Setting up a bridge wlan0 to eth0 on a Raspberry Pi
This is for an IPv4 bridge connection between WAN and LAN using a Raspberry Pi. Another Linux computer would also work instead of a Raspberry Pi. Some of this is basically a dump of notes that I took while trying to get this up and running in 2017. This post may be of use to someone who is struggling to get this sort of thing going, as some of the sources on the net were not always clear on how to do it and validate its operation.
The idea with this plan is to have the R-Pi act as a router, hand out addresses to devices on the network and do a DNS masquerade on the eth0 connection. It will also forward IPv4 packets in BOTH directions, thereby bridging a wired and a wireless network. Note: Devices running on the LAN will require setting up a default route to the gateway on the WLAN to see devices on the WLAN.
Why Setup a wlan0 to eth0 Bridge
I had to do this to allow a connection between a ZTE WiFi hotspot that did not have any Ethernet connection port and a need to connect a set of desktop computers that only have Ethernet ports to the Internet. Essentially I have two networks, one is WiFi, one hardwired, and the machines have to be able to reach the Internet and each other from both sides. The Ethernet machines are connected to a switch with a router connected to it acting as an access point, DHCP set to off. This network is on an “island” that needed to be bridged via WLAN to get out to the Internet via the ZTE hotspot.
Install dnsmasq
dnsmasq is a lightweight program that will run as a service that will take care of the DNS and the DHCP functions that are required to make the R-Pi act as a router and bridge.
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install rpi-update dnsmasq -y
sudo rpi-update
Static IP on Ethernet Connection
Next, set up a static IP for the DHCP server. Edit /etc/network/interfaces to make the R-Pi reside at a static address on the wired network. In this example it is set up for 192.168.1.17; the typical gateway address for a router on a 192.168.1.0 network would be 192.168.1.1, which was the gateway at one time on this network. There is nothing magical about the 192.168.1.1 address; a default gateway can exist on any valid address, excluding 192.168.1.0 and 255.
NOTICE THAT THE DEFAULT GATEWAY FOR THE eth0 IS NOT SET! This is important because the default gateway should be grabbed from the WiFi network and not the wired, which in my case is not connected to the Internet. It will go to the Ethernet first by default if there are two default gateways, WLAN and LAN.
Router Settings
If there is a router on the network, it is important to turn off DHCP on it as it does not have to hand out addresses anymore. It should just behave as a switch instead, forwarding packets in and out of all ports, including WiFi if it has it and this option is wanted; then it will function as an AP (Access Point) as well on its own network (192.168.1.0/24 in my case).
erick@raspberrypi ~ $ cat /etc/network/interfaces
auto lo
iface lo inet loopback
#iface eth0 inet dhcp
iface eth0 inet static
address 192.168.1.17
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
#gateway 192.168.1.1
# nameservers
dns-nameservers 8.8.8.8 8.8.4.4
allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
Sanity Check using mtr, a.k.a. My Trace Route
Running mtr shows a direct route to Optiplex-790, running mtr from Optiplex-790 to 192.168.128.1 shows a bounce via the R-pi.
See Appendix 1 for more info.
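The two conditions from the notice above (no default gateway on eth0, one on wlan0) can be checked mechanically from `ip route show` output. This is an added example, not part of the original notes: check_default_route is a hypothetical helper, the sample routing tables are constructed, and 192.168.128.46 is the R-Pi's WLAN address used later in this post.

```shell
#!/bin/sh
# Added example, not from the original post. check_default_route is a
# hypothetical helper; the sample routing tables below are constructed.

# check_default_route WAN_IF   (reads `ip route show` output on stdin)
# Returns 0 only if a default route exists and every one leaves via WAN_IF.
check_default_route() {
    awk -v wan="$1" '
    $1 == "default" {
        dev = "?"; via = "on-link"
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "via") via = $(i + 1)
        }
        n++
        print "default route: via " via " dev " dev
        if (dev != wan) wrong = wrong " " dev
    }
    END {
        if (n == 0)      { print "FAIL: no default route at all"; exit 1 }
        if (wrong != "") { print "FAIL: default route on" wrong ", expected only " wan; exit 1 }
        print "OK: " n " default route(s), all via " wan
    }'
}

# Constructed: eth0 static with no gateway line, wlan0 addressed by DHCP.
sample_good() {
    cat <<'EOF'
default via 192.168.128.1 dev wlan0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.17
192.168.128.0/24 dev wlan0 proto kernel scope link src 192.168.128.46
EOF
}

# Constructed: the same host if "gateway 192.168.1.1" were left enabled on eth0.
sample_bad() {
    cat <<'EOF'
default via 192.168.1.1 dev eth0
default via 192.168.128.1 dev wlan0 metric 303
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.17
192.168.128.0/24 dev wlan0 proto kernel scope link src 192.168.128.46
EOF
}

sample_good | check_default_route wlan0
sample_bad  | check_default_route wlan0 || echo "(check failed as expected)"
# On the router itself: ip route show | check_default_route wlan0
```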
Configure dnsmasq via /etc/dnsmasq.conf
Copy the rather wordy original to a backup copy and use sudo nano to edit in new details. The listen address will be the same as entered into the /etc/network/interfaces file for the R-Pi now that it is at a static address; mine is at 192.168.1.17, for example. Server is the DNS server that dnsmasq will be using to do its masquerade magic. This can be a comma separated list. I have Google in there for DNS at 8.8.8.8, but an ISP would do as well. Sometimes the router upstream includes a caching DNS and it can be included as well. If the upstream router does have a caching DNS, this helps a bit with lookups, as the lookup table will be maintained locally as a cache of frequently visited web addresses. A local DNS lookup has fewer delays than reaching out on the web for every translation from a name to a numeric IP address.
Address Reservation
For dhcp-range I am choosing from 192.168.1.20-192.168.1.255 as the ones below 20 on my network are kept in reserve for static addresses.
Backup and then edit…
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo nano /etc/dnsmasq.conf
/etc/dnsmasq.conf example
This is the one that I am using for the R-Pi bridge. The R-Pi is static on 192.168.1.17. The DNS server is Google's 8.8.8.8 and I am reserving addresses from 192.168.1.0-20.
interface=eth0 # Use interface eth0
listen-address=192.168.1.17 # Explicitly specify the address to listen on
bind-interfaces # Bind to the interface to make sure we aren't sending things elsewhere
server=8.8.8.8 # Forward DNS requests to Google DNS
domain-needed # Don't forward short names
bogus-priv # Never forward addresses in the non-routed address spaces.
dhcp-range=192.168.1.20,192.168.1.255,12h # Assign IP addresses between 192.168.1.20,192.168.1.255 with a 12 hour lease time
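A DHCP pool should stay clear of the subnet's network and broadcast addresses and of the statically addressed hosts (the R-Pi at .17 and the desktop at .18). The following is an added example, not part of the original notes; check_dhcp_pool is a hypothetical helper that only understands the start,end,lease form of dhcp-range used here, and the 255.255.255.0 netmask is taken from the interfaces file above.

```shell
#!/bin/sh
# Added example, not from the original post. check_dhcp_pool is a hypothetical
# helper; it handles only the start,end,lease form of dhcp-range used here.

# check_dhcp_pool NETMASK [STATIC_IP...]   (reads dnsmasq.conf on stdin)
# Returns 0 if the pool avoids the network/broadcast addresses and statics.
check_dhcp_pool() {
    mask=$1; shift
    awk -v mask="$mask" -v statics="$*" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    { sub(/[ \t]*#.*/, "") }                  # drop trailing comments
    /^dhcp-range=/ {
        split(substr($0, 12), f, ",")         # f[1]=start f[2]=end f[3]=lease
        lo = ip2int(f[1]); hi = ip2int(f[2]); seen = 1
    }
    END {
        if (!seen) { print "FAIL: no dhcp-range line"; exit 1 }
        size = 4294967296 - ip2int(mask)      # number of addresses in the subnet
        net = int(lo / size) * size; bcast = net + size - 1
        if (lo == net)   { print "FAIL: pool starts at the network address"; rc = 1 }
        if (hi >= bcast) { print "FAIL: pool reaches the broadcast address"; rc = 1 }
        n = split(statics, s, " ")
        for (i = 1; i <= n; i++)
            if (ip2int(s[i]) >= lo && ip2int(s[i]) <= hi) {
                print "FAIL: static host " s[i] " is inside the pool"; rc = 1
            }
        if (!rc) print "OK: pool is clear of reserved and static addresses"
        exit rc
    }'
}

# The dnsmasq.conf from this post, comments shortened.
post_conf() {
    cat <<'EOF'
interface=eth0
listen-address=192.168.1.17   # static address of the R-Pi
bind-interfaces
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=192.168.1.20,192.168.1.255,12h   # pool and lease time
EOF
}

post_conf | check_dhcp_pool 255.255.255.0 192.168.1.17 192.168.1.18 || true
# Same file with the pool ending at .254 passes:
post_conf | sed 's/1\.255,12h/1.254,12h/' | check_dhcp_pool 255.255.255.0 192.168.1.17 192.168.1.18
```

With the range as written, the upper bound 192.168.1.255 is the broadcast address of 192.168.1.0/24, so the check reports it; ending the pool at 192.168.1.254 clears the finding.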
Enable IPv4 forwarding
The R-pi kernel has to be told explicitly to forward IPv4 packets between wlan0 and eth0.
sudo nano /etc/sysctl.conf
Find and UNCOMMENT the following line
net.ipv4.ip_forward=1
TO APPLY CHANGE WITHOUT A REBOOT
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
IPTABLES rules update
iptables needs a few rules added to cover the masquerading (NAT) on wlan0 and to accept packets forwarded from wlan0 to eth0 and in the other direction. Execute the following commands to add the rules to iptables.
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
iptables will keep its info as long as the machine is booted up. It needs a reload when rebooted.
THE STUFF BELOW IS NOT NEEDED AS THE PI HAS A METHOD TO RESTORE THE IPTABLES VIA iptable-save.sh
HAVE NOT DONE THIS YET as of 12/12/2017
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
HOOK FILE
sudo nano /lib/dhcpcd/dhcpcd-hooks/70-ipv4-nat
ADD…
iptables-restore < /etc/iptables.ipv4.nat
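Before a saved file such as /etc/iptables.ipv4.nat is restored at every boot, it is worth confirming that it holds the three rules above and seeing what the FORWARD chain policy does with everything else. This is an added example, not part of the original notes; audit_ruleset is a hypothetical helper and sample_ruleset is constructed to match what the three commands produce on an otherwise empty ruleset.

```shell
#!/bin/sh
# Added example, not from the original post. audit_ruleset is a hypothetical
# helper; sample_ruleset is constructed to match the three commands above.

# audit_ruleset WAN_IF LAN_IF   (reads iptables-save output on stdin)
# Returns 1 if a rule from this post is missing; NOTE lines are advisory.
audit_ruleset() {
    awk -v wan="$1" -v lan="$2" '
    /^\*/ { table = substr($0, 2); next }
    table == "filter" && $1 == ":FORWARD" { policy = $2; next }
    $1 != "-A" { next }
    { rule = " " $0 " " }
    table == "nat" && $2 == "POSTROUTING" && index(rule, " -o " wan " ") &&
        index(rule, " -j MASQUERADE ") { masq = 1 }
    table == "filter" && $2 == "FORWARD" && index(rule, " -j ACCEPT ") {
        if (index(rule, " -i " lan " -o " wan " ")) outbound = 1
        if (index(rule, " -i " wan " -o " lan " ")) {
            if (rule ~ /state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) /) replies = 1
            else anynew = 1
        }
    }
    END {
        if (!masq)     { print "MISSING: MASQUERADE on " wan; rc = 1 }
        if (!outbound) { print "MISSING: FORWARD " lan " -> " wan; rc = 1 }
        if (!replies)  { print "MISSING: FORWARD " wan " -> " lan " for replies"; rc = 1 }
        if (anynew)    print "NOTE: a rule accepts new " wan " -> " lan " connections"
        if (policy == "ACCEPT")
            print "NOTE: FORWARD policy ACCEPT, unmatched packets are forwarded"
        exit rc
    }'
}

# Constructed sample of iptables-save output after the three commands.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | audit_ruleset wlan0 eth0
# On the router: sudo iptables-save | audit_ruleset wlan0 eth0
```

The advisory line matters for reading the ruleset: with the FORWARD policy at ACCEPT, the RELATED,ESTABLISHED match on the wlan0 to eth0 rule does not filter anything, which is why WLAN hosts with a route to 192.168.1.0/24 can open connections to the wired side. Restricting that direction to replies only would require a FORWARD policy of DROP.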
—————————————————-
—————————————————–
On the PC – Optiplex-790
I set up the main desktop PC as static IP via Edit Connections on the GUI.
Configure Wired Connection 1 as IPv4 Settings, Manual with address as 192.168.1.18 netmask 255.255.255.0 and gateway as the R-pi at 192.168.1.17
DNS servers, the R-pi itself 192.168.1.17 and Google at 8.8.8.8. It might be possible to have 192.168.128.1 as well as that might be a caching DNS on the upstream ZTE WiFi hotspot. It might have a caching DNS server inside of the Sprint Box itself, not sure and requires looking at the specs for it.
Feasibility Test Using a PC as a Bridge
Before I went through the trouble of setting up the R-Pi as a bridge I did a sanity check/prototype by using a PC as a bridge. By taking the WiFi USB dongle and plugging it into the PC, an Optiplex-790 running Linux Mint, I was able to test the feasibility out beforehand.
Create shared connection
On an initial test of setting up the network, before digging into the R-pi to do this, I shared the wifi to the eth via editing the Wired Connection 1 and sharing under IPv4 Settings. But it puts it on a 10.42.0.x network. Use the following to change this…
In versions before 1.4.2, 10.42.0.x is hard-coded into NetworkManager. The choice is either upgrade to Ubuntu 17.04, with version 1.4.4, or go the easy way and use the following command from Thomas Haller to set the host IP and class. For my setup it was 192.168.1.18…
nmcli connection modify $CONNECTION_ID +ipv4.addresses 192.168.1.18/24
where $CONNECTION_ID is found via…
nmcli connection show
… Afterwards, verify with…
nmcli connection show $CONNECTION_ID
from …
https://askubuntu.com/questions/609645/configure-connection-sharing-with-specific-ip-address
ANY CHANGES MADE TO THE CONNECTION EDITOR REQUIRES A DISCONNECT AND RECONNECT TO APPLY THE CHANGES!!
Uncheck and Recheck Enable Networking
erick@OptiPlex-790 ~ $ nmcli connection show
NAME UUID TYPE DEVICE
Wired connection 1 1a2d9768-104d-3714-814c-57ea2faff63b 802-3-ethernet eno1
NETGEAR63 13f543ac-ea4b-455e-9ff7-9e0ecaddb139 802-11-wireless --
SprintHotspot2.4-BA3A b85d60f9-5875-4eaa-a0c0-df43d174c869 802-11-wireless --
...Verification that the change took hold after setting via nmcli connection modify command...
erick@OptiPlex-790 ~ $ nmcli connection show 1a2d9768-104d-3714-814c-57ea2faff63b
connection.id: Wired connection 1
connection.uuid: 1a2d9768-104d-3714-814c-57ea2faff63b
connection.interface-name: --
connection.type: 802-3-ethernet
connection.autoconnect: yes
connection.autoconnect-priority: -999
connection.timestamp: 1513298233
connection.read-only: no
connection.permissions:
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries:
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: -1 (default)
802-3-ethernet.port: --
802-3-ethernet.speed: 0
802-3-ethernet.duplex: full
802-3-ethernet.auto-negotiate: yes
802-3-ethernet.mac-address: 18:03:73:D1:52:FC
802-3-ethernet.cloned-mac-address: --
802-3-ethernet.mac-address-blacklist:
802-3-ethernet.mtu: auto
802-3-ethernet.s390-subchannels:
802-3-ethernet.s390-nettype: --
802-3-ethernet.s390-options:
802-3-ethernet.wake-on-lan: 1 (default)
802-3-ethernet.wake-on-lan-password: --
ipv4.method: manual
ipv4.dns: 192.168.1.17,8.8.8.8
ipv4.dns-search:
ipv4.dns-options: (default)
ipv4.dns-priority: 0
ipv4.addresses: 192.168.1.18/24
ipv4.gateway: 192.168.1.17
ipv4.routes:
ipv4.route-metric: -1
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-timeout: 0
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.never-default: no
ipv4.may-fail: yes
ipv4.dad-timeout: -1 (default)
ipv6.method: auto
ipv6.dns:
ipv6.dns-search:
ipv6.dns-options: (default)
ipv6.dns-priority: 0
ipv6.addresses:
ipv6.gateway: --
ipv6.routes:
ipv6.route-metric: -1
ipv6.ignore-auto-routes: no
ipv6.ignore-auto-dns: no
ipv6.never-default: no
ipv6.may-fail: yes
ipv6.ip6-privacy: 0 (disabled)
ipv6.addr-gen-mode: stable-privacy
ipv6.dhcp-send-hostname: yes
ipv6.dhcp-hostname: --
GENERAL.NAME: Wired connection 1
GENERAL.UUID: 1a2d9768-104d-3714-814c-57ea2faff63b
GENERAL.DEVICES: eno1
GENERAL.STATE: activated
GENERAL.DEFAULT: yes
GENERAL.DEFAULT6: no
GENERAL.VPN: no
GENERAL.ZONE: --
GENERAL.DBUS-PATH: /org/freedesktop/NetworkManager/ActiveConnection/14
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/Settings/1
GENERAL.SPEC-OBJECT: /
GENERAL.MASTER-PATH: --
IP4.ADDRESS[1]: 192.168.1.18/24
IP4.GATEWAY: 192.168.1.17
IP4.ROUTE[1]: dst = 169.254.0.0/16, nh = 0.0.0.0, mt = 1000
IP4.DNS[1]: 192.168.1.17
IP4.DNS[2]: 8.8.8.8
IP6.ADDRESS[1]: fe80::7abb:ec07:22dc:c7bd/64
IP6.GATEWAY:
Looking at the ZTE WiFi Hotspot as seen from the Optiplex-790
erick@OptiPlex-790 ~ $ nmcli connection show b85d60f9-5875-4eaa-a0c0-df43d174c869
connection.id: SprintHotspot2.4-BA3A
connection.uuid: b85d60f9-5875-4eaa-a0c0-df43d174c869
connection.interface-name: --
connection.type: 802-11-wireless
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.timestamp: 1513128371
connection.read-only: no
connection.permissions:
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries:
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: -1 (default)
802-11-wireless.ssid: SprintHotspot2.4-B838
802-11-wireless.mode: infrastructure
802-11-wireless.band: --
802-11-wireless.channel: 0
802-11-wireless.bssid: --
802-11-wireless.rate: 0
802-11-wireless.tx-power: 0
802-11-wireless.mac-address: 08:86:3B:04:85:88
802-11-wireless.cloned-mac-address: --
802-11-wireless.mac-address-blacklist:
802-11-wireless.mac-address-randomization:default
802-11-wireless.mtu: auto
802-11-wireless.seen-bssids: 34:69:87:BB:B8:38
802-11-wireless.hidden: no
802-11-wireless.powersave: default (0)
802-11-wireless-security.key-mgmt: wpa-psk
802-11-wireless-security.wep-tx-keyidx: 0
802-11-wireless-security.auth-alg: --
802-11-wireless-security.proto:
802-11-wireless-security.pairwise:
802-11-wireless-security.group:
802-11-wireless-security.leap-username: --
802-11-wireless-security.wep-key0: <hidden>
802-11-wireless-security.wep-key1: <hidden>
802-11-wireless-security.wep-key2: <hidden>
802-11-wireless-security.wep-key3: <hidden>
802-11-wireless-security.wep-key-flags: 0 (none)
802-11-wireless-security.wep-key-type: 0 (unknown)
802-11-wireless-security.psk: <hidden>
802-11-wireless-security.psk-flags: 0 (none)
802-11-wireless-security.leap-password: <hidden>
802-11-wireless-security.leap-password-flags:0 (none)
ipv4.method: auto
ipv4.dns: 8.8.8.8,8.8.4.4
ipv4.dns-search:
ipv4.dns-options: (default)
ipv4.dns-priority: 0
ipv4.addresses:
ipv4.gateway: --
ipv4.routes:
ipv4.route-metric: -1
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-timeout: 0
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.never-default: no
ipv4.may-fail: yes
ipv4.dad-timeout: -1 (default)
ipv6.method: auto
ipv6.dns:
ipv6.dns-search:
ipv6.dns-options: (default)
ipv6.dns-priority: 0
ipv6.addresses:
ipv6.gateway: --
ipv6.routes:
ipv6.route-metric: -1
ipv6.ignore-auto-routes: no
ipv6.ignore-auto-dns: no
ipv6.never-default: no
ipv6.may-fail: yes
ipv6.ip6-privacy: 0 (disabled)
ipv6.addr-gen-mode: stable-privacy
ipv6.dhcp-send-hostname: yes
ipv6.dhcp-hostname: --
Note: Needed to Add a Route on a Machine Connected to Raspberry Pi via Ethernet
I needed to add a route to the rpi to get to the 192.168.1.0/24 network.
I THOUGHT that this had worked automatically initially. It seemed that I could at least get to the pi at http://raspberrypi and 192.168.1.17.
But really a route is needed to the 192.168.1.0/24 network via the raspberrypi.router on 192.168.128.X
sudo route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.128.46
there is a helper file for this in ~/bin add-route-to-192.168.1.0.sh
erick@media-pc ~/Music $ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.128.1 0.0.0.0 UG 600 0 0 wlx08863b02838f
link-local * 255.255.0.0 U 1000 0 0 wlx08863b02838f
192.168.1.0 raspberrypi.rou 255.255.255.0 UG 0 0 0 wlx08863b02838f
192.168.128.0 * 255.255.255.0 U 600 0 0 wlx08863b02838f
using mtr to a device on the 192.168.1.0 network confirms hw packets are routed through!
————————————————————————————–
NETSTAT VERY HELPFUL
netstat --help
usage: netstat [-vWeenNcCF] [<Af>] -r netstat {-V|--version|-h|--help}
netstat [-vWnNcaeol] [<Socket> ...]
netstat { [-vWeenNac] -i | [-cWnNe] -M | -s }
-r, --route display routing table
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections
-v, --verbose be verbose
-W, --wide don't truncate IP addresses
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing
-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
<Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)
—————————————————————————————
APPENDIX 1:
https://raspberrypi.stackexchange.com/questions/8010/internet-access-via-1-of-2-network-interfaces
You need to verify that you DO NOT have a default gateway set on your ETH0 interface. It has probably been assigned by DHCP, so you may have to address it statically, edit your router configuration. You will also need to verify that you have a default gateway on your WLAN interface.
Post the output of ip route show when both interfaces are connected for more detailed response.
You also need to ensure that your two routers are on different subnets. For example, the network connected to ETH0 could be 192.168.1.0 255.255.255.0, and WLAN0 could be 192.168.0.0 255.255.255.0, but they have to be on different networks. More on subnet mask
Finally you may want to read up on local routing for Debian systems.
Sorry I can’t be more specific, but there could be a book written to explain this topic. If you get stuck, or have a more specific question after doing a little reading, please let me know. I would be happy to help.
EDIT: Based on the added ip route show, you need to re-address one of your networks so the pi knows they are not connected. You may still have gateway issues, but that is where you need to start.
edited Jun 18 ’13 at 16:13
answered Jun 17 ’13 at 22:38
Butters
eth0 is always preferred interface over wireless, you will need to issue command route -n to see your routes and then probably change default routing using:
$ sudo route add default gw 192.168.1.1 wlan0
just use correct address for your wireless router.