Introducing Telegram Bot for the WLAN Pi

Up until now, you could only use the WLAN Pi display to see its IP address and other IP details. If you are on the same subnet you could do ping wlanpi.local. Alternatively, your DHCP server log or show ip arp on the access switch could tell you.

Telegram Bot for the WLAN Pi automates the whole process and it sends you the IP details of your WLAN Pi whenever the Pi comes online. You can then easily and remotely skim through the details, check its IP address, public IP address, current mode, uptime, switch and port details the WLAN Pi is connected to, or double-check that its Ethernet adapter successfully negotiated 1 Gbps Full Duplex.

And you can do all this from you wrist, phone, tablet or laptop.

How to enable Telegram Bot

  1. Download WLAN Pi image 2.0.1 or newer. Flash it onto an SD card. Boot up from this SD card.
  2. Create a new Telegram account if you do not have one already. Start the Telegram app.
  3. Let’s create a new Telegram bot. Find a person called Botfather and send them a message saying /newbot.
  4. Follow the instructions to create a new bot.
  5. After the new bot is created, copy the API key to a text editor.
  6. Start a new chat with the newly created bot and say Hey, Hi or something like that and welcome them to the blue planet. This is mandatory and you can send more than one message.
  7. Now SSH to the WLAN Pi and run this command with root privileges sudo telegrambot
  8. It will complain about missing API key and tell you where to paste it.
  9. Edit the configuration file, uncomment the second line and paste your own API key from step 5 using sudo nano /etc/networkinfo/telegrambot.conf.
  10. Save the file using CTRL+o (letter o) and exit the editor using CTRL+x.
  11. Make sure you sent a Telegram message in step 6 to your new bot.
  12. Connect your WLAN Pi to the internet.
  13. Finally, reboot by sudo reboot

Multiple Pi’s can use the same API key and send their IP configurations to the same chat or you can have 1 chat per WLAN Pi (my preferred option). It is completely up to you.

How often are Telegram messages sent?

Every time the WLAN Pi reboots and has internet access, it will send a new message to you.

If internet connection goes down (for example when you disconnect the Ethernet cable, DNS server stops responding or something breaks at your ISP while eth0 still remains up) for more than 10 seconds, the WLAN Pi will send you a new message with its fresh details after the internet connection goes up again.

Send a new message manually

Assuming you have completed the setup using the above instructions, you can SSH to the WLAN Pi at any time and send a new Telegram message manually using sudo telegrambot.

How to troubleshoot

If you are not receiving any message from the WLAN Pi, send another message to the Telegram bot using the Telegram app and reboot the Pi.

You can also check the logs and grep for telegrambot:
sudo cat /var/log/messages | grep telegrambot

Apple iOS 14 Private Address feature, per SSID Wi-Fi MAC randomisation and how it actually works

Apple published a brief summary of the newly introduced “Private Address” Wi-Fi feature. Since it does not go into the detail, I tested the public iOS 14.0 release on an iPhone SE and iPad Mini in my lab. Here is how it actually works.

New Wi-Fi networks

For SSIDs you have not connected to before, iOS 14 devices generate a random MAC “Private Address” and they use this MAC address permanently for this SSID. This address does NOT change over time. This works as expected.

Previously used Wi-Fi networks

Known Wi-Fi networks you have already connected to at least once before the upgrading to iOS 14 get a different treatment though. And this is where things are not as straightforward as the documentation suggests.

After upgrading to iOS 14, I connect to a known network which I have already used before the upgrade. The MAC address that is used is actually the real hardware MAC address of the Wi-Fi adapter for 24 hours. Note that the “Private Address” feature is enabled. This could potentially be considered a UI bug.

24 hours after first connecting from an iOS 14 device to this known SSID, the “Private Address” feature kicks in and the MAC address for this SSID automatically switches from the real MAC address to a randomly generated MAC address. Personally, I assume that this 24-hour period has been developed to allow enterprises to disable Private Address feature on their managed iOS devices using MDM, but I may be wrong.

From this point onwards the same randomly generated Private Address is permanently used for this SSID and does NOT change over time.

Schedule WLAN availability on Catalyst 9800 Series Wireless LAN Controllers

Catalyst 9800 controllers come with built-in support for WLAN availability scheduling. When a WLAN becomes disabled, APs do not broadcast the SSID and channel utilisation decreases. Also, it can be implemented as a security enhancement to prevent client devices from connecting during specified hours.

