If your Internet-in-a-Box (IIAB) device contains Wi-Fi hardware capable of AP mode (Access Point mode, e.g. to broadcast to many students) it’s likely already working as a Learning Hotspot for your community (i.e. if you installed IIAB software) and you should be all set! CONTEXT: This layout is by far the most popular — especially with Raspberry Pi’s and laptops — and also for example with Intel NUC Mini PC’s containing Wi-Fi hardware capable of supporting 12 WiFi client [student] devices. Optionally a few common customizations are possible, in which case you may want to get to know the sudo iiab-hotspot-off and sudo iiab-hotspot-on commands.
If however your IIAB device does not contain Wi-Fi hardware capable of AP mode, please read about the three network modes below. You’ll want to get to know the sudo iiab-network command (to finalize your networking configuration) as well learning about common customizations in general.
ADVANCED: You might also want to attach an external Wi-Fi Access Point or Wi-Fi router to your IIAB, e.g. to expand the number of Wi-Fi client [student] devices. CAVEAT: Field/Operations communities generally dislike such spaghetti wiring/power/installation/configuration/maintenance complexities as compared to KISS (e.g. underpaid teachers especially, who strongly prefer All-in-One self-contained Internet-in-a-Box devices, that are battle-tested!)
IIAB supports three possible network modes:
IIAB’s installer (or the sudo iiab-network command) first seeks out the WAN interface, defaulting to Appliance mode. It then tries to find other network interfaces for use with the LAN, and if found defaults to Gateway mode.
Finally, you need to make some adjustments to be able to use LAN Controller mode, so that all available network interfaces live under the LAN a.k.a. bridge (August 2022 tips at #3330, for Ubuntu especially).
IIAB’s WAN side IP address is normally assigned by whatever DHCP device manages your network (though it’s possible to set a fixed IP address).
IIAB’s LAN (regardless whether in Gateway or LAN Controller mode) is a bridge containing one or more network interfaces, and always has the IP address 10.10.10.10. Remember, as some are confused by this, that 10.10.10.10 (AKA box.lan, or simply box) is not visible on the WAN side — but only on the LAN side — and is used by all of the bridge’s interfaces, whether wireless or wired.
Many Raspberry Pi’s support up to 32 simultaneous Wi-Fi client [student] devices (IIAB provides you WiFi firmware alternatives; if you change this, please then run cd /opt/iiab/iiab then sudo ./runrole firmware). Mini PC’s however (e.g. Intel NUC) can often handle no more than 12 Wi-Fi client [student] devices.
As such, attaching an external Wi-Fi Access Point or Router is one way to expand the number of Wi-Fi client [student] devices — e.g. in a community library where a large number of laptops, tablets and smartphones are all in use.
In Most Cases: It’s best to disable the DHCP service within your Wi-Fi Access Point or Wi-Fi Router, instead allowing IIAB’s own DHCP service (dnsmasq) to assign 10.x.x.x IP addresses to each Wi-Fi client [student] device. Do this within your Wi-Fi device’s own control panel (read the manufacturer’s instructions if necessary!)
In Other Cases: Some choose to leave the Wi-Fi device’s DHCP service enabled. If so, just be careful to think through carefully whether (1) your IIAB will assign a DHCP IP address to your Wi-Fi device (recommended!) or (2) the other way around, i.e. your Wi-Fi device will assign a DHCP IP address to your IIAB (not recommended or supported!)
FINALLY: Before running sudo iiab-network to finalize your network configuration, you need to connect your Wi-Fi Access Point(s) and/or Wi-Fi Router(s) to your IIAB, per the final “in-field” layout, and ensure they’re all turned on! EXAMPLE: If you’re going to use a wired Ethernet on the LAN side (i.e. as a “slave” interface within bridge br0, for wired and/or wireless client [student] devices) connect all cables and turn everything on, before running sudo iiab-network. ADDITIONAL WARNING: if your wired Ethernet LAN is not connected during boot, you may experience a 2-minute delay similar to PR #1634.
