Last updated: Monday 16 February 2026 @ 13:50:43

Routing

Warning

You need to have finished the Eduroam lab (or have connected to another internet-capable SSID) and the Access Points lab before continuing.

  • Ensure hostapd is running (sudo hostapd /etc/hostapd/hostapd.conf) and that systemctl status dnsmasq.service reports dnsmasq as running.

Introduction

Routing is the process of forwarding network packets between different IP networks. When a device sends traffic to a destination outside its local subnet, the packet is delivered to a router, which determines the next hop toward the destination network.

In this lab, the Raspberry Pi acts as a router between two networks:

  • the hotspot network on wlan1 (192.168.10.0/24)
  • the upstream network on wlan0 (eduroam)

Without routing, devices connected to the access point could communicate locally but would not be able to reach external networks. Enabling routing allows the system to pass traffic between interfaces, forming the foundation for internet sharing and gateway functionality.

Forward AP traffic to wlan0

  1. Enable IP forwarding by running sudo sysctl -w net.ipv4.ip_forward=1

    Note

    This command only enables forwarding for the current session. For it to persist across reboots:

    • In the terminal

      sudo vim /etc/sysctl.conf
      
    • In the file:

      net.ipv4.ip_forward=1
      

    Explanation

    This command enables IPv4 packet forwarding in the Linux kernel. By default, Linux behaves like a host and does not forward packets between interfaces. Enabling this setting allows the system to function as a router, forwarding traffic received on the access point interface (wlan1) to the upstream interface (wlan0).

  2. Install iptables using sudo apt install iptables

    Explanation

    iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

    Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

  3. Next we need to add NAT (masquerading)

    Terminal

    sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    
    • This rewrites client source addresses so that eduroam, or whichever SSID you are connected to on wlan0, only sees the Pi.

    Explanation

    • This rule enables Network Address Translation (NAT) for outbound traffic leaving via wlan0.
    • The MASQUERADE target rewrites the source IP address of packets from hotspot clients so they appear to originate from the Raspberry Pi’s wlan0 address. This allows multiple client devices to share a single upstream connection.
  4. Allow forwarding rules

    Terminal

    sudo iptables -A FORWARD -i wlan0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -i wlan1 -o wlan0 -j ACCEPT
    

    Explanation

    The first command:

    • This rule allows return traffic from the upstream network to reach hotspot clients. It permits packets arriving on wlan0 that belong to already-established connections to be forwarded back to wlan1, ensuring bidirectional communication for client-initiated connections.

    The second command:

    • This rule allows packets from devices connected to the access point (wlan1) to be forwarded to the upstream network (wlan0). It enables hotspot clients to send traffic beyond the local wireless network toward the internet.
  5. What we have done is create this setup:

flowchart TD
    A[Client device] --> B["wlan1 (Access Point)"]
    B --> C["dnsmasq (DHCP)"]
    C --> D["Linux routing"]
    D --> E["iptables NAT"]
    E --> F["wlan0 (eduroam)"]
    F --> G[Internet]
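
A check you can run after step 4, added here as an example (not part of the original lab): it reads iptables-save output, confirms the MASQUERADE rule and both FORWARD rules are present, and reports the FORWARD default policy, because with a policy of ACCEPT the two FORWARD rules do not restrict anything. The names audit_router and sample_rules and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables-save` text for the rules from steps 3 and 4.
# audit_router and sample_rules are constructed names, not part of the lab.

# stdin = output of `sudo iptables-save`; $1 = upstream iface, $2 = AP iface.
# Prints one finding per line; exit status is 0 only if all three rules exist.
audit_router() {
    awk -v up="$1" -v ap="$2" '
        function st(x) { return x ? "ok" : "MISSING" }
        /^\*/ { table = substr($0, 2) }              # "*nat" / "*filter" header
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "nat" && $0 == "-A POSTROUTING -o " up " -j MASQUERADE" { nat = 1 }
        table == "filter" && $0 == "-A FORWARD -i " ap " -o " up " -j ACCEPT" { out = 1 }
        # Return path: accept "-m state --state" or "-m conntrack --ctstate".
        table == "filter" && index($0, "-A FORWARD -i " up " -o " ap " -m ") == 1 &&
            /state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$/ { ret = 1 }
        END {
            print st(nat) ": MASQUERADE out of " up
            print st(out) ": FORWARD " ap " -> " up
            print st(ret) ": FORWARD " up " -> " ap " (established only)"
            if (policy == "ACCEPT")
                print "note: FORWARD policy is ACCEPT, so unmatched packets are still forwarded"
            exit !(nat && out && ret)
        }'
}

sample_rules() {   # constructed iptables-save output after steps 3 and 4
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan1 -o wlan0 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_router wlan0 wlan1
```

On the Pi, replace the last line with sudo iptables-save | audit_router wlan0 wlan1 to audit the live ruleset.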

Checking connection

  1. Using your laptop or phone, connect to the hotspot and run ping -c 4 8.8.8.8 or load a web page such as Google, and run the following command as we did in Access Points

    Terminal

    sudo tcpdump -i wlan1
    

    Output

    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on wlan1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    11:51:23.471889 IP 192.168.10.143 > dns.google: ICMP echo request, id 5, seq 1, length 64
    11:51:23.487566 IP dns.google > 192.168.10.143: ICMP echo reply, id 5, seq 1, length 64
    11:51:24.473829 IP 192.168.10.143 > dns.google: ICMP echo request, id 5, seq 2, length 64
    11:51:24.489032 IP dns.google > 192.168.10.143: ICMP echo reply, id 5, seq 2, length 64
    11:51:25.475982 IP 192.168.10.143 > dns.google: ICMP echo request, id 5, seq 3, length 64
    11:51:25.491336 IP dns.google > 192.168.10.143: ICMP echo reply, id 5, seq 3, length 64
    11:51:26.476929 IP 192.168.10.143 > dns.google: ICMP echo request, id 5, seq 4, length 64
    11:51:26.501555 IP dns.google > 192.168.10.143: ICMP echo reply, id 5, seq 4, length 64
    11:51:28.536292 ARP, Request who-has 192.168.10.1 tell 192.168.10.143, length 28
    11:51:28.536312 ARP, Reply 192.168.10.1 is-at b0:19:21:6c:7a:31 (oui Unknown), length 28
    11:51:28.658985 ARP, Request who-has 192.168.10.143 tell 192.168.10.1, length 28
    11:51:28.696771 ARP, Reply 192.168.10.143 is-at f8:fe:5e:8f:69:25 (oui Unknown), length 28
    

Multi-hop

Each Raspberry Pi acts as a wireless router. The upstream interface (wlan0) connects to another access point, while the downstream interface (wlan1) creates a new network. Traffic is forwarded from the downstream network to the upstream network until it reaches the internet gateway.

We are going to create a multi-hop chain across the classroom:

flowchart LR
    NET[(Internet)] --> I0["My Pi\nwlan0: upstream (Internet)\nwlan1: AP (SSID: hop14)\nNAT: wlan1→wlan0"]

    I0 --> S13["Student 13 Pi\nwlan0: client → hop14\nwlan1: AP (SSID: hop13)\nNAT: wlan1→wlan0"]
    S13 --> S12["Student 12 Pi\nwlan0: client → hop13\nwlan1: AP (SSID: hop12)\nNAT: wlan1→wlan0"]
    S12 --> S11["Student 11 Pi\nwlan0: client → hop12\nwlan1: AP (SSID: hop11)\nNAT: wlan1→wlan0"]

flowchart LR
    S11 --> S10["Student 10 Pi\nwlan0: client → hop11\nwlan1: AP (SSID: hop10)\nNAT: wlan1→wlan0"]
    S10 --> S9["Student 9 Pi\nwlan0: client → hop10\nwlan1: AP (SSID: hop9)\nNAT: wlan1→wlan0"]
    S9 --> S8["Student 8 Pi\nwlan0: client → hop9\nwlan1: AP (SSID: hop8)\nNAT: wlan1→wlan0"]
    S8 --> S7["Student 7 Pi\nwlan0: client → hop8\nwlan1: AP (SSID: hop7)\nNAT: wlan1→wlan0"]

flowchart LR
    S7 --> S6["Student 6 Pi\nwlan0: client → hop7\nwlan1: AP (SSID: hop6)\nNAT: wlan1→wlan0"]
    S6 --> S5["Student 5 Pi\nwlan0: client → hop6\nwlan1: AP (SSID: hop5)\nNAT: wlan1→wlan0"]
    S5 --> S4["Student 4 Pi\nwlan0: client → hop5\nwlan1: AP (SSID: hop4)\nNAT: wlan1→wlan0"]

flowchart LR
    S4 --> S3["Student 3 Pi\nwlan0: client → hop4\nwlan1: AP (SSID: hop3)\nNAT: wlan1→wlan0"]
    S3 --> S2["Student 2 Pi\nwlan0: client → hop3\nwlan1: AP (SSID: hop2)\nNAT: wlan1→wlan0"]
    S2 --> S1["Student 1 Pi (tail)\nONLY wlan0: client → hop2"]

Device (wlan1)    AP subnet           Gateway
My Pi             192.168.140.0/24    192.168.140.1
Student 13        192.168.130.0/24    192.168.130.1
Student 12        192.168.120.0/24    192.168.120.1
Student 11        192.168.110.0/24    192.168.110.1
...               ...                 ...
Student 1         192.168.10.0/24     192.168.10.1

  1. Modify your dnsmasq configuration by editing the file: sudo vim /etc/dnsmasq.d/hotspot.conf

    Code

    interface=wlan1
    dhcp-range=192.168.120.50,192.168.120.150,12h
    

    Note: the third octet should match the table for your number, i.e. here we have 120, so this is Student 12.

    Important

    Each router in the chain must provide a unique IP subnet for its downstream network. This prevents routing conflicts and allows packets to be forwarded correctly across multiple hops.

  2. Restart hostapd (sudo hostapd /etc/hostapd/hostapd.conf) and dnsmasq (sudo systemctl restart dnsmasq)

  3. Use iwctl to connect to each other's AP:

    Terminal

    iwctl
    station wlan0 scan
    station wlan0 get-networks
    station wlan0 connect MyHotspot-#
    passphrase
    

    Remember MyHotspot-# is the hotspot of the next person in the chain from you.

  4. Now you should have access to the internet once you have all connected to each other's SSIDs. Remember, at least one of you must be connected to me on wlan0.

    Terminal

    ping -c 4 -I wlan0 8.8.8.8
    
  5. You can also try traceroute (sudo apt install traceroute)

    Terminal

    traceroute -i wlan0 8.8.8.8
    

    Note

    We specify the interface (-I for ping, -i for traceroute) as we have more than one in use.
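
A pre-flight check for step 1 of the multi-hop setup, added here as an example (not part of the original lab): it confirms that the dhcp-range in hotspot.conf sits in the subnet the table assigns to your hop and is not the same subnet your wlan0 joined. The name check_hop and the sample address are constructed; it assumes every hop uses a /24 and follows the table's 192.168.(hop × 10).0 pattern.

```shell
#!/bin/sh
# Added example: sanity-check one hop's dnsmasq range against the lab's table.
# check_hop and the sample values below are constructed for illustration.

# $1 = hop number from the table (12 for Student 12, 14 for "My Pi")
# $2 = IPv4 address this Pi received on wlan0 from the upstream hop
# stdin = contents of /etc/dnsmasq.d/hotspot.conf
# Prints a verdict; exit status is 0 only if the range is usable for this hop.
check_hop() {
    hop=$1; upstream=$2
    range=$(sed -n 's/^dhcp-range=\([0-9.]*\),\([0-9.]*\),.*/\1 \2/p' | head -n 1)
    [ -n "$range" ] || { echo "FAIL: no dhcp-range line found"; return 1; }
    start=${range% *}; end=${range#* }
    net_start=${start%.*}; net_end=${end%.*}    # first three octets (assumes /24)
    net_up=${upstream%.*}
    want="192.168.$((hop * 10))"

    if [ "$net_start" != "$net_end" ]; then
        echo "FAIL: range spans $net_start.0/24 and $net_end.0/24"; return 1
    fi
    if [ "$net_start" = "$net_up" ]; then
        echo "FAIL: wlan1 range $net_start.0/24 is the same subnet as wlan0 ($upstream)"
        return 1
    fi
    if [ "$net_start" != "$want" ]; then
        echo "FAIL: hop $hop should serve $want.0/24, found $net_start.0/24"; return 1
    fi
    echo "ok: hop $hop serves $want.0/24, upstream is $net_up.0/24"
}

# Constructed sample: Student 12, whose wlan0 got an address from hop13.
printf 'interface=wlan1\ndhcp-range=192.168.120.50,192.168.120.150,12h\n' |
    check_hop 12 192.168.130.77
```

On the Pi, feed it the real file: check_hop 12 <your wlan0 address> < /etc/dnsmasq.d/hotspot.conf.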

Summary

Traffic from wireless clients connected to the access point is routed through the Linux kernel and translated using NAT before being sent through wlan0. This allows multiple devices on the hotspot network to share a single upstream wireless connection.

SUCCESS! We will look at Bridge Networks next!