How to build a routed wifi network using Raspberry Pi

To build a routed wifi network using Raspberry Pi we will use hostapd and dnsmasq software. In this example, our home network is 17.0.9.0/24 and the new network we will use for wifi is 1.1.1.0/24. Please note that throughput on the Raspberry Pi wifi interface is limited and you should not expect speeds higher than 25-30Mbps.

Install the Raspberry Pi OS Lite 32-bit or 64-bit distro if you are using a Raspberry Pi 4. Once the OS is installed, log in and make sure you change the root password, delete the RPi default user and create another basic user:

# sudo -s
# passwd

Once the root password is changed, log off and log back in as root, then create another user (in this example the username is electra):

# adduser electra

Now delete the RPi default user:

# userdel -r pi

You can either add the user electra to the sudoers list, or use the su command to switch to root every time you want to execute an elevated command on your router.

Now, run the following commands to update and upgrade your installation:

# apt-get update
# apt-get full-upgrade

Once the upgrade/update is finished, install the following software:

# apt-get install -y vim aptitude locate netfilter-persistent hostapd dnsmasq

Once the software is installed, we need to enable the hostapd service at startup:

# systemctl unmask hostapd
# systemctl enable hostapd

Now, we will assign a static IP address to the wireless interface on the Raspberry Pi:

# vim /etc/dhcpcd.conf

At the end of the file add the following lines:

interface wlan0
  static ip_address=1.1.1.254/24
  nohook wpa_supplicant

The next step is to enable routing and IP masquerading. Create the routed-ap.conf file:

# vim /etc/sysctl.d/routed-ap.conf

And paste the following line in the file:

net.ipv4.ip_forward=1

This will enable clients from the new wifi network to reach the main network as well as the Internet. Your Internet gateway will see all traffic from the new network as traffic from the Raspberry Pi. In this case, the Raspberry Pi will substitute the client's IP address with its own IP address and send the traffic to the Internet gateway. Return traffic is accepted by the Raspberry Pi, which substitutes the IP address again and sends the traffic back to the original client.

Add the following firewall rule to enable the aforementioned functionality:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Save the new rule as persistent:

# netfilter-persistent save

The next step is to configure DHCP and DNS for the new network. Rename the existing dnsmasq.conf file and create a new one:

# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.1
# vim /etc/dnsmasq.conf

And paste the following configuration:

interface=wlan0  # Listening interface
dhcp-range=1.1.1.1,1.1.1.250,255.255.255.0,24h  # DHCP Pool
domain=sefnet.w  # Local wireless domain
address=/gw.sefnet.w/1.1.1.254  # Alias for this router

Save and exit the file.

Check if the wifi interface is operational:

# rfkill

If you can see wlan unblocked under both SOFT and HARD, go to the next step, otherwise, use the following command to unblock the wifi interface:

# rfkill unblock wlan

Configure the access point software by creating the configuration file hostapd.conf for hostapd:

# vim /etc/hostapd/hostapd.conf

And paste the following configuration:

country_code=DK
interface=wlan0
ssid=SEFNET-NET9
hw_mode=a
channel=48
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=1cbe991a14
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Please remember to adjust the following values: 

  1. country_code= (country code in ISO 3166-1 format, use this list to identify your country code if you do not know it)
  2. ssid= (this will be your wifi network name)
  3. hw_mode= (a=IEEE 802.11a – 5GHz, b=IEEE 802.11b – 2.4GHz and g=IEEE 802.11g – 2.4GHz)
  4. channel= (you need to adjust the channel number according to the wifi network standard. Use this list to find the channel you will use)
  5. wpa_passphrase= (in this example I have converted a decimal number 123456789012 to a hexadecimal value)

Save and exit the file.
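
Before rebooting, the security-related settings in hostapd.conf can be checked with a small script. This is an added example, not part of the original post; the function names, the 16-character policy minimum and the file-permission check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a hostapd.conf like the one above. Not the author's code.
MIN_PASS_LEN=16   # assumption: local policy; WPA2-PSK itself accepts 8..63 chars

# Print the value of KEY in hostapd-style FILE (last occurrence wins).
conf_get() { sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1; }

# Record one finding on stdout and count it.
note() { echo "$1"; findings=$((findings + 1)); }

# Print one finding per line; exit status is non-zero if there are any.
audit_hostapd_conf() {
    f=$1; findings=0
    [ "$(conf_get wpa "$f")" = 2 ] || note "wpa: WPA2-only (wpa=2) is not set"
    # hostapd uses rsn_pairwise for WPA2 and falls back to wpa_pairwise if unset.
    cipher=$(conf_get rsn_pairwise "$f")
    [ -n "$cipher" ] || cipher=$(conf_get wpa_pairwise "$f")
    case " $cipher " in
        *" TKIP "*) note "pairwise cipher: TKIP is offered to WPA2 clients" ;;
        *" CCMP "*) ;;
        *) note "pairwise cipher: CCMP is not configured" ;;
    esac
    pass=$(conf_get wpa_passphrase "$f")
    [ "${#pass}" -ge "$MIN_PASS_LEN" ] ||
        note "wpa_passphrase: ${#pass} characters, policy minimum is $MIN_PASS_LEN"
    case $pass in
        ''|*[!0-9a-fA-F]*) ;;
        *) note "wpa_passphrase: hex digits only, at most 4 bits per character" ;;
    esac
    # The passphrase is stored in clear text, so other local users should not read it.
    [ -z "$(find "$f" -prune -perm -004)" ] || note "file: readable by all local users"
    [ "$findings" -eq 0 ]
}

# Demo on the security-related lines of the configuration shown above.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
wpa=2
wpa_passphrase=1cbe991a14
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
chmod 644 "$demo_conf"   # mode a root-created file gets under the default umask 022
audit_hostapd_conf "$demo_conf" || echo "($findings findings)"
rm -f "$demo_conf"
```

On the router itself, run audit_hostapd_conf /etc/hostapd/hostapd.conf as root; a file-permission finding is cleared with chmod 600 on that file.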

Reboot Raspberry Pi, connect to the new wifi access point, confirm that you have an IP address and that you can access the necessary resources.
