. They are functionally identical; nothing that is not subject to change actually changes before and after. But before I apply the rule I get ICMP TTL exceeded in transit, and afterwards I don't. I cannot figure it out. What kind of protection does the router above me use?
To change the TTL of the packets that you send, you must use '-i wlan0' in your case. Now, with '-i eth0', you actually change the TTL of the received packets. In other words, if you use ping on your client (the computer that is connected to the AP) you will always see something like:
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=78.3 ms
Probably your client has some firewall rule that blocks packets with a low TTL. Try to use another device without changing the TTL and see if it works.
Also, to check if your ISP blocks packets with a low TTL, try this:
ping -t 30 8.8.8.8
Or maybe your router changes the TTL. Run the following on your AP computer and give me the output:
ping -c 3 8.8.8.8
I thought about it some more, and it seems I figured it out. Every incoming packet to my internal IP has TTL set to 0. Therefore packets that have been routed through me cannot be routed back, and TTL exceeded is generated. By applying TTL 64 in prerouting I am allowing my TCP/IP stack to route it back to the subnetwork.
I wonder if this is a standard subnet blocking solution or someone had a clever idea...
Weird idea: a proposal to incorporate this script in NetworkManager.
I think it will be more flexible if it is rewritten inside NetworkManager with libnm, but this should be another project.
Personally I don't have the time to do it, so if someone wants to rewrite it for NM then he/she can take my ideas from create_ap.
Thought I would give create_ap another go, using the following hardware:
Bus 002 Device 004: ID 7392:7811 Edimax Technology Co., Ltd EW-7811Un 802.11n Wireless Adapter [Realtek RTL8188CUS]
Passed this command:
sudo create_ap -n -g <ip_address> wlp0s29u1u5 ArchAP
Fired up lighttpd, set the server to bind to my ip_address, and I was able to connect and see my index.html.
Passed '-n' as I really do not need to share the net connection.
Amazing script, thanks for sharing.
Mr Green
Have got the access point running, but when I try to connect to it, the connection drops out. Have got lighttpd running on my given IP address (not sure if that is correct). Not really sure how to get connected to the access point in a simple way to test?
Mr Green
The simplest way is the one that you have in your previous post.
If you're using EW-7811Un then try again with Realtek drivers. I have a howto here: https://github.com/oblique/create_ap/bl … realtek.md
Also, can you give me the output of create_ap?
Hey... For a couple of days now, my phone has not found the WiFi signal sent by create_ap. When I run the command I get this:
sudo ./create_ap --hidden wlp2s0 enp1s0 SSID password
Config dir: /tmp/create_ap.wlp2s0.conf.23mxJ3k1
PID: 7052
Network Manager found, set ap0 as unmanaged device... DONE
Creating a virtual WiFi interface... ap0 created.
Access Point's SSID is hidden!
Sharing Internet using method: nat
hostapd command-line interface: hostapd_cli -p /tmp/create_ap.wlp2s0.conf.23mxJ3k1/hostapd_ctrl
Configuration file: /tmp/create_ap.wlp2s0.conf.23mxJ3k1/hostapd.conf
sh: /usr/bin/ovs-vsctl: No such file or directory
Using interface ap0 with hwaddr 68:17:29:be:ff:6a and ssid "LenovoMI"
ap0: interface state UNINITIALIZED->ENABLED
ap0: AP-ENABLED
Look at this:
sh: /usr/bin/ovs-vsctl: No such file or directory
So, I installed openvswitch:
sudo pacman -S openvswitch
and then:
sudo ./create_ap --hidden wlp2s0 enp1s0 SSID password
Config dir: /tmp/create_ap.wlp2s0.conf.6AREedJw
PID: 7305
Network Manager found, set ap0 as unmanaged device... DONE
Creating a virtual WiFi interface... ap0 created.
Access Point's SSID is hidden!
Sharing Internet using method: nat
hostapd command-line interface: hostapd_cli -p /tmp/create_ap.wlp2s0.conf.6AREedJw/hostapd_ctrl
Configuration file: /tmp/create_ap.wlp2s0.conf.6AREedJw/hostapd.conf
ovs-vsctl: unix:/run/openvswitch/db.sock: database connection failed (No such file or directory)
Using interface ap0 with hwaddr 68:17:29:be:ff:6a and ssid "LenovoMI"
ap0: interface state UNINITIALIZED->ENABLED
ap0: AP-ENABLED
Now it says:
ovs-vsctl: unix:/run/openvswitch/db.sock: database connection failed (No such file or directory)
I tried this:
sudo systemctl start ovsdb-server.service
sudo systemctl start ovs-vswitchd.service
and then:
sudo ./create_ap --hidden wlp2s0 enp1s0 SSID password
Config dir: /tmp/create_ap.wlp2s0.conf.nB9R4DcL
PID: 7524
Network Manager found, set ap0 as unmanaged device... DONE
Creating a virtual WiFi interface... ap0 created.
Access Point's SSID is hidden!
Sharing Internet using method: nat
hostapd command-line interface: hostapd_cli -p /tmp/create_ap.wlp2s0.conf.nB9R4DcL/hostapd_ctrl
Configuration file: /tmp/create_ap.wlp2s0.conf.nB9R4DcL/hostapd.conf
ovs-vsctl: no interface named ap0
Using interface ap0 with hwaddr 68:17:29:be:ff:6a and ssid "LenovoMI"
ap0: interface state UNINITIALIZED->ENABLED
ap0: AP-ENABLED
ovs-vsctl: no interface named ap0
And it doesn't work... Help!
It looks like in hostapd 2.4 they use openvswitch to do some things. I will investigate it this week. For a workaround you can downgrade hostapd to 2.3.
It looks like in hostapd 2.4 they use openvswitch to do some things. I will investigate it this week. For a workaround you can downgrade hostapd to 2.3.
Thanks... I'm waiting!
I found that openvswitch support is not added on the official hostapd code, but it's a custom patch on Arch's hostapd. If you remove openvswitch (and just ignore the error), hostapd will behave normally as before.
If you remove openvswitch but you still have some problems, then it's probably something else.
I removed openvswitch and nothing happened... it's probably something else.
Try to change the channel; maybe it is interfering with another AP. Also, try it without --hidden.
Without --hidden it works!!
The --hidden option hides the name of the AP, and the client must know about it. Did you want to use this feature, or did you use it by mistake?
I want to use it.
Some clients (for example, Android) don't show access points with a hidden SSID.
What you have to do is add the WiFi AP manually, choose the type of encryption that it has, type the passphrase and then connect to it manually, because the client cannot detect it.
This is the normal behavior if you want to use the --hidden option.
If you have any trouble configuring your client, then just google how you can add a hidden WiFi network on it.
If you want to make your life simpler, then don't use --hidden.
Hello,
I have some trouble connecting to a PPTP server through create_ap in NATed mode.
Does anyone have an idea?
Thanks
Last edited by batzi2014 (2015-03-31 05:34:14)
If you don't use create_ap, does it connect successfully? Do you have a firewall? Also, check your PPTP configuration.
Thanks for the fast reply. Yes, it definitely works when I connect (WLAN) to my modem router directly. But using my home server with your script, it doesn't connect.
So just to be sure: VPN (PPTP) is working without problems with your script?
Thanks
Update: connecting through create_ap:
PPTP port-mapping for en0 inconsistent. is Connected: 1, Previous interface: 4, Current interface 0
Update 2:
create_ap offers me a network 192.168.12.1/24 and my network is 192.168.100.1/24. When connected to 12.1, I am able to access all components on 100.1 and the outside world, but only VPN is struggling.
Last edited by batzi2014 (2015-03-31 06:56:03)
I never tried it but I don't think my script is the problem. It's probably something in the PPTP configuration or a firewall rule.
Connect to PPTP without using create_ap and give me the output of:
iptables -S
iptables -t nat -S
Then run create_ap and run the above commands again (on the computer that create_ap runs).
Hi,
without create_ap:
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
with create_ap:
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -d 192.168.100.0/24 -i p4p1 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i ap0 -j ACCEPT
-A fail2ban-ssh -j RETURN
iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o p4p1 -j MASQUERADE
Thanks for your help.
Last edited by batzi2014 (2015-03-31 09:17:20)
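An added shell example (not code from create_ap or from anyone in this thread) that rebuilds the NAT rule set visible in the "with create_ap" dump above and then runs a pre-flight check for what a PPTP client behind that NAT additionally needs; the interface names, subnet and rule lines are taken from the posted output, the lsmod listings are constructed, and nothing is applied to the live firewall.

```shell
#!/bin/sh
# Added diagnostic, not part of create_ap: rebuilds the NAT rule set visible in the
# "with create_ap" dump above, then checks a rule dump and a module listing for
# what a PPTP client behind that NAT additionally needs. Interface names (ap0,
# p4p1) and the subnet come from the posted output; nothing here is applied.
# Emit the rules the dump shows for AP interface $1, uplink $2 and AP subnet $3.
# (Restricting the DHCP/DNS INPUT rules with "-i $1" would be tighter than the dump.)
nat_rules() {
    printf '%s\n' \
        "iptables -A INPUT -p udp --dport 67 -j ACCEPT" \
        "iptables -A INPUT -p udp --dport 53 -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport 53 -j ACCEPT" \
        "iptables -A FORWARD -d $3 -i $2 -j ACCEPT" \
        "iptables -A FORWARD -s $3 -i $1 -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE"
}

# PPTP is TCP/1723 plus GRE (IP protocol 47). GRE has no ports, so MASQUERADE
# needs the nf_nat_pptp conntrack helper, and FORWARD must not drop protocol 47.
# $1 = "iptables -S" output, $2 = "lsmod" output. Prints each missing item and
# returns 0 only when nothing is missing.
pptp_nat_check() {
    missing=0
    if ! printf '%s\n' "$1" | grep -q -- '^-P FORWARD ACCEPT$' &&
       ! printf '%s\n' "$1" | grep -Eq -- '^-A FORWARD .*-p (gre|47) .*-j ACCEPT'; then
        echo "FORWARD does not pass GRE: add -A FORWARD -p gre -j ACCEPT"; missing=1
    fi
    if ! printf '%s\n' "$1" | grep -q -- '^-A POSTROUTING -o .* -j MASQUERADE$'; then
        echo "no MASQUERADE rule on the uplink"; missing=1
    fi
    if ! printf '%s\n' "$2" | grep -q '^nf_nat_pptp '; then
        echo "nf_nat_pptp helper not loaded: modprobe nf_nat_pptp"; missing=1
    fi
    return $missing
}
# Constructed samples: the posted dump (filter and nat tables joined) and two
# lsmod listings, with and without the helper.
RULES_WITH_AP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A FORWARD -d 192.168.100.0/24 -i p4p1 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i ap0 -j ACCEPT
-A POSTROUTING -o p4p1 -j MASQUERADE'
LSMOD_WITH_HELPER='Module                  Size  Used by
nf_nat_pptp            16384  0'
LSMOD_NO_HELPER='Module                  Size  Used by
iptable_nat            16384  1'
nat_rules ap0 p4p1 192.168.100.0/24
pptp_nat_check "$RULES_WITH_AP" "$LSMOD_NO_HELPER" || echo "PPTP prerequisites missing"
```

On kernels where automatic conntrack helper assignment is disabled, loading nf_nat_pptp is necessary but not sufficient: the helper also has to be assigned to the TCP/1723 control connection with an iptables CT rule in the raw table.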
The system randomly crashes when using mentohust (which supports China campus network authentication).
I don't know where to find the error log, because it can't do anything while crashing.
EDIT:
Here are 2 ways to connect to the Internet (2 different agencies).
When I use DSL, everything seems fine.
When I use mentohust, the system randomly crashes and I don't know what the trigger is.
Last edited by b4nst0n (2015-03-31 14:14:49)