Bridging network adapters in Linux

Discussion in 'Network Routers' started by kiloVolts, Nov 21, 2008.

  1. kiloVolts

    kiloVolts Guest

    * * * Cross Posted * * *

    comp.os.linux.networking, alt.comp.networking.routers,

    Hi All,

    Tuesday I purchased an Acer Aspire One with Linpus Linux preinstalled and I
    am not disappointed. Wednesday I discovered how to open a terminal window.

    The Aspire One has a competent 11g wireless adapter. This is an
    accomplishment in a university village environment with many 11n routers
    nearby. I would like to bridge the wireless adapter and the Ethernet adapter
    on my Aspire One so I can connect to my Dlink DI604 wired router and feed
    Internet connectivity to all my other gear. This is easily done by mouse
    clicks in MS Vista. I presume the command line and some file editing is
    involved in Linux. Could someone please give me a head start on the

    Thanks in advance.
    kiloVolts, Nov 21, 2008
    1. Advertisements

  2. kiloVolts

    Cork Soaker Guest

    This any help?

    Linpus is Fedora based.
    Cork Soaker, Nov 21, 2008
    1. Advertisements

  3. kiloVolts

    kiloVolts Guest

    Thank you for the link and the additional information. I've printed the
    document which I will study.

    The problem that I have encountered with ICS in the MS Windows world (I
    assume similar conditions apply in the Linux world) is the assumptions it
    works under and how it is implemented. In MS Windows, ICS assumes your PC is
    connected directly to an ISP and is given a real world IP address. ICS then
    works just like a router dies and creates a subnet in the 192.168.x.y
    address domain. The problem occurs when the primary assumptions are not
    fulfilled when your PC is already in a 192.168.x.y address domain created by
    a router. This is my situation. Before I stumbled across network adapter
    bridging I tried to set up ICS within my subnet. I could not resolve the IP
    address conflicts and I could get it to work. Another option I looked into
    was routing tables, but that was way too much bit-fiddling for me and I
    could not understand it. Furthermore, with routing tables, each network
    adapter retains its own identity and requires an IP address either acquired
    via DHCP or static IP assignment. The beauty of network adapter bridging is
    that the bridge needs only one IP address for your PC which is conflict free
    (in principle).

    I came across this article:

    which may be relevant to this discussion. I have not had the time to absorb
    this yet but it may be of interest to readers. Any further comments would be
    kiloVolts, Nov 22, 2008
  4. Hello,

    kiloVolts a écrit :
    Unfortunately bridging is known not to work on many wireless adapters,
    because of firmware limitations. You may have better luck with IP
    routing and, if necessary, masquerading.
    These assumptions (I'd rather refer to them as arbitrary stupid
    limitations) are irrelevant in the Linux world. Connection sharing with
    Linux is much more flexible than with Windows ICS. You can setup any
    subnet you want on any side and use any kind of interface.
    Pascal Hambourg, Nov 22, 2008
  5. Execute the following commands as root user:

    brctl addbr br0
    brctl addif $wlandev
    brctl addif $ethdev

    with $wlandev being the name of your WLAN adapter and $ethdev
    being the name of the ethernet adapter. On my systems those
    would be "wlan0" and "eth0".

    You can get the names of the avaliable devices with

    ip link show

    Then if you're using DHCP, execute some DHCP client on the newly
    created bridge (dhclient, dhcpcd, pump, udhcp, it depends on
    what you've got installed).

    dhclient br0
    dhcpcd br0

    In case of static addressing, give the bridge device a static
    address with

    ip addr add $address/$netbits dev br0
    ip addr add dev br0

    and assign a route.

    Either a default route

    ip route add default via $gateway_address dev br0
    ip route add default via dev br0

    and/or static routes

    ip route add $network/$netbits via $gateway
    ip route add via

    But eventually you don't want your bridge participate in the
    network at all, but just pass data between ports as if it were a
    switch. This is done easily with:

    brctl addbr br0
    brctl addif $wlandev
    brctl addif $ethdev

    for dev in $intif, $extif ; do ip link set $dev up ; ip link \
    set $dev promisc on ; ip link set $dev arp on ; done

    Note that you asked for a bridge, i.e. a device that will connect
    two network devices assuming, that the physical networks it
    bridges are in the same logical address space, thus forming a
    single subnet in the IP sense. So you need unique IP addresses
    for every device in the network. The good thing is, that if
    configured correctly, DHCP will work through the bridge. So if
    you're on a campus network, where students can simply attach
    their devices and don't worry about correct configuration it
    will work.

