Part two with configs for Raspberry Pi 3 Access point.

Part 1 of the two part post I covered the basics for getting a Raspberry Pi 3 Access Point up and running. As promised the required packages, network config, and hostapd config below with some additional tips and tricks.

*** Note: The below config DOES NOT require modifying the internal firewall/iptables NAT setup.

After installing Raspbian on the SD card and booting up your Pi with Ethernet configured, make sure you do a full update that might take 20 minutes or so. I loaded the non-GUI Raspbian as I have no need for it since this will be a completely autonomous access point powered over Ethernet. Don’t forget to do an initial setup with the Raspbian handy utility.

sudo raspi-config
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install wireless-tools hostapd bridge-utils

Some handy additional installs for managing processes (htop), USB devices (lsusb), and WiFi devices (iw). You can concatenate these to the above command and do them in one go if you would like.

sudo apt-get install htop lsusb iw

For the record, and the YMMV disclaimer, the version of kernel I am running is (This is important when talking about drivers that may, or may not be, included in your kernel for USB WiFi dongles and such):

pi@piap:~ $ uname -a
Linux piap 4.4.21-v7+ #911 SMP Thu Sep 15 14:22:38 BST 2016 armv7l GNU/Linux

Do yourself a favor and if you ARE NOT using the Raspberry Pi 3 internal WiFi for this go ahead and blacklist the internal WiFi and Bluetooth kernel drivers as this will give you better overall WiFi strength from your USB WiFi as the signals will not be competing so much with each other.

sudo nano /etc/modprobe.d/raspi-blacklist.conf

Edit the file to (You will need to remove these entries, and reboot, to use the on-board WiFi and Bluetooth again):

blacklist brcmfmac
blacklist brcmutil

blacklist btbcm
blacklist hci_uart

Reboot so you will no longer load on-board WiFi and Bluetooth:

sudo reboot

Now connect your WiFi USB device and if you now run a quick lsusb command you will see your USB WiFi chipset. Mine is the Ralink RT5370 below. This comes in handy for troubleshooting the exact config required for hostapd if you run into trouble, especially with the correct driver for hostapd if it doesn’t automatically pick it up.

pi@piap:~ $ lsusb
Bus 001 Device 004: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. SMSC9512/9514 Fast Ethernet Adapter
Bus 001 Device 002: ID 0424:9514 Standard Microsystems Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

For example you MAY need to load a similar package for your particular chipset (Ralink reported already up to date in Raspbian):

sudo apt-get install firmware-ralink

Make sure your device can become a access point. You are looking for the “AP” entry:

pi@piap:~ $ iw list | grep "Supported interface modes" -A 8
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * AP/VLAN
                 * WDS
                 * monitor
                 * mesh point
        Band 1:

Next we will build a hostapd config file. Hostapd is the daemon responsible for broadcasting and running the access point. With bridge-utils installed, it can also associate a physical NIC to the access point; exactly what we want to do:

sudo nano /etc/hostapd/hostapd.conf

Edit the file to (Replace <<>> with your entries and removing the << and >>):

interface=wlan0   #Should be set to your physical NIC interface
bridge=br0        #Should be set to your bridge interface
#driver=rt2800usb #May be required for correct hostapd operation
#ieee80211d=1     #Optional broadcast Country Code
ieee80211n=1      #Do you want/can you use 802.11n?
hw_mode=g         #g for 2.4 GHz
channel=9         #Pick a channel not in use too much in your area 
wmm_enabled=1     #Usually required for correct 802.11n operation
ssid=<<Your SSID for your Access Point>>
wpa_passphrase=<<Your WPA2 Passphrase>>

And make it executable:

sudo chmod 600 /etc/hostapd/hostapd.conf

Now make sure to point the daemon to the correct config file:

sudo nano /etc/default/hostapd

Find the line:


And edit it so it says:


Don’t forget to remove the # in front to activate it!

Likewise, run:

sudo nano /etc/init.d/hostapd

And find the line:


And change it to:


Now lets edit our network configuration. There are two ways to do this…

The first way: If you would like to be able to plug the Ethernet cable from any network, that has a DHCP server running on it, and have your Pi get a random DHCP IP address and extend that network for you on WiFi with a specific SSID that you can then connect devices up to. This comes in handy if you are say at a hotel and the provided WiFi has a ton of people on it, the speed sucks because the AP’s are overloaded, and you would rather not have to share bandwidth on the WiFi network’s APs with everyone else in the hotel that is trying to stream Netflix. You can simply plug YOUR AP into an Ethernet drop provided in your room and only allow YOUR devices to associate with it on a specific SSID, password, and channel far from the channel the hotel’s AP’s are using for maximum speed. The downside here is that you have no idea what IP address the Pi now has and if you need to make any changes you will have to unplug it and reconnect with your laptop. Not a huge inconvenience given when we are done here you should be able to plug it in (selecting DHCP when editing the below file) and power up the Pi, and about 20 seconds later see the Pi’s AP pop up in your available WiFi list on your device.

