Raspberry pi access-point routing not working
I have setup an access point on my raspberry pi 4 following this guide: https://www.raspberrypi.com/documentation/computers/configuration.html#before-you-begin
I can connect to the wireless network, ping the ip address on the raspberry pi wlan interface, and dns seems to work fine.
But the NAT/routing is not working. I'm unable to access the internet or the rest of my network.
I believe this has something to do with docker and maybe messing up my iptables? But I don't know enough about iptables to explain why it isn't working. This is a dump of the iptables. I see the rule "-A POSTROUTING -o eth0 -j MASQUERADE" was added which should enable the nat routing for my access-point.
# Generated by iptables-save v1.8.7 on Sun Feb 26 12:27:58 2023
*filter
:INPUT ACCEPT [36647:6241476]
:FORWARD DROP [151:15122]
:OUTPUT ACCEPT [34684:33197826]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-ea8912f60ffe -o br-ea8912f60ffe -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p udp -m udp --dport 10001 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p udp -m udp --dport 3478 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.80.0.0/24 -o br-ea8912f60ffe -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.80.0.0/24 -i br-ea8912f60ffe -j DROP
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Feb 26 12:27:58 2023
# Generated by iptables-save v1.8.7 on Sun Feb 26 12:27:58 2023
*nat
:PREROUTING ACCEPT [1508:237688]
:INPUT ACCEPT [1207:192448]
:OUTPUT ACCEPT [15971:766826]
:POSTROUTING ACCEPT [8642:433956]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p udp -m udp --dport 10001 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p udp -m udp --dport 3478 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 9443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9443 -j DNAT --to-destination 172.17.0.3:9443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.3:9000
-A DOCKER ! -i docker0 -p udp -m udp --dport 10001 -j DNAT --to-destination 172.17.0.4:10001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.3:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.4:8443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.4:8080
-A DOCKER ! -i docker0 -p udp -m udp --dport 3478 -j DNAT --to-destination 172.17.0.4:3478
COMMIT
# Completed on Sun Feb 26 12:27:58 2023
I tried adding a specific rule for the subnet I'm trying to route with
sudo iptables -t nat -A POSTROUTING -s 192.168.4.0/24 ! -o eth0 -j MASQUERADE
I also tried cleaning the ip tables with sudo iptables -F , but docker seems to immediately change the file again
Solution
You will need to allow forwarding of traffic from the wlan interface to the eth interface and you will also need to allow reverse traffic for established connections. Something like this should work:
iptables -A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i wlan0 -j ACCEPT
- Unable to pull images no such host on Windows
- Check if clickhouse is healthy docker-compose
- Docker Compose, Rails and Webpacker not perserving node_modules
- Need to use docker-compose to build but but not run
- Docker Error: Jupyter Notebook container is not running after successful build
- error during connect: This error may indicate that the docker daemon is not running
- Google Jib throws UnknownManifestFormatException: Unknown mediaType: application/vnd.oci.image.index.v1+json when building the application
- AWS ECS exec /usr/local/bin/docker-entrypoint.sh: exec format error
- Docker: Running nano in docker container
- Error building nextjs app on docker but not locally
- Tekton error , how to fix: Error executing command: fork/exec /tekton/scripts/script-2-m6dkb
- php_network_getaddresses: getaddrinfo failed error in Docker's adminer
- "update-locale: Error: invalid locale settings" when using a Dockerfile
- JVM -XX:MaxRAMPercentage not being applied in container
- docker-compose up not recreate container
- How can I find a Docker image with a specific tag in Docker registry on the Docker command line?
- Pass environment variables from docker-compose to container at build stage
- denied: requested access to the resource is denied when pushing image to gitlab registry
- How to use a devcontainer in vscode.dev?
- Unable to connect to mongodb database on docker container with nestJs
- Gitlab doesn't loads new ssl cert and key
- How to diagnose "docker: invalid reference format" when calling "docker run"?
- Azure Container Instance does not respond with dns name on browser
- Auto-generate OpenFGA json model when saving .fga DSL file
- KASM Stand Alone Service inaccessble behind Nginx: Websocket error or invalid HTTP version
- how to run NiFi-toolkit docker image
- How to check if a Docker image with a specific tag exist on registry?
- Can we mount sub-directories of a named volume in docker?
- AWS InvalidSignatureException, Signature expired when running from docker container
- No such host CI, docker