Installing an AP on our new Server
We left it here last week. Now let’s create a Wifi Access Point on our new Ubuntu server. I had never done that (I was just certain it could be done), so I had to Google it a bit, and I landed on the pair:
hostapd & dnsmasq
Note to the reader, there seem to be other options… Now, at this point, it works. Well, more or less.
Just for the fun of explaining how painful things have been with setting this up (it took me a good 5h in total only to get to the current results on this one topic – maybe more -, and I still have issues!), this post is a bit long and not at all related to Data science or R, I’m afraid. Also, I’ll skip the details for a basic functional dnsmasq config, as it was a breeze compared to hostapd configuration.
First I faced the mess of Ubuntu (20.04) and the different network managers: NetPlan, NetworkManager & systemd-networkd…
You have to understand, I did work and play a lot with Linux… Back in 2000-2005. And I loved it. (So this post is really about the fun I’ve had with this particular setup). It’s just, I guess I’m a bit “rusty”. So all this “NetPlan” was bothering me at first. I remember the good ol’ days where one would edit /etc/network/interfaces and the likes directly, no yaml files or anything, and you had one way to manage your network interfaces…
So it seems NetPlan is mostly an abstraction layer, and NetworkManager & systemd-networkd are actually doing the low-level work.
After some reading, it seems NetworkManager is preferred with GUI. I don’t have that, so I’ll go on and disable that option. The relevant trick to solve issues with my different network managers I found here:
Source: https://wiki.archlinux.org/index.php/software_access_point
/etc/NetworkManager/NetworkManager.conf.d/unmanaged.conf
[keyfile]
unmanaged-devices=mac:hwaddr
Useful references to understand a bit better what’s happening:
Still on the network configuration front, I’ll disable IPv6.
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
To confirm:
ip address show
Good. Let’s see, at this point we’re here:
/etc/netplan/00-installer-config.yaml
network:
  ethernets:
    enp2s0:
      dhcp4: true
      addresses: []
    wlo2:
      dhcp4: false
      addresses:
      - 10.0.1.10/24
  version: 2
/etc/network/interfaces
auto lo
iface lo inet loopback
auto enp2s0
iface enp2s0 inet dhcp
auto wlo2
iface wlo2 inet static
address 10.0.1.10
netmask 255.255.255.0
gateway 10.0.1.10
dns-nameservers 8.8.8.8
wireless-mode Master
hostapd configurations (the last version, updated after quite a few tests…):
interface=wlo2
driver=nl80211
ieee80211d=1
#macaddr_acl=0
auth_algs=1
#ignore_broadcast_ssid=0
ssid=<EDITED>
wpa=2
wpa_passphrase=<EDITED>
wpa_key_mgmt=WPA-PSK
#wpa_pairwise=TKIP
rsn_pairwise=CCMP
# Client isolation can be used to prevent low-level bridging of frames between
# associated stations in the BSS. By default, this bridging is allowed.
ap_isolate=1
# Optionally, WPA PSKs can be read from a separate text file (containing list
# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
# Use absolute path name to make sure that the files can be read on SIGHUP
# configuration reloads.
#wpa_psk_file=/etc/hostapd.wpa_psk
# Speed related options
hw_mode=g
country_code=ES
ieee80211n=1
wme_enabled=1
channel=6
ht_capab=[LDPC][HT40+][SHORT-GI-20][SHORT-GI-40][RX-STBC1][DSSS_CCK-40][MAX-AMSDU-7935]
# Extended Key ID support for Individually Addressed frames
#
# Extended Key ID allows to rekey PTK keys without the impacts the "normal"
# PTK rekeying with only a single Key ID 0 has. It can only be used when the
# driver supports it and RSN/WPA2 is used with a CCMP/GCMP pairwise cipher.
# 0 = force off, i.e., use only Key ID 0 (default)
# 1 = enable and use Extended Key ID support when possible
# 2 = identical to 1 but start with Key ID 1 when possible
#extended_key_id=1
# If set non-zero, require stations to perform scans of overlapping
# channels to test for stations which would be affected by 40 MHz traffic.
# This parameter sets the interval in seconds between these scans. Setting this
# to non-zero allows 2.4 GHz band AP to move dynamically to a 40 MHz channel if
# no co-existence issues with neighboring devices are found.
obss_interval=0
dnsmasq configurations:
interface=wlo2
dhcp-range=10.0.1.1,10.0.1.9,255.255.255.0,12h
dhcp-host=<EDITED>,10.0.1.2
no-hosts
addn-hosts=/etc/hosts.dnsmasq
log-dhcp
log-queries
I added the log-dhcp and log-queries options to the dnsmasq config, so that I would see what the “users” (my devices) request. I can check that easily later on:
tail -f /var/log/syslog | grep dnsmasq
(That’s actually great: I’ll set up some script some day (in R of course) to look into these… But that’ll come later with a syslog-NG or something in Docker… Patience, I really don’t have time to go any faster ;)).
After only a few minutes of configuring this, well, I see there’ll be opportunity to get some value out of those logs…
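As an added example (not part of the original post), here is one way to turn those log-queries lines into a per-client summary of which names each device asks for. It assumes the traditional syslog line layout `... dnsmasq[PID]: query[TYPE] NAME from CLIENT`; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client DNS query summary from dnsmasq "log-queries" lines.

# Constructed sample of /var/log/syslog content (host, PIDs and names are made up).
sample_syslog() {
cat <<'EOF'
Nov 14 21:03:11 srv dnsmasq[812]: query[A] www.example.com from 10.0.1.2
Nov 14 21:03:11 srv dnsmasq[812]: forwarded www.example.com to 8.8.8.8
Nov 14 21:03:11 srv dnsmasq[812]: reply www.example.com is 192.0.2.10
Nov 14 21:03:15 srv dnsmasq[812]: query[AAAA] www.example.com from 10.0.1.2
Nov 14 21:03:20 srv dnsmasq[812]: query[A] updates.example.net from 10.0.1.3
Nov 14 21:03:21 srv dnsmasq-dhcp[812]: DHCPACK(wlo2) 10.0.1.3 02:00:00:00:00:03 phone
Nov 14 21:04:02 srv dnsmasq[812]: query[A] www.example.com from 10.0.1.3
Nov 14 21:04:05 srv sshd[990]: Accepted publickey for admin from 10.0.1.2 port 50000 ssh2
Nov 14 21:04:09 srv dnsmasq[812]: query[A] updates.example.net from 10.0.1.3
EOF
}

# Reads syslog lines on stdin and prints "CLIENT COUNT NAME", sorted by client
# and then by descending count. Only "query[...] NAME from CLIENT" lines logged
# by the dnsmasq DNS process are counted; DHCP, forwarded/reply and other
# daemons' lines are ignored.
dnsmasq_query_summary() {
    awk '
    {
        # Locate the dnsmasq tag instead of assuming a fixed timestamp width.
        for (i = 1; i <= NF - 4; i++)
            if ($i ~ /^dnsmasq\[[0-9]+\]:$/ && $(i+1) ~ /^query\[/ && $(i+3) == "from") {
                seen[$(i+4) " " $(i+2)]++
                break
            }
    }
    END {
        for (k in seen) { split(k, p, " "); print p[1], seen[k], p[2] }
    }' | LC_ALL=C sort -k1,1 -k2,2nr -k3,3
}

# Demo on the constructed sample; on the server: dnsmasq_query_summary < /var/log/syslog
sample_syslog | dnsmasq_query_summary
```

A and AAAA lookups for the same name are counted together, so the count reflects how often a device asked for a name, not how many record types it requested.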
Side note: Also, when writing the first draft of this post, I reviewed the iptables rules, and I can now tell, my girlfriend’s work laptop is looking for NetBios out there… But it doesn’t reach my own machines any more. So I have a (good enough) segmentation right now at home 🙂
Along the way, with some tweaking and playing, I had managed to have a “functional” AP, with its DHCP & DNS. But functional doesn’t mean great.
A few days passed
OK. I had been running everything personal over this new wifi for a week, and something was off… While discussing it with an ex-colleague… He suggested I try speedtest-cli (note to self: nice!)
Easy enough… Just apt-get install it. (Yes, I know, aptitude, and/or apt… Again, I’m a bit old school. But I get the work done! And this is my weekends and my (very few) hours of spare time we’re talking about… So a bit of empathy & patience, please :)).
So remember, the setup: My laptop (or some of my personal devices) is connected to the server over Wifi. The server then NATs incoming traffic on its wifi interface. The server is then connected to the Home router using a traditional cable. And the router to the ISP/Internet.
Well, from my laptop, a web-based Internet speed test gave me a whopping… 3.12 Mbps! (while connected to the new wifi). Absurdly slow. (It was, that was last Monday.) No wonder video-calls don’t work too well…
While from the server itself, I get upwards of 600 Mbps… (The Ethernet card is the one connecting to the Router and from there to the Internet)
Not good indeed… I definitely thought Netflix was sluggish this past week! (it did work though, kudos to them :))
But what is wrong? Clearly, something between the AP/WIFI-card/and the Ethernet is slowing things down. It doesn’t seem to be the server itself. Nor is it the router.
I knew from the first tests with hostapd that the wifi card seems to only accept 2.4GHz, which is not great, but… Not THAT bad… I’ll need to look further into this.
Situation point before we go on
At that point in time, I had a new wifi, but the AP didn’t come up upon reboot on its own, and the Wifi speed was depressing… While the server was not at all complaining about any load (CPU, RAM & I/O not at all a concern).
Something was wrong, I just didn’t know what just yet.
“Follow the white rabbit”
Well, I just can’t accept it as is… Let’s try to dive further into the issue.
First: documentation. (RTFM, right?)
After browsing any number of web pages (curiously enough, most related to Raspberry Pi enthusiasts) looking for explanations about hostapd more “advanced” configurations, in the end I became convinced that I needed to help “hostapd” understand the actual capabilities of my Wifi network card, as seen in “iw list” outputs. And I could do so with the ht_capab options (or so the experts out there were saying). That in turn led me to the following resource:
https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
Well, I should have read that first, really, that’d have saved me quite some time…
So once again, the machine itself: What network properties does the WIFI card support anyway?
The Key, in conjunction with the document referenced above, is to use the command to check capabilities:
iw list
Also (as it turns out) relevant: what’s all the fuss with country compatibility?
Well, if one tries to use a channel associated to “NO IR” in the corresponding country, things “won’t fly”. Something to do with radio frequencies not to be used “lightly”. We tend to forget: Airwaves are bought, licensed, reserved… I’ll admit, I didn’t think it through when I bought the miniPC, even knowing I’d want to set up an AP: I should have looked further into these things. Too little, too late, now.
Anyhow, when you try to use a reserved bandwidth, be it by your country regulations or by the wifi network card built-in limitations, you get this in the output (/var/log/hostapd.log), or something along those lines (it took me quite a few tests – and quite a bit of reading – before I understood the main issues in the logs, but eventually you learn enough to understand these logs…):
Channel 44 (primary) not allowed for AP mode, flags: 0x16073 NO-IR
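As an added example (not from the original post), the channel and HT40 choice from hostapd.conf can be checked against the flags in `iw list` before hostapd is started, which predicts the "not allowed for AP mode" error above. It assumes the usual `* 2437 MHz [6] (20.0 dBm) (no IR)` line layout; the function names and the sample `iw list` excerpt are constructed.

```shell
#!/bin/sh
# Added example: pre-check a hostapd channel against `iw list` channel flags.

# Constructed excerpt of the "Frequencies:" section of `iw list` (values made up).
sample_iw_list() {
cat <<'EOF'
        Frequencies:
            * 2412 MHz [1] (20.0 dBm)
            * 2437 MHz [6] (20.0 dBm)
            * 2457 MHz [10] (20.0 dBm)
            * 2472 MHz [13] (20.0 dBm) (no IR)
            * 2484 MHz [14] (disabled)
            * 5180 MHz [36] (20.0 dBm) (no IR)
            * 5220 MHz [44] (20.0 dBm) (no IR)
            * 5240 MHz [48] (20.0 dBm) (no IR)
            * 5260 MHz [52] (20.0 dBm) (no IR, radar detection)
EOF
}

# Prints "CHANNEL STATUS" for each frequency line on stdin.
# STATUS is ok, disabled, no-IR (AP may not start transmitting there) or radar.
channel_table() {
    awk '$3 == "MHz" && $4 ~ /^\[[0-9]+\]$/ {
        chan = $4; gsub(/\[|\]/, "", chan)
        status = "ok"
        if ($0 ~ /\(disabled\)/) status = "disabled"
        else if ($0 ~ /no IR/)   status = "no-IR"
        else if ($0 ~ /radar/)   status = "radar"
        print chan, status
    }'
}

# check_ap_channel CHANNEL HT40   (HT40 is "+", "-" or "" for 20 MHz only)
# With HT40+ / HT40- the secondary channel is 4 channel numbers above / below
# the primary, and it has to be usable too. Returns 0 only if both are "ok".
check_ap_channel() {
    channel_table | awk -v pri="$1" -v ht="$2" '
        { st[$1] = $2 }
        END {
            sec = (ht == "+") ? pri + 4 : ((ht == "-") ? pri - 4 : 0)
            p = (pri in st) ? st[pri] : "unsupported"
            s = (sec == 0) ? "n/a" : ((sec in st) ? st[sec] : "unsupported")
            print "primary=" pri ":" p, "secondary=" (sec ? sec : "-") ":" s
            exit !(p == "ok" && (s == "ok" || s == "n/a"))
        }'
}

# Demo on the constructed sample; on the server: iw list | check_ap_channel 6 +
sample_iw_list | check_ap_channel 6 +
sample_iw_list | check_ap_channel 44 + || true
```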
Long story short
To summarize, Monday night, by editing the following settings to the indicated values, I got up to 21.55Mbps download speed and 19.55Mbps upload. Nowhere near where I’d like to be. But much better than 3Mbps:
# Speed related options
hw_mode=g
country_code=ES
ieee80211n=1
channel=6
ht_capab=[LDPC][HT40+][SHORT-GI-20][SHORT-GI-40][RX-STBC1][DSSS_CCK-40][MAX-AMSDU-7935]
I’ll have to keep working on this at some (later) point. But as it is, albeit clearly imperfect (even, pretty bad, actually), I have a working Wifi setup and all my traffic goes through my server, which, after all, was the goal.
Appendix
As for why I can’t seem to use 5GHz/“ac” mode, well… On my Network Card, the following channels are identified (but most cannot be used), and it seems to clash with my country settings (ES, for Spain). Whatever the reason, I haven’t yet found a channel that Hostapd wouldn’t complain about, and so at least for the time being, it seems I am stuck with the slower 2.4GHz interface mode (which still doesn’t explain the actual speeds I have seen).
For the time being, however, I have obtained enough improvements, it shall suffice for my goals (and hopefully also to join videoconferencing meetings).
Resources (SO many out there, so just a few here):
https://thehackingfactory.com/crear-un-punto-de-acceso-con-hostapd-y-dnsmasq