The second way: If you want to say use the Pi for a AP in your home and you already have a range of IP addresses on your home network set aside for things like this, and you would like a static IP address assigned to it so that you can remotely manage it. The downside here is that if you are wanting to use the first use case above and you have a static IP set in the network configuration, you may be able to connect to your device over WiFi but you will have no route to the Internet. You will need to go back in and reset the Pi to DHCP or a static IP on the target network and just hope it isn’t already in use (unless of course you know the network you are connecting to because you are a network admin on it or something similar).

sudo nano /etc/network/interfaces

*** Note: Don’t try to get OCD here and change the order of the lines. For example the “auto lo br0” MUST come first. This tells the system to bring “online” the bridge interface and this is a requirement for hostapd to bind to this interface with the “bridge=br0” config parameter we dictated above. It also creates a loopback on the bridge and there will be an internal route created inside the Pi to allow traffic to move from the wifi AP in/out of the eth0 NIC. If you run a ifconfig during normal AP operation you will see some odd addresses on the eth0 and wlan0 interfaces usually at This is OK as your bridge interface has the IP that is identifying your Pi to the outside world.

Edit it to one of the options below and comment out the other’s config lines with a #:

# interfaces(5) file used by ifup(8) and ifdown(8)

# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo br0
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet manual

allow-hotplug wlan0
iface wlan0 inet manual
    post-up iw dev $IFACE set power_save off   #Save yourself some trouble and disable USB sleep after interface has come up 

#Option 1 uncomment below two lines by removing the hash and comment out all of option 2 lines
#iface br0 inet dhcp
        #bridge_ports eth0 wlan0

#Option 2 uncomment all lines below by removing the hash and comment out all of option 1 lines
#I use this as my default as my access point is being used in a permanent location
iface br0 inet static
        bridge_ports eth0 wlan0
        address        #Pick an IP address for your AP

Last but not least, set hostapd to start on boot:

sudo update-rc.d hostapd enable

Now reboot your Pi and you should have yourself a brand new access point!

To check the status, start, stop, or restart the hostapd service (You can now use the new systemd based commands too: “sudo systemctl status hostapd.service”):

pi@piap:~ $ sudo service hostapd status
● hostapd.service - LSB: Advanced IEEE 802.11 management daemon
   Loaded: loaded (/etc/init.d/hostapd)
   Active: active (running) since Wed 2016-10-12 16:04:11 EDT; 2h 1min ago
  Process: 770 ExecStart=/etc/init.d/hostapd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/hostapd.service
           └─799 /usr/sbin/hostapd -B -P /run/ /etc/hostapd/hostapd.conf

If you have devices connected to your AP, you should see the following below the status output:

Oct 12 17:57:59 piap hostapd[799]: wlan0: STA fc:db:b3:23:c5:8f IEEE 802.11: authenticated
Oct 12 17:57:59 piap hostapd[799]: wlan0: STA fc:db:b3:23:c5:8f IEEE 802.11: associated (aid 6)
Oct 12 17:57:59 piap hostapd[799]: wlan0: STA fc:db:b3:23:c5:8f RADIUS: starting accounting session 57FE973B-00000009
Oct 12 17:57:59 piap hostapd[799]: wlan0: STA fc:db:b3:23:c5:8f WPA: pairwise key handshake completed (RSN)
Oct 12 18:04:19 piap hostapd[799]: wlan0: STA a4:77:33:72:ac:26 WPA: group key handshake completed (RSN)
Oct 12 18:04:19 piap hostapd[799]: wlan0: STA 6c:ad:f8:5a:bd:da WPA: group key handshake completed (RSN)
Oct 12 18:04:19 piap hostapd[799]: wlan0: STA 74:75:48:27:8d:8b WPA: group key handshake completed (RSN)
Oct 12 18:04:19 piap hostapd[799]: wlan0: STA 00:04:4b:57:e5:3d WPA: group key handshake completed (RSN)
Oct 12 18:04:19 piap hostapd[799]: wlan0: STA 9c:b6:d0:10:21:61 WPA: group key handshake completed (RSN)
Oct 12 18:04:21 piap hostapd[799]: wlan0: STA fc:db:b3:23:c5:8f WPA: group key handshake completed (RSN)

Helpful troubleshooting/tailing commands:

sudo journalctl -u hostapd.service -f
sudo journalctl | grep hostapd

You MAY be able to adjust the transmission power of your USB WiFi device. Be careful though as there is only so much power you can draw over USB, especially if using PoE. Also the above hostapd config sets the Country Code which will limit your transmit power, and additionally if you have set the region within your OS/kernel the kernel will also, as a second measure of protection, also limit your transmit power. Lastly, be careful you don’t melt your dongle or permanently damage it!

Commands for reference (Don’t run the comment “#” part):

iw reg get #Get your country code
iw reg set #This is what hostapd is doing already
sudo iwconfig wlan0 txpower 30 #TX power of 30dBm is = 1000mW max for US

See these useful links:

Max WiFi TX power settings and their regions/countries and codes

Editing the Kernel’s database and removing country limits

A good forum read if you are having trouble setting TX Power

Another one if you are having trouble setting TX Power