Raspberry Pi - Bridge WLAN to local LAN


Object:

Use a Raspberry Pi (RPi) to connect to a WiFi network (offering internet access) and “bridge” that connection, via the ethernet port of the RPi, to the WAN port of a WiFi router, so that the RPi acts as a gateway for local endpoint devices. “Bridge” is in quotes because what is set up below is not a layer 2 bridge but a small router: the RPi forwards IP traffic between its two interfaces and hides the inside network behind its WLAN address with NAT. It is also possible to connect the RPi ethernet port directly to a switch, where other devices get network access using an ethernet cable (or to a single computer connected directly to the ethernet port of the RPi). Note that a WiFi router on the WAN side will normally NAT its own clients a second time (double NAT); that is fine for ordinary web use, but a nuisance for anything that needs inbound connections or port forwarding.


“Schematics” for communication/setup:

Internet > WiFi access point > WLAN NIC on RPi > Ethernet NIC on RPi > WAN port of a WiFi router > local WLAN (or ethernet ports) of the WiFi router > local endpoint devices/clients

or, for a switch:

Internet > WiFi access point > WLAN NIC on RPi > Ethernet NIC on RPi > switch port > local endpoint devices/clients via ethernet cable


Things needed:

  • Raspberry Pi (either an older one without onboard WLAN NIC or one with an onboard WLAN NIC)

  • Raspberry Pi OS Lite, latest version available

  • A USB WLAN NIC (if not using a RPi with an onboard WLAN NIC)

  • Ethernet cable (between the RPi and the WAN port of the router, or the switch)

  • A power adapter for the RPi

  • A WiFi router w/ power adapter, or a switch w/ power adapter

  • Keyboard and screen to use for the first steps of the RPi setup (when the SSH daemon is active on the RPi, it is easier to use a PC to connect to the RPi via SSH to do the rest of the setup)



HowTo


Download and flash the latest available Raspberry Pi OS Lite to an SD card


Boot Raspberry Pi OS and make the “usual” changes with raspi-config

  • password

  • hostname

  • network (wifi network + wifi country)

  • timezone

  • keyboard layout

  • SSH daemon enabled

  • expand filesystem (should normally be done automatically at first boot)


Reboot


Check keyboard layout and wifi network access

(if network access isn’t working, check and change /etc/wpa_supplicant/wpa_supplicant.conf and reboot once again)


Upgrade Raspberry Pi OS (sudo apt update && sudo apt upgrade)


Note: To add more WiFi networks, see “Add WiFi Networks” at the end of this instruction. Remember to add “scan_ssid=1” if connecting to a wireless network that has a hidden SSID.


A switch to SSH can be made at this point in the instruction, i.e. shut the RPi down and make it “headless” and boot it up again and connect to the RPi using SSH from another PC to do the rest of the setup. It’s easier to copy/paste commands and file content using a PC and SSH rather than typing on a locally attached keyboard on the RPi. Typing it all letter by letter also increases the risk of misspelling (and such) resulting in problems and unnecessary troubleshooting.


Now a DHCP server is needed on the ethernet NIC of the RPi, so that the WAN port of the router (or the clients attached to the switch) can obtain an IP address.


First configure the ethernet NIC of the RPi with a static IP address. This is also the time to decide the IP address range for the “inside” network, i.e. the range from which the DHCP server will hand out leases to internal devices. It has to be taken from the private (RFC 1918) address ranges, which are not routed on the internet, and it must not overlap the range used on the WiFi network the RPi connects to, or the RPi cannot tell the two sides apart when routing:

https://en.wikipedia.org/wiki/Private_network


Chosen range for this configuration: 172.22.11.0/24


Edit /etc/dhcpcd.conf to give the eth0 NIC a static address (no DHCP client on that side). This assumes the dhcpcd-based network setup of Raspberry Pi OS up to Bullseye; on Bookworm and later the interfaces are managed by NetworkManager, and the same settings are made with nmcli instead of this file.

sudo nano /etc/dhcpcd.conf


Add the following to the bottom of the file:

interface eth0

static ip_address=172.22.11.1/24

#static routers=172.22.11.1

static domain_name_servers=1.1.1.1 8.8.8.8

nohook wpa_supplicant


Reboot the RPi (or restart the network service)

sudo reboot


Check with ip -4 addr show eth0 (or ifconfig eth0) that the eth0 interface has its static IP address, and with ip route that the default route still points at wlan0 (which is why the “static routers” line above stays commented out).


Install the DHCP server/daemon (dnsmasq):

sudo apt install dnsmasq


Stop the service for dnsmasq while configuring

sudo systemctl stop dnsmasq


Configure the DHCP service

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

sudo nano /etc/dnsmasq.conf


Add the following to the file. Make sure to use a DHCP address lease range from the same range that was previously defined in /etc/dhcpcd.conf


interface=eth0

dhcp-range=172.22.11.100,172.22.11.199,255.255.255.0,24h


The above is sufficient, but the following can be added as well. bind-interfaces and listen-address keep dnsmasq bound to the LAN side only, so it never answers DHCP or DNS requests that arrive on wlan0 from the upstream network; note that with bind-interfaces dnsmasq fails to start if eth0 has no address yet when it comes up (cable unplugged at boot), and bind-dynamic is the more forgiving choice. domain-needed and bogus-priv stop dnsmasq from forwarding bare hostnames and reverse lookups for private ranges to the upstream resolvers, where they would leak the names and addresses of inside hosts.

listen-address=172.22.11.1

bind-interfaces

domain-needed # Don’t forward short names

bogus-priv # Don’t forward reverse lookups for the private address spaces


Check that the dnsmasq configuration file has correct syntax before starting it

dnsmasq --test


Start up the dnsmasq service again

sudo systemctl start dnsmasq


Check that dnsmasq is running (the log should contain a line like “DHCP, IP range 172.22.11.100 -- 172.22.11.199”)

systemctl status dnsmasq

journalctl -u dnsmasq.service
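As an added example (not code from the original post), here are the two configuration files from the steps above generated from one set of variables by a small POSIX shell script, with a check that the lease range actually fits the static subnet before anything is written. The addresses are the ones chosen above; the upstream resolvers, the script name lan-config.sh and the use of bind-dynamic instead of bind-interfaces are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the eth0 stanza for
# /etc/dhcpcd.conf and the dnsmasq.conf for the inside network from one set
# of variables, after checking that the DHCP lease range really lies inside
# the static subnet, is not reversed, and contains neither the gateway nor
# the network/broadcast address. Addresses are the post's own choices; the
# upstream resolvers are taken from the post's dhcpcd stanza (assumption).
# Run as "sh lan-config.sh install" on the RPi; without the argument it only
# defines the functions.

LAN_IF=eth0
LAN_GW=172.22.11.1
LAN_PREFIX=24
DHCP_FIRST=172.22.11.100
DHCP_LAST=172.22.11.199
LEASE_TIME=24h
UPSTREAM_DNS="1.1.1.1 8.8.8.8"

# Dotted quad -> 32-bit integer, POSIX sh only (no bash arrays).
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask as an integer (0xffffff00 for /24).
prefix_to_maskint() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# Dotted-quad netmask, the form dnsmasq's dhcp-range takes.
prefix_to_mask() {
    int_to_ip "$(prefix_to_maskint "$1")"
}

# check_range FIRST LAST GATEWAY PREFIX: exit status 0 when the lease range is sane.
check_range() {
    mask=$(prefix_to_maskint "$4")
    gw=$(ip_to_int "$3"); first=$(ip_to_int "$1"); last=$(ip_to_int "$2")
    net=$(( gw & mask )); bcast=$(( net | (0xffffffff ^ mask) ))
    [ "$first" -le "$last" ] || { echo "lease range is reversed" >&2; return 1; }
    [ "$first" -gt "$net" ] && [ "$last" -lt "$bcast" ] \
        || { echo "lease range leaves $(int_to_ip "$net")/$4 or hits network/broadcast" >&2; return 1; }
    [ "$gw" -lt "$first" ] || [ "$gw" -gt "$last" ] \
        || { echo "gateway $3 lies inside the lease range" >&2; return 1; }
    return 0
}

# dhcpcd stanza: static address and resolvers only; deliberately no
# "static routers" line, so eth0 never becomes the default route.
gen_dhcpcd_stanza() {
    cat <<EOF
interface $LAN_IF
static ip_address=$LAN_GW/$LAN_PREFIX
static domain_name_servers=$UPSTREAM_DNS
nohook wpa_supplicant
EOF
}

# dnsmasq.conf: DHCP and DNS on the LAN side only, never toward wlan0.
gen_dnsmasq_conf() {
    cat <<EOF
interface=$LAN_IF
bind-dynamic
listen-address=$LAN_GW
dhcp-range=$DHCP_FIRST,$DHCP_LAST,$(prefix_to_mask "$LAN_PREFIX"),$LEASE_TIME
# never forward bare hostnames or reverse lookups for private ranges upstream
domain-needed
bogus-priv
EOF
}

if [ "${1:-}" = install ]; then
    check_range "$DHCP_FIRST" "$DHCP_LAST" "$LAN_GW" "$LAN_PREFIX" || exit 1
    gen_dhcpcd_stanza | sudo tee -a /etc/dhcpcd.conf >/dev/null
    gen_dnsmasq_conf | sudo tee /etc/dnsmasq.conf >/dev/null
    sudo dnsmasq --test && sudo systemctl restart dnsmasq
fi
```

The check catches the classic mistake of editing the subnet in one file but not the other: a range outside 172.22.11.0/24 would make dnsmasq hand out addresses the RPi has no interface for, and clients would get leases but no gateway.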


Next, configure Network Address Translation (NAT). With NAT, all inside clients share the single “outside” IP address that the WiFi network gave wlan0: the RPi rewrites the source address of their outgoing packets to its own and maps the replies back to the right client.


sudo nano /etc/sysctl.conf


Uncomment the line

#net.ipv4.ip_forward=1

so that it looks like

net.ipv4.ip_forward=1


This turns on IPv4 forwarding at boot. To turn it on right away as well, without rebooting: sudo sysctl -w net.ipv4.ip_forward=1


Add a masquerade for outbound traffic on wlan0, plus the forwarding rules: replies from the outside may come back in to eth0, and anything from the inside may go out (3 rules in total)


sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT


You can check to see what is in the tables with:

sudo iptables -t nat -S

sudo iptables -S


Note: The wireless side is the untrusted side, whatever network it is on, so the RPi should not accept anything unsolicited from it. Two things are needed for that. The FORWARD chain's default policy is ACCEPT, so the RELATED,ESTABLISHED rule above does nothing on its own; set the policy to DROP so that only flows started from the inside (and their replies) are forwarded. For the INPUT chain, let replies to the RPi's own connections through before dropping everything else that arrives on wlan0, otherwise apt, DNS lookups and outbound SSH from the RPi itself stop working. This also blocks SSH into the RPi from the WiFi side, so from here on administer it from a client on the inside network (or add an ACCEPT for tcp port 22 on wlan0 before the DROP).

sudo iptables -P FORWARD DROP

sudo iptables -A INPUT -i wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A INPUT -i wlan0 -j DROP


To have the above iptables rules applied again after a reboot, save them:

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"


Edit /etc/rc.local and add the line below just above "exit 0", so the rules are restored on boot (the file must be executable; on releases that no longer ship /etc/rc.local, the iptables-persistent package does the same job from /etc/iptables/rules.v4)

sudo nano /etc/rc.local

add:

iptables-restore < /etc/iptables.ipv4.nat


Please note that the above iptables rules do not necessarily add up to a full, bulletproof firewall unless they are set up with knowledge and care; further iptables configuration may be needed for that. In particular, the INPUT and FORWARD chains keep their default ACCEPT policy unless it is changed, so only traffic a rule explicitly drops is blocked.


Reboot the RPi

sudo reboot


Check that the iptables rules and IPv4 forwarding work: surf the web from a client connected to the new setup. On the RPi, the client should appear in the lease file /var/lib/misc/dnsmasq.leases, and the packet counters shown by sudo iptables -t nat -L -v -n should increase on the MASQUERADE rule while the client is browsing.
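As an added example that is not part of the original post, here is a complete ruleset for the gateway in the format iptables-save writes and iptables-restore reads, generated and installed by a POSIX shell script. Unlike the rules entered one by one above, it sets the INPUT and FORWARD policies to DROP, so only the listed flows pass and nothing depends on the order the commands were typed in. Interface names and the inside prefix are the post's; which services the inside clients may reach on the RPi (DHCP, DNS, SSH on port 22, ping) and the script name gateway-fw.sh are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a complete ruleset for the
# gateway in iptables-save format, with DROP policies on INPUT and FORWARD so
# that only the flows listed here pass, plus the install step. Interface names
# and the inside prefix are the post's; exposing SSH (port 22) and ping only
# on the LAN side is this example's assumption. Run "sh gateway-fw.sh install"
# on the RPi; without the argument only the functions are defined.

WAN_IF=wlan0
LAN_IF=eth0
LAN_NET=172.22.11.0/24
RULES_FILE=/etc/iptables.ipv4.nat

# Emit the ruleset; "#" lines are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# every inside client leaves through the address of $WAN_IF
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
# nothing reaches the RPi or crosses it unless a rule below allows it
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to the RPi's own connections (apt, DNS lookups, outbound SSH)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# what inside clients may ask the RPi for: DHCP, DNS, SSH, ping
# (DHCP discover comes from 0.0.0.0, so no -s on that rule)
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp -j ACCEPT
# inside clients may open connections outwards; only their replies come back in
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of generated lines matching a pattern, for checking the ruleset
# before it is loaded.
count_rule() {
    gen_rules | grep -c -- "$1" || true
}

# Write the file the post restores from rc.local, turn on forwarding now,
# and load the rules (iptables-restore replaces each table as a whole).
install_rules() {
    gen_rules | sudo tee "$RULES_FILE" >/dev/null
    sudo sysctl -w net.ipv4.ip_forward=1 >/dev/null
    sudo sh -c "iptables-restore < '$RULES_FILE'"
}

if [ "${1:-}" = install ]; then
    install_rules
fi
```

Because the policies are DROP, there is no separate "drop everything on wlan0" rule: nothing from wlan0 matches an INPUT rule except replies to the RPi's own connections, and nothing is forwarded from wlan0 unless conntrack has already seen the inside client start that flow. The same /etc/iptables.ipv4.nat file is then restored from /etc/rc.local exactly as described above.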


---------


Add WiFi Networks


To add additional WiFi networks, edit the wpa_supplicant.conf file

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf


The settings used in this configuration file may vary depending on how the wireless network is set up; the block below is for a network using WPA2-PSK with AES (CCMP). In most cases only the ssid and the psk are needed to connect. Two things worth knowing: the psk line can hold the 64-hex-character key that wpa_passphrase derives from the SSID and passphrase (written without quotes) instead of the passphrase itself, which keeps the plaintext passphrase out of the file, and the file must stay readable by root only (it is mode 0600 as shipped), since either form lets whoever reads it join the network. With several network blocks, priority= decides which one wpa_supplicant prefers when more than one is in range. After editing, either reboot or reload the file with wpa_cli -i wlan0 reconfigure.


network={
    # straight quotes only; curly “ ” quotes are not valid in this file
    ssid="SSID of the network"
    psk="the password/passphrase to connect to the network"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    auth_alg=OPEN
    id_str="home"
}
