Raspberry as Pi Ethernet-WiFi-Bridge

From Wurst-Wasser.net
Jump to navigation Jump to search

The Challenge

I wanted to set up my Raspberry Pi 3 as Webcam, intranet server, and Ethernet-WiFi-Bridge. In the long run I want to use some kind of QOA/shaping on the Pi to manage my really bad internet connection (yes, 6MBit/s in a country where 82 million people live on 356 thousand square-kilometers (about 230 people per square-km).


Install additional software

apt-get install hostapd bridge-utils dhcp-helper dnsutils traceroute

What do they do?

  • hostapd: A daemon that sets up your WiFi as a access point, so anyone can join. Please note, that this means WiFi only. No DHCP, and therefore no DNS.
  • bridge-utils: These provide the bridging you need to "connect" the ethernet and WiFi interfaces.
  • dhcp-helper: DHCP uses a broadcast to the network (address) to reach the DHCP-server. Since broadcasts stay in the broadcast-domain with a TTL of 1, they won't get bridged. This is where dhcp-helper comes in. It forwards the broadcasts in all other nets (except the one specified with -b, obviously because there is the dhcp-server...).
  • dnsutils: Just to do a nslookup from time to time. You can test your DNS-setup as well as lookup with nslookup[1]
  • traceroute: Might come in handy if you have networking problems (and you WILL have :) )


vi /etc/sysctl.conf

and set

net.ipv6.conf.all.disable_ipv6 = 1

Explanation: Disable IPv6 (to KISS) and enable forwarding for IPv4[2].

vi /etc/default/hostapd 

and set:


Explanation: The hostapd reads the configfile, to find this configfile. I don't get what this is good for. I think I'm just net getting the whole concept. If anyone cares to enlighten me, please do. :)

vi /etc/hostapd/hostapd.conf

and set something like this:


Explanation: hostapd creates the WiFi-Access Point and creates a bridge-device br0, which he ties (only) wlan0 to[3].

vi /etc/dhcpcd.conf

and set something like this:

nohook wpa_supplicant
denyinterfaces wlan0

Explanation: I omit /etc/wpa_supplicant/wpa_supplicant.conf for wlan0. It is essential that there remains only one layer3-active (meaning using IP) interface, and that is br0. Otherwise you get a routing mess. Since br0 and eth0 are not omitted (denied), they get IPAs from the DHCP-Server. That's necessary for br0, and not for eth0 (but when I omitted eth0, the bridge didn't come up. So I removed the IPA later (see below).

vi /etc/network/interfaces

Don't touch this file. dhcpcd gets jealous...

vi /etc/default/dhcp-helper

and set:


Explanation: dhcp-helper will now forward all DHCP-related broadcasts to this interface (and none coming from there to the other interfaces).

vi /etc/avahi/avahi-daemon.conf

and set:


Explanation: Enable mDNS relaying.

As mentioned before, the br0-device is only tied to wlan0, so we must take care of this. You might want to do this with a script in /etc/network/if-up.d/ like (WORK-IN-PROGRESS!):
# only do it, if necessary
/sbin/brctl show | /bin/grep eth0 && exit 0
/bin/sleep 1
# Remove IPA from eth0
ip addr flush dev eth0

Known issues

  • After br0 is set up and this appears in the log:
Feb  5 11:59:10 pi3 kernel: [   46.256296] br0: port 2(eth0) entered blocking state
Feb  5 11:59:10 pi3 kernel: [   46.256321] br0: port 2(eth0) entered disabled state
Feb  5 11:59:10 pi3 kernel: [   46.257064] device eth0 entered promiscuous mode
  • DNS-lookups fail (and therefore everything else, like pings to external hosts or apt-get)
  • the Pi can't be reached by ssh or any other service

Thinking out loud: br0 linkes eth0 and wlan0 on layer 2. Thus can't have an IPA. But br0 can. I hope. :-)

[SOLVED] - The reason was the IPA on eth0, which is no layer3 interface anymore. Removing the IPA did the trick.


Since you use a DHCP server and you manually set IPAs, you might want to reserve those IPAs in your DHCP-server configuration. This might become handy:

systemd-resolve --status

Displays your DNS-setup

nslookup www.wurst-wasser.net

Displays queried servers and queries (really!)

brctl showstp br0

Shows forwarding state

brctl showmacs br0

Shows all MACs displays something like arp -a does, the MACs of the machines using the bridge.

The Next Step

Since the Pi has some issues, the worst beeing its performance (or lack of), I decided to move the functionality to a Lenovo Thinkpad T60 (Model #2008): T60 as Pi Ethernet-WiFi-Bridge. The Pi often had a load of 3 when it shovelled 30.000 packets per minute through the bridge.

  1. or dig
  2. Which is quite unnecessary ;), since we bridge at layer 2...
  3. Check with: brctl show