Wi-Fi Access Point Setup for OpenThread Border Router

A Wi-Fi access point (AP) connects a Thread network to the internet.

A Raspberry Pi 3B (RPi3B) functioning as an OpenThread Border Router (OTBR) may also serve as a Soft Access Point (SoftAP). This SoftAP acts as a DHCP server to assign IPv4 addresses to the RPi3B and any devices used as External Commissioners.

The BeagleBone Black does not have built-in Wi-Fi support, and cannot be used as a Wi-Fi Access Point.

All configuration and terminal commands occur on a RPi3B running OTBR. See Build and Configuration for more information.

The RPi3B must be connected to the internet via Ethernet (eth0 interface, as displayed in the output of the ifconfig command) to successfully serve as a SoftAP.

If you ran the OTBR setup script without disabling NETWORK_MANAGER, as described in Build and Configuration, the Wi-Fi AP has already been configured. Skip down to Using Network Manager for more information.

Install packages

Three packages are required:

hostapd — Allows use of a device's built-in Wi-Fi radio as an AP
dnsmasq — A combined DHCP and DNS server
tayga — Stateless NAT64

sudo apt-get install hostapd dnsmasq tayga

Configure static IPv4 addresses

In newer Raspbian versions, interface configuration is handled by dhcpcd by default. Disable dhcpcd for the interface and manually configure static IPv4 addresses for the SoftAP.

Update dhcpcd to ignore the wlan0 (Wi-Fi) interface:
1. Open the dhcpcd configuration file:
```
sudo vim /etc/dhcpcd.conf
```
2. Add the following line to the end of the file:
```
denyinterfaces wlan0
```

Configure static IPv4 addresses on the wlan0 interface:

Create a configuration file for the wlan0 interface:
```
sudo vim /etc/network/interfaces.d/wlan0
```

Add the following configuration parameters to the wlan0 file:

allow-hotplug wlan0
iface wlan0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

Configure hostapd

Create a new hostapd configuration file:
```
sudo vim /etc/hostapd/hostapd.conf
```

Add the following configuration parameters to hostapd.conf:

# The Wi-Fi interface configured for static IPv4 addresses
interface=wlan0

# Use the 802.11 Netlink interface driver
driver=nl80211

# The user-defined name of the network
ssid=BorderRouter-AP

# Use the 2.4GHz band
hw_mode=g

# Use channel 6
channel=6

# Enable 802.11n
ieee80211n=1

# Enable WMM
wmm_enabled=1

# Enable 40MHz channels with 20ns guard interval
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]

# Accept all MAC addresses
macaddr_acl=0

# Use WPA authentication
auth_algs=1

# Require clients to know the network name
ignore_broadcast_ssid=0

# Use WPA2
wpa=2

# Use a pre-shared key
wpa_key_mgmt=WPA-PSK

# The network passphrase
wpa_passphrase=12345678

# Use AES, instead of TKIP
rsn_pairwise=CCMP

Set this new configuration file as the default daemon:
1. Open the default configuration file:
```
sudo vim /etc/default/hostapd
```
2. Enable the DAEMON_CONF parameter and point it to the new hostapd configuration file:
```
DAEMON_CONF="/etc/hostapd/hostapd.conf"
```

Bootstrap the hostapd daemon automatically upon reboot:

Unmask and manually start hostapd in case it is masked:

sudo systemctl unmask hostapd
sudo systemctl start hostapd

Create a service configuration file for hostapd:
```
sudo vim /etc/systemd/system/hostapd.service
```

Add the following configuration parameters to hostapd.service:

[Unit]
Description=Hostapd IEEE 802.11 Access Point
After=sys-subsystem-net-devices-wlan0.device
BindsTo=sys-subsystem-net-devices-wlan0.device

[Service]
Type=forking
PIDFile=/var/run/hostapd.pid
ExecStart=/usr/sbin/hostapd -B /etc/hostapd/hostapd.conf -P /var/run/hostapd.pid

[Install]
WantedBy=multi-user.target

Open the /etc/rc.local file:
```
sudo vim /etc/rc.local
```
Add the following at the end of the file, before the exit 0 line:
```
sudo service hostapd start
```

Verify the access point

Once hostapd is configured, the SoftAP should be live (though without internet connectivity).

To verify, reboot the RPi3B:

sudo reboot

After reboot, check for wireless networks on another device. You should see the BorderRouter-AP SSID.

Configure dnsmasq

For ease of configuration, if a default dnsmasq configuration file already exists on your system, move it and create a new one:
```
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo vim /etc/dnsmasq.conf
```

Add the following configuration parameters to dnsmasq.conf:

# The Wi-Fi interface configured for static IPv4 addresses
interface=wlan0

# Explicitly specify the address to listen on
listen-address=192.168.1.2

# Bind to the interface to make sure we aren't sending things elsewhere
bind-interfaces

# Forward DNS requests to the Google DNS
server=8.8.8.8

# Don't forward short names
domain-needed

# Never forward addresses in non-routed address spaces
bogus-priv

# Assign IP addresses between 192.168.1.50 and 192.168.1.150 with a 12 hour lease time
dhcp-range=192.168.1.50,192.168.1.150,12h

The bind9 service might conflict with dnsmasq during start up. To ensure there is no conflict, update the bind9 service to not start until dnsmasq has started. Open the /lib/systemd/system/bind9.service file:
```
sudo vim /lib/systemd/system/bind9.service
```
Modify the After parameter so bind9 starts after dnsmasq:
```
"After=network.target dnsmasq.service"
```

Configure NAT

Network Address Translation (NAT) is a method of translating IP addresses while packets are in transit. NAT64 translates addresses between IPv6 and IPv4.

