Wi-Fi Access Point Setup for OpenThread Border Router

A Wi-Fi access point (AP) connects a Thread network to the internet.

A Raspberry Pi 3B (RPi3B) functioning as an OpenThread Border Router (OTBR) may also serve as a Soft Access Point (SoftAP). This SoftAP acts as a DHCP server to assign IPv4 addresses to the RPi3B and any devices used as External Commissioners.

The BeagleBone Black does not have built-in Wi-Fi support, and cannot be used as a Wi-Fi Access Point.

All configuration and terminal commands occur on a RPi3B running OTBR. See Build and Configuration for more information.

The RPi3B must be connected to the internet via Ethernet (eth0 interface, as displayed in the output of the ifconfig command) to successfully serve as a SoftAP.

Install packages

Three packages are required:

  • hostapd — Allows use of a device's built-in Wi-Fi radio as an AP
  • dnsmasq — A combined DHCP and DNS server
  • tayga — Stateless NAT64

sudo apt-get install hostapd dnsmasq tayga

Configure static IPv4 addresses

In newer Raspbian versions, interface configuration is handled by dhcpcd by default. Disable dhcpcd for the interface and manually configure static IPv4 addresses for the SoftAP.

  1. Update dhcpcd to ignore the wlan0 (Wi-Fi) interface:
    1. Open the dhcpcd configuration file:
      sudo vim /etc/dhcpcd.conf
    2. Add the following line to the end of the file:
      denyinterfaces wlan0
  2. Configure static IPv4 addresses on the wlan0 interface:
    1. Create a configuration file for the wlan0 interface:
      sudo vim /etc/network/interfaces.d/wlan0
    2. Add the following configuration parameters to the wlan0 file:
      allow-hotplug wlan0
      iface wlan0 inet static
          address 192.168.1.2
          netmask 255.255.255.0
          network 192.168.1.0
          broadcast 192.168.1.255

Configure hostapd

  1. Create a new hostapd configuration file:
    sudo vim /etc/hostapd/hostapd.conf
  2. Add the following configuration parameters to hostapd.conf:

    # The Wi-Fi interface configured for static IPv4 addresses
    interface=wlan0
    
    # Use the 802.11 Netlink interface driver
    driver=nl80211
    
    # The user-defined name of the network
    ssid=Pi3-AP
    
    # Use the 2.4GHz band
    hw_mode=g
    
    # Use channel 6
    channel=6
    
    # Enable 802.11n
    ieee80211n=1
    
    # Enable WMM
    wmm_enabled=1
    
    # HT capabilities: 40 MHz channels, short guard interval for 20 MHz, DSSS/CCK in 40 MHz
    ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
    
    # Accept all MAC addresses
    macaddr_acl=0
    
    # Use Open System authentication (bit 0), as WPA/WPA2 requires
    auth_algs=1
    
    # Broadcast the SSID in beacons (a non-zero value would hide it)
    ignore_broadcast_ssid=0
    
    # Use WPA2
    wpa=2
    
    # Use a pre-shared key
    wpa_key_mgmt=WPA-PSK
    
    # The network passphrase (sample value; replace it with your own, 8 to 63 characters)
    wpa_passphrase=raspberry
    
    # Use AES, instead of TKIP
    rsn_pairwise=CCMP
    
  3. Set this new configuration file as the default for the hostapd daemon:

    1. Open the default configuration file:
      sudo vim /etc/default/hostapd
    2. Enable the DAEMON_CONF parameter and point it to the new hostapd configuration file:
      DAEMON_CONF="/etc/hostapd/hostapd.conf"
  4. Bootstrap the hostapd daemon automatically upon reboot:

    1. Create a service configuration file for hostapd:
      sudo vim /etc/systemd/system/hostapd.service
    2. Add the following configuration parameters to hostapd.service:

      [Unit]
      Description=Hostapd IEEE 802.11 Access Point
      After=sys-subsystem-net-devices-wlan0.device
      BindsTo=sys-subsystem-net-devices-wlan0.device
      
      [Service]
      Type=forking
      PIDFile=/var/run/hostapd.pid
      ExecStart=/usr/sbin/hostapd -B /etc/hostapd/hostapd.conf -P /var/run/hostapd.pid
      
      [Install]
      WantedBy=multi-user.target
      
    3. Open the /etc/rc.local file:

      sudo vim /etc/rc.local

    4. Add the following at the end of the file, before the exit 0 line:

      sudo service hostapd start
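
The WPA settings in hostapd.conf can be checked before the AP goes live. The script below is an added example, not part of the OpenThread documentation; the helper names conf_get and audit_hostapd_conf, the 12-character minimum, and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the OTBR docs): flag weak settings in a hostapd.conf.
# conf_get and audit_hostapd_conf are hypothetical helper names.

# Print the value of key $1 in file $2 (the last occurrence is used).
conf_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# Print one finding per line. Returns 0 when there are none, 1 otherwise.
audit_hostapd_conf() {
    conf=$1
    rc=0
    wpa=$(conf_get wpa "$conf")
    psk=$(conf_get wpa_passphrase "$conf")
    ciphers="$(conf_get wpa_pairwise "$conf") $(conf_get rsn_pairwise "$conf")"

    if [ "$wpa" != "2" ]; then
        echo "wpa=${wpa:-unset}: use wpa=2 so only WPA2 (RSN) is offered"; rc=1
    fi
    case "$ciphers" in
        *TKIP*) echo "TKIP enabled: restrict pairwise ciphers to CCMP"; rc=1 ;;
    esac
    # Example policy (assumption): 12 characters or more; WPA2 allows 8 to 63.
    if [ "${#psk}" -lt 12 ]; then
        echo "wpa_passphrase is ${#psk} characters: use 12 or more"; rc=1
    fi
    # "raspberry" is the sample value in the configuration above.
    if [ "$psk" = "raspberry" ]; then
        echo "wpa_passphrase is the documentation sample value"; rc=1
    fi
    # The passphrase is stored in clear text, so other users must not read it.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "$conf is world-readable: chmod 600 it"; rc=1
    fi
    return $rc
}

# Constructed sample: the WPA lines from the configuration above.
sample=$(mktemp)
printf '%s\n' 'ssid=Pi3-AP' 'wpa=2' 'wpa_key_mgmt=WPA-PSK' \
    'wpa_passphrase=raspberry' 'rsn_pairwise=CCMP' > "$sample"
chmod 644 "$sample"
audit_hostapd_conf "$sample" || echo "audit failed for sample config"
rm -f "$sample"
```

On the RPi3B, run it as `audit_hostapd_conf /etc/hostapd/hostapd.conf` after editing the file.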

Verify the access point

Once hostapd is configured, the SoftAP should be live (though without internet connectivity).

To verify, reboot the RPi3B:

sudo reboot

After reboot, check for wireless networks on another device. You should see the Pi3-AP SSID.

Configure dnsmasq

  1. For ease of configuration, if a default dnsmasq configuration file already exists on your system, move it and create a new one:
    sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
    sudo vim /etc/dnsmasq.conf
  2. Add the following configuration parameters to dnsmasq.conf:

    # The Wi-Fi interface configured for static IPv4 addresses
    interface=wlan0
    
    # Explicitly specify the address to listen on
    listen-address=192.168.1.2
    
    # Bind to the interface to make sure we aren't sending things elsewhere
    bind-interfaces
    
    # Forward DNS requests to the Google DNS
    server=8.8.8.8
    
    # Don't forward short names
    domain-needed
    
    # Never forward addresses in non-routed address spaces
    bogus-priv
    
    # Assign IP addresses between 192.168.1.50 and 192.168.1.150 with a 12 hour lease time
    dhcp-range=192.168.1.50,192.168.1.150,12h
    
  3. The bind9 service might conflict with dnsmasq during start up. To ensure there is no conflict, update the bind9 service to not start until dnsmasq has started. Open the /lib/systemd/system/bind9.service file:

    sudo vim /lib/systemd/system/bind9.service

  4. Modify the After parameter so bind9 starts after dnsmasq:

    After=network.target dnsmasq.service

Configure NAT

Network Address Translation (NAT) is a method of translating IP addresses while packets are in transit. NAT64 translates addresses between IPv6 and IPv4.

OTBR uses tayga for stateless NAT64, iptables for stateful NAT44, and combines the two to provide stateful NAT64. This allows Thread devices to communicate with IPv4 hosts. See the Tayga documentation for more information.

Configure tayga

  1. Create the configuration:
    1. Open the /etc/tayga.conf file:
      sudo vim /etc/tayga.conf
    2. Update the file with the following configuration:
      prefix 64:ff9b::/96
      dynamic-pool 192.168.255.0/24
      ipv6-addr 2001:db8:1::1
      ipv4-addr 192.168.255.1
      
  2. Enable tayga:
    1. Open the /etc/default/tayga file:
      sudo vim /etc/default/tayga
    2. Change the RUN parameter to yes:
      RUN="yes"

In this configuration, ipv6-addr is optional. If ipv6-addr is not defined, tayga generates it for you from the prefix parameter.

Configuration parameters

Parameter | Description
prefix | Since Tayga provides stateless NAT64, a /96 or greater prefix is required to map all of IPv4 to IPv6. This parameter should be an unused /96 prefix from your IPv6 address range. For OTBR, use the Well-Known Prefix (64:ff9b::/96) to enable automatic address translation.
dynamic-pool | Required for Tayga to map IPv6 to IPv4. Set to an IPv4 network.
ipv6-addr | Required for Tayga to act as an IPv6 router. When using the Well-Known Prefix for the prefix parameter, this address should be one that is not included in prefix.
ipv4-addr | Required for Tayga to act as an IPv4 router. This address should be one that is included in dynamic-pool.
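
With a /96 prefix, an IPv4 address is embedded in the low 32 bits of the translated IPv6 address (RFC 6052), and the table above requires ipv4-addr to lie inside dynamic-pool. The script below is an added example, not from the OpenThread or Tayga documentation; it shows both, and its helper names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the OTBR or Tayga docs). Helper names are hypothetical.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Map IPv4 address $2 into /96 NAT64 prefix $1 (given without the length,
# ending in "::"). The IPv4 address becomes the low 32 bits.
nat64_map() {
    n=$(ip4_to_int "$2")
    printf '%s%x:%x\n' "$1" $(( n >> 16 )) $(( n & 65535 ))
}

# Succeed if IPv4 address $1 lies inside CIDR network $2.
in_cidr() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Check a tayga.conf: /96 prefix, and ipv4-addr inside dynamic-pool.
check_tayga_conf() {
    conf=$1; rc=0
    prefix=$(awk '$1 == "prefix" { print $2 }' "$conf")
    pool=$(awk '$1 == "dynamic-pool" { print $2 }' "$conf")
    v4=$(awk '$1 == "ipv4-addr" { print $2 }' "$conf")
    case "$prefix" in
        *::/96) ;;
        *) echo "prefix $prefix: this example only handles a /96 prefix"; rc=1 ;;
    esac
    in_cidr "$v4" "$pool" || { echo "ipv4-addr $v4 is outside dynamic-pool $pool"; rc=1; }
    return $rc
}

# Constructed sample: the tayga.conf values from this page.
sample=$(mktemp)
printf '%s\n' 'prefix 64:ff9b::/96' 'dynamic-pool 192.168.255.0/24' \
    'ipv6-addr 2001:db8:1::1' 'ipv4-addr 192.168.255.1' > "$sample"
check_tayga_conf "$sample" && echo "tayga.conf address checks passed"
# The address a Thread device would use to reach the IPv4 host 8.8.8.8.
nat64_map 64:ff9b:: 8.8.8.8
rm -f "$sample"
```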

Enable forwarding

  1. Enable IPv4 and IPv6 forwarding:
    sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
    sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding"
  2. To ensure IPv4 forwarding remains enabled after reboot, also update the sysctl configuration file:
    1. Open the /etc/sysctl.conf file:
      sudo vim /etc/sysctl.conf
    2. Uncomment the IPv4 forwarding parameter and ensure it's set to 1:
      net.ipv4.ip_forward=1
  3. Configure NAT with iptables:
    1. Enable NAT44:
      sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    2. Configure NAT between the wlan0 (Wi-Fi) and eth0 (Ethernet) interfaces:
      sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
      sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
  4. Apply these NAT rules automatically upon reboot:
    1. Save the rules to the /etc/iptables.ipv4.nat file:
      sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
    2. Open the /etc/rc.local file:
      sudo vim /etc/rc.local
    3. Add the following at the end of the file, before the exit 0 line:
      iptables-restore < /etc/iptables.ipv4.nat

Verify the configuration

  1. Reboot the Raspberry Pi 3B:
    sudo reboot
  2. After reboot, connect a different device (not the RPi3B) to the Pi3-AP Wi-Fi access point.
  3. Open a browser window on that device and navigate to 192.168.1.2 (the IPv4 address configured for the wlan0 interface). If the AP configuration is successful, the OTBR Web GUI loads.

The Pi3-AP Wi-Fi access point should also provide regular internet connectivity. Verify by visiting or pinging any public website from a device connected to the Pi3-AP Wi-Fi access point.

Troubleshooting

If the Pi3-AP Wi-Fi access point is not available, check the system status of the RPi3B:

sudo systemctl status

If the status shows the RPi3B in a degraded state, check which services have failed to start:

sudo systemctl --failed

If any of the required OTBR services have failed to start:

  1. Go back through the configuration steps in Build and Configuration and Wi-Fi Access Point Setup and check for errors.
  2. Reboot the RPi3B or use the server script to stop and restart required OTBR services:
    cd borderrouter
    ./script/server