WebThingsIO / thing-url-adapter

Proxy adapter for Web Thing API endpoints
Mozilla Public License 2.0

How to auto-detect on 'sub network' #100

Open flatsiedatsie opened 3 years ago

flatsiedatsie commented 3 years ago

I've managed to start a wifi hotspot from a Raspberry Pi Gateway while the gateway is itself connected via wifi to my home network. This was done using hostapd and dnsmasq, and without modifying any files on the gateway outside of the addon directory. The goal is to have a locked down network for smart home devices that use wifi. So the pi kind of acts like a router. It uses NAT to 'sandbox' this network. Or that's the idea at least.

I've also managed to get a webthing on this 'sub network' to successfully connect to the Gateway. But only by adding it manually.

E.g. http://192.168.12.14:8889 worked.

But I haven't been able to get the Gateway to auto-detect the webthing on this subnetwork.

I'm trying to understand why this is, and if there is something I could do to get the gateway to also 'scan' on this sub network. Any suggestions?

benfrancis commented 3 years ago

> I've managed to start a wifi hotspot from a Raspberry Pi Gateway while the gateway is itself connected via wifi to my home network.

Huh, I thought there was a hardware limitation which prevents this. I understood you had to shut down the access point in order to connect to another one. What version of the Pi is this and how did you achieve it?

I think the multicast UDP packets used by mDNS broadcasts are limited to a single subnet. It might be possible to configure Avahi to forward these packets between subnets using enable-reflector="yes" in its configuration file. See https://linux.die.net/man/5/avahi-daemon.conf

flatsiedatsie commented 3 years ago

Interesting, thanks. I'm bending over backwards to make sure it's all possible without changing anything in the linux config files (which made enabling a hotspot while being connected via wifi even more of a challenge), so I suspect I can't really make a change in the avahi config files.

I had a look at this project earlier, which perhaps does the same thing? It didn't seem to work when I tried it though. But I guess this is the right direction? https://github.com/alsmith/multicast-relay

> Huh, I thought there was a hardware limitation which prevents this.

I want to turn this into an addon, so I can share the code if you like. I have it running on a pi 4, haven't tested it on a pi 3 yet.

flatsiedatsie commented 3 years ago

Good news, I just tried it again, and it seems it does work now. I've been changing a lot of settings, so perhaps something clicked. It seems to work a little too well, since it lists the same device twice - once as an ip address and once as a hostname.

The cool thing is that it's also possible to see what servers the devices on the sub network are trying to connect to. Here you see the output from connecting to the Webthings gateway that is running on this sub network, from a macbook that is also on the subnetwork:

[screenshot: webthings_dnsmasq]

(the discourse server is a bit of a mystery?)

Not only that, but it would theoretically also be able to block some of these requests like an outgoing firewall, as well as to feed dnsmasq additional hosts files to block common surveillance/tracking services. So it could be used to make wifi-based IoT devices less privacy invasive. Ideally, I'd want to add a feature where users could allow access to some domains on a timer-basis. E.g. allow a device to reach out to the update server, but only once a month for 10 minutes.
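The per-device domain view and blocklist idea described in the comment above, as an added example that is not part of the thread or the addon's code. It assumes dnsmasq runs with `log-queries` enabled and emits `query[TYPE] name from client` lines; the log lines, the `.example` domains and the blocklist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq query logging (not taken from the thread's screenshot).
SAMPLE_LOG = """\
Mar  3 10:15:01 dnsmasq[812]: query[A] discourse.mozilla.org from 192.168.12.14
Mar  3 10:15:01 dnsmasq[812]: forwarded discourse.mozilla.org to 192.168.1.1
Mar  3 10:15:02 dnsmasq[812]: query[AAAA] update.vendor.example from 192.168.12.20
Mar  3 10:15:04 dnsmasq[812]: query[A] telemetry.tracker.example from 192.168.12.20
Mar  3 10:15:04 dnsmasq[812]: query[A] Telemetry.Tracker.example. from 192.168.12.20
Mar  3 10:15:09 dnsmasq[812]: query[A] nottracker.example from 192.168.12.14
Mar  3 10:15:10 dnsmasq[812]: reply discourse.mozilla.org is 192.0.2.10
"""

# Only "query[...]" lines name the client that asked; other line kinds are skipped.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[[^\]]+\] (?P<name>\S+) from (?P<client>\S+)$")

def normalize(name):
    """Lower-case and drop a trailing root dot so duplicates collapse."""
    return name.rstrip(".").lower()

def is_blocked(name, blocklist):
    """True if name equals a blocked domain or is a subdomain of one.

    Matching is done on whole labels, so 'nottracker.example' does not
    match a 'tracker.example' entry the way a plain endswith() would.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def summarize(log_text, blocklist):
    """Return {client_ip: {domain: 'blocked' | 'allowed'}} for every query line."""
    blocklist = {normalize(d) for d in blocklist}
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        domain = normalize(m.group("name"))
        verdict = "blocked" if is_blocked(domain, blocklist) else "allowed"
        seen[m.group("client")][domain] = verdict
    return dict(seen)

if __name__ == "__main__":
    for client, domains in sorted(summarize(SAMPLE_LOG, {"tracker.example"}).items()):
        for domain, verdict in sorted(domains.items()):
            print(f"{client:15} {verdict:8} {domain}")
```

The verdict here only reports what a blocklist would match; enforcing it would still be done in dnsmasq itself, for instance through the additional hosts files mentioned above.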

madb1lly commented 3 years ago

Hi @flatsiedatsie,

This looks great! This discourse server might be because you at one point enabled notifications from that website?

How to know which domains to block and which to allow? I suppose some Wifi devices might not work at all via WebThings if their OEM server isn't available? I'm not sure how easy it would be to make a UI in the Gateway to do this, do you think it would need to be done in a config file?

It could also be used to allow/block addresses for devices which aren't Webthings at all, e.g. I've got a Sonoff switch I still use their cloud for, and that isn't connected to my WebThings gateway.

Anyway, this looks great and I think my first use case for this sort of thing would be the kind of Wifi devices which initially need to be registered (some bulbs?) but can then be controlled via Webthings.

Cheers :slightly_smiling_face:

createcandle commented 3 years ago

@madb1lly thanks :-)

Here's a sneak preview of the current build.

[screenshot: hotspot]

As you can see, even on a different tablet I see the connection to discourse.mozilla.org.

Overall it's really quite interesting and educational to be able to see what domains devices are attempting to connect to in such a simple way. The screenshot above shows how many things an android tablet tries to connect to in the background.