OTBR uses tayga for stateless NAT64, iptables for stateful NAT44, and combines the two to provide stateful NAT64. This allows Thread devices to communicate with IPv4 hosts. See the Tayga documentation for more information.

Configure tayga

Create the configuration:

Open the /etc/tayga.conf file:
```
sudo vim /etc/tayga.conf
```

Update the file with the following configuration:

prefix 64:ff9b::/96
dynamic-pool 192.168.255.0/24
ipv6-addr 2001:db8:1::1
ipv4-addr 192.168.255.1

Enable tayga:
1. Open the /etc/default/tayga file:
```
sudo vim /etc/default/tayga
```
2. Change the RUN parameter to yes:
```
RUN="yes"
```

Note: Use of the Well-Known Prefix (64:ff9b::/96) for the prefix parameter prevents a Thread network from accessing private IPv4 networks. To support private IPv4 networks, designate a prefix from your site's IPv6 addresses range instead.

In this configuration, ipv6-addr is optional. If ipv6-addr is not defined, tayga generates it for you from the prefix parameter.

Configuration parameters

Parameter	Description
`prefix`	Since Tayga provides stateless NAT64, a `/96` or greater prefix is required to map all of IPv4 to IPv6. This parameter should be an unused `/96` prefix from your IPv6 address range. For OTBR, use the Well-Known Prefix (`64:ff9b::/96`) to enable automatic address translation.
`dynamic-pool`	Required for Tayga to map IPv6 to IPv4. Set to an IPv4 network.
`ipv6-addr`	Required for Tayga to act as an IPv6 router. When using the Well-Known Prefix for the `prefix` parameter, this address should be one that is not included in `prefix`.
`ipv4-addr`	Required for Tayga to act as an IPv4 router. This address should be one that is included in `dynamic-pool`.

Enable forwarding

Enable IPv4 and IPv6 forwarding:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding"

To ensure IPv4 forwarding remains enabled after reboot, also update the sysctl configuration file:
1. Open the /etc/sysctl.conf file:
```
sudo vim /etc/sysctl.conf
```
2. Uncomment the IPv4 forwarding parameter and ensure it's set to 1:
```
net.ipv4.ip_forward=1
```
Configure NAT with iptables:
1. Enable NAT 44:
```
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
  Note: If the dynamic-pool prefix used in the tayga configuration is private, NAT44 is needed to allow the Thread network to access a public IPv4 network.
2. Configure FILTER between the wlan0 (Wi-Fi) and eth0 (Ethernet) interfaces:
```
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
```
Apply these NAT rules automatically upon reboot:
1. Save the rules to the /etc/iptables.ipv4.nat file:
```
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
```
2. Open the /etc/rc.local file:
```
sudo vim /etc/rc.local
```
3. Add the following at the end of the file, before the exit 0 line:
```
iptables-restore < /etc/iptables.ipv4.nat
```

Verify the configuration

Reboot the Raspberry Pi 3B:
```
sudo reboot
```
After reboot, connect a different device (not the RPi3B) to the BorderRouter-AP Wi-Fi access point.
Open a browser window on that device and navigate to 192.168.1.2 (the IPv4 address configured for the wlan0 interface). If the AP configuration is successful, the OTBR Web GUI loads.

The BorderRouter-AP Wi-Fi access point should also provide regular internet connectivity. Verify by visiting or pinging any public website from a device connected to the BorderRouter-AP Wi-Fi access point.

Troubleshooting

If the BorderRouter-AP Wi-Fi access point is not available, check the system status of the RPi3B:

sudo systemctl status

If the status shows the RPi3B in a degraded state, check which services have failed to start:

sudo systemctl --failed

If the AP was set up manually and any of the required OTBR services have failed to start:

Go back through the configuration steps in Build and Configuration and Wi-Fi Access Point Setup and check for errors.
Reboot the RPi3B or use the server script to stop and restart required OTBR services:

cd ot-br-posix
./script/server NETWORK_MANAGER=0

Using Network Manager

When the AP is automatically setup during installation, it is managed by Network Manager. The OTBR setup script uses the same default values detailed in the manual setup:

SSID = BorderRouter-AP
Password = 12345678

Control Network Manager using the nmcli command line tool.

For example, to display all information related to the AP once OTBR is up and running:

nmcli -s c show BorderRouter-AP

For more information, see the OTBR Network Manager script.

Build and Configuration

Web GUI