[arch-general] hostapd + ap_isolate

Erich Eckner arch at eckner.net
Sun Oct 24 08:11:47 UTC 2021


On Sat, 23 Oct 2021, Uwe Sauter wrote:

>>> From my experience, tcpdump connects to the interface and you will see
>>> all traffic regardless of firewall settings, given you have the
>>> permissions.
>>> In your case I'd first verify that layer 2 is working correctly (layer
>>> 2 is ethernet or wifi). So I'd use the utilities provided by
>>> "wpa_supplicant" or "iw" to see if the "hardware connection" is
>>> working as expected.
>>> If your wifi card didn't connect on layer 2 it has no reasons to
>>> configure layer 3 (IP, IPv6) and above.
>> Well, layer 2 works, if it is needed for connections between the client
>> and the access point.
>> Layer 2 should already see mac addresses, right? Can you point me to a
>> command, which scans on layer 2 for all macs? I seem to only find how to
>> see the available access points (which works as expected) and using nmap
>> to ping around - which fails as expected :-/
>> Do you know any command to query the interface regarding routing
>> information (similar to what `ip route` does on layer 3 for the whole
>> machine)?
> On layer 2 there is no routing. That's the reason why you need to configure a 
> default route and possibly static routes.
> Unfortunately I'm not very experienced in debugging wifi but I'd probably 
> start to investigate using some sniffer, e.g. Kismet [1] (not a 
> recommendation, just the first reasonable search result).
> One hunch though: was there any update to hostapd that might have enabled 
> WPA3? This might be the totally wrong direction but I've read on multiple 
> occasions that old hardware (e.g. Android tablets from 2012) and WPA3-enabled 
> APs don't work well together.

There's nothing wpa3-specific in the hostapd.conf, but I faintly remember 
considering enabling wpa3, but probably never actually did - and 
definitely not in the time range when the inter-client communication 
broke. Just to be sure, I added "wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256" 
(i.e. no "SAE" there) to /etc/hostapd.conf without success.

What I now did to make things just work, is: removing routes for on wlan0 
of the clients and adding a route for only - so now packets use the 
default route "via" and traverse the access point at this address (which is 
also the router) and get routed on layer 3 there to the right target. 
(packets will be subject to firewall rules on the router, which is not a 

Does someone have any suggestions on how to publish this route via dhcp? 
Currently, it looks to me, like the " dev wlan0" route is 
automatically added due to the subnet mask of "" - and I 
probably cannot change the latter, as the dhcp server actually should 
serve this very subnet on wifi.

The dynamic part of the dhcpd.conf looks like:
---8<---8<---8<---8<---
subnet netmask {
   option broadcast-address;
   option routers;
   # RFC 3442 classless static routes (option 121): 192.168.0.0/24 and the
   # default route, both via 192.168.1.13
   option rfc3442 24, 192, 168, 0, 192, 168, 1, 13, 0, 192, 168, 1, 13;
}
--->8--->8--->8--->8---

and the pseudo-static part looks like:
---8<---8<---8<---8<---
host raspi0 {
   hardware ethernet de:ad:be:ef:42:42;
   option routers;
   # same RFC 3442 route list as in the subnet declaration
   option rfc3442 24, 192, 168, 0, 192, 168, 1, 13, 0, 192, 168, 1, 13;
}
--->8--->8--->8--->8---

> Regards,
> 	Uwe
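To make visible what the "option rfc3442 ..." line in the dhcpd.conf above actually pushes to clients, here is a small decoder/encoder for the RFC 3442 classless-static-route list (DHCP option 121). This is an added example, not code from the thread or from dhcpd; the octet string is copied from the mail, the function names are my own.

```python
"""Decode and encode the RFC 3442 classless-static-route list (DHCP option 121)
as it appears in an ISC dhcpd.conf "option rfc3442 ..." line.

Added example, not code from the thread. The value below is copied from the
dhcpd.conf snippet in the mail; the function names are assumptions of mine.
"""
import ipaddress

# Copied verbatim from the "option rfc3442 ..." line in the thread.
DHCPD_RFC3442_VALUE = "24, 192, 168, 0, 192, 168, 1, 13, 0, 192, 168, 1, 13"


def parse_dhcpd_value(text):
    """Turn the comma-separated dhcpd.conf list into a list of octets."""
    octets = [int(tok) for tok in text.split(",") if tok.strip()]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("option values must be unsigned 8-bit integers")
    return octets


def decode_classless_routes(octets):
    """Return [(IPv4Network, IPv4Address), ...] from RFC 3442 encoded octets.

    Each route is: one prefix-length octet, then only the significant octets
    of the destination (ceil(prefix/8) of them, trailing zeros omitted), then
    the four octets of the router address.
    """
    routes = []
    i = 0
    while i < len(octets):
        plen = octets[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        nsig = (plen + 7) // 8
        i += 1
        if i + nsig + 4 > len(octets):
            raise ValueError(f"truncated route at offset {i - 1}")
        dest = bytes(octets[i:i + nsig]) + bytes(4 - nsig)  # pad to 4 octets
        i += nsig
        router = bytes(octets[i:i + 4])
        i += 4
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(dest)}/{plen}")
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def encode_classless_routes(routes):
    """Inverse of decode: (network, router) pairs -> RFC 3442 octet list."""
    octets = []
    for net, router in routes:
        net = ipaddress.ip_network(net)
        router = ipaddress.IPv4Address(router)
        nsig = (net.prefixlen + 7) // 8
        octets.append(net.prefixlen)
        octets.extend(net.network_address.packed[:nsig])
        octets.extend(router.packed)
    return octets


def to_dhcpd_value(routes):
    """Render routes in the comma-separated form dhcpd.conf expects."""
    return ", ".join(str(o) for o in encode_classless_routes(routes))


def has_default_route(routes):
    """RFC 3442 clients that honour option 121 ignore option 3 (routers),
    so the list must carry its own 0.0.0.0/0 entry or clients lose their
    default route."""
    return any(net.prefixlen == 0 for net, _ in routes)


if __name__ == "__main__":
    decoded = decode_classless_routes(parse_dhcpd_value(DHCPD_RFC3442_VALUE))
    for net, via in decoded:
        print(f"{net} via {via}")
    print("default route present:", has_default_route(decoded))
```

Run as-is it prints the two routes the config publishes (192.168.0.0/24 and 0.0.0.0/0, both via 192.168.1.13). The check in has_default_route is the one thing to keep in mind when editing such a line: because option 121 supersedes option 3 on clients that implement it, dropping the trailing "0, 192, 168, 1, 13" entry would silently remove the default route from those clients. The on-link route for the served subnet itself is derived by the client from the lease's netmask, not from this option, which matches the observation in the mail.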
