DietPi’s WiFi – Part 1: Combining the WiFi HotSpot with an Ad blocker

This is a first post in a row of several ones dealing with DietPi’s WiFi functionality.
It describes the options of an Ad blocker extension like AdGuard Home resp. Pi-hole and how to combine it with your DietPi WiFi HotSpot.

The WiFi HotSpot of DietPi gives an easy to use subordinated WiFi subnet routet to a superimposed Ethernet LAN. It might be used to implement a guest network. It can also be extended with an Ad blocker to serve as an ad-free WiFi (isolated) subnet.

This blog post is one of a series regarding setup and usage of WiFi subjects:

1. DietPi’s WiFi – Part 1: Combining the WiFi HotSpot with an Ad blocker
2. DietPi’s WiFi – Part 2: WiFi-to-LAN gateway
3. DietPi’s WiFi: Extend network with Bridging – Part 3 (t.b.d.)

Table of contents

1. Introduction
   • 1.1 DietPi’s WiFi HotSpot
   • 1.2 System structures with an Ad blocker
   • 1.3 Onboard WiFi and external WiFi adapters
2. Installation and setup
   • 2.1 Base installation of hotspot and Ad blocker
   • 2.2 Integration of the Ad blocker into the hotspot
   • 2.3 Diagnosis
   • 2.4 Example AdGuard: Manage blocklists
   • 2.5 Option: Ad blocker located in superimposed network
3. Hints
   • 3.1 No use of a DHCP functionality in the Ad blocker
   • 3.2 Memory issues when handling large block lists
4. Issues with external WiFi adapters
5. References

1. Introduction

1.1 DietPi’s WiFi HotSpot

The WiFi HotSpot functionality is described in the DietPi documentation: WiFi HotSpot.

It serves as a WiFi access point with these properties:

• connect the hotspot to the LAN area (DHCP client or fixed IP address settable via dietpi-config)
• form a WiFi area with an own configurable subnet (WiFi settings via dietpi-config)
• provide a configurable DHCP server covering the WiFi area
• route the network traffic from the WiFi area to the internet
• block access from the WiFi area to the LAN area and vice versa

The dietpi-software installation has these default values for the WiFi area:

• Subnet: 192.168.42.0 .. 192.168.42.255
• Subnet mask: 255.255.255.0
• Default gateway: 192.168.42.1

As a result, the WiFi HotSpot can serve as an isolated guest access point preventing access to the home network.

1.2 System structures with an Ad blocker

The WiFi HotSpot functionality neither does contain an Ad blocker, nor uses an external Ad blocker by default. DietPi offers the software options Pi-hole and AdGuard Home, so it can be a good practice to activate such an Ad blocker for devices connected to the WiFi area.

Basically, the following architectures can be used:

1. Ad blocker integrated into the WiFi Hotspot device (serving only for the WiFi area)
2. Ad blocker running as an own device in the WiFi area (serving only for the WiFi area)
3. Ad blocker running in the LAN area (serving for the LAN area as well as for the WiFi area)

The following graphic shows this for option 1. (Ad blocker integrated into the WiFi Hotspot device):

The following graphic shows this for option 3. (Ad blocker running in the LAN area):

The following installation and setup chapter shows how to configure these architectural options.

1.3 Onboard WiFi and external WiFi adapters

Some Hardware devices running DietPi do not have onboard WiFi (e.g. Raspberry Pi 2, ODROID N2, NanoPi R5/R6, Orange Pi 5, Radxa ROCK 5), others have onboard WiFi (e.g. Raspberry Pi 4, NanoPi M4v2, Rock Pi S), which is limited in its range, so there are cases to use an add-on WiFi like e.g. a WiFi USB stick.