At the time of writing IOS-XE 17.3.1 does not yet offer a GUI for this capability, but there is a couple of options how to schedule WLAN availability.

Before we start, please double-check time settings on the controller, enable NTP client and set a correct timezone.

Option 1: Built-in Calendar Profile

The configuration is self-explanatory, so let’s start with that. My example enables all WLANs mapped to the “default-policy-profile” from 9 am to 5 pm every week day. Outside of these times, the SSIDs will not be available for clients to join.

configure terminal
!
wireless profile policy default-policy-profile
shutdown
!
no wireless profile calendar-profile name WEEKDAYS-9-TO-5
!
wireless profile calendar-profile name WEEKDAYS-9-TO-5
day monday
day tuesday
day wednesday
day thursday
day friday
recurrence weekly
start 09:00:00 end 17:00:00
!
wireless profile policy default-policy-profile
calendar-profile name WEEKDAYS-9-TO-5
action wlan_enable
no shutdown
!

Verification

You can verify using a Wi-Fi client. If you do “show wlan summary”, the WLANs will still appear as “Enabled” and this is expected. To verify current status of WLANs controlled by the Calendar Profile, please use “show logging | include SCHEDULED_WLAN”.

Reference

Official documentation explaining Calendar Profiles.

Option 2: EEM Script

If you like flexibility, an EEM script running on the controller triggered by CRON might work even better for you. Special thanks to Federico Ziliotto for this.

event manager applet EEM_SCHEDULE_WLAN_UP
event timer cron cron-entry "0 9 * * 1-5" name 9_AM_MON_TO_FRI
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "wlan MY_SSID"
action 4.0 cli command "no shut"
action 5.0 cli command "end"
action 6.0 syslog msg "Scheduled WLAN_SSID has been enabled"

event manager applet EEM_SCHEDULE_WLAN_DOWN
event timer cron cron-entry "0 17 * * 1-5" name 5_PM_MON_TO_FRI
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "wlan MY_SSID"
action 4.0 cli command "shut"
action 5.0 cli command "end"
action 6.0 syslog msg "Scheduled WLAN_SSID has been disabled"

Reference

Here and here are some useful and practical EEM examples for your reference.

How to convert hundreds of Cisco Aironet or Catalyst APs from Mobility Express or Embedded Wireless Controller to Lightweight mode using Option 43

You may have used DHCP Option 43 to point an AP to its controller before. But only very few people know that Cisco APs can automatically convert themselves from the built-in controller mode (think Mobility Express or Embedded Wireless Controller) to Lightweight mode after they receive a special Option 43 from a DHCP server.

If you have a pallet of access points (or routers with built-in Wi-Fi in Mobility Express mode) next to your desk and need to convert all of them to Lightweight mode, simply configure DHCP Option 43 in the following format on your DHCP server and plug them into a PoE capable switch. After the APs boot up and receive the option from DHCP server, they automatically switch to the Lightweight mode and attempt to join the configured controller (192.168.130.2 in our case).

Option 43 format used for AP conversion

f2:05:c0:a8:82:02

“f2” tells the AP that we want it to switch to Lightweight mode

“05” means that only one controller IP address will follow

“c0:a8:82:02” is the controller IP address (192.168.130.2 in this case) in hexadecimal format, search for “IP to Hex Converter” if you do no want to do the math

Cisco IOS/IOS-XE DHCP server configuration

You can run DHCP server on a Catalyst switch. The DHCP scope configuration is straightforward. 

ip dhcp pool <pool name>
network <ip network> <netmask>
default-router <default-router IP address>
dns-server <dns server IP address>
option 43 hex f205c0a88202

WLAN Pi, Raspberry Pi and any other Linux ISC DHCP server configuration

Special thanks to Nicolas Darchis, who helped me find the “vendor-encapsulated-options” option. It lets you enter Option 43 in the hex format and all it takes is a single line of DHCP server configuration.

