2

I followed the official guide (from the Raspberry Pi people) for setting up a Pi as a WiFi access point.

It says:

With this network configuration, wireless clients can all communicate with each other through the Raspberry Pi router. However, clients on the wireless network cannot directly interact with clients on the wired network other than the Raspberry Pi; wireless clients exist in a private network separate from the network that serves wired clients.

From the linked guide, section "Enable Hotspot", it told me to execute sudo nmcli device wifi hotspot ssid $SSID to enable the hotspot/AP.
Then disable it: sudo nmcli device disconnect wlan0.
Change a connection parameter just for compatibility's sake and to make things easier on the client devices: sudo nmcli connection modify $UUID remove wifi-sec, which disables encryption and authentication to the hotspot/AP.
Then bring it back up: sudo nmcli connection up Hotspot

This is all I did before testing with my phone (and asking this question to see if anybody had any leads). The Pi runs Raspberry Pi OS/Raspbian (whatever they're calling it now), specifically the one based on Debian 12/Bookworm. I updated everything to the latest version early this morning.

Output of uname -a: Linux raspberrypi 6.6.51+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.51-1+rpt3 (2024-10-08) aarch64 GNU/Linux

The point is to have a WLAN for really old stuff with no way for data to enter or leave from an external network. That's all there is to it. Under no circumstances should internet connection sharing or bridging be enabled, according to the guide, but testing reveals that it is enabled and there is no way to disable it. The reason for this is to keep said really old stuff safe from possible compromise from the internet. There's a reason everybody tells you not to connect something running Windows 95 to the modern internet at all.

The default NetworkManager hotspot connection profile has ipv4.method=shared in it, which means it will forward outgoing requests to the internet. AFAICT this is a cross-distro issue. I tried changing this to ipv4.method=manual, mucking about with dnsmasq and other things trying to get NetworkManager to play nice with it, but was not successful.

Ideally, I'm looking for a known working connection profile and other information (dependencies, etc.) I need to make NetworkManager create a plain AP with nothing else to it.

2 Answers

1

It turns out the solution was much simpler than I anticipated. Basically you need dnsmasq in order to manually control the hotspot DHCP server with NetworkManager and there's no way around it.

Stop NetworkManager and explicitly install dnsmasq:

sudo apt install dnsmasq

By default Raspbian includes a "dnsmasq-base" package whose systemd unit is masked out, and it does not seem to include all the features of the full package either.

Next configure dnsmasq by slipping something like this at the start of /etc/dnsmasq.conf:

listen-address=192.168.0.1
no-hosts
dhcp-range=192.168.0.2,192.168.0.240,12h

(I think the 12h sets the lease time to 12 hours?)
Save the file and restart dnsmasq, or start it if not already running.

Create the hotspot/AP connection profile and bring it down:

sudo nmcli dev wifi hotspot ssid testap
sudo nmcli con down Hotspot

Modify the profile so we have the right settings for my use case:

sudo nmcli con modify Hotspot remove wifi-sec
sudo nmcli con modify Hotspot ipv4.method manual ipv4.addresses 192.168.0.1/24

Then we bring it back up:

sudo nmcli con up Hotspot

Resulting connection profile at /etc/NetworkManager/system-connections/Hotspot.nmconnection:

[connection]
id=Hotspot
uuid=11e2a14b-52d5-4fe6-82d0-4c3874ff52df
type=wifi
autoconnect=false
interface-name=wlan0
timestamp=1731713433

[wifi]
mode=ap
ssid=dummynet

[ipv4]
address1=192.168.0.1/24
method=manual

[ipv6]
addr-gen-mode=default
method=ignore

No connected device can call out to the rest of my LAN or the internet through Ethernet.

Making this persist between reboots is simple:

sudo nmcli con modify Hotspot connection.autoconnect 1

Then make sure both dnsmasq and NetworkManager's systemd units are enabled and everything should be good to go.

goldilocks
0

I use the following occasionally when travelling, and have connections (with a higher priority) for my regular networks.
Ethernet access is a separate connection using DHCP (on a different subnet).

/etc/NetworkManager/system-connections/Hotspot.nmconnection

[connection]
id=Hotspot
uuid=b85195c9-0f79-422f-a56e-eb3fdd146c01
type=wifi
interface-name=wlan0
timestamp=1718681933

[wifi]
band=bg
mode=ap
ssid=RaspberryPiNet

[wifi-security]
key-mgmt=wpa-psk
psk=XXXXXX

[ipv4]
address1=10.42.0.0/24,10.42.0.0
method=shared

[ipv6]
addr-gen-mode=stable-privacy
method=ignore

[proxy]

See How do I set up networking on Raspberry Pi OS - Bookworm

Milliways
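The two profiles posted in the answers above differ in ipv4.method, which decides whether NetworkManager only serves the AP or also enables forwarding and NAT for its clients. As an added example (not code from either answer or from the Raspberry Pi guide), this shell script reads a .nmconnection keyfile and reports which of the two it is; the function names nm_get and audit_profile and the trimmed sample profiles are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): audit a NetworkManager keyfile for the
# isolation properties discussed above. Function names are hypothetical.

# Print the value of KEY in [SECTION] of keyfile FILE (nothing if absent).
nm_get() {  # usage: nm_get FILE SECTION KEY
    awk -F= -v sec="[$2]" -v key="$3" '
        /^\[/ { cur = $0; next }
        cur == sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Print one finding per line; return 0 only for an AP that does not route.
audit_profile() {
    rc=0
    [ "$(nm_get "$1" wifi mode)" = "ap" ] || { echo "not-an-ap"; rc=1; }
    method=$(nm_get "$1" ipv4 method)
    case "$method" in
        manual) echo "ipv4-manual" ;;
        shared) echo "ipv4-shared-nat-and-forwarding"; rc=1 ;;
        *)      echo "ipv4-unexpected:${method:-unset}"; rc=1 ;;
    esac
    # Informational: the asker removed wifi-sec on purpose, so do not fail on it.
    if grep -q '^\[wifi-security\]' "$1"; then echo "wifi-security-present"
    else echo "open-network"; fi
    return "$rc"
}

# Constructed sample input: trimmed copies of the two profiles posted above.
tmp=$(mktemp -d)
printf '%s\n' '[connection]' 'id=Hotspot' '[wifi]' 'mode=ap' 'ssid=dummynet' \
    '[ipv4]' 'address1=192.168.0.1/24' 'method=manual' > "$tmp/manual.nmconnection"
printf '%s\n' '[wifi]' 'mode=ap' 'ssid=RaspberryPiNet' '[wifi-security]' \
    'key-mgmt=wpa-psk' '[ipv4]' 'method=shared' > "$tmp/shared.nmconnection"

for f in "$tmp"/*.nmconnection; do
    echo "== ${f##*/}"
    audit_profile "$f" || echo "   -> would forward client traffic or is not an AP"
done
```

On the Pi, point audit_profile at /etc/NetworkManager/system-connections/Hotspot.nmconnection and run it as root, since the files in that directory are readable only by root.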