Raspberry pi as access point along with pihole

I connect my raspberry pi with USB tethering. Is there any way to make it an AP with adblocking? I know creating AP requires hostapd and dhcp server, but I don't know how to set it up.
Please guide me.

I can tell you how to turn a Raspberry Pi into a router as I've done it so many times I could probably write the following scripts in my sleep. I'll leave integrating them with pi-hole to you (I run pi-hole on a Beagle Bone Black under arch-linux so I can't really do that for you as it's a different environment).

A couple of things:

  • Yes I said router, not access point. These steps will make rpi a router and the ethernet port will be the uplink port, and as I'm guessing you're connecting it to a network that's already behind a router, anything that connects to rpi's wifi will be double nat-ed. This means upnp won't work, and machines on ethernet side won't be able to initiate connections to those on wifi side. To make rpi behave like a pure access point (where wifi clients are on the same network that's connected to ethernet port) it means you have to bridge wifi and ethernet interfaces (I tried it once, it was a pain and much more flaky than making rpi a router).
  • I've always done this using dnsmasq as a DHCP and DNS server. You can probably emulate the behaviour of my dnsmasq config with the pi-hole GUI by turning on dhcp server but you are going to have to set it to bind to wifi interface and that might mean it stops serving the ethernet side as a DNS server.

Ok first thing you want to do is make wifi totally manual, in newer versions of raspbian you do this by editing /etc/dhcpcd.conf and adding:

allowinterfaces eth0

Which means only eth0 will be automatically managed, you can also use:

denyinterfaces wlan0

To just keep it away from wlan0.

Now you need to allow ipv4 forwarding so the thing can act as a router, edit /etc/sysctl.conf and add/uncomment the following line:

net.ipv4.ip_forward=1

Reboot the thing so this and the change to dhcpcd.conf can take effect. Now give wifi a static ip that's a private IP but not in your existing network's subnet:

sudo ifconfig wlan0 10.20.30.1 netmask 255.255.255.0

Next step is to use hostapd with wlan0 - save this into a config file called hostapd.conf (or whatever):

interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ssid=MyAwfulWifi
wpa=1
wpa_passphrase=bestpassword
wpa_key_mgmt=WPA-PSK

Use config by running it with

sudo hostapd -B hostapd.conf

You should be able to connect to it but it won't be handing out IP's yet. At this point you'll probably want to muck around with pi-hole settings to see if you can get it to the point it hands out IP's to wifi clients, when you do set interface to wlan0 and router IP address to the IP you gave rpi wifi interface (eg: 10.20.30.1).

Here's a dnsmasq.conf file that I know works for this if you end up having to add some lines to /etc/dnsmasq.conf yourself:

interface=wlan0
bind-interfaces
except-interface=lo
listen-address=10.20.30.1
dhcp-range=10.20.30.10,10.20.30.100,60m
dhcp-option=option:router,10.20.30.1
dhcp-lease-max=50

Ok it's now accepting connections, giving IP's and acting as a DNS server but you can't actually connect to anything on the router side. Here's some iptables rules to get that happening:

sudo iptables -F INPUT
sudo iptables -F OUTPUT
sudo iptables -F FORWARD
sudo iptables -t nat -F PREROUTING
sudo iptables -t nat -F INPUT
sudo iptables -t nat -F OUTPUT
sudo iptables -t nat -F POSTROUTING
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -A FORWARD -d 10.20.30.0/24 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.20.30.0/24 -i wlan0 -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o wlan0 -j ACCEPT
sudo iptables -A FORWARD -o wlan0 -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A FORWARD -i wlan0 -j REJECT --reject-with icmp-port-unreachable
sudo iptables -t nat -P PREROUTING ACCEPT
sudo iptables -t nat -P INPUT ACCEPT
sudo iptables -t nat -P OUTPUT ACCEPT
sudo iptables -t nat -P POSTROUTING ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.20.30.0/24 ! -d 10.20.30.0/24 -j MASQUERADE

Fingers crossed but that should be it. You'll want to put ifconfig, hostapd and iptables commands into a script and have them load on startup (eg: from rc.local).

I just realised I'm replying to someone who posted 7 months ago, oh well hopefully this makes someone's day.

It's 2018, these steps are a little old. You can't put static IPs in /etc/network/interfaces, so after a day of fumbling through I figured I'd post my recipe to help someone else along the way.

The key here is to install pihole after you set up your interfaces, and leave the dnsmasq til after it's set up.

most of this was derived from above and http://home.iitk.ac.in/~saiwal/electronics/using-pi-hole-and-raspberry-pi-as-hotspot-for-ad-less-online-experience/

along with the raspbian ap setup here https://www.raspberrypi.org/documentation/configuration/wireless/access-point.md#internet-sharing

install raspbian

raspi-config , enable ssh adjust keyboard n lang timezone

sudo apt update; sudo apt upgrade -y
sudo apt install hostapd -y

in /etc/dhcpcd.conf
interface wlan0
static ip_address=192.168.4.1/24

in /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
#driver=rtl871xdrv
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ssid=Pi3-AP
wpa_passphrase=raspberry

/etc/default/hostapd
echo DAEMON_CONF="/etc/hostapd/hostapd.conf" | sudo tee -a /etc/default/hostapd

in /etc/sysctl.conf
uncomment net.ipv4.ip_forward=1

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

echo 'iptables-restore < /etc/iptables.ipv4.nat' | sudo tee /lib/dhcpcd/dhcpcd-hooks/70-ipv4-nat

reboot

install pihole
curl -L https://install.pi-hole.net | bash

add in /etc/dnsmasq.conf
interface=wlan0
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
ot

then secure box

change pihole password
pihole -a -p

It's now 2020 and the new steps are now old :o)

However, I have been trying for weeks to get pihole and AP running on one unit. One catch is that I cannot assign a dns address manually in my router, so I have to disable dhcp in the router and use pihole's dhcp server. Are your instructions still up-to-date?

kind regards

I've been playing with this for a few days as well, but I haven't managed to get Pi-Hole working. I set everything up in order to make the Raspberry Pi an AP with DoH and everything works fine.

I then install Pi-Hole, but FTL is offline and I cannot make it work.
The AP is still working fine though, just no traffic going through Pi-Hole.

Here are my steps:

  • setup up DoH with Cloudflared

  • edit /etc/dhcpcd.conf

interface wlan0
static ip_address=192.168.10.1/24
static routers=192.168.10.1
static domain_name_servers=127.0.0.1
nohook wpa_supplicant

  • edit /etc/dnsmasq.conf

interface=wlan0
server=127.0.0.1
dhcp-range=192.168.10.201,192.168.10.254,255.255.255.0,24h

  • edit /etc/hostapd/hostapd.conf

interface=wlan0
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

ssid=WHATEVERNAME
wpa_passphrase=WHATEVERPASSWORD

sudo nano /etc/sysctl.conf
uncomment this line: net.ipv4.ip_forward=1

  • sort out routing and iptables

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

sudo nano /etc/rc.local
Add this just above "exit 0" to install these rules on boot.
iptables-restore < /etc/iptables.ipv4.nat

  • install Pi-Hole and

sudo nano /etc/dnsmasq.d/01-pihole.conf
comment out both #server=1.1.1.1 and #server=1.0.0.1
add server=127.0.0.1#53

sudo nano /etc/pihole/setupVars.conf
comment #PIHOLE_DNS_1=1.1.1.1 and #PIHOLE_DNS_2=1.0.0.1

It doesn't make any difference if I chose the wlan0 or eth0 as the interface for Pi-Hole, and if I enter the wlan0 IP address or the eth0 IP address.

pihole -d looks good apart from:

  • Pi-Hole cannot ping the wlan0 ip address
    192.168.10.1: Name or service not known

  • Pi-Hole cannot resolve a domain
    [✗] Failed to resolve ad.doubleclick.net.55877.9083.302br.net via Pi-hole (192.168.10.1)
    [this showing Pi-Hole using wlan0, but it doesn't make any difference if I use the eth0 ip address]

[127.0.0.1:53] is in use by pihole-FTL, so I'm not sure why it isn't trying to solve the DNS queries via that.

Any suggestions?
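
An added example, not part of any post in this thread: a small Python audit of the security-relevant hostapd.conf keys, run over the three configs posted above (trimmed to those keys). The weak-passphrase list and the 12-character minimum are assumptions of this example, and the cipher defaults follow hostapd.conf's documented behaviour.

```python
# Added example (not from the thread): flag weak security settings in hostapd.conf.
WEAK_PASSPHRASES = {"raspberry", "bestpassword"}  # assumption: samples from this thread
MIN_LEN = 12  # assumption: local policy; WPA-PSK itself only requires 8..63 chars

def parse(conf_text):
    """Return key -> value for key=value lines, skipping blanks and # comments."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(conf_text):
    """Return a sorted list of finding codes for one hostapd.conf."""
    o = parse(conf_text)
    findings = set()
    wpa = int(o.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2 (RSN)
    if wpa == 0:
        findings.add("open-network")
    if wpa & 1:
        findings.add("wpa1-enabled")
    # hostapd.conf defaults: wpa_pairwise=TKIP; rsn_pairwise falls back to wpa_pairwise
    wpa_pw = o.get("wpa_pairwise", "TKIP").split()
    rsn_pw = o.get("rsn_pairwise", " ".join(wpa_pw)).split()
    effective = (wpa_pw if wpa & 1 else []) + (rsn_pw if wpa & 2 else [])
    if "TKIP" in effective:
        findings.add("tkip-in-use")
    psk = o.get("wpa_passphrase")
    if wpa and psk is not None:
        if not 8 <= len(psk) <= 63:
            findings.add("passphrase-invalid-length")
        elif psk.lower() in WEAK_PASSPHRASES or len(psk) < MIN_LEN:
            findings.add("passphrase-weak")
    return sorted(findings)

# Security-relevant lines of the three configs posted in this thread.
FIRST = "interface=wlan0\nwpa=1\nwpa_passphrase=bestpassword\nwpa_key_mgmt=WPA-PSK\n"
SECOND = ("interface=wlan0\n#driver=rtl871xdrv\nwpa=2\nwpa_key_mgmt=WPA-PSK\n"
          "rsn_pairwise=CCMP\nwpa_passphrase=raspberry\n")
THIRD = ("interface=wlan0\nwpa=2\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\n"
         "rsn_pairwise=CCMP\nwpa_passphrase=WHATEVERPASSWORD\n")

if __name__ == "__main__":
    for name, conf in (("first", FIRST), ("second", SECOND), ("third", THIRD)):
        print(name, audit(conf) or "no findings")
```

The first config negotiates WPA (v1) with the default TKIP cipher, while in the third the wpa_pairwise=TKIP line is inert because only WPA2 is enabled and rsn_pairwise=CCMP is set.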

Have you checked this post? That's my current setup and it does work.

Cheers,

Thank you for the suggestion.
I'm not using RaspAp, but I might give it a go soon.
I seem to have sorted out part of the issue, and pihole -d looks good apart from:

[2020-02-08 17:14:39.409 8428] Finished config file parsing
[2020-02-08 17:14:39.410 8428] SQLite3 message: cannot open file at line 38452 of [0eca3dd3d3] (14)
[2020-02-08 17:14:39.410 8428] SQLite3 message: os_unix.c:38452: (2) open(/etc/pihole/pihole-FTL.db) - (14)

I looked at the database, but I couldn't find that specific line and what that refers to.

Reinstalled everything and used RaspAp.
Everything works fine.
Not sure where the problem was, because all the settings are practically the same.

2 posts were split to a new topic: Enabling RaspberryPi OS's Access Point conflicts with Pi-hole