0

I have a RPI3 with 2 external WLANs (wlan0 and wlan1) which work perfectly as WLAN Repeater (wlan0 gets signal from router) and wlan1 is set as hostAP...done via NAT iptables. no bridge in interfaces.config.

Now I need to add an ethernet client to the eth0 of the RPI which gives me massive problems....not sure if I do it all right but no packets sent to eth0 or the client connected to eth0.

My feeling is that if I do NAT via iptables and in parallel setup a bridge br0 between wlan0 and eth0....still IPtables will decline packets to be sent within the bridge....

Can anyone help with an example how this would work if wlan0 is from 192.168.1.x network....so the client behind eth0 should also receive a dhcp address from the router. and wlan1 is an AP that spans a new network (NATed) 172.16.1.x...which also holds a separate isc-dhcp-server.

Thanks for some feedback and maybe hints how this would work together....if at all I still need the br0 or in the case of existing iptables between wlan0 and wlan1 I only have to extend iptables rules to make the bridge between wlan0 and eth0 work. Regards Norbert

  • The client on the pi's eth0 is supposed to get an IP from the 192.* router / wlan0 side? Is that correct? – Gotschi Jul 06 '16 at 08:43
  • YES, sorry if it was not clear enough...exactly...so the main router away from the RPi (also having dhcp server) would forward dhcp replies over raspberry to the endclient....which is a NAS. So the NAS connected to eth0 would receive via wlan0 over the air to the Router the dhcp address...also from the 192.168.1.x range....has nothing to do with whatever happens behind wlan1...covering the 172.space. – njordan Jul 06 '16 at 12:10
  • Why can't you set up a second NAT for `wlan0`-`eth0`, similar to what you have done for `wlan0`-`wlan1`? – Dmitry Grigoryev Oct 06 '16 at 07:10

2 Answers

1

To complete the answer from @TheDiveO, it is possible to bridge wifi interfaces on OSI layer 2. This is done with WDS (Wireless Distribution System) which most wifi routers support. But as told you need 4 address fields enabled in the ip header instead of 3. This is done with:

```
rpi3 ~$ sudo iw dev wlanX set 4addr on
```

but is not supported by Raspberry Pi. There are workarounds on OSI layer 3 with NAT (Network Address Translation) and Proxy ARP. Further information you can find at Raspberry Pi WiFi to Ethernet Bridge.

Ingo
0

My limited understanding is that you can't do this with a single Pi and without a wired connection to your upstream router/access point. The reason why requires some deeper explanation of the Wifi 802.11 technology...

At the moment, you route (NAT) at the IP layer between wlan0 and wlan1. As you said, there's no bridging present. It is highly important to understand that this configuration works, as the wifi client side has just a single MAC address. As another small side note, this isn't a (Wifi) repeater, as a repeater works on the MAC layer.

The problem with your intended system configuration is that you want to have multiple stations behind a Wifi station ("client"). Even if you put a bridge br0 into play and connect the upstream wlan0 to it, as well as eth0, with br0 going into the IP stack for routing, it won't work (to the best of my knowledge).

The reason lies hidden in how Wifi IEEE 802.11 works: it currently has a 3 MAC address model only. And having only three addresses means that you can connect multiple stations to an access point, but you cannot put a bridge behind a (non-access point) station. That is, because on the wireless medium you need two MAC addresses, one for the radio (!) sender, one for the radio (!) receiver. Please don't mix up radio sender/receiver MAC addresses with the end-to-end source/destination MAC addresses.

This leaves us only a third address, which can be either a source or destination address in a larger, bridged IEEE 802.1 network. For bridging to work on a non-access point station, we would need a four MAC address configuration, with source/dest MACs as usual so we can address individual destinations beyond a single radio receiver/station. Unfortunately, that's reserved and unspecified IEEE 802.11 territory.

I'm afraid you cannot achieve what you want with a single Pi. Could you use a second, separate Pi that just bridges your Wifi and which you have wired up via eth0 to your upstream router/access point in order to monitor traffic?

TheDiveO
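The address layout the two answers discuss, as an added Python example (not part of either answer): it builds and parses the header of an 802.11 data frame sent from a station to its access point, showing that the 3-address form has no field for a source MAC other than the transmitter's own, while the 4-address form does. The function names are hypothetical and the MAC addresses are constructed sample values.

```python
def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

# Constructed sample addresses (locally administered), not taken from the page.
AP, PI_WLAN0, NAS, ROUTER = (mac(f"02:00:00:00:00:0{i}") for i in range(1, 5))

def build_uplink_header(ra, ta, da, sa, four_addr=False) -> bytes:
    """Header of a data frame a station transmits towards its access point."""
    if four_addr:
        flags, addr3, addr4 = 0x03, da, sa   # ToDS=1, FromDS=1
    else:
        if sa != ta:                         # Address 2 is both TA and SA
            raise ValueError("3-address uplink cannot carry a foreign source MAC")
        flags, addr3, addr4 = 0x01, da, b""  # ToDS=1, FromDS=0
    # frame control (type 2 = data), duration, addr1-3, sequence control, addr4
    return bytes([0x08, flags]) + bytes(2) + ra + ta + addr3 + bytes(2) + addr4

def parse_data_header(hdr: bytes) -> dict:
    """Map the address fields to their roles using the ToDS/FromDS bits."""
    if len(hdr) < 24 or (hdr[0] >> 2) & 0x3 != 2:
        raise ValueError("not an 802.11 data frame header")
    to_ds, from_ds = bool(hdr[1] & 0x01), bool(hdr[1] & 0x02)
    a1, a2, a3 = hdr[4:10], hdr[10:16], hdr[16:22]
    roles = {"ra": a1, "ta": a2}             # receiver / transmitter on the air
    if to_ds and from_ds:
        if len(hdr) < 30:
            raise ValueError("4-address header truncated")
        roles.update(da=a3, sa=hdr[24:30])
    elif to_ds:
        roles.update(bssid=a1, sa=a2, da=a3)
    elif from_ds:
        roles.update(da=a1, bssid=a2, sa=a3)
    else:
        roles.update(da=a1, sa=a2, bssid=a3)
    return roles

if __name__ == "__main__":
    own = parse_data_header(build_uplink_header(AP, PI_WLAN0, ROUTER, PI_WLAN0))
    print("Pi's own traffic:", {k: v.hex(":") for k, v in own.items()})
    try:
        build_uplink_header(AP, PI_WLAN0, ROUTER, NAS)   # NAS bridged behind eth0
    except ValueError as err:
        print("bridged NAS, 3 addresses:", err)
    wds = parse_data_header(build_uplink_header(AP, PI_WLAN0, ROUTER, NAS, True))
    print("bridged NAS, 4 addresses:", {k: v.hex(":") for k, v in wds.items()})
```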