Setting up the bridge
Linux won't let you add a wireless interface in managed mode to a bridge at all unless you enable 4addr mode on it:
iw dev wlan0 set 4addr on
Enable routing by modifying the ip_forward /proc filesystem file
echo 1 > /proc/sys/net/ipv4/ip_forward
Create the bridge using brctl:
root@bridge:~> brctl addbr br0
Next, we do not need STP (Spanning Tree Protocol): there is only one single router, so a loop is highly improbable, and we may deactivate this feature. (It results in a less polluted networking environment, too, since no STP frames are sent.)
root@bridge:~> brctl stp br0 off
After these preparations, we finally get to the effective commands. We add our two (or even more) physical ethernet interfaces, that is, we attach them to the just-created logical (virtual) bridge interface br0:
root@bridge:~> brctl addif br0 wlan0
root@bridge:~> brctl addif br0 eth1
Now, our two previously physical ethernet interfaces have each become a logical bridge port. Erm, ok, the physical devices were and still are there, go have a look ;-) But they are now part of the logical bridge device and therefore need no IP configuration of their own any longer. So release their IPs:
root@bridge:~> ifconfig wlan0 down
root@bridge:~> ifconfig eth1 down
root@bridge:~> ifconfig wlan0 0.0.0.0 up
root@bridge:~> ifconfig eth1 0.0.0.0 up
We tell Linux the new (logical) interface and associate one single IP with it:
root@bridge:~> ifconfig br0 192.168.0.1 up
Setting up DNSMasq
By default DNSMasq forwards DNS requests to the DNS server specified in /etc/resolv.conf. Therefore I needed to create this file:
# more /etc/resolv.conf
nameserver 192.168.10.1
DNSmasq reads a configuration file, the default file is /etc/dnsmasq.conf:
The following configuration was defined:
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=br0
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=192.168.0.50,192.168.0.150,12h
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
dhcp-option=3,192.168.0.1
Run dnsmasq:
# dnsmasq
or
# dnsmasq -C /path-to-your-configuration/dnsmasq.conf
The first time that dnsmasq is run, it complains about not finding the directory '/var/lib/misc'. Please create this directory manually:
# mkdir /var/lib/misc
Setting up HostAPD
By default, HostAPD reads its configuration from /etc/hostapd.conf. The following configuration was defined:
# more hostapd.conf
interface=wlan0
driver=nl80211
ssid=tss_ap
channel=1
hw_mode=g
auth_algs=1
wpa=3
wpa_passphrase=12345678
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
Run hostapd. The -B option runs hostapd in the background:
# hostapd -B hostapd.conf
Setting up IPTables
Enable routing by modifying the ip_forward /proc filesystem file
echo 1 > /proc/sys/net/ipv4/ip_forward
Allow masquerading of traffic leaving through the upstream interface eth0:
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
Prior to masquerading, the packets are routed via the filter table's FORWARD chain. Because wlan0 is a port of br0, routed packets from the wireless clients enter the FORWARD chain on the bridge interface br0 (a rule matching -i wlan0 would never see them), so the accept rule matches on br0:
iptables -A FORWARD -t filter -i br0 -j ACCEPT
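The whole procedure from this page (bridge, dnsmasq, hostapd, iptables) collected into one script, as an added example that is not the page's own code: it adds a DRY_RUN mode that prints the commands instead of running them, checks the passphrase length and the DHCP range before touching anything, and generates both config files. BR_IP, DHCP_FIRST, DHCP_LAST, AP_SSID, AP_PSK, WAN, WLAN and LAN are assumed variable names, and the default passphrase is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: the bridge, dnsmasq, hostapd
# and iptables steps above as one script with a DRY_RUN mode (commands are
# printed, not run) and two sanity checks. All variable names are assumptions.
BR_IP=${BR_IP:-192.168.0.1}; DHCP_FIRST=${DHCP_FIRST:-192.168.0.50}
DHCP_LAST=${DHCP_LAST:-192.168.0.150}; AP_SSID=${AP_SSID:-tss_ap}
AP_PSK=${AP_PSK:-CHANGE-ME-use-a-long-passphrase}   # placeholder, not the post's PSK
WAN=${WAN:-eth0}; WLAN=${WLAN:-wlan0}; LAN=${LAN:-eth1}; DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# WPA-PSK passphrases must be 8..63 characters; hostapd refuses anything else.
check_psk() { n=${#1}; [ "$n" -ge 8 ] && [ "$n" -le 63 ]; }

# Bridge IP and DHCP range must share one /24 (the post's subnet size, assumed);
# dnsmasq would otherwise lease addresses that cannot be routed through br0.
check_subnet() {
  p=${BR_IP%.*}
  [ "${DHCP_FIRST%.*}" = "$p" ] && [ "${DHCP_LAST%.*}" = "$p" ]
}

gen_dnsmasq_conf() {
  printf 'interface=br0\ndhcp-range=%s,%s,12h\ndhcp-option=3,%s\n' \
    "$DHCP_FIRST" "$DHCP_LAST" "$BR_IP"
}

# WPA2/CCMP only (wpa=2). The post's wpa=3 with TKIP also admits WPA1/TKIP,
# which is deprecated; enable it only for clients that cannot do WPA2.
gen_hostapd_conf() {
  printf 'interface=%s\ndriver=nl80211\nssid=%s\nchannel=1\nhw_mode=g\n' "$WLAN" "$AP_SSID"
  printf 'auth_algs=1\nwpa=2\nwpa_passphrase=%s\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n' "$AP_PSK"
}
setup_ap() {
  check_psk "$AP_PSK" || { echo "passphrase must be 8..63 chars" >&2; return 1; }
  check_subnet || { echo "DHCP range is outside ${BR_IP%.*}.0/24" >&2; return 1; }
  run iw dev "$WLAN" set 4addr on   # the post's step: a managed-mode wlan0 cannot join a bridge without it
  run brctl addbr br0; run brctl stp br0 off
  run brctl addif br0 "$WLAN"; run brctl addif br0 "$LAN"
  run ifconfig "$WLAN" 0.0.0.0 up; run ifconfig "$LAN" 0.0.0.0 up   # bridge ports carry no IP
  run ifconfig br0 "$BR_IP" up
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
  # wlan0 is a bridge port, so routed client traffic enters FORWARD on br0, not wlan0.
  run iptables -A FORWARD -i br0 -o "$WAN" -j ACCEPT
  run iptables -A FORWARD -i "$WAN" -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  if [ "$DRY_RUN" != 1 ]; then
    mkdir -p /var/lib/misc                       # dnsmasq's lease directory
    gen_dnsmasq_conf > /etc/dnsmasq.conf; gen_hostapd_conf > /etc/hostapd.conf
  fi
  run dnsmasq; run hostapd -B /etc/hostapd.conf
}
```

Source the file and call setup_ap as root; run it first with DRY_RUN=1 to review the exact commands before they touch the interfaces.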