Many of the port numbers below can be changed when installing IIAB. If you need to do this, look over the default ports in default_vars.yml, and then override those that are necessary within /etc/iiab/local_vars.yml
| Protocol | Port | Service |
|---|---|---|
| TCP | 22 | sshd |
| TCP | 80 | nginx (was apache2) |
| TCP | 83, 5060, 5160, 5161, 10000-20000 | pbx (Asterisk & FreePBX) |
| UDP | 137, 138 | samba |
| TCP | 139, 445 | samba |
| TCP | 631 | cups (printing) |
| TCP | 873 | xinetd (xs-rsync, for legacy XOs) [DEPRECATED] |
| UDP | 1194 | openvpn outgoing and not in iptables |
| TCP | 1705 | openvpn outgoing handle announcements |
| TCP | 1880 | nodered |
| TCP | 1883 | mosquitto |
| TCP | 3000 | kiwix-serve |
| TCP | 3128, 3129 | squid |
| TCP | 3130 | squid / dansguardian [DEPRECATED] |
| TCP | 4244 | internetarchive |
| TCP | 4369, 5222, 5223, 5280, 47893 | ejabberd OR ejabberd-xs [DEPRECATED] |
| UDP | 5353 | avahi, mDNS, bonjour |
| UDP | 5959-5970 | remoteit (outbound traffic) |
| TCP | 8000 | jupyterhub |
| TCP | 8006 | kalite-serve-fr |
| TCP | 8007 | kalite-serve-es |
| TCP | 8008 | kalite-serve (English & others) |
| TCP | 8009 | kolibri |
| TCP | 8010 | calibre-serve (if avoiding idmgr/8080) |
| TCP | 8080 | calibre-serve OR idmgr (for legacy XOs) |
| TCP | 1935, 8081 | cham video streaming server (nginx,rtmp) [PROPOSED] |
| TCP | 8083 | calibre-web |
| TCP | 8089 | sugarizer |
| TCP | 8090 | apache2 (NGINX proxying to legacy svcs) [DEPRECATED] |
| TCP | 9090 | captiveportal |
| TCP | 9091, 51413 | transmission (BitTorrent downloader) |
| TCP | 10000-10499, 12080 (main), 12443 | azuracast |
| TCP | 27017 (formerly 27018) | mongodb (if used by Sugarizer) |
| UDP | 30000 | minetest (Minecraft, but open source!) |
On the LAN side, all ports except for databases ports are generally open.
On the WAN side, “campus access” to 10+ common IIAB services like Kiwix (3000), KA Lite (8008) and Calibre (8010 or 8080) is enabled by default. Override this default by uncommenting just one of the following lines in /etc/iiab/local_vars.yml:
#ports_externally_visible: 0 # none
#ports_externally_visible: 1 # ssh only
#ports_externally_visible: 2 # ssh + http-or-https (for Admin Console's box.lan/admin too)
ports_externally_visible: 3 # ssh + http-or-https + common IIAB services <-- DEFAULT
#ports_externally_visible: 4 # ssh + http-or-https + common IIAB services + Samba
#ports_externally_visible: 5 # all but databasesIf your IIAB is already installed, run sudo iiab-network to put this firewall change into effect.
If necessary, you can further customize your iptables firewall by modifying /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables (part of Ansible’s network role, this is the template for the /usr/bin/iiab-gen-iptables command). As above, you’d then need to run sudo iiab-network to put your firewall changes into effect.
To see your current firewall rules, look at file /etc/iptables/rules.v4 and use commands like iptables -L -n — also running iptables -L -v -t nat and lsmod can be useful, e.g. if verifying that ‘MASQUERADING’ is on (for IIAB’s gateway behavior, summarized below).
And if you really want to get rid of all iptables firewall rules, you can run these 3 commands.
April 2021 FYI: With iptables v1.8.5+ (nftables) evolving, PR #2728 introduced several improvements. For example, two commands now allow you to quickly enable or disable Internet for student/client devices: (IIAB’s gateway behavior)
WARNING: The change will persist (as part of iptables’ firewall rule set) through IIAB reboots until (1) the opposite command is run, or until (2) an Ansible command like sudo iiab-network is run, using the iiab-gateway-enabled variable’s value.
