I am working on an embedded Linux system that has a WLAN interface which can work in both STA and AP mode.

valid interface combinations:
                 * #{ AP } <= 2, #{ managed } <= 2, #{ P2P-client, P2P-GO } <= 2, #{ P2P-device } <= 1, #{ IBSS } <= 1,
                   total <= 4, #channels <= 2

Now I have configured the WLAN interface for STA and AP mode (by creating a software AP, uap0) as follows:

# ifconfig
uap0      Link encap:Ethernet  HWaddr D6:9C:DD:A0:13:78
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4749 errors:0 dropped:333 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:458760 (448.0 KiB)  TX bytes:5526 (5.3 KiB)

wlan0     Link encap:Ethernet  HWaddr D4:9C:DD:A0:13:78
          inet addr:192.168.95.14  Bcast:192.168.95.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5425 (5.2 KiB)  TX bytes:1723 (1.6 KiB)

wlan0 is the physical interface, whose IP address is obtained from the external AP.
uap0 is a software interface used as an AP, which my cell phone can connect to.

I enabled forwarding with sysctl -w net.ipv4.ip_forward=1, and route -n shows:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.95.1    0.0.0.0         UG    0      0        0 wlan0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 uap0
192.168.95.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0

I can ping the external public internet from the target board, and also my cell phone's IP (192.168.0.190).
But now my cell phone cannot access the internet through the Wi-Fi (uap0).
How do I configure Linux networking in this case so that my cell phone can access the public internet?

  • Please specify what exactly "cannot access internet" means. Guess: You have not configured a DHCP server for uap0, so the phone isn't getting any nameservers, and therefore your phone browser doesn't work. You can do that e.g. by installing dnsmasq and configuring it for uap0. Commented Apr 6, 2023 at 10:26
  • I did configure udhcpd for uap0, but you are right, I did NOT have dnsmasq enabled/configured for uap0. I will try that later. Commented Apr 6, 2023 at 12:32
  • And if you cannot exactly specify what "cannot access internet" means, please either install a terminal or tools on your phone, or connect with a different computer, and test systematically pings to the embedded system and the internet, as well as DNS lookup, while running wireshark or tcpdump on the embedded system. At the moment we are just blindly guessing what could be wrong. Commented Apr 6, 2023 at 14:10
  • My 'cannot access internet' means 'my cell phone cannot open a public internet website' after it has got an IP from the AP. Commented Apr 7, 2023 at 3:06

1 Answer

With your current settings, the external AP probably thinks the 192.168.95.x/24 is an "edge" network, i.e. as far as it knows, there are no other network segments accessible through it.

But the network between your embedded Linux AP and the cell phone forms another network segment: 192.168.0.x/24. The external AP and the network beyond it have no knowledge about this, and in fact the same IP address range could be in use elsewhere in the network. (I will call your 192.168.0.x/24 network segment a "rogue" one, and the possible other network segment with the same IP addresses the "official" one.)

When your cellphone sends outgoing packets to the internet using 192.168.0.190 as its source IP, your laptop could route it to the external AP, and the external AP will probably send it towards its upstream router... but if that router has a "martian filter" configured, it will see that the source address does not match its expectation that only packets with source addresses in 192.168.95.x range should come from the external AP, and will filter it out. But let's assume that does not happen.

If a reply from the internet arrives at the external AP's upstream router with a destination address of 192.168.0.190, one of two things will happen:

  • if an official 192.168.0.x/24 network segment exists, the reply packet will be routed there instead of towards your laptop.
  • if the router has no official 192.168.0.x/24 network segment defined, the router will be mildly puzzled: "Why did I get this? As far as I know, there is no such network. It must be some misrouted junk, so to the trash it goes!" It might also send a "network unreachable" ICMP error message back to the sender of the reply packet.

In other words, to make your current configuration work, you would have to make the external AP's upstream router(s) aware of your 192.168.0.x/24 network and the fact that it is accessible using 192.168.95.14 as a router/gateway. But unless you have administrative access to the upstream router(s), you cannot do this.

Instead, you would have to configure your embedded system to masquerade (=a form of NAT) the cellphone's traffic so that it appears to come from the embedded system itself:

iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.0.0/24 -j MASQUERADE

(-j SNAT --to-source 192.168.95.14 would also work, but -j MASQUERADE works better in situations where DHCP is used between the external AP and the embedded system.)

Note that this means there will be a "double NAT" between your cellphone and the internet, which is not ideal and may cause problems with some network protocols.

After solving this fundamental routing issue, there may be secondary issues; like dirkt mentioned in the comments, you would have to have some way to supply DNS server addresses for the phone.

  • Today, I tried to use the command you provided, but I failed to set up the AP function with uap0 (my cell phone cannot get its IP from uap0). I am still struggling with the AP setup. I will try your command once the AP is working. Commented Apr 7, 2023 at 3:05
  • I just tried your 'single line' command, and it worked. Now I can open the web from my cell phone through the AP implemented in software in the embedded Linux system. I vote your answer as the correct one. Thanks. Commented Apr 7, 2023 at 5:38
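
The answer's MASQUERADE rule combined with FORWARD rules, as an added example that is not part of the original answer or thread: once ip_forward is on, the board routes only connections opened by uap0 clients and their replies. The interface names and subnet are taken from the question; the function names and the DRY_RUN variable are hypothetical, and the script assumes the board forwards traffic for the soft AP only.

```shell
#!/bin/sh
# Added example, not from the original thread. uap0, wlan0 and 192.168.0.0/24
# are the names shown in the question; ipt, ensure_rule, setup_ap_nat and
# DRY_RUN are hypothetical names chosen for this example.
# Assumes net.ipv4.ip_forward=1 is already set, as in the question, and that
# the board forwards traffic for the soft AP only.
LAN_IF=${LAN_IF:-uap0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WAN_IF=${WAN_IF:-wlan0}

# Run one iptables command, or only print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Append a rule unless an identical one already exists (-C checks for it),
# so re-running the script does not stack duplicates.
# $1 = table, $2 = chain, remaining arguments = rule specification.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" != 1 ] &&
       iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    ipt -t "$table" -A "$chain" "$@"
}

setup_ap_nat() {
    # The rule from the answer: AP clients leave wlan0 with the board's address.
    ensure_rule nat POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Replies to connections the AP clients opened are let back in.
    ensure_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # AP clients may open connections towards the uplink, from their own subnet only.
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Anything else that would be routed through the board is dropped.
    ipt -P FORWARD DROP
}

# "sh ap-nat.sh apply" (as root) installs the rules; "plan" only prints them.
case "${1:-}" in
    apply) setup_ap_nat ;;
    plan)  DRY_RUN=1; setup_ap_nat ;;
esac
```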
