
Accessing internet through comitup

Open wspi opened this issue 11 months ago • 7 comments

I usually use comitup on my Raspberry Pi 3 connected via Ethernet cable. Doing so, I was wondering: is there a way for comitup to detect that the wired connection is on, and turn the wifi on so users could connect to this wifi and have access to the internet?

I've connected to the hotspot SSID but it won't have access to the internet

not sure if #168 would allow this

wspi avatar Jan 31 '25 18:01 wspi

#168 is different. It suggests that Comitup should drop the hotspot if there is a wired connection.

You need two things to be able to do this - ip_forwarding needs to be enabled, and masquerading needs to be set for the wired port. Comitup does both of these things. See the rules with nft when all interfaces are up.

I replaced iptables with nft last year. I may have messed the masquerading up. Let me know if you see a problem with the rules.

davesteele avatar Jan 31 '25 18:01 davesteele

I'm not familiar with nft, but I'll take a look and let you know

wspi avatar Jan 31 '25 18:01 wspi

one thing that I've noticed is that ip_forwarding is not enabled,

```
# cat /proc/sys/net/ipv4/ip_forward
0
```

and if I'm looking at the right place, there are no nft rules

```
# nft list ruleset
table ip filter {
	chain COMITUP-OUT {
		type filter hook output priority 100; policy accept;
		icmp type destination-unreachable counter packets 277 bytes 153104 drop
		icmp code port-unreachable counter packets 0 bytes 0 drop
		counter packets 10799 bytes 707213 return
	}
}
```

also looking at the comitup-cli info

```
Host comitup-147.local on comitup version 1.43
'single' mode
HOTSPOT state
```

so I guess the single mode is not what it should be?

wspi avatar Jan 31 '25 19:01 wspi

Marking as a bug.

davesteele avatar Jan 31 '25 20:01 davesteele

> Marking as a bug.

thanks, if you need help, just let me know

wspi avatar Feb 03 '25 15:02 wspi

I finally had some time and learned enough nft to be able to create masquerading rules

I enabled the port forwarding, then created a nat table for masquerading

```
sudo nft add table ip nat
sudo nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
sudo nft add rule ip nat postrouting oifname "eth0" ip saddr 10.41.0.0/24 masquerade
```

I had to change the DNS server on my mobile also, otherwise it would always go to the captive portal... It's just not fast, around 20mb/s, but it might be related to hardware (Raspberry Pi 5)

Briefly looking at the code, it needs to enter MULTI_MODE to activate the ip forwarding and masquerade, but it will only enter MULTI_MODE if there is more than one wifi module (https://github.com/davesteele/comitup/blob/main/comitup/modemgr.py#L40). In my case there is one wifi and one ethernet, so that's the reason. Maybe it's a simple fix, I'll take a look later

wspi avatar May 15 '25 00:05 wspi
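
An added example (not from the thread or from comitup's code): a POSIX shell check for the two prerequisites named above, IP forwarding and a masquerade rule on the wired port, run against ruleset text so it can be tested offline. The function names, the abbreviated `BEFORE` listing and the constructed `AFTER` listing are assumptions for illustration; it only matches rules written with `oifname`.

```shell
#!/bin/sh
# Added example: check the two hotspot-sharing prerequisites from this thread.

# has_masquerade RULESET WAN_IF
# Returns 0 if a chain hooked at nat postrouting masquerades traffic leaving WAN_IF.
has_masquerade() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        $1 == "chain"               { in_nat = 0 }   # new chain: reset state
        /type nat hook postrouting/ { in_nat = 1 }   # chain is a NAT postrouting hook
        in_nat && /masquerade/ && index($0, "oifname \"" wan "\"") { found = 1 }
        END { exit !found }'
}

# check_sharing FORWARD_VALUE RULESET WAN_IF
# Prints one finding per line; returns 0 only if both prerequisites hold.
check_sharing() {
    fwd=$1 ruleset=$2 wan=$3 rc=0
    if [ "$fwd" = "1" ]; then
        echo "ok: ip_forward=1"
    else
        echo "missing: ip_forward=$fwd (kernel will not route hotspot traffic)"
        rc=1
    fi
    if has_masquerade "$ruleset" "$wan"; then
        echo "ok: masquerade on $wan"
    else
        echo "missing: no masquerade rule for $wan in a nat postrouting chain"
        rc=1
    fi
    return $rc
}

# Ruleset as posted in the thread, abbreviated (filter table only).
BEFORE='table ip filter {
	chain COMITUP-OUT {
		type filter hook output priority 100; policy accept;
		counter packets 10799 bytes 707213 return
	}
}'
# Constructed: the same listing with the nat table from the three nft commands.
AFTER="$BEFORE
table ip nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oifname \"eth0\" ip saddr 10.41.0.0/24 masquerade
	}
}"

check_sharing 0 "$BEFORE" eth0 || true   # state reported in the thread
check_sharing 1 "$AFTER" eth0            # state after the manual fix
```

On a live system the same function can be fed `"$(cat /proc/sys/net/ipv4/ip_forward)"` and `"$(nft list ruleset)"` (the latter needs root).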

Changing to enhancement.

davesteele avatar May 15 '25 04:05 davesteele