# eth0 DHCP scope on ISC DHCP server
subnet 192.168.130.0 netmask 255.255.255.0 {
interface eth0;
range 192.168.130.100 192.168.130.200;
option routers 192.168.130.1;
option domain-name-servers 208.67.222.220, 208.67.222.220;
default-lease-time 86400;
max-lease-time 86400;
option vendor-encapsulated-options f2:05:c0:a8:82:02;
}

DHCP server on Cisco Meraki MX appliance

If your DHCP server runs on a Cisco Meraki MX appliance, you can easily configure Option 43 using Dashboard. Here are the instructions.

Packet capture or it did not happen

Here is the DHCP Offer packet with the special Option 43 value sent from DHCP server to the APs. They will start the conversion automatically after receiving it.

Option 43 which converts the AP from ME or EWC mode to lightweight

Verify successful AP conversion to Lightweight mode

Console to one of the APs and you will notice this message:

[*08/25/2020 23:24:39.5620] Last reload reason : 2: AP type changed from ME to CAPWAP

Or you can let the AP finish its job. And then verify successful conversion to Lightweight mode whenever you are ready using the “show version” command.

9120#show version
<output omitted>
9120 uptime is 0 days, 0 hours, 5 minutes
Last reload time : Tue Aug 25 23:24:39 UTC 2020
Last reload reason : AP type changed from ME to CAPWAP
<output omitted>

Cisco Aironet and Catalyst AP Option 43 configuration for ISC DHCP server on Linux

There is great document explaining how to configure Option 43 on ISC DHCP server on the Cisco website.

If all you need is a simple DHCP server which will assign Option 43 to all devices on the network, without selectively assigning it only to specific AP models using the class construct, you can simplify your ISC DHCP server configuration to this. It works great on a WLAN Pi.

Configuration

# Linux ISC DHCP server configuration in /etc/dhcp/dhcpd.conf
option space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address code 241 = array of ip-address;

# eth0 DHCP scope
subnet 192.168.73.0 netmask 255.255.255.0 {
interface eth0;
range 192.168.73.100 192.168.73.200;
option routers 192.168.73.1;
option domain-name-servers 208.67.222.222, 208.67.220.220;
default-lease-time 86400;
max-lease-time 86400;
vendor-option-space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address 10.10.10.10, 10.20.20.20;
}

Verification

The access point will get its IP configuration from the DHCP server including Option 43 and will try to join these controllers.

Throughput speed test of the fastest tp-link and Devolo Magic 2 Wi-Fi power line adapters (PLC)

I am in the market of buying a new pair of power line adapters. Power line is a great alternative or complement to Ethernet and Wi-Fi. It provides low latency and jitter and is very flexible and easy to install.

The current tp-link TL-PA6010 adapters have served me well, but they are now reaching their maximum throughput. So, I decided to get a new pair of the fastest adapters on the market (Devolo Magic 2 Wi-Fi) and also a pair of the best adapters from tp-link (TL-PA9020P). These will be used to connect my home office and lab networks to my router.

Since there are multiple brands offering a variety of products with a variety of advertised speeds, I am curious to see if the more expensive adapters are worth the premium price, what real throughput they would provide and if and how much a passthrough socket improves the power line speed.

Left to right: Devolo Magic 2 Wi-Fi, tp-link TL-PA9020P, tp-link PL-PA6010 (not sold anymore, this would be an equivalent)

Specification

I tested my current low-end adapters and two new high-speed ones:

Throughput, ping, jitter, power and Wi-Fi tests

Power line speeds vary and depend on the distance between the two adapters, your electrical wiring and interference. Please take the numbers below as relative ones, which would allow you to compare how these adapters perform under the same conditions and in the same setup.

All throughput numbers below were TCP measurements taken by iPerf3 running on a WLAN Pi (a single-board computer with 1 Gbps Ethernet) and the client was my MacBook with 1 Gbps USB-C Ethernet adapter. There were no intermediate network devices between them:

MacBook iPerf3 client <-> PLC1 <-> PLC2 <-> WLAN Pi iPerf3 server

The average download speed (measured 5 times at each of the locations in my house) ranges from 13% to 26% of the advertised speeds and goes nowhere near them. With £16 per 100 Mbps, the cheapest adapter seems to be the best value for money, unless you need higher speed and are willing to pay for it. It also is the most power efficient.

Devolo Magic 2 proved to the be the fastest solution with 331 Mbps average download speeds, while TL-PA9020P provided slightly better upload speeds than Devolo.

