Wireless routers are now very cheap, so apart from special requirements such as building a VPN, hardly anyone configures a Raspberry Pi or another Linux host as a wireless router. Some old devices, however, have neither a wireless network card nor a USB interface, so a wireless card cannot simply be added over USB and they can only reach the Internet through a wired network card. Wireless routers are usually installed where running a network cable is inconvenient, so we sometimes need to share a wireless network or convert it into a wired Ethernet network, as shown below:
                                                    +- RPi -------+          +- old pc1----+
                                                    |         Eth0+----------+ Eth0        |
                 +- Router ----+                    | DHCP server |          | 10.0.0.10   |
                 | Firewall    |                    | 10.0.0.1    |          |             |
(Internet)---WAN-+ DHCP server +-WLAN AP-+-)))  (((-+ WLAN        |          +-------------+
                 | 192.168.3.1 |                    |             |
                 +-------------+                    |             |
                                                    |             |
                                                    |             |
                                                    +-------------+
It is equivalent to adding a wireless network card to an old-fashioned device.
It boils down to the following 4 steps:
- Enable IP forwarding function
- Enable SNAT/IP masquerading
- Configure a static IP for the network card
- Enable DHCP and DNS
The method described in this document has been tested on the latest Raspberry Pi OS bullseye with a Raspberry Pi Zero W.
1. Preparation
- Administrator privileges on the Raspberry Pi
- Preferably, local access with a screen and keyboard connected directly to the Raspberry Pi (so that an IP change during setup does not interrupt an ssh connection)
- The Raspberry Pi is connected to Ethernet and boots normally
- Upgrade to the latest Raspberry Pi OS, and if you installed a package during this configuration, remember to restart the Raspberry Pi to make sure the installation completed correctly.
- The current network configuration is:
  - IP configuration of the Ethernet network connected to the Raspberry Pi: the IP network 10.10.0.1/24 is configured on the Ethernet LAN, and the Raspberry Pi will be connected to the wireless network of 192.168.3.1/24.
- Have a wired Ethernet client device ready, such as a laptop, smartphone, etc., for testing.
2. Install DNS and configuration management software
- In order to provide network management services (DNS, DHCP) to older wired Ethernet clients, the Raspberry Pi needs to install the package dnsmasq:
sudo apt install dnsmasq
- Install netfilter-persistent and its plugin iptables-persistent. These two programs are used to save firewall rules and restore them when the Raspberry Pi boots:
sudo apt install -y netfilter-persistent iptables-persistent
3. Set the network routing function
In this configuration, the Raspberry Pi routes between the wireless network and the Ethernet network: it joins the wireless network and converts it into a wired network, sharing the wireless network with wired clients and giving them Internet access.
3.1. Raspberry Pi's wired network interface IP configuration
The Raspberry Pi runs a DHCP server for the wired network, so its wired NIC eth0 needs a static IP. The Raspberry Pi acts as the router on this new network, and it is generally given the first IP address in the subnet: 10.0.0.1.
We need to modify the dhcpcd configuration file:
sudo vi /etc/dhcpcd.conf
Add the following at the end of the file:
interface eth0
static ip_address=10.0.0.1/24
3.2. Enable routing and IP masquerading
Configure the Raspberry Pi so that wired clients can access computers on the main network or reach the Internet over the wireless network. This requires IP forwarding, which allows traffic to flow from one network to another through the Raspberry Pi. Create a file with the following command:
sudo vi /etc/sysctl.d/routed-ap.conf
The content of the file is as follows (it enables IPv4 forwarding):
# Enable IPv4 routing
net.ipv4.ip_forward=1
With IP forwarding enabled, and because we cannot modify the configuration of the main router, the Raspberry Pi must also enable the IP "masquerade" function so that the wired terminals of the 10 network segment can reach the external network: it replaces the IP address of the wired terminal with its own IP address on the wireless network, 192.168.3.xx.
- In the upstream direction, the Raspberry Pi rewrites all traffic from the wired terminals to carry the IP address of its own WLAN interface, so the main router only sees traffic from the Raspberry Pi's IP address.
- In the downstream direction, the Raspberry Pi rewrites the returning traffic back to the IP address of each wired terminal and sends it on to that terminal.
We need to enable IP masquerading on the Raspberry Pi, which is the NAT function:
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
Save this rule through the netfilter-persistent service so that IP masquerading is enabled automatically at system startup:
sudo netfilter-persistent save
Note that this NAT rule is saved in the directory /etc/iptables/.
3.3. Configuring DHCP and DNS services for wired networks
The dnsmasq package installed earlier provides the DHCP and DNS services. The default configuration file template is very large and we only need a small part of it, so it is easier to start from an empty file.
Back up the original configuration template file and create an empty configuration file:
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo vi /etc/dnsmasq.conf
Add the following to the file and save it:
interface=eth0 # Listening interface
dhcp-range=10.0.0.2,10.0.0.20,255.255.255.0,24h
# Pool of IP addresses served via DHCP
domain=eth0 # Local DNS domain for the wired network
address=/gw.eth0/10.0.0.1
# Alias for this router
The Raspberry Pi will assign each wired terminal an IP address between 10.0.0.2 and 10.0.0.20, with a lease time of 24 hours.
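Before rebooting, the files written in section 3 can be checked against each other. The script below is an added example, not part of the original article: the function names `conf_value`, `audit_router` and `make_sample` are hypothetical, a /24 network is assumed, and `rules.v4` is the file that `netfilter-persistent save` writes in /etc/iptables/.

```shell
#!/bin/sh
# Added example (not from the original article): audit the files from section 3.
# audit_router ROOT [LAN] [WAN]; ROOT="" checks the live system. A /24 is assumed.

conf_value() {  # first value of KEY= in FILE, inline comment stripped
    sed -n "s/^[[:space:]]*$1=\([^#[:space:]]*\).*/\1/p" "$2" 2>/dev/null | head -n 1
}

audit_router() {
    root=$1; lan=${2:-eth0}; wan=${3:-wlan0}; rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    rules=$root/etc/iptables/rules.v4    # written by "netfilter-persistent save"
    [ "$(conf_value net.ipv4.ip_forward "$root/etc/sysctl.d/routed-ap.conf")" = 1 ] ||
        fail "IPv4 forwarding is not enabled"
    grep -Eq -- "^-A POSTROUTING .*-o $wan .*-j MASQUERADE" "$rules" 2>/dev/null ||
        fail "no saved MASQUERADE rule bound to $wan"
    # Without -o the rule would also rewrite traffic leaving through the LAN side.
    grep -- '-j MASQUERADE' "$rules" 2>/dev/null | grep -qv -- ' -o ' &&
        fail "MASQUERADE rule without an output interface"
    # dnsmasq must hand out leases on the wired side only, never on the upstream WLAN.
    [ "$(conf_value interface "$root/etc/dnsmasq.conf")" = "$lan" ] ||
        fail "dnsmasq is not limited to $lan"
    # The static address and the DHCP pool must share a /24; the pool must skip the router.
    ip=$(sed -n "/^interface $lan\$/,/^interface /s/^[[:space:]]*static ip_address=//p" \
        "$root/etc/dhcpcd.conf" 2>/dev/null | head -n 1)
    ip=${ip%%/*}
    range=$(conf_value dhcp-range "$root/etc/dnsmasq.conf")
    start=${range%%,*}; rest=${range#*,}; end=${rest%%,*}
    [ -n "$ip" ] && [ "${ip%.*}" = "${start%.*}" ] && [ "${ip%.*}" = "${end%.*}" ] ||
        fail "static address '$ip' and pool '$start-$end' are not in one /24"
    { [ -n "$ip" ] && [ "${ip##*.}" -ge "${start##*.}" ] &&
        [ "${ip##*.}" -le "${end##*.}" ]; } 2>/dev/null &&
        fail "router address $ip lies inside the DHCP pool"
    return $rc
}

make_sample() {  # constructed sample tree holding the values used on this page
    mkdir -p "$1/etc/sysctl.d" "$1/etc/iptables"
    echo 'net.ipv4.ip_forward=1' > "$1/etc/sysctl.d/routed-ap.conf"
    printf '%s\n' '*nat' '-A POSTROUTING -o wlan0 -j MASQUERADE' COMMIT > "$1/etc/iptables/rules.v4"
    printf '%s\n' 'interface eth0' 'static ip_address=10.0.0.1/24' > "$1/etc/dhcpcd.conf"
    printf '%s\n' 'interface=eth0 # Listening interface' \
        'dhcp-range=10.0.0.2,10.0.0.20,255.255.255.0,24h' > "$1/etc/dnsmasq.conf"
}

demo=$(mktemp -d); make_sample "$demo"
audit_router "$demo" && echo "OK: forwarding, NAT, static IP and DHCP pool agree"
rm -rf "$demo"
```

On the Raspberry Pi itself, run `audit_router ""` as root; for the bridged setup in section 5, pass the bridge as the LAN interface with `audit_router "" br0`.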
4. Run
Reboot the Raspberry Pi and test if the wired access point is available.
sudo systemctl reboot
After the Raspberry Pi has restarted, the wired client is automatically assigned an IP address in the 10 network segment and can access the Internet normally.
5. Advanced – add two Ethernet ports to the same bridge
Our Raspberry Pi has two Ethernet ports, as shown in the figure below, so a better solution, closer to how a home router behaves, is:
- Use both network cards so that a cable can be plugged into either port without checking which one it is; a device connected to either port is assigned an IP address in the 10.0.0.0/24 network segment.
- Join the two network cards to a bridge so that traffic between them is forwarded directly at layer 2. This effectively creates two LAN ports with layer-2 switching between them.
The topology diagram is as follows:
                                                    +- RPi -------+          +- old pc1----+
                                                    |         Eth0+----------+ Eth0        |
                 +- Router ----+                    | DHCP server |          | 10.0.0.10   |
                 | Firewall    |                    | 10.0.0.1    |          |             |
(Internet)---WAN-+ DHCP server +-WLAN AP-+-)))  (((-+ WLAN        |          +-------------+
                 | 192.168.3.1 |                    |             |
                 +-------------+                    |             |          +- old pc2----+
                                                    |         Eth1+----------+ Eth0        |
                                                    |             |          | 10.0.0.4    |
                                                    +-------------+          |             |
                                                                             +-------------+
- Add the two network cards eth0 and eth1 to the bridge br0 by putting the following three files in the /etc/systemd/network directory
ls -l /etc/systemd/network/br*
-rw-r--r-- 1 root root 40 May 22 21:19 /etc/systemd/network/br0-menber-eth0.network
-rw-r--r-- 1 root root 40 May 22 21:19 /etc/systemd/network/br0-menber-eth1.network
-rw-r--r-- 1 root root 30 May 22 21:19 /etc/systemd/network/bridge-br0.netdev
The contents of the files are:
cat /etc/systemd/network/br0-menber-eth0.network
[Match]
Name=eth0
[Network]
Bridge=br0
cat /etc/systemd/network/br0-menber-eth1.network
[Match]
Name=eth1
[Network]
Bridge=br0
cat /etc/systemd/network/bridge-br0.netdev
[NetDev]
Name=br0
Kind=bridge
- Enable the systemd-networkd service so that it starts at boot
sudo systemctl enable systemd-networkd
- Let the DHCP server work on the virtual br0 interface
Add the following content to the /etc/dhcpcd.conf file
denyinterfaces eth0
denyinterfaces eth1
interface br0
static ip_address=10.0.0.1/24
Add the following to the /etc/dnsmasq.conf file
cat /etc/dnsmasq.conf
interface=br0 # Listening interface
dhcp-range=10.0.0.2,10.0.0.10,255.255.255.0,24h
# Pool of IP addresses served via DHCP
domain=br0 # Local DNS domain for the wired network
address=/gw.br0/10.0.0.1
# Alias for this router
After restarting, the Raspberry Pi runs the more advanced bridged setup.