# Gentoo wifi hotspot -> "destination host unreachable"

## Jimini

Hey there,

during the last days, I tried to set up a Gentoo based wifi hotspot using hostapd, dhcpd, iptables and two wifi USB adapters (TP-Link TL-WN821N). I set up hostapd and dhcpd, since I was able to connect to the wireless network. The client gets its IP address, but it is not able to ping / reach anything inside or outside my local net ("Destination Host unreachable"). Since iptables does not log any drops or rejects, I have no idea what could be the reason for this behavior.

This is my config:

hostapd (2.0):

```
interface=wlp0s29u1u1
bridge=br0
driver=nl80211
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=Test-AP
utf8_ssid=1
country_code=DE
ieee80211d=1
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
eapol_key_index_workaround=0
wpa=2
wpa_passphrase=secretsecretpassphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_group_rekey=600
wpa_gmk_rekey=86400
wpa_ptk_rekey=600
rsn_preauth=1
rsn_preauth_interfaces=wlp0s29u1u1
```

/etc/conf.d/net:

```
config_enp3s0="dhcp"
dhcp_enp3s0="release nodns"
config_enp1s0f0="10.0.0.1/24"
mode_wlp0s29u1u1="master"
modules_wlp0s29u1u1="!iwconfig !wpa_supplicant"
routes_wlp0s29u1u1="default via 10.0.0.1"
config_wlp0s29u1u2="10.0.1.61/24"
mode_wlp0s29u1u2="master"
modules_wlp0s29u1u2="!iwconfig !wpa_supplicant"
brctl_br0="stp br0 off"
bridge_br0="enp1s0f1 wlp0s29u1u1"
config_enp1s0f1="null"
config_wlp0s29u1u1="null"
config_br0="10.0.0.3/24"
```

dhcpd (4.2.5_p1):

```
subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.101 10.0.0.200;
        default-lease-time 259200;
        max-lease-time 518400;
        option subnet-mask 255.255.255.0;
        option broadcast-address 10.0.0.255;
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
        allow unknown-clients;
}
```

iptables (1.4.16.3) (shortened):

```
#!/bin/sh

echo "1" > /proc/sys/net/ipv4/conf/all/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -t nat -F
iptables -t mangle -F

lan="enp1s0f0"
wlan1="wlp0s29u1u1"
wlan2="wlp0s29u1u2"
wan="enp3s0"
intern=10.0.0.0/24

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

iptables -A FORWARD -s $intern -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -s $intern -i $wlan1 -o $wan -j ACCEPT
iptables -A FORWARD -s $intern -i br0 -o $wan -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE

### DHCP
iptables -A INPUT -i br0 -p udp --sport 68 --dport 67 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $lan -p udp --sport 68 --dport 67 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $wlan1 -p udp --sport 68 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 68 -j REJECT
iptables -A OUTPUT -o $lan -d $intern -p udp --dport 68 -m conntrack --ctstate NEW -j ACCEPT

### ICMP
iptables -A INPUT -p icmp -s $intern -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp ! -s $intern -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT

iptables -A FORWARD -j LOG --log-prefix "REJECTED_FORWARD: " --log-level=5
iptables -A FORWARD -j REJECT
iptables -A OUTPUT -j LOG --log-prefix "REJECTED_OUTPUT: " --log-level=5
iptables -A OUTPUT -j REJECT
iptables -A INPUT -i $wan -j REJECT
iptables -A INPUT -j LOG --log-prefix "REJECTED_INPUT: " --log-level=5
iptables -A INPUT -j REJECT
```

And finally the log entries, when a client connects:

```
May  6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e IEEE 802.11: authenticated
May  6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e IEEE 802.11: associated (aid 1)
May  6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e RADIUS: starting accounting session 51873C85-00000001
May  6 19:13:50 Aleph hostapd: wlp0s29u1u1: STA 00:0e:35:51:db:5e WPA: pairwise key handshake completed (RSN)
May  6 19:13:50 Aleph dhcpd: DHCPDISCOVER from 00:0e:35:51:db:5e (Nyx) via br0
May  6 19:13:51 Aleph dhcpd: DHCPOFFER on 10.0.0.101 to 00:0e:35:51:db:5e (Nyx) via br0
May  6 19:13:52 Aleph dhcpd: Wrote 3 leases to leases file.
May  6 19:13:52 Aleph dhcpd: DHCPREQUEST for 10.0.0.101 (10.0.0.3) from 00:0e:35:51:db:5e (Nyx) via br0
May  6 19:13:52 Aleph dhcpd: DHCPACK on 10.0.0.101 to 00:0e:35:51:db:5e (Nyx) via br0
```

Any help would be REALLY appreciated.

Best regards,

Jimini

----------

## Aiken

1st thing, as you are using udev names (wlp0s29u1u1) for the interfaces instead of kernel names (wlan0) you will have to keep in mind that something as simple as moving the usb wifi adaptors to different usb ports will break hostapd and your script as udev will give your wifi adaptors new names if you move them to different usb ports. 

Have not worked out what the 2nd wifi adaptor with your setup is for. I have 2 always on machines acting as access points. On the machine with a static ip its /etc/conf/net is

```
config_eth0="null"
config_eth1="null"
bridge_br0="eth0 eth1"
config_br0="172.16.31.1/24"
routes_br0="default via 172.16.31.254"
depend_br0() {
   need net.eth0 net.eth1
}
```

Hostapd adds wlan0 to the bridge when it starts so I do nothing about configuring wlan0. The router is separate and it handles the firewall rules. As hostapd adds wlan0 to the bridge this is enough for client machines to connect to the access point and have access to the network.

A 3rd access point I sometimes start is for when I want to use my eeepc as an ap with my phone acting as a 3g modem. If I want to change from desktop type use to access point I use this script.

```
#!/bin/bash

/etc/init.d/xdm stop
/etc/init.d/wicd stop
modprobe ath5k
rfkill unblock all
killall wpa_supplicant

# retry until the adaptor is up
while [ 4 -lt 5 ]
do
   ifconfig wlan0 0.0.0.0 up
   if [ "$?" == "0" ]
   then
      break
   fi
   sleep 1
done

#echo nameserver 127.0.0.1 > /etc/resolv.conf
ifconfig wlan0 10.45.0.1/24

/etc/init.d/hostapd -D start
/etc/init.d/sshd -D start
/etc/init.d/dhcpd -D start
/etc/init.d/named -D start

sysctl net.ipv4.ip_forward=1

iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -j DROP
iptables -A FORWARD -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -j DROP

./wvdial
```

This kills kde and the current networking, then starts up just the services I want, giving me an access point with a simple firewall. I suggest starting with something simpler than what you have and, once that is working, then add to it.

Still not sure what your 2nd wifi adaptor is for, but something that can sometimes be useful is to use 1 wifi adaptor to connect to an existing access point and start hostapd on the other. Have done that a few times with the eeepc to temporarily extend the wireless range. That eeepc also spends time providing a wireless link back to the main network for an isolated wired network.

----------

## Jimini

Aiken,

thank you for your reply.

1) The router normally works completely "untouched" - so it runs 24/7 without any interaction. Regarding this, it should be no problem how I name the adapters.

2) At the moment, the second adapter is not in use. It is plugged in, but I don't use it. In the future, I would like to create a second wireless network with this adapter.

If I get you right, it looks as if you leave the wifi adapters completely unconfigured, right? So you bridge eth0 and eth1 and add wlan0 to this bridge afterwards via hostapd?

Best regards,

Jimini

----------

## Aiken

With the machines that act as access points I leave the wifi unconfigured. Hostapd configures and adds wlan0 to br0 for me. Based on your 1st post you already have the appropriate line in hostapd.conf, "bridge=br0". I have the net.br0 -> net.lo symlink and net.br0 in /etc/runlevels/default.

When setting up an access point, the only machine on which I do anything with wlan0 is the eeepc with the above script, and that is only because wlan0 will be stand alone and not part of a bridge.

Also have a look at the ieee80211n=1 option to enable N speeds. I think by default the max is 802.11g without that option.

The problem is not how you name the adaptors. The problem is if the adaptors get moved to other usb slots then udev will rename them for you.

----------

## jamapii

It seems to me the line

```
routes_wlp0s29u1u1="default via 10.0.0.1"
```

should not be there.

----------

## Jimini

Aiken and jamapii, thank you for your replies which helped me to get back on the track.

I changed my net-config as follows:

```
config_enp3s0="dhcp"
dhcp_enp3s0="release nodns"
mode_wlp0s29u1u1="master"
modules_wlp0s29u1u1="!iwconfig !wpa_supplicant"
config_wlp0s29u1u2="10.0.1.61/24"
mode_wlp0s29u1u2="master"
modules_wlp0s29u1u2="!iwconfig !wpa_supplicant"
brctl_br0="stp br0 off"
bridge_br0="enp1s0f0 wlp0s29u1u1"
config_enp1s0f0="null"
config_wlp0s29u1u1="null"
config_br0="10.0.0.1/24"
routes_br0="default via 10.0.0.1"
rc_net_br0_need="net.enp1s0f0 net.wlp0s29u1u1 hostapd"
```

And everything works!

Now the only problem is that syslog-ng refuses to start during the boot process - any idea?

Best regards,

Jimini

----------

## khayyam

*Jimini wrote:*

> Now the only problem is that syslog-ng refuses to start during the boot process - any idea?

Jimini ... syslog-ng has a conditional for 'need net':

```
depend() {
   # Make networking dependency conditional on configuration
   case $(sed 's/#.*//' /etc/syslog-ng/syslog-ng.conf) in
      *source*tcp*|*source*udp*|*destination*tcp*|*destination*udp*)
         need net
         use stunnel ;;
   esac
}
```

It's possible you have such a configuration and so 'need net' (which your new setup isn't providing). You could try the following:

/etc/rc.conf

```
rc_depend_strict="NO"
rc_syslog_ng_need="!net"
```

There are possibly other reasons why it might not start but the above would seem the most obvious.

best ... khay

----------

## Jimini

khayyam, of course you are right. Thank you for your hint!

Now I would like to add another wireless network using the second wifi adapter. The configuration is similar to the first one, and I can join this second network without problems. But again, the client cannot reach anything - as described in my first posting in this thread.

My config:

```
config_enp3s0="dhcp"
dhcp_enp3s0="release nodns"
config_enp1s0f0="null"
config_enp1s0f1="null"
config_wlp0s29u1u1="null"
mode_wlp0s29u1u1="master"
modules_wlp0s29u1u1="!iwconfig !wpa_supplicant"
config_wlp0s29u1u2="null"
mode_wlp0s29u1u2="master"
modules_wlp0s29u1u2="!iwconfig !wpa_supplicant"
brctl_br0="stp br0 off"
bridge_br0="enp1s0f0 wlp0s29u1u1"
config_br0="10.0.0.1/24"
routes_br0="default via 10.0.0.1"
rc_net_br0_need="net.enp1s0f0 net.wlp0s29u1u1"
brctl_br1="stp br1 off"
bridge_br1="enp1s0f1 wlp0s29u1u2"
config_br1="10.0.0.3/24"
routes_br1="default via 10.0.0.1"
rc_net_br1_need="net.enp1s0f1 net.wlp0s29u1u2"
```

```
Aleph jimini # tcpdump -i br1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:30:51.439339 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:52.439449 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:53.456933 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:54.455540 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:55.455525 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
13:30:58.472231 ARP, Request who-has 10.0.0.3 tell 10.0.0.101, length 28
[...]
```

I am convinced that it is only a very little mistake that I made, but I simply can't find it.

Best regards,

Jimini

----------

## Jimini

Okay, I could solve the problem partially by myself - I simply connected the second NIC to the switch, which connects the router with my network.

```
                      NIC2 (enp1s0f0)---br0---WLAN1 (wlp0s29u1u1)
                         |                                     |
WAN---NIC1---Router--------------------------
                         |                                     |
                      NIC3 (enp1s0f1)---br1---WLAN2 (wlp0s29u1u2)
```

Now the systems which connect to WLAN2 can ping local systems, too. But shouldn't that be possible without a physical connection between NIC3 and the switch? At the moment, the clients in WLAN2 cannot reach anything outside my network; I'm still trying to figure out why.

Best regards,

Jimini
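Both the first post (enp1s0f0 at 10.0.0.1/24 next to br0 at 10.0.0.3/24) and the two-bridge config above (br0 at 10.0.0.1/24, br1 at 10.0.0.3/24) put two interfaces of one host into the same subnet, while the firewall script from the first post sets arp_filter=1 and rp_filter=1; with those sysctls the kernel only answers ARP on, and only accepts packets from, the interface its own route to the asker would use, which matches the unanswered ARP requests in the tcpdump. The checker below is an added example, not code from the thread: it parses config_<iface> lines in the /etc/conf.d/net style shown here and reports interface pairs that share a subnet together with the sysctl that will bite; the config snippets and sysctl values are constructed from the posts.

```python
"""Flag interfaces that share a subnet on a host running arp_filter=1 / rp_filter=1."""
import ipaddress
import re
from itertools import combinations

# Constructed from the thread: address-bearing lines of the two-bridge config
# and of the very first config, plus the sysctls the firewall script sets.
TWO_BRIDGE_CONF = """
config_enp3s0="dhcp"
config_br0="10.0.0.1/24"
routes_br0="default via 10.0.0.1"
config_br1="10.0.0.3/24"
routes_br1="default via 10.0.0.1"
"""
FIRST_POST_CONF = 'config_enp1s0f0="10.0.0.1/24"\nconfig_br0="10.0.0.3/24"\n'
SYSCTLS = {"arp_filter": 1, "rp_filter": 1}

CONFIG_RE = re.compile(r'^config_(\w+)="(\d+\.\d+\.\d+\.\d+/\d+)"$')


def parse_addresses(conf):
    """Return {iface: IPv4Interface} for every static config_<iface>="a.b.c.d/n" line;
    "dhcp" and "null" entries carry no address and are skipped."""
    addrs = {}
    for line in conf.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            addrs[m.group(1)] = ipaddress.ip_interface(m.group(2))
    return addrs


def shared_subnets(addrs):
    """Interface pairs whose connected networks overlap: the FIB then holds two routes
    for the same prefix and picks one interface for all traffic to that prefix."""
    return sorted((a, b) for a, b in combinations(sorted(addrs), 2)
                  if addrs[a].network.overlaps(addrs[b].network))


def diagnose(conf, sysctls):
    """One finding per (pair, strict sysctl) explaining why the second interface is deaf."""
    findings = []
    for a, b in shared_subnets(parse_addresses(conf)):
        if sysctls.get("arp_filter") == 1:
            findings.append(f"{a}/{b} share a subnet and arp_filter=1: ARP requests reaching "
                            "the interface that is not the kernel's route back go unanswered")
        if sysctls.get("rp_filter") == 1:
            findings.append(f"{a}/{b} share a subnet and rp_filter=1: packets arriving on "
                            "the interface that is not the reverse path are dropped")
    return findings
```

Clearing the overlap (one subnet per bridge, or one bridge holding both wireless interfaces) removes the findings; relaxing the two sysctls to 0 does too, at the cost of the spoofing protection they provide.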

----------

