How-to make a Raspberry Pi 3 as a 3G/4G router


In this article we will explain how to configure and use our Raspberry Pi 3 to act as a 3G/4G Wi-Fi Router

Installing the required packages

First of all we need to install the DHCP Server, hostapd (for create a Wi-Fi AP) and usb-modeswitch (for the 3G/4G modem).

sudo apt-get install usb-modeswitch usb-modeswitch-data hostapd isc-dhcp-server



Configure DHCP Server

We proceed now to configure the DHCP Server in order to release IPs to our clients through Wi-Fi (wlan0).
Let’s start by configuring the DHCP subnet, IP range and DNS Server to push to the clients


# Configuration file for ISC dhcpd for Debian

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# Internal subnet.
subnet netmask {
option domain-name-servers,;
option domain-name "local-network";
option routers;
option broadcast-address;
default-lease-time 600;
max-lease-time 7200;

After configuring the DHCP subnet we should specify on which interface/interfaces the DHCP Server should listen, for doing this we edit the following file and insert the interface in the “INTERFACES” section:


# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

# This is a POSIX shell fragment

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).

# Path to dhcpd's PID file (default: /var/run/

# Additional options to start dhcpd with.
#       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".



Configure Wi-Fi AP

We configure now hostapd in order to setup a Wi-Fi network for the clients like Smartphone, Laptop, Tablets, etc..
If doesn’t already exist create a file under “/etc/hostapd/hostapd.conf”

touch /etc/hostapd/hostapd.conf

Then inside the file put the following configuration and change the field ssid and wpa_passphrase with a Wi-Fi name to show to your devices and the password for access to the Wi-Fi

### Wireless network interface ###

### Driver ###

### Network name SSID ###



### Set frequency to 2.4 Ghz ###

### Channel number ###

### Enable Wi-Fi N ###

### Enable WMM ###

### Enable 40 Mhz channels ###

### Allow all MAC Address ###

### Use WPA Auth ###

### Require clients to know the network name ###

### Use WPA2 ###

### Enable Pre-Shared Key ###

### Network key ###


### Use AES ###

Now we should tell to the which configuration file the init script should use, in order to do this we need to edit the file “/etc/default/hostapd” and comment out the parameter “DAEMON_CONF=” and fill it with the path to the previously created hostapd configuration file. At the end the file should be like that:

# Defaults for hostapd initscript
# See /usr/share/doc/hostapd/README.Debian for information about alternative
# methods of managing hostapd.
# Uncomment and set DAEMON_CONF to the absolute path of a hostapd configuration
# file and hostapd will be started during system boot. An example configuration
# file can be found at /usr/share/doc/hostapd/examples/hostapd.conf.gz

# Additional daemon options to be appended to hostapd command:-
#       -d   show more debug messages (-dd for even more)
#       -K   include key data in debug messages
#       -t   include timestamps in some debug messages
# Note that -B (daemon mode) and -P (pidfile) options are automatically
# configured by the init.d script and must not be added to DAEMON_OPTS.



Configure the network interface and Firewall (iptables) rules

We configure now the interface wlan0 in the file “/etc/network/interfaces” in order to disable the automatic configuration through wpa_supplicant and assign a static IP to the wlan0 interface and make it as a default gateway for the clients.
Comment the section “iface wlan0 inet manual” and “wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf”.

# interfaces(5) file used by ifup(8) and ifdown(8)

# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
#iface wlan0 inet manual
#    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

iface wlan0 inet static

allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

We need now to setup our Raspberry Pi as a “Router” so we should now enable the packets forwarding into the kernel with:

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

But this will only enable temporary the packet forwarding so in order to make it permanent we should edit the file “/etc/sysctl.conf” and add (or comment out if exist)

# Uncomment the next line to enable packet forwarding for IPv4

The configuration is almost finished, we need only to setup the iptables rules

iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE
iptables -A FORWARD -i usb0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o usb0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Save the current iptables rule with

iptables-save > /etc/iptables.ipv4.nat

We configure the rule to be loaded at boot by edit the file “/etc/rc.local” and add at the end of the file (before the “exit 0) the following lines:

iptables-restore < /etc/iptables.ipv4.nat

Why “usb0” interface in the iptables rules?
Probably you are asking why I’ve chosen the usb0 interface in the iptables rules instead of ppp0. I’ve chosen usb0 because my 3G key (a ZTE MF730) is switched by the usb-modeswitch project as an USB Ethernet interface (this happens also for some Huawei 3G/4G key).