1.3.1 Check USB detection

The USB detection of the device can be checked by using the command lsusb. The output can be compared without and with the USB stick. Example (WiFi stick in bold):

lsusb

root@hotspot:~# lsusb
Bus 001 Device 004: ID 2001:3319 D-Link Corp. DWA-131 Wireless N Nano Adapter (Rev. E1) [Realtek RTL8192EU]
Bus 001 Device 003: ID 0424:ec00 Microchip Technology, Inc. (formerly SMSC) SMSC9512/9514 Fast Ethernet Adapter
Bus 001 Device 002: ID 0424:9514 Microchip Technology, Inc. (formerly SMSC) SMC9514 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
root@hotspot:~#

1.3.2 Check kernel device support

Not every of these external devices are supported by the Debian kernel by default. This can be checked in advance by executing the following steps. Futher troubleshooting is described in chapter 4. Issues with external WiFi adapters.

The kernel support can be checked via dietpi-config: If the WiFi adapter is found in the menu option “Network Options: Adapters” (-> WiFi: Available) and a connection to a WLAN can be established, the necessary prerequisites are proven.

2. Installation and setup

The following installation is illustrated with the Ad blocker AdGuard Home, the usage of Pi-hole is done in the same manner. An installation of Unbound, a validating, recursive, caching DNS resolver which increases the internet privacy, is optional.

2.1 Base installation of hotspot and Ad blocker

The base installation is executed with this easy command line (installation with Unbound):

dietpi-software install 60 126 182

This installs the WiFi HotSpot (60), AdGuard Home (126) and Unbound (182) within one step.

2.2 Integration of the Ad blocker into the hotspot

As a next step, the Ad blocker (AdGuard Home) needs to be configured to the WiFi HotSpot. After the base installation described in the previous chapter, the WiFi HotSpot uses the so called “Quad9” addresses to be used as the primary DNS server (IPv4: 9.9.9.9, 149.112.112.112). This is the WiFi HotSpot installation configuration within the file /etc/dhcp/dhcpd.conf (option domain-name-servers):

authoritative;
#default-lease-time 43200;
#max-lease-time 86400;

subnet 192.168.42.0 netmask 255.255.255.0 {
        range 192.168.42.10 192.168.42.250;
        option broadcast-address 192.168.42.255;
        option routers 192.168.42.1;
        option domain-name "local";
        option domain-name-servers 9.9.9.9, 149.112.112.112;
}

Remark: The configuration of the file dhcpd.conf match to the graphics given in the introduction chapter.

Now, the configuration file needs to be changed, so that it directs the name servers directive to the IP address running AdGuard Home which is the WiFi HotSpot itself (192.168.42.1):

authoritative;
#default-lease-time 43200;
#max-lease-time 86400;

subnet 192.168.42.0 netmask 255.255.255.0 {
        range 192.168.42.10 192.168.42.250;
        option broadcast-address 192.168.42.255;
        option routers 192.168.42.1;
        option domain-name "local";
        option domain-name-servers 192.168.42.1;
}

Remarks: The final ‘;’ in the line must not be omitted. The real IP address must be used, a placeholder like ‘127.0.0.1’ or ‘localhost’ will not work.

As a final step, the DHCP server is restarted via

systemctl restart isc-dhcp-server.service

2.3 Diagnosis

2.3.1 WiFi diagnosis

A basic WiFi diagnosis with some information about the WiFi hardware status can be obtained via iwconfig.

iwconfig wlan0

This e.g. shows:

root@hotspot:~# iwconfig wlan0
wlan0     IEEE 802.11  Mode:Master  Tx-Power=20 dBm
          Retry short limit:7   RTS thr=2347 B   Fragment thr:off
          Power Management:off

In addition, the IP settings can be obtained via ip.

ip a show wlan0

This e.g. shows:

root@hotspot:~# ip a show wlan0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 64:70:af:fe:08:15 brd ff:ff:ff:ff:ff:ff
    inet 192.168.42.1/24 brd 192.168.42.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::6780:dead:affe:4711/64 scope link
       valid_lft forever preferred_lft forever

2.3.2 Basic services status diagnosis

To diagnose the status of the running services of the hotspot, DHCP server, AdGuard Home and Unbound, the following command can be used:

systemctl status isc-dhcp-server hostapd adguardhome unbound

In addition, the IP address status of the WiFi HotSpot can be monitored via ip a.

