Use systemd-resolve with NetworkManager, use netplan for bridging, Fix DEPRECATION WARNINGs #4093

Merged: holta merged 23 commits into iiab:master from jvonau:resolv, Jan 5, 2026

Contributor

jvonau commented Sep 28, 2025

Fixes bug:

Might fix #4010 @tim-moody

Description of changes proposed in this pull request:

Use systemd-resolve with NetworkManager just like Ubuntu does

Smoke-tested on which OS or OS's:

RasPiOS trixie
https://paste.centos.org/view/0bb937dd

@holta holta added this to the 8.3 milestone Sep 28, 2025
Contributor Author

jvonau commented Sep 28, 2025

jvonau@pi500:/opt/iiab/iiab $ resolvectl
Global
Protocols: +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 64.59.176.13 64.59.177.226 2001:4e8:0:4002::13 2001:4e8:0:4003::13
Default Route: yes

Link 3 (wlan0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Default Route: no

Link 4 (tailscale0)
Current Scopes: none
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Default Route: yes

Link 5 (ap0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Default Route: no

Link 7 (br0)
Current Scopes: LLMNR/IPv4
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Domain: lan
Default Route: no

Contributor Author

jvonau commented Sep 28, 2025

Issue with the VM updating initramfs-tools:

"Preparing to unpack .../systemd-resolved_252.39-1~deb12u1_arm64.deb ...",
"Unpacking systemd-resolved (252.39-1~deb12u1) ...",
"Selecting previously unselected package libnss-resolve:arm64.",
"Preparing to unpack .../libnss-resolve_252.39-1~deb12u1_arm64.deb ...",
"Unpacking libnss-resolve:arm64 (252.39-1~deb12u1) ...",
"Setting up systemd-sysv (252.39-1~deb12u1) ...",
"Setting up systemd-timesyncd (252.39-1~deb12u1) ...",
"Setting up udev (252.39-1~deb12u1) ...",
"A chroot environment has been detected, udev not started.",
"Setting up libnss-myhostname:arm64 (252.39-1~deb12u1) ...",
"Setting up libpam-systemd:arm64 (252.39-1~deb12u1) ...",
"Setting up systemd-resolved (252.39-1~deb12u1) ...",
"Converting /etc/resolv.conf to a symlink to /run/systemd/resolve/stub-resolv.conf...",
"Creating group 'systemd-resolve' with GID 996.", "",
"Creating user 'systemd-resolve' (systemd Resolver) with UID 996 and GID 996.", "",
"Created symlink /etc/systemd/system/dbus-org.freedesktop.resolve1.service → /lib/systemd/system/systemd-resolved.service.", "",
"Created symlink /etc/systemd/system/sysinit.target.wants/systemd-resolved.service → /lib/systemd/system/systemd-resolved.service.", "",
"Setting up libnss-resolve:arm64 (252.39-1~deb12u1) ...",
"Processing triggers for libc-bin (2.36-9+deb12u10) ...",
"Processing triggers for dbus (1.14.10-1~deb12u1) ...",
"Processing triggers for initramfs-tools (0.142+deb12u3) ...",
"/usr/bin/ln: failed to create hard link '/boot/initrd.img-6.1.0-37-arm64.dpkg-bak' => '/boot/initrd.img-6.1.0-37-arm64': Operation not permitted",
"update-initramfs: Generating /boot/initrd.img-6.1.0-37-arm64", "/usr/bin/grep: /boot/config-6.1.0-37-arm64: No such file or directory",
"W: zstd compression (CONFIG_RD_ZSTD) not supported by kernel, using gzip",
"/usr/bin/grep: /boot/config-6.1.0-37-arm64: No such file or directory",
"E: gzip compression (CONFIG_RD_GZIP) not supported by kernel",
"update-initramfs: failed for /boot/initrd.img-6.1.0-37-arm64 with 1.",
"dpkg: error processing package initramfs-tools (--configure):",
" installed initramfs-tools package post-installation script subprocess returned error exit status 1", "Errors were encountered while processing:", " initramfs-tools"]}

Contributor Author

jvonau commented Sep 28, 2025

VM related

install 'systemd-resolved=252.39-1~deb12u1'' failed: E: Sub-process /usr/bin/dpkg returned an error code (1)\n", "rc": 100, "stderr": "E: Sub-process /usr/bin/dpkg returned an error code (1)\n", "stderr_lines": ["E: Sub-process /usr/bin/dpkg returned an error code (1)"], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nThe following additional packages will be installed:\n libnss-myhostname libnss-resolve libpam-systemd libsystemd-shared\n libsystemd0 libudev1 systemd systemd-sysv systemd-timesyncd udev\n

Trying to install "systemd" as a dependency tells me this VM is not using systemd as the init system like the way the other unittest RasPiOS on Zero 2 W test VM does.

Edit: Correction, systemd is being upgraded

"Recommended packages:", " libnss-systemd", "The following NEW packages will be installed:", " libnss-myhostname libnss-resolve systemd-resolved", "The following packages will be upgraded:", " libpam-systemd libsystemd-shared libsystemd0 libudev1 systemd systemd-sysv", " systemd-timesyncd udev", "8 upgraded, 3 newly installed, 0 to remove and 32 not upgraded.",

but the failure at initramfs-tools

"Processing triggers for initramfs-tools (0.142+deb12u3) ...", "/usr/bin/ln: failed to create hard link '/boot/initrd.img-6.1.0-37-arm64.dpkg-bak' => '/boot/initrd.img-6.1.0-37-arm64': Operation not permitted", "update-initramfs: Generating /boot/initrd.img-6.1.0-37-arm64", "/usr/bin/grep: /boot/config-6.1.0-37-arm64: No such file or directory", "W: zstd compression (CONFIG_RD_ZSTD) not supported by kernel, using gzip", "/usr/bin/grep: /boot/config-6.1.0-37-arm64: No such file or directory", "E: gzip compression (CONFIG_RD_GZIP) not supported by kernel", "update-initramfs: failed for /boot/initrd.img-6.1.0-37-arm64 with 1.", "dpkg: error processing package initramfs-tools (--configure):", " installed initramfs-tools package post-installation script subprocess returned error exit status 1", "Errors were encountered while processing:", " initramfs-tools"

prevents the rest of the update from proceeding to the point where systemd-resolve would be started and make use of

"Converting /etc/resolv.conf to a symlink to /run/systemd/resolve/stub-resolv.conf..."

breaking DNS name resolution in the VM.

Failed to fetch http://deb.debian.org/debian/pool/main/w/wpa/hostapd_2.10-12%2bdeb12u3_arm64.deb Temporary failure resolving 'deb.debian.org'
etc...

Member

holta commented Oct 7, 2025

  1. What test coverage does this PR most need?

  2. Is creation of symlink /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf absolutely needed ?

@holta holta changed the title Resolv Resolv [Use systemd-resolve with NetworkManager just like Ubuntu does] Oct 7, 2025
Contributor Author

jvonau commented Oct 7, 2025

Just RasPiOS; the Ubuntu family is already configured like that, so this makes things more uniform across distros. The link is desired for 2 reasons: first, the resolver will cache the DNS lookups for faster response to subsequent lookups, and second, it provides the needed interface zone lookups to enable concurrent working DNS when the VPN is active.

Member

holta commented Oct 7, 2025

the ubuntu family already is configured like that

When you say "ubuntu family" here, are you including the wider family e.g. Debian 13 Trixie?

(And also Ubuntu 24.04 derivatives like Mint 22, and Trisquel 12?)

Contributor Author

jvonau commented Oct 7, 2025

The Ubuntu family would include MintOS and perhaps Trisquel. Haven't seen an iiab-diagnostics from Trisquel posted yet. Debian is the basis for RasPiOS so that would be included also. The VM test fails because apt upgrade is not performed before the start of installing IIAB.

Member

holta commented Oct 7, 2025

@jvonau jvonau closed this Oct 28, 2025
@jvonau jvonau reopened this Oct 28, 2025
@jvonau jvonau force-pushed the resolv branch 2 times, most recently from 618f327 to d5c4e18 Compare October 28, 2025 14:02
Member

holta commented Oct 29, 2025

@EMG70 would you have time to test[*] this PR on 64-bit RPiOS? Either on "Lite" or "with desktop" ?

curl iiab.io/install.txt | bash -s 4093

[*] If you do have time, please test that the WiFi hotspot actually works well in the end 😄

Contributor Author

jvonau commented Oct 29, 2025

Failure at ansible collections

IIAB requires these ~4 Ansible Collections: (we upgrade them here if possible!)
Warning: : Skipping Galaxy server https://galaxy.ansible.com/api/. Got an unexpected error when getting available versions of collection community.mysql: 'results'
Error: : Unexpected Exception, this is probably a bug: 'results'

potential cause

Reading state information...
43 packages can be upgraded. Run 'apt list --upgradable' to see them.

Member

holta commented Oct 29, 2025

https://githubstatus.com confirms...

image

Contributor Author

jvonau commented Oct 30, 2025

I don't have time to explain the backstory about the "nameserver 127.0.0.53" right now.

Member

holta commented Oct 30, 2025

@EMG70 would you have time to test[*] this PR on 64-bit RPiOS? Either on "Lite" or "with desktop" ?

@EMG70 please make sure all apt updates are applied (with a reboot!) before beginning test of this PR, to be extra sure!

curl iiab.io/install.txt | bash -s 4093

[*] If you do have time, please test that the WiFi hotspot actually works well in the end 😄

Contributor Author

jvonau commented Oct 31, 2025

NetworkManager has baked in netplan as a single source of truth in newer releases, making things more Ubuntu-like in the networking department; just trying to get out in front of future issues. In the past dnsmasq parsed /etc/resolv.conf to gather the information on what upstream DNS servers to query for internet websites; it appears that with /etc/resolv.conf now being a symlink the parsing is not performed as in the past. This is not really a big issue for IIAB and its usual use of dnsmasq for DNS and DHCP for the wifi clients connected via hostapd, except for when 'iiab_gateway_enabled=True' there would be no way to make the upstream DNS query.

Side notes:

@jvonau jvonau force-pushed the resolv branch 2 times, most recently from 3c2f9d3 to b6f07ef Compare November 1, 2025 15:29
@jvonau jvonau mentioned this pull request Nov 1, 2025
Member

holta commented Nov 1, 2025

  1. @muthuri-dev test[*] can you test this PR on 64-bit RPiOS "Lite" ?

    curl iiab.io/install.txt | bash -s 4093
    

    [*] If it installs cleanly, then please test that the IIAB WiFi hotspot actually works well in the end, Thank You! 😄

  2. @jvonau what other scenarios (or OS's!) should @muthuri-dev test, to help confirm this PR is safe?

Contributor Author

jvonau commented Nov 1, 2025

Would be worthy to look at #4067 also given its 2 month old standing

Contributor Author

jvonau commented Dec 3, 2025

0b957ee4 and 5b572c02 That chipset/driver doesn't support running both ap and sta at the same time.

COMMAND: /usr/sbin/iw list    # List capabilities of all wireless devices
        software interface modes (can always be added):
                 * AP/VLAN
                 * monitor
        interface combinations are not supported

Running Pi500

	software interface modes (can always be added):
	valid interface combinations:
		 * #{ managed } <= 2, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,
		   total <= 3, #channels <= 2
		 * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,
		   total <= 4, #channels <= 1

Some document fodder for the wiki.

Contributor Author

jvonau commented Dec 3, 2025

@holta lsusb would be a nice addition to iiab-diagnostics
FWIW I have a Realtek 8812AU/8821AU usb wifi adaptor

lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 3151:3020 YICHIP Wireless Device
Bus 001 Device 004: ID 0bda:0811 Realtek Semiconductor Corp. Realtek 8812AU/8821AU 802.11ac WLAN Adapter [USB Wireless Dual-Band Adapter 2.4/5Ghz]
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 002: ID 2e8a:0010 Raspberry Pi Ltd Pi 500 Keyboard
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

I used https://github.com/lwfinger/rtw88 to compile the driver on RasPiOS

/usr/sbin/iw list
	software interface modes (can always be added):
		 * AP/VLAN
		 * monitor
	valid interface combinations:
		 * #{ managed } <= 1, #{ AP, P2P-client, P2P-GO } <= 1,
		   total <= 2, #channels <= 1

https://forums.raspberrypi.com/viewtopic.php?t=315108
@muthuri-dev what does lsusb identify your usb wifi device as?

Member

holta commented Dec 4, 2025

@holta lsusb would be a nice addition to iiab-diagnostics

  1. Should we put lsusb right after lspci -nn ?

    cat_cmd 'lspci -nn' 'Devices on PCI buses'

  2. Do you recommend any/specific lsusb flags?

Member

muthuri-dev commented Dec 4, 2025

@muthuri-dev what does lsusb identify your usb wifi device as?

output for lsusb:

root@box:~# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 03f0:3341 HP, Inc OMEN Encoder
Bus 001 Device 004: ID 10c4:8108 Silicon Labs USB OPTICAL MOUSE
Bus 001 Device 005: ID 0bda:8176 Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

this one : Bus 001 Device 005: ID 0bda:8176 Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter

and lspci -nn

root@box:~# lspci -nn 
00:00.0 Host bridge [0600]: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers [8086:191f] (rev 07)
00:01.0 PCI bridge [0604]: Intel Corporation 6th-10th Gen Core Processor PCIe Controller (x16) [8086:1901] (rev 07)
00:02.0 VGA compatible controller [0300]: Intel Corporation HD Graphics 530 [8086:1912] (rev 06)
00:14.0 USB controller [0c03]: Intel Corporation 100 Series/C230 Series Chipset Family USB 3.0 xHCI Controller [8086:a12f] (rev 31)
00:14.2 Signal processing controller [1180]: Intel Corporation 100 Series/C230 Series Chipset Family Thermal Subsystem [8086:a131] (rev 31)
00:16.0 Communication controller [0780]: Intel Corporation 100 Series/C230 Series Chipset Family MEI Controller #1 [8086:a13a] (rev 31)
00:16.3 Serial controller [0700]: Intel Corporation 100 Series/C230 Series Chipset Family KT Redirection [8086:a13d] (rev 31)
00:17.0 SATA controller [0106]: Intel Corporation Q170/Q150/B150/H170/H110/Z170/CM236 Chipset SATA Controller [AHCI Mode] [8086:a102] (rev 31)
00:1f.0 ISA bridge [0601]: Intel Corporation Q170 Chipset LPC/eSPI Controller [8086:a146] (rev 31)
00:1f.2 Memory controller [0580]: Intel Corporation 100 Series/C230 Series Chipset Family Power Management Controller [8086:a121] (rev 31)
00:1f.3 Audio device [0403]: Intel Corporation 100 Series/C230 Series Chipset Family HD Audio Controller [8086:a170] (rev 31)
00:1f.4 SMBus [0c05]: Intel Corporation 100 Series/C230 Series Chipset Family SMBus [8086:a123] (rev 31)
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection (2) I219-LM [8086:15b7] (rev 31)

Contributor Author

jvonau commented Dec 4, 2025

AI Overview
0bda:8176 is the USB vendor and product ID for a Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter, a common USB Wi-Fi dongle. Users often encounter this ID when dealing with Linux or other embedded systems and may need to install or troubleshoot the correct drivers, frequently using the rtl8192cu driver or a DKMS module to ensure proper functionality, especially after kernel updates.
What it is

    Hardware: A Realtek RTL8188CUS USB Wi-Fi adapter.
    Function: Provides 802.11n wireless networking via a USB port.
    Purpose: Commonly used with devices like the Raspberry Pi, BeagleBone, or other single-board computers. 

Common issues and solutions

    Driver problems: Many users on Linux-based systems need to install or update drivers, particularly the rtl8192cu driver, to get the adapter working.
    Installation command: A common method is to use git and make commands in a terminal, as described on [Ask Ubuntu](https://askubuntu.com/questions/632270/rtl8188cus-wireless-dongle-perpetually-connecting-but-never-connected):
        sudo apt-get install git build-essential
        git clone https://github.com/lwfinger/rtl8192cu.git
        cd rtl8192cu
        make
        sudo make install
    Kernel updates: After installing a driver this way, it may need to be re-installed after every kernel upgrade. Using a DKMS (Dynamic Kernel Module Support) module is a more robust solution that automates this process, which can be installed from a PPA, as suggested in the Ask Ubuntu article.
    Monitor mode: Some users have issues enabling monitor mode for Wi-Fi hacking tools on the adapter, which can be related to driver configuration.

FWIW I would try compiling the above alternate driver, not sure if that would unlock being able to run ap and sta concurrently, the key change to look for is replacing the 'interface combinations are not supported' with 'valid interface combinations' in the iw list output. Having 'interface combinations are not supported' is saying that 'wifi_up_down: False' is required, we don't have an auto detection for that condition. The less used older hostapd only path is used with 'wifi_up_down: False' and would require hotspot-on|off to switch between wifi-client mode and AP mode.
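
An added example, not part of this thread or of IIAB's code: a stricter form of the check described in the comment above, which parses the bullets under 'valid interface combinations' and reports whether any single combination allows one `managed` (STA) and one `AP` interface at the same time, rather than only looking for the header. The function names are hypothetical; the first four samples are `iw list` excerpts quoted in this thread, and the last one is constructed.

```python
import re

# A limit group looks like "#{ managed, AP } <= 2"; "#channels <= 1" has no
# brace after '#', so this pattern skips it.
LIMIT_RE = re.compile(r"#\{\s*([^}]*?)\s*\}\s*<=\s*(\d+)")
TOTAL_RE = re.compile(r"total\s*<=\s*(\d+)")


def parse_combinations(iw_output):
    """Return [(groups, total), ...], one per bullet under 'valid interface combinations:'."""
    texts, current, in_section = [], None, False
    for raw in iw_output.splitlines():
        line = raw.strip()
        if line.startswith("valid interface combinations"):
            in_section = True
        elif in_section and line.startswith("* #{"):
            if current:
                texts.append(current)
            current = line
        elif in_section and current and line.startswith(("total", "#{")):
            current += " " + line      # wrapped continuation of the same bullet
        else:
            in_section = False         # any other line ends the section
            if current:
                texts.append(current)
                current = None
    if current:
        texts.append(current)

    combos = []
    for text in texts:
        groups = [({t.strip() for t in types.split(",")}, int(limit))
                  for types, limit in LIMIT_RE.findall(text)]
        total = TOTAL_RE.search(text)
        combos.append((groups, int(total.group(1)) if total else 0))
    return combos


def combo_allows_ap_sta(groups, total):
    """True if this one combination permits 1 managed + 1 AP interface together."""
    if total < 2:
        return False
    needed = {}                        # group index -> interfaces we need from it
    for iftype in ("managed", "AP"):
        idx = next((i for i, (types, _) in enumerate(groups) if iftype in types), None)
        if idx is None:
            return False               # type not offered in this combination
        needed[idx] = needed.get(idx, 0) + 1
    return all(groups[i][1] >= n for i, n in needed.items())


def supports_ap_sta(iw_output):
    return any(combo_allows_ap_sta(g, t) for g, t in parse_combinations(iw_output))


def header_present(iw_output):
    """The simpler check: is the 'valid interface combinations' header there at all?"""
    return "valid interface combinations" in iw_output


# Samples quoted in this thread.
RTL8188CUS = """
        software interface modes (can always be added):
                 * AP/VLAN
                 * monitor
        interface combinations are not supported
"""
PI500 = """
\tsoftware interface modes (can always be added):
\tvalid interface combinations:
\t\t * #{ managed } <= 2, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,
\t\t   total <= 3, #channels <= 2
\t\t * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,
\t\t   total <= 4, #channels <= 1
"""
RTW88_8812AU = """
\tvalid interface combinations:
\t\t * #{ managed } <= 1, #{ AP, P2P-client, P2P-GO } <= 1,
\t\t   total <= 2, #channels <= 1
"""
MARVELL = """
        valid interface combinations:
                 * #{ managed, AP, P2P-client, P2P-GO } <= 3,
                   total <= 3, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz }
"""
# Constructed sample: the Pi 500's first bullet on its own (no AP in any group).
NO_AP_COMBO = """
\tvalid interface combinations:
\t\t * #{ managed } <= 2, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,
\t\t   total <= 3, #channels <= 2
"""

if __name__ == "__main__":
    for name in ("RTL8188CUS", "PI500", "RTW88_8812AU", "MARVELL", "NO_AP_COMBO"):
        text = globals()[name]
        print(f"{name:13} header={header_present(text)!s:5} ap+sta={supports_ap_sta(text)}")
```

The constructed sample is the case where the header is present but no combination offers `AP` alongside `managed`, so the two checks disagree.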

Contributor Author

jvonau commented Dec 4, 2025

@holta lsusb would be a nice addition to iiab-diagnostics

1. Should we put `lsusb` right after `lspci -nn` ?
   https://github.com/iiab/iiab/blob/a595dce00926bf45fc0b37f835a5c06c0e2f8b0b/scripts/iiab-diagnostics#L250

2. Do you recommend any/specific `lsusb` flags?

Good place and flags aren't really needed, just looking at the high level should be enough to identify the attached devices.

Contributor Author

jvonau commented Dec 4, 2025

Cloning detection but I would rather pursue that in a different issue/PR

git diff
diff --git a/roles/network/defaults/main.yml b/roles/network/defaults/main.yml
index d0004c87f..3cf2e8eb8 100644
--- a/roles/network/defaults/main.yml
+++ b/roles/network/defaults/main.yml
@@ -61,6 +61,7 @@ virtual_network_devices: "-e wwlan -e ppp -e ap0 -e lo -e br0 -e tun -e br- -e d
 wifi1: "not found-1"
 wifi2: "not found-2"
 can_be_ap: False
+can_be_cloned: False
 exclude_devices: none
 device_gw: none
 prior_gw_device: unset
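Review bot: The new `can_be_cloned: False` default carries no comment saying what "cloned" means or where the value is set. Suggest a one-line comment noting that detected_network.yml sets it to True when `iw list` reports 'valid interface combinations', and that leaving it False forces `wifi_up_down: False` later in the same file.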
diff --git a/roles/network/tasks/detected_network.yml b/roles/network/tasks/detected_network.yml
index eecdc5e9c..d049680e3 100644
--- a/roles/network/tasks/detected_network.yml
+++ b/roles/network/tasks/detected_network.yml
@@ -138,6 +138,23 @@
     can_be_ap: True
   when: look_for_ap.failed is defined and not look_for_ap.failed
 
+- block:
+    - name: Run 'iw list' to check for Cloning capability -- if discovered_wireless_iface ({{ discovered_wireless_iface }}) != "none"
+      shell: iw list | grep 'valid interface combinations'    # If grep doesn't find the regex, it returns 1
+      register: look_for_ap0
+      when: discovered_wireless_iface != "none"    # Line not nec (but can't hurt?)
+
+  rescue:    # Force another red error msg (to explain) then proceed
+    - name: WiFi chipset/firmware NOT CAPABLE of AP & STA Mode (details above)
+      fail:
+        msg: WiFi chipset/firmware NOT CAPABLE of AP & STA Mode (details above)
+      ignore_errors: yes
+
+- name: "Set 'can_be_cloned: True' if 'iw list' output has 'valid interface combinations'"
+  set_fact:
+    can_be_cloned: True
+  when: look_for_ap0.failed is defined and not look_for_ap.failed
+
 - name: Detect wifi gateway active
   shell: ip r | grep default | grep {{ discovered_wireless_iface }} | wc -l
   register: wifi_gateway_found
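Review bot: The `when:` on the new "Set 'can_be_cloned: True'" task mixes two registers: `look_for_ap0.failed is defined and not look_for_ap.failed` checks `look_for_ap0` in the first clause but `look_for_ap` in the second, so `can_be_cloned` follows the earlier AP-capability check rather than the 'valid interface combinations' grep. The second clause should read `not look_for_ap0.failed`.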
@@ -275,6 +292,11 @@
     wifi_up_down: False
   when: rpi3bplus_rpi4_wifi_firmware == "24"
 
+- name: Forcing wifi_up_down to False based on iw list
+  set_fact:
+    wifi_up_down: False
+  when: not can_be_cloned
+
 - name: Detect "Firmware rejected country setting" in dmesg (invert return code, for intentional red error)
   shell: '! dmesg | grep ieee80211 | grep "Firmware rejected country setting"'
   register: FW_rejected_country
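Review bot: `when: not can_be_cloned` on the new "Forcing wifi_up_down to False based on iw list" task has no guard for hosts without a wireless interface. There the `iw list` task is skipped by its own `when: discovered_wireless_iface != "none"`, `can_be_cloned` keeps its False default, and `wifi_up_down` is forced to False anyway. If that is not intended, add `discovered_wireless_iface != "none"` to this condition; the task name could also state the reason (no valid interface combinations reported).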
@@ -343,6 +365,8 @@
       value: "{{ iiab_wan_iface }}"
     - option: can_be_ap
       value: "{{ can_be_ap }}"
+    - option: can_be_cloned
+      value: "{{ can_be_cloned }}"
     - option: host_country_code_found
       value: "{{ host_country_code_found }}"
     - option: wifi_firmware_43430

The other way might be better to grep for 'interface combinations are not supported' and revise the logic, hence let's move that part to a new issue.

Contributor Author

jvonau commented Dec 4, 2025

@jvonau am I right that wifi_up_down is rpi only?

I believe wifi_up_down: True works on quite a number of old laptops too.

Somewhat Related:

https://wiki.iiab.io/go/FAQ#Can_I_create_a_Wi-Fi_hotspot_using_an_old_laptop%3F

Funny thing is users showing up with random wifi equipment and expecting stuff to just work, #3057 as noted in the wiki, that is how the can_be_ap code came into being. This hardware is the newest corner case with a cloning issue.

Member

muthuri-dev commented Dec 23, 2025


PR #4093 Test Results - Ubuntu 24.04 LTS (Marvell WiFi Chipset)

Test Environment

  • Hardware: Laptop with Marvell Technology Group Ltd. WiFi chipset
  • OS: Ubuntu 24.04.3 LTS
  • WiFi Chipset: Marvell (supports concurrent AP+STA mode)

✅ WHAT WORKS PERFECTLY:

1. Modern DNS Stack Integration:

  • systemd-resolved active and listening on 127.0.0.53:53
  • dnsmasq correctly forwarding to systemd-resolved: using nameserver 127.0.0.53#53
  • DNS resolution chain: Client → dnsmasq → systemd-resolved → upstream
# systemd-resolved active and listening
$ systemctl status systemd-resolved | grep Active
Active: active (running) since Tue 2025-12-23 19:19:47 UTC

# Listening on 127.0.0.53
$ ss -tulnp | grep 127.0.0.53
udp   UNCONN 0      0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=574,fd=14))
tcp   LISTEN 0      4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=574,fd=15))

# dnsmasq forwarding to systemd-resolved
$ journalctl -u dnsmasq | grep "127.0.0.53"
Dec 23 19:19:50 box dnsmasq[1079]: using nameserver 127.0.0.53#53

2. Netplan Bridge Management:

  • /etc/netplan/60-iiab.yaml created correctly with renderer: networkd
  • Bridge br0 UP with IP 10.10.10.10/24
  • ap0 properly enslaved to br0 and in forwarding state
# Netplan configuration created
$ cat /etc/netplan/60-iiab.yaml
network:
  version: 2
  renderer: networkd
  bridges:
    br0:
      dhcp4: no
      dhcp6: no
      addresses: [10.10.10.10/24]

# Bridge UP with correct IP
$ ip addr show br0
2: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.10.10.10/24 brd 10.10.10.255 scope global br0

# ap0 enslaved to br0 and forwarding
$ bridge link show
5: ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100

3. Event-Driven Startup (No Race Conditions):

  • networkd-dispatcher working perfectly:
    Dec 23 19:19:48 box: NET-DISP-configured br0 no-carrier
    Dec 23 19:19:50 box: NET-DISP-configured br0 routable
    
  • No arbitrary sleep/wait times - services start when br0 becomes routable
# networkd-dispatcher event logs
$ journalctl -u networkd-dispatcher | grep br0
Dec 23 19:19:48 box: NET-DISP-configured br0 no-carrier
Dec 23 19:19:50 box: NET-DISP-configured br0 routable

# dnsmasq started AFTER br0 routable
$ journalctl -u dnsmasq --since "19:19:48" --until "19:19:52"
Dec 23 19:19:50 box systemd[1]: Starting dnsmasq.service...
Dec 23 19:19:50 box dnsmasq[1079]: started, version 2.90 cachesize 150

4. WiFi Hotspot Functional:

  • hostapd active and running (Marvell chipset supports AP+STA)
  • ap0 interface created successfully
  • SSID: unittest broadcasting
  • Interface states: UNINITIALIZED→COUNTRY_UPDATE→ENABLED→AP-ENABLED
# hostapd active
$ systemctl status hostapd | grep Active
Active: active (running) since Tue 2025-12-23 19:19:50 UTC

# Configuration
$ cat /etc/hostapd/hostapd.conf | grep -E '(ssid|pass|interface|channel)'
interface=ap0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=unittest
channel=6

# ap0 interface exists and UP
$ ip link show ap0
5: ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP mode DEFAULT

5. Configuration Correct:

  • dnsmasq-iiab: bind-dynamic, no-resolv, server=127.0.0.53
  • DHCP range: 10.10.10.11 -- 10.10.10.254
  • bind-dynamic preventing socket binding race conditions
# dnsmasq configuration
$ cat /etc/dnsmasq.d/dnsmasq-iiab
#IIAB
bind-dynamic
no-resolv
server=127.0.0.53

# DHCP range configured
$ journalctl -u dnsmasq | grep "DHCP, IP range"
Dec 23 19:19:50 box dnsmasq-dhcp[1079]: DHCP, IP range 10.10.10.11 -- 10.10.10.254, lease time 1h

# bind-dynamic working
$ journalctl -u dnsmasq | grep "sockets bound"
Dec 23 19:19:50 box dnsmasq-dhcp[1079]: DHCP, sockets bound exclusively to interface br0

6. DNS Resolution Working:

# Test DNS queries
$ dig @10.10.10.10 google.com +short
142.251.47.174

$ dig @10.10.10.10 iiab.me +short
76.71.81.199

📊 Architecture Flow Validated:

Boot → systemd-resolved starts
     → Netplan renders br0 via systemd-networkd
     → hostapd starts, creates ap0 (cloned interface)
     → ap0 enslaved to br0
     → br0 becomes routable
     → networkd-dispatcher triggers dnsmasq start
     → WiFi hotspot ready for clients
     → DNS: Client → dnsmasq → systemd-resolved → Internet

⚠️ HARDWARE-SPECIFIC NOTE:

Unlike previous tests with Realtek RTL8188CUS (which doesn't support concurrent AP+STA), my Marvell chipset works perfectly with PR #4093. This confirms that when hardware supports interface combinations, the PR works flawlessly.

# My Marvell chipset supports interface combinations
$ iw list | grep -A5 "interface combinations"
        valid interface combinations:
                 * #{ managed, AP, P2P-client, P2P-GO } <= 3,
                   total <= 3, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz }

WiFi hotspot visible and working:
WhatsApp Image 2025-12-23 at 22 41 08

Conclusion: The Realtek RTL8188CUS limitation (interface combinations are not supported) is a hardware/driver issue, not a PR issue.

PR #4093 works perfectly on hardware that supports interface combinations

iiab-diagnostics: https://paste.centos.org/view/2ae8bb8b

Contributor Author

jvonau commented Jan 3, 2026

@holta Are you going to fix and push this PR after being broken by recent changes in master? Hope @muthuri-dev didn't waste his time testing this PR.

Member

holta commented Jan 3, 2026

  • @muthuri-dev can you help resolve the merge conflicts here, so we can try to get this merged ASAP?

  • In a new branch of your own, if that proves necessary??

Contributor Author

jvonau commented Jan 3, 2026

<<<<<<< resolv
    discovered_wan_iface: "{{ ansible_facts.default_ipv4.alias }}"
  when: ansible_facts.default_ipv4.gateway is defined
=======
    discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
  when:
    - ansible_default_ipv4.gateway is defined
    - not is_proot
>>>>>>> master

I'll fix it here on github as I don't plan on changing anything else as this PR is the most tested change in the history of this project.

Member

holta commented Jan 3, 2026

@muthuri-dev this weekend (or ASAP in coming days!) is probably a good time to merge this PR in my opinion, if you agree?

@@ -0,0 +1,8 @@
network:
version: 2
renderer: networkd
Member

I'm not too familiar with Netplan... is the goal that systemd-networkd manages br0 but everything else is managed by NetworkManager?

Member

@chapmanjacobd chapmanjacobd Jan 5, 2026

https://askubuntu.com/a/1032012

should this template file have a higher priority like, 99-iiab.yml.j2?

Contributor Author

I'm not too familiar with Netplan... is the goal that systemd-networkd manages br0 but everything else is managed by NetworkManager?

In a nutshell, yes. I chose to use systemd-networkd as the backend as that service is started much before NetworkManager and the wired interface bridging code uses systemd-networkd to bring up the wired slaves of br0 which needs to be created before the slaves are added to br0. RasPiOS used to use dhcpcd as the network backend but since has moved to using NetworkManager and now netplan is in the mix, the code has more or less been using systemd-networkd sidestepping netplan for Ubuntu server for the last 9 years

Contributor Author

https://askubuntu.com/a/1032012

should this template file have a higher priority like, 99-iiab.yml.j2?

Why would you suggest that? Don't think it matters much as in the end all that is going on is the creation of a Virtual interface and assigning an IP address and waiting for the wifi or wired slaves to be added. The base file used on RasPi Ubuntu server image is 50-cloud-init.yaml.

Member

Yeah, it is a dumb suggestion on my part--just trying to make conversation lol :-)

The PR looks solid

Member

@chapmanjacobd chapmanjacobd left a comment

similar discussion happening here: basecamp/omarchy#1414

@muthuri-dev
Member

@muthuri-dev this weekend (or ASAP in coming days!) is probably a good time to merge this PR in my opinion, if you agree?

@holta from all the tests I have done and what @jvonau stated should be achieved, meets all the checks. It is ready.

Contributor Author

jvonau commented Jan 5, 2026

similar discussion happening here: basecamp/omarchy#1414

How does a distribution not supported by IIAB matter? Most of that discussion is around replacing iwd with network-manager.

Member

chapmanjacobd commented Jan 5, 2026

Ah I thought Omarchy was Debian-based so I thought it was interesting that people in similar situations are doing similar things but that's Omakub. Anyway. It's completely tangential

Member

holta commented Jan 5, 2026

  1. Thanks especially to @jvonau, and also to Everyone who tested and reviewed this, hard work all around to help folks out everywhere!

  2. I don't yet understand why it's important that the two "40 min" CI scripts have their local_vars.yml files swapped (on RPiOS on Zero 2 W and Debian on RPi 3, FWIW with both OS's apparently out of date ?) But no worries, we can fine-tune later if/when that needs any further adjustment (certainly CI workflows are always being refined, regardless :)

Development

Successfully merging this pull request may close these issues.

tailscale dnsmasq conflict

5 participants