    So far we've only set up the interfaces, but you'll also want
    some address resolver. If using DHCP the nameservers will be
    automatically put into /etc/resolv.conf ; if you're static, then
    ask your administrator for the nameserver addresses and put them
    into /etc/resolv.conf like the following:

    echo "nameserver $ns1" > /etc/resolv.conf
    echo "nameserver $ns2" >> /etc/resolv.conf

    (note the double '>', i.e. '>>' in the second command). $ns1 and
    $ns2 are the addresses of your local network's DNS caches. (If
    there are no local caches, you could setup your own cache,
    resolving against the global root servers, but that's a whole
    different story, normally you don't need it).

    If what you want is internet connection sharing over a single IP
    address, then you've got a whole different deal. It's called
    network address translation (NAT) and gets configured in a whole
    different way.

    First you set up you two devices as usual. The external device is
    either dynamically or statically configured

    if dynamic
    dhclient $extif
    dhclient eth0

    if static
    ip addr add $extip/$ext_netbits dev $extif
    ip addr add dev eth0

    and don't forget the default route (if static)

    ip route add default via $gateway_address dev $extif
    ip route add default via dev eth0

    Now set up the internal interface $intif. We're choosing some
    private address range for that, but make sure, that it doesn't
    clash with your $extif address space - however if your $extif is
    in a private address space, you could just go for bridging like
    outlined above, and be fine. You've to do NAT only, if you got
    just one global IP address assigned. However NAT works well,
    even if you're NAT-ing a private net into another NAT-ed private

    ip addr add $intip/$int_netbits dev $intif
    ip addr add dev wlan0

    Here comes the tricky part: You've to tell your Linux box, that
    it shall forward/route packets between wlan0 and eth0, but apply
    a NAT in the process. This is done using the iptables mechanism.
    First you've to enable forwarding at all:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    (you can set this permanently in /etc/sysctl.conf)

    However with that setting it will just route packets between the
    two networks, but since the external network knows nothing about
    the structure and addresses in your internal networks, the
    packets will make it never beyond the first router. So the
    packet's addresses must be rewritten to appear as if they
    originated from your NAT forwarding router:

    First load the required iptables modules:

    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_conntrack_irc
    modprobe iptable_nat
    modprobe ip_nat_ftp
    modprobe ip_nat_irc

    should cover the basics (those protocol specific nat and
    conntrack modules are neccesary, since some protocols will open
    additional connections or even open listening ports, which
    relate to existing a existing connection and thus need matching
    NAT rules applied, the conntrack modules take the required

    Now put the iptables into a "sane" state (depending on the
    desired configuration, "sane" might look different):

    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    iptables -P FORWARD REJECT
    iptables -F FORWARD
    iptables -t nat -F

    -P sets a default policy, -F empties the table, so that only the
    default policy applies. Which means for the forwarding table:
    Don't route anything yet. But you want some routing possible,
    but only for connections from the internal network to the
    external, and incoming connections only if they relate to
    existing ones (you remember the conntrack modules above):

    iptables -A FORWARD -i $extif -o $intif -m state --state \
    iptables -A FORWARD -i $intif -o $extif -j ACCEPT


    iptables -A FORWARD -i eth0 -o wlan0 -m state --state \
    iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

    Now tell iptables, that the packets routed between $intif and
    $extif should be NAT-ed

    iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    That about does it. Now on your internal side, you can either
    configure hosts per DHCP, which requires you to setup a DHCP

    Or configure them statically: For that you select IP addresses
    from the same address range in which the internal interface of
    your router is configured, e.g. 192.168.1.x/24 and tell the
    devices, that the router (in this example is the
    default gateway. Since there's no DHCP internally (yet), you
    must tell the clients also the nameserver addresses. That's just
    like in the bridging case. Even if the clients are NAT-ed, you
    tell them the nameserver addresses on the external network.

    Now you might wonder: "Do I've to type that stuff myself every
    time I boot the system?". The answer is "No!" Most distributions
    have a standard way to store such configuration. And even if
    they don't you can put all those commands into a shell script to
    automate things (a shell script is kinda a DOS/Windows .bat
    file, but a lot more powerfull, there are tons of tutorials on
    shell scripting out there).


    Wolfgang Draxinger
    Wolfgang Draxinger, Nov 23, 2008
  6. kiloVolts

    Cork Soaker Guest

    Yeah, Micro-guess-who intentionally limits Windows ICS to use set IPs -
    so that you'll pay stupid money to buy their server crap.

    Linux, of course, is not limited by such stupidity.
    Cork Soaker, Nov 23, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.