2.3.3 Journal diagnosis

Diagnostic messages of the DHCP server can be retrieved from the Linux journal via

journalctl -u isc-dhcp-server

resp.

journalctl -u isc-dhcp-server -u hostapd -u ifup@wlan0

2.3.4 DHCP address diagnosis

The DHCP server signals the assigned IP addresses within the file /var/lib/dhcp/dhcpd.leases.

cat /var/lib/dhcp/dhcpd.leases

As an example, its contents might look like this:

root@hotspot:~# cat /var/lib/dhcp/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.4.3-P1

# authoring-byte-order entry is generated, DO NOT DELETE
authoring-byte-order little-endian;

lease 192.168.42.11 {
  starts 5 2023/12/24 21:34:56;
  ends 6 2023/12/25 09:34:56;
  cltt 5 2023/12/24 21:34:56;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 0c:8b:af:fe:47:11;
  uid "\001\014\213\375n\3759";
  set vendor-class-identifier = "android-dhcp-12";
  client-hostname "Mama smartphone";
}

The example shows one assigned IP address 192.168.42.11 to an Android smartphone with a DHCP lease time of twelve hours (option default-lease-time in file dhcpd.conf).

2.4 Example AdGuard: Manage blocklists

In AdGuard Home, a blocklist management is contained which offers predefined lists. The management interface is accessible via port 8083, e.g:

http://hotspot:8083/

The default login and password is given in the DietPi AdGuard Home documentation (admin/dietpi).

The configuration dialog can be called via the “Filters” -> “DNS blocklists” menu entry.

Also, DNS whitelists, services blocking, etc. can be set. See the AdGuard Home Wiki for further details.

2.5 Option: Ad blocker located in superimposed network

If there is already an Ad blocker present (e.g. in the superimposed LAN area), this can also be used for the WiFi area. This is achieved with these steps:

1. Installation of the DietPi WiFi-HotSpot
2. Configuration of the Ad blocker’s IP address in /etc/dhcp/dhcpd.conf
3. Restart of the HotSpot (alternative: System reboot)

The installation of the DietPi WiFi-Hotspot (without an Ad blocker) is done via

dietpi-software install 60

Often a system reboot is necessary and should be executed to be sure: reboot

In the next step, the IP address of the Ad blocker has to be edited within /etc/dhcp/dhcpd.conf by setting the option domain-name-servers: This is set to option domain-name-servers 9.9.9.9, 149.112.112.112; by default. Assumed is that the router in the LAN area has an IP address of 192.168.178.1 and the Ad blocker has an IP address 192.168.178.2, the contents of the file dhcpd.conf might look like:

authoritative;
#default-lease-time 43200;
#max-lease-time 86400;

subnet 192.168.42.0 netmask 255.255.255.0 {
        range 192.168.42.10 192.168.42.250;
        option broadcast-address 192.168.42.255;
        option routers 192.168.42.1;
        option domain-name "local";
        option domain-name-servers 192.168.178.2;
}

Remarks: The final ‘;’ in the line must not be omitted. The real IP address must be used, a hostname like ‘pihole.fritz.box’ will not work.

3. Hints

3.1 No use of a DHCP functionality in the Ad blocker

It is important, that DHCP functionality which is optional within Ad blockers like Pi-hole or AdGuard Home must be disabled, otherwise this conflicts with the DCHP server installed by the WiFi HotSpot package (isc-dhcp-server).

3.2 Memory issues when handling large block lists

It shall be noted, that in case of large block lists, much RAM is needed on the system running the Ad blocker. This should be monitored, e.g. via htop to avoid poor memory.

The slogan “A lot helps a lot” might not be a perfect idea for blocklists in all cases.

4. Issues with external WiFi adapters

The following USB WiFi adapters were tested on a RPi 4, DietPi v8.24 and Debian Bookworm getting the following results:

BrosTrend AC1200: Driver installation was necessary. See https://github.com/morrownr/88x2bu-20210702 resp. https://docs.alfa.com.tw/Support/Linux/RTL8812BU for details.

5. References

• DietPi WiFi HotSpot
• Ad blocker Pi-hole
• Ad blocker AdGuard Home
• Recursive, caching DNS resolver Unbound