RECAP: If you want this changed more permanently (so Ansible doesn’t wipe out your setting) change variable iiab-gateway-enabled in /etc/iiab/local_vars.yml and then run: sudo iiab-network
DNS (name resolution) for LAN side clients is provided by dnsmasq.
However some Linux distributions do not function well with dnsmasq’s default service (several of these ship with systemd unit files that have a timing problem). As a result, IIAB instead uses its own iiab-dnsmasq service — to start dnsmasq at the correct time during boot. And IIAB disables the OS’s stock dnsmasq unit file across all distros, to be safe.
Finally, after your IIAB install is complete, you can monitor dnsmasq as follows:
systemctl status dnsmasqIN APPLIANCE MODE:
(1a) dnsmasq provides a caching name server, just for the IIAB box itself (on Raspberry Pi OS only).
(1b) Ubuntu 18.04+ systemd-resolved runs on 127.0.0.53 providing DNS lookups (as seen in /etc/resolv.conf).
OUTSIDE OF APPLIANCE MODE:
(2a) dnsmasq provides both DHCP and DNS server functionality for the LAN side clients. On Raspberry Pi OS, dnsmasq provides DNS lookups for the box itself.
(2b) Ubuntu 18.04+ systemd-resolved runs on 127.0.0.53 providing DNS lookups (as seen in /etc/resolv.conf). But all LAN side clients use dnsmasq.
wpa_supplicant is started by the dhcpcd service (b) your building’s Wi-Fi SSID and password can be put into /etc/wpa_supplicant/wpa_supplicant.conf by running the sudo raspi-config command.host_country_code: XX in /etc/iiab/local_vars.ymlsudo iiab-networkFYI as a bonus this also generates a new unique BSSID/MAC address for your internal Wi-Fi’s ap0 interface (i.e. when wifi_up_down: True is set, to attempt AP+STA mode, as briefly explained around Line 92 of /etc/iiab/local_vars.yml).
sudo iiab-hotspot-offsudo raspi-config on Raspberry Pi OS, to enter the building’s 2.4 GHz SSID and its password (do not use 5.0 GHz!) Or do the same thing using IIAB’s Admin Console (box.lan/admin) > Control > Wifi Control. Or if you must, use the graphical widget in the top-right of your Linux OS’s desktop.sudo iiab-hotspot-on then Reboot, to verify that “student” Wi-Fi devices can once again connect to your IIAB! Note: “student” Wi-Fi devices (i.e. your IIAB’s Wi-Fi client devices) are blocked from accessing the Internet by default.If you want to hard-code a Fixed IP Address on the WAN side of your IIAB, see “How do I set a static IP address?” at FAQ.IIAB.IO
If your Internet-in-a-Box (IIAB) contains multiple Wi-Fi interfaces, put the following into /etc/iiab/local_vars.yml to ask IIAB not to create a LAN side access point on the (for example) wlan0 interface:
reserved_device: wlan0
This is used to exclude the listed device during network detection, and for calculation of br0’s (i.e. LAN side) member/slave devices. See also: #2610, PR #2682, PR #3334.
Context: IIAB code defaults to the highest numbered when setting up a Wi-Fi hotspot, e.g. IIAB would normally use wlan1 anyway, if it found both {wlan0, wlan1}. So in this case reserved_wifi: wlan0 just avoids ambiguity, explicitly confirming that wlan0 should remain unused by IIAB.
You’d typically do this to force wlan0 onto the WAN side (e.g. for possible Internet access, or other purposes) of your IIAB. Guaranteeing that your wlan1 becomes the “learning hotspot” Wi-Fi access point on the LAN side — i.e. under the bridge (br0) — as shown by running brctl show (or try bridge -d link). Background at: #531
ports_externally_visible: 3 (read above to modify your firewall settings for different kinds of campuses/SOHO/families)iiab_gateway_enabled: False (blocks LAN side users from reaching the Internet, while permitting them access to IIAB/local content)To (re)configure networking after IIAB is installed, run:
sudo iiab-networkOr if necessary:
cd /opt/iiab/iiab
sudo ./runrole --reinstall networkPlease also read “Any other networking tips?” within FAQ.IIAB.IO