Este contenido no está disponible en el idioma seleccionado.
Chapter 11. Configuring RHEL as a WPA2 or WPA3 Personal access point
On a host with a wifi device, you can use NetworkManager to configure this host as an access point. Wi-Fi Protected Access 2 (WPA2) and Wi-Fi Protected Access 3 (WPA3) Personal provide secure authentication methods, and wireless clients can use a pre-shared key (PSK) to connect to the access point and use services on the RHEL host and in the network.
When you configure an access point, NetworkManager automatically:
-
Configures the
dnsmasq
service to provide DHCP and DNS services for clients - Enables IP forwarding
-
Adds
nftables
firewall rules to masquerade traffic from the wifi device and configures IP forwarding
Prerequisites
- The wifi device supports running in access point mode.
- The wifi device is not in use.
- The host has internet access.
Procedure
List the wifi devices to identify the one that should provide the access point:
# nmcli device status | grep wifi wlp0s20f3 wifi disconnected --
Verify that the device supports the access point mode:
# nmcli -f WIFI-PROPERTIES.AP device show wlp0s20f3 WIFI-PROPERTIES.AP: yes
To use a wifi device as an access point, the device must support this feature.
Install the
dnsmasq
andNetworkManager-wifi
packages:# yum install dnsmasq NetworkManager-wifi
NetworkManager uses the
dnsmasq
service to provide DHCP and DNS services to clients of the access point.Create the initial access point configuration:
# nmcli device wifi hotspot ifname wlp0s20f3 con-name Example-Hotspot ssid Example-Hotspot password "password"
This command creates a connection profile for an access point on the
wlp0s20f3
device that provides WPA2 and WPA3 Personal authentication. The name of the wireless network, the Service Set Identifier (SSID), isExample-Hotspot
and uses the pre-shared keypassword
.Optional: Configure the access point to support only WPA3:
# nmcli connection modify Example-Hotspot 802-11-wireless-security.key-mgmt sae
By default, NetworkManager uses the IP address
10.42.0.1
for the wifi device and assigns IP addresses from the remaining10.42.0.0/24
subnet to clients. To configure a different subnet and IP address, enter:# nmcli connection modify Example-Hotspot ipv4.addresses 192.0.2.254/24
The IP address you set, in this case
192.0.2.254
, is the one that NetworkManager assigns to the wifi device. Clients will use this IP address as default gateway and DNS server.Activate the connection profile:
# nmcli connection up Example-Hotspot
Verification
On the server:
Verify that NetworkManager started the
dnsmasq
service and that the service listens on port 67 (DHCP) and 53 (DNS):# ss -tulpn | egrep ":53|:67" udp UNCONN 0 0 10.42.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=55905,fd=6)) udp UNCONN 0 0 0.0.0.0:67 0.0.0.0:* users:(("dnsmasq",pid=55905,fd=4)) tcp LISTEN 0 32 10.42.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=55905,fd=7))
Display the
nftables
rule set to ensure that NetworkManager enabled forwarding and masquerading for traffic from the10.42.0.0/24
subnet:# nft list ruleset table ip nm-shared-wlp0s20f3 { chain nat_postrouting { type nat hook postrouting priority srcnat; policy accept; ip saddr 10.42.0.0/24 ip daddr != 10.42.0.0/24 masquerade } chain filter_forward { type filter hook forward priority filter; policy accept; ip daddr 10.42.0.0/24 oifname "wlp0s20f3" ct state { established, related } accept ip saddr 10.42.0.0/24 iifname "wlp0s20f3" accept iifname "wlp0s20f3" oifname "wlp0s20f3" accept iifname "wlp0s20f3" reject oifname "wlp0s20f3" reject } }
On a client with a wifi adapter:
Display the list of available networks:
# nmcli device wifi IN-USE BSSID SSID MODE CHAN RATE SIGNAL BARS SECURITY 00:53:00:88:29:04 Example-Hotspot Infra 11 130 Mbit/s 62 ▂▄▆_ WPA3 ...
-
Connect to the
Example-Hotspot
wireless network. See Managing Wi-Fi connections. Ping a host on the remote network or the internet to verify that the connection works:
# ping -c 3 www.redhat.com
Additional resources
-
nm-settings(5)
man page on your system