Starting the services

The configuration now is ended so let’s start the services!
First of all restart the networking in order to apply the modification

root@raspberrypi:~# /etc/init.d/networking restart

Then start or restart if running the DHCP Server service

root@raspberrypi:~# /etc/init.d/isc-dhcp-server restart

Start hostapd

root@raspberrypi:~# /etc/init.d/hostapd restart

We are done! Now you should see your Wi-FI Network and able to connect to it. You can also use now use multiple devices through your 3G/4G USB key.

Posted in How-To, Linux, Raspberry Pi.


  1. hello !
    Thank you for your article !
    But i have a question :
    I have not 3G/4G USB key … Can i use a smartphone ?
    It is on usb0 and it is on modem mode !

    usb0 Link encap:Ethernet HWaddr 02:55:35:3b:3b:38
    inet addr: Bcast: Mask:
    inet6 addr: fe80::7f43:9856:9c9a:e338/64 Scope:Link
    RX packets:12 errors:0 dropped:0 overruns:0 frame:0
    TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1531 (1.4 KiB) TX bytes:9060 (8.8 KiB)

    wlan0 Link encap:Ethernet HWaddr 84:16:f9:0b:71:46
    inet addr: Bcast: Mask:
    inet6 addr: fe80::848c:b2ea:6147:fa42/64 Scope:Link
    RX packets:1513 errors:0 dropped:96 overruns:0 frame:0
    TX packets:1353 errors:0 dropped:241 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:379567 (370.6 KiB) TX bytes:1565778 (1.4 MiB)

    Bus 001 Device 007: ID 04e8:6864 Samsung Electronics Co., Ltd


    • Hi M@rco,

      sorry for the late reply! I have lost the email notification that someone have commented.. Yes you can also use the Smartphone, I never test it but if the Smartphone it’s in modem mode and recognised as a network interface it will work 🙂

    • Hi denadai,

      Thank you!
      yes, I can comment a bit more! What do you want to know or what is not clear? 🙂


      • I’m new to iptables. If you could comment what specific these rules do? I’ve found other command, that you could update the post later: sudo iptables -t nat -A PREROUTING -p tcp –dport 2525 -j DNAT –to-destination It will give you access to modem trougth this bridge.
        And, thanks you for this great job!

        • Sure! I’ll do here a short explanation of the rules and when I have time I will update the post

          # This rule will NAT all the traffic that exit from the Modem interface (usb0) with the modem IP
          iptables -A POSTROUTING -o usb0 -j MASQUERADE

          # This rule will allow all new and already established connections from the Wi-Fi clients to Internet
          iptables -A FORWARD -i wlan0 -o usb0 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT

          # This rule will accept all the reply that come back from internet to the Wi-Fi clients (as you can see there is not the flag NEW)
          iptables -A FORWARD -i usb0 -o wlan0 -m state –state RELATED,ESTABLISHED -j ACCEPT

  2. I get stuck at “sudo iptables -A POSTROUTING -o usb0 -j MASQUERADE”
    I get the following message “iptables: No chain / target / match by that name.”

    my ifconfig indicates that wwan0 is the “Bus 001 Device 007: ID 148f: 760b Ralink Technology, Corp. MT7601U Wireless Adapter”.

    I tried to make usb0, wwan0 but get the same error message.

    Please your help, thanks in advance

    • sorry in ifconfig is see wwan0 and it is: Bus 001 Device 009: ID 12d1:14cb Huawei Technologies Co., Ltd.

      i dont see a usb0 in the list

    • Your modem have the interface name called “wwan0” instead of “usb0” so the iptables rule would be:

      “sudo iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE”

      • hello dark-vex,

        see in my first log: ” I tried to make usb0, wwan0 but get the same error message.”
        so if i type in “sudo iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE”

        still i get: “iptables: No chain / target / match by that name.”

        any suggestion?

        • In the post there was missing the parameter “-t nat” and I have fixed it. So “sudo iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE” should work.. in case you still receive “No chain / target / match by that name” please paste the output of “sudo iptables -t nat -nvL”

  3. Hi, i want to create a 4G raspberry pi router but only with 2 lan ports and 4g module only for remote accessing from everywhere. Can you help me how can i do that?

    • Hi Peter, the additional ethernet port for the raspberry it’s and usb ethernet card or it’s a shield over the raspberry?

  4. Hi, thanks for your tutorial. How can I make these changes permanent on every startup? I would change the setup slightly because I want to share 4g connection over ethernet port, it is near the same.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.