Each of the parameters (i.e. Download average) consisted of five iPerf3 tests in each location and I then computed the average values:

Built-in Wi-Fi access point

Devolo Magic 2 Wi-Fi remote adapter comes with a built-in dual-band 802.11ac Wi-Fi AP (not just a repeater as some of the cheaper adapters), but it is unstable and resets the power line connection every single time I connect and generate some traffic. I used the latest firmware available in July 2020. If a built-in Wi-Fi is a must-have for you, do NOT buy this adapter. Wait until it gets fixed or look for alternatives.

This is what happens. The SSID is broadcast, a Wi-Fi client can associate to the AP, but when the iPerf test starts, the client gets disconnected and power line connection is torn down for 10 seconds or so and then re-establishes. I was able to reproduce this bug every single time and it was not just one-off random problem.

On the positive note, it supports 2.4 GHz only, 2.4 + 5 GHz or 5 GHz only modes. It does not let you change channel width on 5 GHz though and always uses 80 MHz, which may sound like a good idea in a small town, but it is a disaster in a shared building with many other access points and neighbours present.

If high-speed power line without Wi-Fi is what you are after, then the Magic 2 non-Wi-Fi model could be a good option for you.

Passthrough socket

Passthrough socket allows you to plug an electrical appliance to the power line adapter without generating the socket your adapter is plugged into unusable. Cheaper adapters usually do not provide this.

The other benefit is that adapters with passthrough socket use filters to suppress noise coming from the connected electrical appliance and this improves speed by 13% – 15%.

Pros and cons

Devolo Magic 2 Wi-Fi
+ Fastest average download speed
+ Comes with a mobile app and each unit has a management web GUI
– Built-in access point resets the whole unit and Wi-Fi is not usable
– It runs quite warm compared to the other two and is the largest

tp-link TL-PA9020P
+ Very good and symmetrical performance
+ Stable
– No built-in Wi-Fi
– Still quite expensive compared to the slower and cheaper units

tp-link TL-PA6010 (or similar)
+ Great value for money
+ Stable
– Relatively low speeds
– No passthrough socket, no Wi-Fi

And the winner is

My personal preferences are very likely different from yours and that is fine. I am looking for symmetrical TCP throughput of at least 200 Mbps, ideally a passthrough socket support and all other features are nice to have.

Devolo Magic 2 Wi-Fi proves to be unstable as the built-in access point crashes the whole adapter and resets the power line connection. Its back side also becomes quite warm regardless the load.

So, I decided for tp-link TL-PA9020P. It is stable, does all I need it to do and both adapters come with 2 Ethernet ports which gives me flexibility to plug my own access point in or connect using wired Ethernet connection.

Configure DHCP Option 43 on Cisco Meraki MX appliance to point AP to its WLC

Here is how to configure Option 43 on an MX appliance for a Cisco Aironet or Catalyst AP to discover its Wireless LAN Controller (WLC).

My Catalyst 9800-CL controller IP address: 173.38.219.33

Meraki MX appliance DHCP server configuration

Format of the hex string

In my example, the final string would be “f1:04:ad:26:db:21”

“f1:04” tells the AP that only one WLC IP address is used, followed by the actual address
“ad” is hex representation of 173
“26” is hex representation of 38
“db” is hex representation of 219
“21” is hex representation of 33

Verification on the AP

Two controllers

If you provide the AP with IP addresses of 2 standalone controllers (think N+1 HA mode), then simply change “f1:04” to “f1:08” and append the second controller’s IP address in hex representation to the end of the hex string.

Primary controller IP address: 173.38.219.33
Secondary controller IP address: 173.38.219.34
Hex string: f1:08:ad:26:db:21:ad:26:db:22

iPhone USB Tethering on WLAN Pi

We have all been there. It is the night before an important training or meeting and you need to install few more packages on your WLAN Pi or push some code changes to GitHub. Guess what? There is no wired connection available in your room and the hotel Wi-Fi uses a captive portal or is very poor.

iPhone USB tethering on the WLAN Pi lets you use your iPhone or iPad as a cellular modem and share the internet connectivity with the WLAN Pi. It also charges your iPhone, which is nice.

iPhone USB tethering to WLAN Pi

How to enable iPhone USB tethering on WLAN Pi

Simply follow these steps:

  1. Connect to the WLAN Pi using SSH and run this command. Do not skip this step, it is required:
    sudo apt-get update
  2. Then install this package:
    sudo apt-get install usbmuxd
  3. Plug your iPhone into the WLAN Pi using a lightning to USB-A data cable.
  4. On the iPhone, go to Settings > Personal Hotspot > Allow Others to Join.
  5. A new eth1 interface will appear on the WLAN Pi.
  6. Tap on the Trust button on your iPhone/iPad and enter your passcode.
  7. After you click Trust, the eth1 interface will get a dynamically assigned IP address by the DHCP server running on the iPhone.
  8. Your WLAN Pi is now connected to the internet. You can verify using the Reachability tool in the Front Panel Menu System (FPMS). Go to Menu > Utils > Reachability.

Share iPhone internet connection with multiple devices on you LAN

You can even take this one step further. Perhaps you have multiple other devices connected to a switch and you need to provide temporary internet connectivity to all of them. That is where the USB Tethering mode comes to the rescue.

The easiest solution is to tweak the existing Hotspot mode on your WLAN Pi. In most cases we will replace wlan0 with eth0 and eth1.

  1. Before you start, please backup all these files or ideally start with a fresh SD card and fresh WLAN Pi image.
  2. Edit this file:
    sudo nano /etc/wlanpihotspot/default/isc-dhcp-server
  3. Update this line to:
    “INTERFACESv4=”usb0 eth0”
  4. Edit this file:
    sudo nano /etc/wlanpihotspot/dhcp/dhcpd.conf
  5. Update this block to:
    # eth0 DHCP Scope
    subnet 192.168.88.0 netmask 255.255.255.0 {
    interface eth0;
  6. Edit this file:
    sudo nano /etc/wlanpihotspot/network/interfaces
  7. Update these lines and comment some out:
    allow-hotplug eth0
    iface eth0 inet static
    #Wired ethernet
    #allow-hotplug eth0
    #iface eth0 inet dhcp
  8. Edit this file:
    sudo nano /etc/wlanpihotspot/ufw/before.rules
  9. Update this line to:
    -A POSTROUTING -s 192.168.88.0/24 -o eth1 -j MASQUERADE
  10. However strange it sounds, plug a supported Wi-Fi adapter into a USB port of your WLAN Pi. Without the adapter plugged in, the WLAN Pi will not switch from the Classic mode to the Hotspot mode.
  11. Now go to Menu > Modes > Hotspot > Confirm
  12. Your WLAN Pi will reboot. Disconnect the Wi-Fi adapter, we do not need it anymore.
  13. The WLAN Pi will do PAT (Port Address Translation) on its eth1 outside interface. On the inside eth0, it will start DHCP server and share the iPhone cellular internet connection with all devices on your LAN.

Here is a traceroute output from one of the devices connected to the switch. First hop to the internet is WLAN Pi’s eth0 interface and second is the iPhone’s inside interface.

A word of caution

While this new mode is a great feature, it can potentially cause some harm. Please read before you tweak.

  • In this mode, WLAN Pi runs DHCP server on the built-in eth0 interface. At no circumstances you want to plug it to an existing corporate network and especially one which is not under your management. Your WLAN Pi might take over clients of the existing DHCP server and route all traffic via the cellular connection. If you have not already, I highly recommend you enable DHCP snooping on your switches. This is a security feature and will block untrusted DHCP servers connected to your network.
  • Double-check that your data plan is suitable for tethering. Your mobile operator will charge you for the cellular data services.
  • You are potentially opening a backdoor to the existing LAN network over the cellular connection.
  • Always switch your WLAN Pi back to the Classic mode before shutting it down. Next time you use it, it will boot up to the Classic mode, which is safe by design.

Your feedback counts

If you find this feature useful, let us know. Perhaps a new “USB Tethering” mode might be a nice addition and will save you time editing the configuration files manually.

Although the WLAN Pi team implements most of the new features into the official image, it also assesses all security aspects. At the end of the day, everyone’s goal is to maintain high standards.

My setup

I have successfully tested this setup with iPhone 8 Plus and WLAN Pi NEO2 Black running 1.9.1-RC2 release. Please add a comment to this post with your setup so that we know what has been tested and works.