Mobile Pi-Hole on USB Ethernet Gadget (PI 4) + Wifi Access Point

We are working in a lot of different places, different WIFI, etc. So we configured a Raspberry Pi 4 as a USB Ethernet Gadget and installed Pi-Hole (+ a VPN) to enhance our privacy and block ads wherever we go. This way the wifi of the computer can be switched off, because it gets its internet connection from the Raspberry Pi. The DHCP server of the Pi-Hole works really well in this setup. Every virtual machine that runs on the Laptop is recognized as an individual client which is exactly what is needed.

Furthermore a USB Wifi-dongle provides the internet connection (because it provides better speed than the built-in wifi of the Pi). Thus our Pi-hole Ethernet Interface is wlan1. This means in this setup the internal wifi card (wlan0) of the Pi is free, which is why we tried to install an additional access point via hostapd. This is where we got stuck. The wifi access point does show up and it is possible to connect to it via ssh. However if a computer or a mobile phone connects to this access point it has no internet connectivity. Is there a way this can work?

This is our dhcpcd-setup:

/etc/dhcpcd.conf

interface usb0
    static ip_address=192.168.77.1/24

interface wlan0
    static ip_address=192.168.79.1/24
    nohook wpa_supplicant

These are the dnsmasq configuration files:

/etc/dnsmasq.d/00-dnsmasq.conf

interface=usb0 # USB interface
address=/access.tardigrade/192.168.77.1
                # Alias for this router

# Wifi-AP
interface=wlan0 # Access Point
dhcp-range=192.168.79.2,192.168.79.21,24h
                # Pool of IP addresses served via DHCP

AND:

/etc/dnsmasq.d/02-pihole-dhcp.conf

dhcp-authoritative
dhcp-range=192.168.77.2,192.168.77.21,24h
dhcp-option=option:router,192.168.77.1
dhcp-leasefile=/etc/pihole/dhcp.leases
#quiet-dhcp

domain=lan
local=/lan/
dhcp-rapid-commit

And finally the access point configuration:

/etc/hostapd/hostapd.conf

country_code=DE
interface=wlan0
ssid=testnetwork
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=password-testnetwork
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

IPv4 forwarding is set up:

/etc/sysctl.conf

net.ipv4.ip_forward=1

Also the required iptables rule is in place:

sudo iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE

The Pi-hole is set to listen on all interfaces (it also filters the VPN). In the DHCP settings of the admin interface we can define our dhcp server. These point to our usb0 interface. Everything connected via usb0 works flawlessly. The Pi-hole also sees all devices that connect to the Raspberry Pi via wlan0 (access point) and it does issue dhcp leases to those devices as well. These devices successfully connect, but have no internet.

What are we missing?

This isn't a Pi-hole issue.

Pi-hole is only related as pihole-FTL happens to be a tailored version of dnsmasq, and you are trying to have a dnsmasq AP configuration to co-exist with Pi-hole's own.
While this may be quite possible, as long as your own settings don't conflict with Pi-hole's, it is something you'd have to figure for yourself.

Your interface lines are likely to conflict with Pi-hole if you ever decide to change

For your current case, you'd have to make thorough use of dnsmasq's documentation.
And I mean thorough. It may be hard to read, but it almost always has all the information needed to get it working, if in several distinct locations.

That said, I'd guess you are lacking a gateway proper for your wlan0 clients.

Very likely, you would have to make use of dnsmasq's tag system and provide the correct router (your RPi Pi-hole host?) for those clients (quoted from docs linked above):

The tag system works as follows: For each DHCP request, dnsmasq collects a set of valid tags from active configuration lines which include set: (...) a tag whose name is the name of the interface on which the request arrived is also set.
(...)
When selecting --dhcp-options , a tag from --dhcp-range is second class relative to other tags, to make it easy to override options for individual hosts, so --dhcp-range=set:interface1,...... --dhcp-host=set:myhost,..... --dhcp-option=tag:interface1,option:nis-domain,domain1 --dhcp-option=tag:myhost,option:nis-domain,domain2 will set the NIS-domain to domain1 for hosts in the range, but override that to domain2 for a particular host.

Thanks for your quick and kind advice. Managed to get it to work. You were right, setting the exact dhcp range and gateway per interface did the trick. Your remark was spot on! This setup is working now:

/etc/dnsmasq.d/00-dnsmasq.conf

# USB Gadget
interface=usb0 # USB interface
dhcp-range=set:usb0,192.168.77.2,192.168.77.21,255.255.255.0,24h
dhcp-option=usb0,3,192.168.77.1
address=/access.tardigrade/192.168.77.1
                # Alias for this router

# Wifi-AP
interface=wlan0 # Access Point
dhcp-range=set:wlan0,192.168.79.2,192.168.79.21,255.255.255.0,24h
                # Pool of IP addresses served via DHCP
dhcp-option=wlan0,3,192.168.79.1

Yes, you are right that this is indeed not really a Pi-hole issue. Nevertheless we are using the pihole-specific tailored version of dnsmasq only. There is no other version of dnsmasq installed on our machine (if there was, it probably would cause further conflicts... or not work at all.)

Thanks again for your advice! This was really helpful.
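
Added example, not part of the original thread: a Python check for the misconfiguration resolved above, where the untagged `dhcp-option=option:router,192.168.77.1` was also handed to wlan0 clients in 192.168.79.0/24. It models only `dhcp-range` and the router option, and assumes a /24 when a range gives no netmask (matching the thread's dhcpcd.conf); the names `parse` and `off_subnet_routers` are hypothetical.

```python
import ipaddress

# dnsmasq lines copied from the thread: the question's settings, then the fix.
BEFORE = """
interface=wlan0 # Access Point
dhcp-range=192.168.79.2,192.168.79.21,24h
dhcp-range=192.168.77.2,192.168.77.21,24h
dhcp-option=option:router,192.168.77.1
"""
AFTER = """
dhcp-range=set:usb0,192.168.77.2,192.168.77.21,255.255.255.0,24h
dhcp-option=usb0,3,192.168.77.1
dhcp-range=set:wlan0,192.168.79.2,192.168.79.21,255.255.255.0,24h
dhcp-option=wlan0,3,192.168.79.1
"""

def parse(conf):
    """Return ([(tag, start, netmask)], {tag: router}) from dnsmasq text."""
    ranges, routers = [], {}
    for raw in conf.splitlines():
        key, _, val = raw.split("#", 1)[0].strip().partition("=")
        parts = [p.strip() for p in val.split(",") if p.strip()]
        if key == "dhcp-range" and parts:
            tag = parts.pop(0)[4:] if parts[0].startswith("set:") else None
            # A dotted third field is the netmask; "24h" is the lease time.
            mask = parts[2] if len(parts) > 2 and parts[2].count(".") == 3 else None
            ranges.append((tag, parts[0], mask))
        elif key == "dhcp-option":
            # First numeric/"option:" field is the option id; a field before it
            # is a tag (simplification: only one tag per option is modelled).
            i = next((n for n, p in enumerate(parts)
                      if p.isdigit() or p.startswith("option:")), None)
            if i is None or parts[i] not in ("3", "option:router") or i + 1 >= len(parts):
                continue
            tag = parts[0][4:] if parts[0].startswith("tag:") else parts[0]
            routers[tag if i > 0 else None] = ipaddress.ip_address(parts[i + 1])
    return ranges, routers

def off_subnet_routers(conf, default_prefix=24):
    """List (subnet, router) pairs where clients get a gateway outside their subnet."""
    ranges, routers = parse(conf)
    findings = []
    for tag, start, mask in ranges:
        # Assumption: /24 when the range carries no netmask of its own.
        net = ipaddress.ip_network(f"{start}/{mask or default_prefix}", strict=False)
        # A tagged router option wins over an untagged one.
        router = routers.get(tag, routers.get(None))
        if router is not None and router not in net:
            findings.append((str(net), str(router)))
    return findings
```

Run against the concatenated files in /etc/dnsmasq.d/, an empty result means every explicit router option sits inside the subnet of the range it is served to.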
