How to create an Access Point (not hotspot) with NetworkManager?

I want to create a Wi-Fi access point from the existing Ethernet connection. And also I still need to be able to use the Ethernet.
Not hotspot as in clients will get DHCP from the upstream router not the AP, i.e. no NAT, just like a regular / dumb AP.
From searching online, it seems I need to create a bridge and 2 ports[1]:
$ nmcli con add type bridge con-name Bridge ifname br0
$ nmcli con add type ethernet con-name br-port-eth ifname ens3 controller Bridge
# Create Wi-Fi
But questions:
If I want to still be able to use the Ethernet, should I create a new Ethernet connection (profile) like above, instead of using the existing one? I noticed that a bridge profile is kinda different from the default Ethernet profile.
Only 1 connection / profile can be active on an interface / device at the same time. But, create a new profile, in case you want to switch to the old one at some time. The Ethernet will be usable under the bridge configuration, no prob.
I used the nmcli dev wifi hotspot..., seems to be a convenient function with sane defaults, it’s slightly more than what the manual command creates (802-11-wireless-security.group ccmp, 802-11-wireless-security.proto rsn).
The above may be able to automatically create WPA3 (different settings) if the hardware is capable? Not sure since I can’t test it. RPi and other SoC don’t support WPA3 upstream[1][2].
$ nmcli con add type bridge con-name Bridge ifname br0 autoconnect-ports 1
$ nmcli con add type ethernet con-name br-port-eth ifname enabcm6e4ei0 controller Bridge autoconnect no
$ nmcli dev wifi hotspot ifname wlan0 con-name br-port-wap ssid birb
$ nmcli conn modify br-port-wap controller Bridge port-type bridge
$ nmcli dev wifi show-password
The regular ipv4 / ipv6 config on the Ethernet should go to bridge instead, since it’s the controller.
P.S. Using connection name instead of UUID or interface name is undefined in documentation. And connection.controller Bridge results in broken config (not expanded to UUID, just says “Bridge”), whereas controller Bridge will be correct.
Despite that the default Ethernet connection has priority -999 (lowest), it’s still auto connected over the bridge (which requires Ethernet) with priority 0.
If there is a better way, lmk. I would prefer that the Ethernet connection auto connects if the bridge fails.
Consider removing the default Ethernet connection since its fault tolerance is on the same level as the wired port of the bridge connection, and the bridge can work even if its wireless port is disabled.
It just works for me with those 3 connections linked above and I have not changed any properties related to autoconnect.
Despite autoconnect and autoconnect-ports in the Bridge, the ports are not autoconnected (And that’s why the default -999 connection was auto connected). The documentation says they are “unrelated”… So I guess ports need autoconnect as well.
Changing the hotspot to a port clears the psk (password) in the on-disk config file, so it fails complaining about no password. Not sure if this is intended or a bug. A workaround is specifying the password when modifying.
$ nmcli con add type bridge con-name Bridge ifname br0 connection.autoconnect-ports 1
$ nmcli con add type ethernet con-name br-port-eth ifname enabcm6e4ei0 controller Bridge
$ nmcli dev wifi hotspot ifname wlan0 con-name br-port-wap ssid birb
$ nmcli dev wifi show-password
$ nmcli conn modify br-port-wap controller Bridge port-type bridge wifi-sec.psk <password> autoconnect yes
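The thread reports three ways the converted hotspot profile can end up broken on disk: a controller left as the literal connection name, a port that does not autoconnect, and a psk that was cleared. The following check for those three conditions is an added example, not part of any post in the thread. The keyfile contents, UUID and the helper names `load` and `check_port` are constructed for illustration, and it assumes the profiles are stored in NetworkManager's keyfile format.

```python
import configparser

# Constructed sample keyfiles (not from the thread); the UUID is made up.
BRIDGE = """[connection]
id=Bridge
uuid=11111111-2222-4333-8444-555555555555
type=bridge
interface-name=br0
"""
# Hotspot profile after a bad conversion to a bridge port.
WAP_BROKEN = """[connection]
id=br-port-wap
type=wifi
interface-name=wlan0
autoconnect=false
controller=Bridge
port-type=bridge

[wifi]
mode=ap
ssid=birb

[wifi-security]
key-mgmt=wpa-psk
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp

def check_port(port_text, bridge_text):
    """Return the list of problems found in one bridge-port keyfile."""
    port, bridge = load(port_text), load(bridge_text)
    conn, br = port["connection"], bridge["connection"]
    problems = []
    # Older keyfiles use master= instead of controller=; accept either.
    ctrl = conn.get("controller") or conn.get("master")
    # The controller must be the bridge's UUID or interface name, not its id.
    if not ctrl or ctrl not in (br.get("uuid"), br.get("interface-name")):
        problems.append("controller")
    # autoconnect is omitted from the file when it has its default (true).
    if conn.get("autoconnect", "true") == "false":
        problems.append("autoconnect")
    sec = port["wifi-security"] if port.has_section("wifi-security") else {}
    if sec.get("key-mgmt") in ("wpa-psk", "sae") and not sec.get("psk"):
        problems.append("psk")
    return problems
```

On a real system the keyfiles normally live under /etc/NetworkManager/system-connections/ and are readable only by root.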