Creating a 3G hotspot with the Raspberry Pi


The Raspberry Pi is intended to serve as both a router and a firewall, which means it should send data packets to the Internet and protect the internal network from outside attacks at the same time. Setting up these capabilities requires a bit of work. First, you need to add the line net.ipv4.ip_forward=1 to the /etc/sysctl.conf configuration file. After a restart, this option becomes active and forwards network packets at the kernel level.

In the firewall commands in Listing 5, the last line saves the configuration in /etc/iptables.3ghotspot. The system then automatically loads the configuration when installing the Internet interface in Listing 3 (line 8). You can check for open ports [5] to make sure the system presents the smallest possible attack surface to the outside. Further information on this topic is available in the Debian firewall wiki [6] and from other sources, as well.

Listing 5

Firewall Commands

$ sudo iptables -A FORWARD -i ppp0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i br0 -o ppp0 -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$ sudo sh -c 'iptables-save > /etc/iptables.3ghotspot'
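
One way to review the saved ruleset for what stays reachable from the mobile interface, as an added example that is not part of the original article: it parses iptables-save output and reports chains that have neither a DROP policy nor a catch-all drop rule. The sample dump is constructed on the assumption that only the Listing 5 commands were run against empty tables, and audit_ruleset is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for what the WAN side can reach.
# Interface names follow Listing 5.

# Constructed sample: the dump expected when only the Listing 5 rules are
# loaded into otherwise empty tables, so every built-in policy is ACCEPT.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ppp0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o ppp0 -j ACCEPT
COMMIT'

# audit_ruleset WAN_IF: reads a dump on stdin, prints one finding per line.
audit_ruleset() {
    awk -v wan="${1:-ppp0}" '
        /^\*/ { table = substr($1, 2); next }
        # Remember the built-in chain policies of the filter table.
        table == "filter" && /^:(INPUT|FORWARD) / { policy[substr($1, 2)] = $2 }
        # A catch-all drop or reject rule (optionally WAN-only) also closes a chain.
        table == "filter" && $0 ~ ("^-A (INPUT|FORWARD)( -i " wan ")? -j (DROP|REJECT)") {
            closed[$2] = 1
        }
        table == "nat" && $0 ~ ("^-A POSTROUTING -o " wan " -j MASQUERADE") { masq = 1 }
        END {
            if (policy["FORWARD"] != "DROP" && !closed["FORWARD"])
                print "FORWARD: no default drop, new connections arriving on " wan " are forwarded"
            if (policy["INPUT"] != "DROP" && !closed["INPUT"])
                print "INPUT: no default drop, " wan " can reach services on the router itself"
            if (!masq)
                print "NAT: no MASQUERADE rule for " wan
        }'
}

printf '%s\n' "$SAMPLE_DUMP" | audit_ruleset ppp0
```

On the router, the same function can read the live rules with sudo iptables-save piped into audit_ruleset ppp0. With the constructed dump it reports the FORWARD and INPUT chains, because the RELATED,ESTABLISHED rule only restricts inbound traffic once everything else is dropped.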

The Internals

After you have established a connection to the outside, it is time to take a look at the internal network. The Rasp Pi used as an access point and router generates its own network. As explained earlier, you join WiFi and Ethernet together to form a bridge (Listing 3, lines 10-17). You should also provide the IP address of the router and the private network (e.g., in this example). The bridge-utils package in Listing 1 is there only for purposes of documentation. Unlike Bananian for the Banana Pi [7], which some users prefer for its better performance, this package is already installed on Raspbian.

To generate a WiFi access point, the system needs access point software from the hostapd package. Unfortunately, a glitch in the hardware turns up here, in that not all WiFi chips support access point (AP) mode. Therefore, before you get a USB WiFi dongle, you should do some research to find out whether the one you want supports this mode. Moreover, some chip sets won't function with the standard Hostapd from Raspbian, even if a set does offer AP mode. In case of doubt, you can run some simple tests with:

sudo iw list

If an error message like nl80211 not found appears, then the current version of Hostapd does not support the chip you have chosen. The "WiFi AP Mode with the Realtek RTL8192 Chip" box describes how to get the WiFi chips running.

WiFi AP Mode with the Realtek RTL8192 Chip

The Realtek RTL8192 and earlier chips are found in many moderately priced WiFi sticks, such as the Edimax EW-7811Un, which is very popular among Rasp Pi users. The Realtek chip is small in size, low priced, and offers good reception. It can handle access point mode, but it does not work with the current version of Hostapd delivered with Raspbian.

Because Realtek makes the source code available for drivers and Hostapd [8], the workaround for this problem is easy. The forum run by LeMaker [9], the organization that manufactures the Banana Pi, contains an entry describing all of the steps for building an executable version of the hostapd and hostapd_cli programs. For the Hostapd daemon to find the alternative binary when it boots, you need to modify the path to the file in the /etc/init.d/hostapd boot file. Additionally, you should reference the manually installed rtl871xdrv driver in the configuration file instead of the generic driver, nl80211, as shown in Listing 6 (line 6).

Listing 6

Hostapd Boot File

01 ssid=rpi-hotspot
03 ctrl_interface=/var/run/hostapd
04 interface=wlan0
05 bridge=br0
06 driver=nl80211
07 channel=11
09 beacon_int=100
10 hw_mode=g
11 ieee80211n=0
12 wmm_enabled=1
13 ht_capab=[SHORT-GI-20][SHORT-GI-40][HT40-]
15 wpa=2
16 wpa_passphrase=secret passphrase
17 wpa_key_mgmt=WPA-PSK
18 wpa_pairwise=TKIP
19 rsn_pairwise=CCMP TKIP
20 max_num_sta=8
21 wpa_group_rekey=86400
23 ignore_broadcast_ssid=0

All configuration for Hostapd is in a single file, and you can select the path and the name for this file as you wish (e.g., /etc/hostapd.conf). So that the service can find the configuration file, you should enter it into /etc/default/hostapd with DAEMON_CONF as the variable. It is a good idea to select the channel in line 7 according to local circumstances. A WiFi scanner app like Jaws [10] will do a fine job.

The option exists in line 11 to turn on 802.11n mode by changing the line to ieee80211n=1. With suitable devices, this will raise the transfer rate levels, which, however, could lead to an unstable connection. Line 16 contains the WiFi password for establishing the connection.

A few problem areas with respect to encryption methods show up in lines 18 and 19, especially for simpler devices like WiFi printers. If you do encounter difficulties, you should be able to figure out how to resolve them by looking over the documentation or doing some simple research online.
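
A check for the cipher and passphrase settings discussed above, as an added example that is not part of the original article: hostapd uses rsn_pairwise for WPA2 clients and falls back to wpa_pairwise when it is unset, so with wpa=2 the value in line 19 decides whether TKIP can still be negotiated. The sample is constructed from Listing 6 without the listing's line numbers, and audit_hostapd is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: check hostapd settings for the WPA cipher and passphrase
# options that Listing 6 sets in lines 15 to 19.

# Constructed sample: the security-relevant lines of Listing 6, written as
# they appear in the real file (no listing line numbers).
SAMPLE_CONF='interface=wlan0
driver=nl80211
wpa=2
wpa_passphrase=secret passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP TKIP'

# audit_hostapd: reads hostapd.conf text on stdin, prints one finding per line.
audit_hostapd() {
    awk '
        /^(#|$)/ { next }                      # skip comments and blank lines
        {
            eq = index($0, "=")                # values may contain spaces or "="
            if (eq) conf[substr($0, 1, eq - 1)] = substr($0, eq + 1)
        }
        END {
            wpa = conf["wpa"] + 0
            if (wpa == 0) { print "OPEN: wpa is unset or 0, the network is unencrypted"; exit }
            if (wpa == 1 || wpa == 3) print "WPA1: wpa=" wpa " still offers the original WPA"
            # WPA2 uses rsn_pairwise, falling back to wpa_pairwise, whose
            # documented default in hostapd.conf is TKIP.
            rsn = ("rsn_pairwise" in conf) ? conf["rsn_pairwise"] : conf["wpa_pairwise"]
            if (rsn == "") rsn = "TKIP"
            if (wpa >= 2 && rsn ~ /(^| )TKIP( |$)/)
                print "TKIP: WPA2 clients may negotiate TKIP (rsn pairwise: " rsn ")"
            if ("wpa_passphrase" in conf) {
                n = length(conf["wpa_passphrase"])
                if (n < 8 || n > 63) print "PSK: passphrase must be 8 to 63 characters, found " n
            }
        }'
}

printf '%s\n' "$SAMPLE_CONF" | audit_hostapd
```

Setting rsn_pairwise=CCMP clears the TKIP finding; devices that then fail to associate are the ones that depended on TKIP.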

You will be able to see whether everything works after restarting Hostapd with the

sudo service hostapd restart

command and taking a look at the list of active WiFi networks in the area. One way of checking on your progress is to use your smartphone. However, you need DHCP and DNS servers before a connection is established, both of which are provided by the network infrastructure service Dnsmasq, which you installed at the beginning.
