I am attempting to set up a hotspot on an Ubuntu 22.04-based embedded device. I am having issues getting the hotspot to connect clients to the internet. I spent a lot of time trying to get the nmcli hotspot setup to work, but it never did, so I'm configuring things manually.
On the embedded device, I have a wifi card on interface wlan0 and a separate cellular modem on interface wwan0. Using hostapd, I have successfully created a hotspot on wlan0 that I can connect to with my MacBook. I am using dnsmasq on the embedded device to provide DHCP to the hotspot and DNS to the whole local system. Eventually I want to use ufw for a firewall, but for the moment I have disabled ufw and I'm manually setting routing rules with iptables.
wlan0 has the static IP address 10.42.0.1.
My /etc/hostapd/hostapd.conf contains the following:
interface=wlan0
driver=nl80211
ssid=testHotspot
hw_mode=g
channel=6
wmm_enabled=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
# wpa=2 enables WPA2 (RSN) only, so wpa_pairwise (the WPA1 cipher list)
# is not used here; clients negotiate CCMP from rsn_pairwise.
wpa=2
wpa_passphrase=testpass
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
My /etc/dnsmasq.conf file contains the following:
port=53
listen-address=127.0.0.1
listen-address=10.42.0.1
bind-dynamic
dhcp-range=10.42.0.40,10.42.0.200,255.255.255.0,24h
dhcp-option=3,10.42.0.1 #default gateway
dhcp-option=6,10.42.0.1 #tell clients to look to us for dns
dhcp-authoritative
# The @wwan0 suffix makes dnsmasq send its upstream queries out of the
# cellular interface, so the answers have to be accepted back in on wwan0.
server=8.8.8.8@wwan0
server=8.8.4.4@wwan0
no-resolv
no-poll
no-hosts
log-debug
log-queries
log-dhcp
Ideally, my dnsmasq setup would cache DNS results and forward everything it doesn't have cached out to DNS servers on the cellular connection. I disabled the system services systemd-resolved and isc-dhcp-server because I wanted to handle all of my DNS configuration in one spot with dnsmasq, but I'm happy to re-enable those if they'll help get this accomplished. lsof -i :53 returns:
COMMAND  PID  USER    FD  TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq  3726 dnsmasq 6u  IPv4 69863  0t0      UDP  10.42.0.1:domain
dnsmasq  3726 dnsmasq 7u  IPv4 69864  0t0      TCP  10.42.0.1:domain (LISTEN)
dnsmasq  3726 dnsmasq 8u  IPv4 69865  0t0      UDP  localhost:domain
dnsmasq  3726 dnsmasq 9u  IPv4 69866  0t0      TCP  localhost:domain (LISTEN)
I have been using a script to try to figure out my iptables rules. Currently I'm running the script every time I reboot. I will persist the rules (or, better yet, get them into ufw) once I've got things settled. I patched these together from a variety of sources, so there are probably some issues here. Stack Overflow refuses to let me post either the script that I'm using or the output of iptables -L -v -n, but I have default policies for INPUT, FORWARD, and OUTPUT set to ACCEPT and then a few rules that I don't believe are working to try and specifically open up ports 53, 67, and 68.
I also have a MASQUERADE rule set up that doesn't seem to be working.
On the topic of forwarding, I do have both net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf.
The cellular connection is managed through NetworkManager. The connection profile is under /etc/NetworkManager/system-connections/t-mobile and contains the following:
[connection]
id=t-mobile
uuid=<uuid placeholder>
type=gsm
interface-name=cdc-wdm0
timestamp=1741621543
[gsm]
apn=iot.T-mobile.com
number=*99#
[ipv4]
method=auto
[ipv6]
addr-gen-mode=stable-privacy
method=auto
I got rid of the dnsmasq plugin in NetworkManager in favor of my system instance of dnsmasq. My /etc/NetworkManager/NetworkManager.conf contains the following:
[main]
plugins=ifupdown,keyfile
[ifupdown]
managed=true
[device]
wifi.scan-rand-mac-address=no
wifi.backend=wpa_supplicant
[keyfile]
unmanaged-devices=interface-name:wlan0
I have tried several combinations of iptables commands and dnsmasq configs. What I'm observing with my current setup is that when I connect to the hotspot, the DNS requests will be picked up and forwarded but not replied to. I thought this meant that my iptables rules weren't allowing DNS back in, so I tried quite a few different rules to open those ports and haven't been able to get any to work. Running journalctl --unit dnsmasq -f while I'm connected shows queries and forwards but no replies; unfortunately, the output looks like spam to Stack Overflow.
A really interesting twist to this whole thing is that if I have my MacBook plugged in to an ethernet connection when I connect it to the hotspot, then the MacBook will route its DNS requests out of the ethernet port and I can successfully get through to the internet through the hotspot. In that setup, the MacBook gets the IP address 10.42.0.107 from the hotspot, and when I run ping -S 10.42.0.107 google.com it's successful. I can see those ping requests moving through the cellular connection on the embedded device using tcpdump -nn -i wwan0. The second I unplug the ethernet from the MacBook, it begins to route DNS through the hotspot, and I lose my ability to ping the internet from both the MacBook and the embedded device.
I thought that might point to an issue with my routes, but the routes don't change at any point through that entire process, and they seem correct to me. Running route -n gives:
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
0.0.0.0         <cellular ip>    0.0.0.0          UG    700    0   0   wwan0
0.0.0.0         192.168.55.100   0.0.0.0          UG    32766  0   0   l4tbr0
10.0.0.0        0.0.0.0          255.0.0.0        U     0      0   0   wg0
10.42.0.0       0.0.0.0          255.255.255.0    U     0      0   0   wlan0
<cellular ip>   0.0.0.0          255.255.255.248  U     700    0   0   wwan0
169.254.0.0     0.0.0.0          255.255.0.0      U     1000   0   0   l4tbr0
192.168.55.0    0.0.0.0          255.255.255.0    U     0      0   0   l4tbr0
What am I doing wrong here? Thanks in advance!
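An added example, not the poster's script (which the post says could not be included): a minimal iptables rule set for exactly this layout, a hostapd/dnsmasq hotspot on wlan0 whose clients are NATed out over wwan0, plus a check that reads an iptables-save dump and confirms the three rules the clients' traffic cannot work without. The interface names and 10.42.0.0/24 are taken from the post; the rules themselves, the script name hotspot-fw.sh and the sample dump are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: minimal iptables rules for a
# hostapd/dnsmasq hotspot on wlan0 NATed out over the cellular link wwan0,
# plus a check that reads an iptables-save dump and confirms the rules the
# clients' traffic depends on. Interface names and 10.42.0.0/24 come from the
# post; the rule set, script name and sample dump are assumptions.
set -eu

LAN_IF="${LAN_IF:-wlan0}"
WAN_IF="${WAN_IF:-wwan0}"
LAN_NET="${LAN_NET:-10.42.0.0/24}"

# Emit the rules as plain iptables commands so they can be reviewed first
# (sh hotspot-fw.sh print) and then applied as root (sh hotspot-fw.sh apply).
hotspot_rules() {
  cat <<EOF
# Routing must be on or the FORWARD chain never sees a client packet.
sysctl -w net.ipv4.ip_forward=1
# NAT: rewrite hotspot clients' source address to the cellular address.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# Forward client traffic out to cellular; let only replies come back in.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j DROP
# Local services: loopback, plus DHCP (67) and DNS (53) from hotspot clients.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
# Answers to dnsmasq's own upstream queries arrive as ESTABLISHED UDP flows.
iptables -A INPUT -i $WAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Never offer DNS or DHCP on the cellular side: an open resolver gets abused.
iptables -A INPUT -i $WAN_IF -p udp --dport 53 -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --dport 53 -j DROP
iptables -A INPUT -i $WAN_IF -p udp --dport 67 -j DROP
EOF
}

# Check an iptables-save dump (file argument or stdin) for the three rules
# hotspot clients cannot reach the internet without. Exit 0 only if all match.
check_nat_dump() {
  rules=$(cat "${1:-/dev/stdin}")
  for pat in \
    "^-A POSTROUTING .*-o $WAN_IF .*-j MASQUERADE" \
    "^-A FORWARD .*-i $LAN_IF -o $WAN_IF .*-j ACCEPT" \
    "^-A FORWARD -i $WAN_IF -o $LAN_IF .*ESTABLISHED.*-j ACCEPT"; do
    printf '%s\n' "$rules" | grep -Eq -- "$pat" \
      || { echo "missing rule matching: $pat"; return 1; }
  done
  echo "ok: MASQUERADE, LAN->WAN forward and the return path are all present"
}

# Constructed iptables-save excerpt (not taken from the poster's device) so the
# check can be exercised offline.
sample_dump() {
  cat <<EOF
*nat
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
-A FORWARD -s $LAN_NET -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

case "${1:-print}" in
  print) hotspot_rules ;;
  apply) hotspot_rules | sh -e ;;                # needs root
  check) check_nat_dump "${2:-/dev/stdin}" ;;    # iptables-save | sh hotspot-fw.sh check
  demo)  sample_dump | check_nat_dump ;;
  *)     echo "usage: $0 print|apply|check [dump-file]|demo" >&2; exit 2 ;;
esac
```

Run `iptables-save | sh hotspot-fw.sh check` on the device with the real rules loaded: the check looks at what the kernel actually holds rather than at the script that was meant to install it, which is how a MASQUERADE rule that "doesn't seem to be working" is usually found to be on the wrong interface or in the wrong table. The ACCEPT lines on INPUT are redundant while the default policy is ACCEPT, but they are what has to survive the move to a DROP policy later; when this goes into ufw, the POSTROUTING rule lives in the *nat section of /etc/ufw/before.rules and DEFAULT_FORWARD_POLICY in /etc/default/ufw has to allow forwarding.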
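Also an added example, not from the post: the post reports that journalctl --unit dnsmasq shows queries being forwarded with no replies, so this awk filter turns dnsmasq's log-queries output into a list of names that were forwarded upstream more times than they were answered, with the upstream servers tried. The log line format is dnsmasq's own; the sample lines are constructed to reproduce the symptom and are not the poster's log.

```shell
#!/bin/sh
# Added example, not from the original post: find names that dnsmasq forwarded
# upstream but never got an answer for, from its log-queries output (what
# journalctl --unit dnsmasq shows). The line format is dnsmasq's own; the
# sample lines are constructed and are not the poster's log.
set -eu

# Constructed sample reproducing the post's symptom: client queries are
# forwarded to 8.8.8.8 / 8.8.4.4 and never answered, while a local query is.
sample_log() {
  cat <<'EOF'
Mar 10 12:00:01 dev dnsmasq[3726]: query[A] google.com from 10.42.0.107
Mar 10 12:00:01 dev dnsmasq[3726]: forwarded google.com to 8.8.8.8
Mar 10 12:00:03 dev dnsmasq[3726]: query[A] google.com from 10.42.0.107
Mar 10 12:00:03 dev dnsmasq[3726]: forwarded google.com to 8.8.4.4
Mar 10 12:00:05 dev dnsmasq[3726]: query[A] example.net from 127.0.0.1
Mar 10 12:00:05 dev dnsmasq[3726]: forwarded example.net to 8.8.8.8
Mar 10 12:00:05 dev dnsmasq[3726]: reply example.net is 192.0.2.10
EOF
}

# Read log lines on stdin. For each name with fewer "reply" lines than
# "forwarded" lines, print: name  forwards  replies  upstream servers tried.
unanswered_forwards() {
  awk '
    /dnsmasq\[[0-9]+\]: forwarded / {
      # "... forwarded NAME to SERVER"
      for (i = 1; i <= NF; i++) if ($i == "forwarded") { name = $(i + 1); srv = $(i + 3) }
      fwd[name]++
      if (!seen[name, srv]++) up[name] = up[name] (up[name] ? "," : "") srv
    }
    /dnsmasq\[[0-9]+\]: reply / {
      # "... reply NAME is ADDRESS"
      for (i = 1; i <= NF; i++) if ($i == "reply") name = $(i + 1)
      rep[name]++
    }
    END {
      for (n in fwd) if (rep[n] + 0 < fwd[n]) print n, fwd[n], rep[n] + 0, up[n]
    }'
}

# Demo on the constructed sample. For the real log:
#   journalctl --unit dnsmasq --no-pager | unanswered_forwards
sample_log | unanswered_forwards
```

If every forwarded name comes back with zero replies regardless of upstream server, the answers are not reaching dnsmasq at all rather than being refused for particular names. Because the server=...@wwan0 lines make dnsmasq send its upstream queries out of the cellular interface, the next check is `tcpdump -nn -i wwan0 udp port 53` on the device: seeing the queries leave but no answers return points at the cellular path or the source address they were sent from, while seeing answers arrive on wwan0 that dnsmasq still never logs points at something on the device (INPUT rules, rp_filter) discarding them.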