Bridge wifi to ethernet to add POE device to network

Hello,

I need to be able to connect a POE device to my ethernet port and have it identify/register on the wifi network. I have tried various iterations w/ routing and nat, based on this article:

Sharing internet connection from a linux machine over Ethernet

I have been able to connect a device to ethernet and ping other hosts on the wifi network, but I can’t reach the ethernet device from the wifi-network hosts.

Thoughts? Help is appreciated…

Hi, @grh!

Please, add some more information to your question:

  • What operating system are you using? What version? (TorizonCore? Custom?)
  • What carrier board are you using? What version?

And, about your setup:

  • How is your network architecture assembled? Which device with which Operating System is connected to which network or device?
  • How are the IP addresses set up? Which IP and subnet mask for each device?
  • Perhaps a dumb question: can’t you use a router? This would make your life easier :)

Also, when you say you can’t reach the device from the wifi, what have you tried? Ping? SSH? TCP or UDP connection using some programming language?

Best regards!

Hi, here’s the info:

Operating system: Linux, based off the tdx-reference-multimedia-image from the tdx-xwayland distro
Carrier board: custom
Network stuff:

So, here’s a summary of the network layout:

-The board is connected to our 192.168.20.0/24 net via wifi.
-We want to be able to plug a POE device to the ethernet port and have it identify on the network just the same as plugging it into the router directly
-I can “bridge” the ethernet and wifi interfaces using forwarding and nat, but that only works one way: I can ping from the ethernet connected device to other connected devices, but not from other connected devices to the ethernet connected device.
-The above is valid only if I subnet the ethernet connected device to the 192.168.21.0/24 network. When I assign it an IP on the 192.168.20.0/24 net, I can’t ping in either direction, either to or from.

Hope this helps.

grh

Hi @grh

Sorry for the delay.

If I understood correctly, you want to bidirectionally bridge both of the module’s network interfaces.

Doing some tests I came to this: you need POSTROUTING rules, FORWARD rules, enabling IP forwarding and route configurations.

Let’s say the enp4s0 is the module’s interface connected to another device (the POE device in your case, let’s say a network 10.0.0.0/24, where the module has IP 10.0.0.1) and the wlan0 is the module’s interface connected to your wifi network (192.168.20.0/24 as in your case, supposing IP 192.168.20.1 for the module).

I assume your wifi network already has a DHCP server, which gives an IP for the wifi interface. I also assume that you have correctly set the IP for the cabled devices.

We need to make these rules on the module (ref: askubuntu):

# Allow traffic to be forwarded from wlan0 to enp4s0
sudo iptables -A FORWARD -i wlan0 -j ACCEPT
# Allow traffic to be forwarded from enp4s0 to wlan0
sudo iptables -A FORWARD -i enp4s0 -j ACCEPT

And, also on the module:

sudo iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

We also need IP forwarding on the module (ref: enable IP forwarding on developer):

sudo sysctl -w net.ipv4.ip_forward=1

Then we need to set the route for the devices:

Those on the ethernet side (which will communicate through the module’s enp4s0 interface) need to have the IP of the module’s enp4s0 as their route:

sudo ip route add default via 10.0.0.1

Those on the wifi side (which will communicate through the module’s wlan0 interface) need to have the IP of the module’s wlan0 as their route:

sudo ip route add default via 192.168.20.1

This worked for me both when testing on a module and on notebooks.

I suppose that what is missing for you are these routings.

Let me know if this works for you.
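A scoped variant of the rules in the post above, as an added example that is not part of the original post. It keeps the post's interface names and subnets, while the `run` and `apply_scoped_forwarding` names, the `DRY_RUN` switch, the DROP policy and the choice not to masquerade toward the Ethernet side are assumptions of this example.

```shell
#!/bin/sh
# Added example: forward only between the two known subnets instead of
# accepting everything that arrives on wlan0 or enp4s0.
WIFI_IF=${WIFI_IF:-wlan0}
ETH_IF=${ETH_IF:-enp4s0}
WIFI_NET=${WIFI_NET:-192.168.20.0/24}
ETH_NET=${ETH_NET:-10.0.0.0/24}
# DRY_RUN defaults to 1: commands are printed, nothing is changed.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

apply_scoped_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    # Default-deny: this also affects any other forwarding the module does.
    run iptables -P FORWARD DROP
    # Replies belonging to flows accepted by the rules below.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New flows from Wi-Fi hosts to the Ethernet subnet only.
    run iptables -A FORWARD -i "$WIFI_IF" -o "$ETH_IF" -s "$WIFI_NET" -d "$ETH_NET" -j ACCEPT
    # New flows from the Ethernet subnet out through Wi-Fi.
    run iptables -A FORWARD -i "$ETH_IF" -o "$WIFI_IF" -s "$ETH_NET" -j ACCEPT
    # NAT only in the outbound direction. Without MASQUERADE toward
    # $ETH_IF the Ethernet device sees the real client address.
    run iptables -t nat -A POSTROUTING -s "$ETH_NET" -o "$WIFI_IF" -j MASQUERADE
}

# Prints the rule set by default; run as root with DRY_RUN=0 to apply it.
apply_scoped_forwarding
```

Wi-Fi hosts still need a route to the Ethernet subnet via the module, and the Ethernet device still needs the module as its gateway.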

Ok, sorry for the delay, but have now been able to turn my attention to this finally! It worked, sort of. I needed a bit of tweaking, and I have some follow-on items that I am not sure are possible, but I will ask anyway. Here is a summary of my findings:

1- I created the following setup:

module->has IP 192.168.20.5 on the 192.168.20.0/24 net via wifi interface mlan0

ethernet-> manually assigned IP 192.168.21.10, and has interface eth0

2- I ran the following steps according to your answer above:

On the module->

$ iptables -A FORWARD -i mlan0 -j ACCEPT
$ iptables -A FORWARD -i eth0 -j ACCEPT
$ iptables -t nat -A POSTROUTING -o mlan0 -j MASQUERADE
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ sysctl -w net.ipv4.ip_forward=1

3- I manually assigned an IP of 192.168.21.20 to my ethernet-connected device, with a default gateway of 192.168.21.10 (module’s eth0 IP), and then connected it to the module’s ethernet port

4- On a separate device connected to the wifi network, I found that if I added the default route in the way you suggested, I lost any other routing for normal network operations (i.e., if I wanted to search Google for something, the new default route “overrode” the normal default route?) In any case, I deleted your default route and added the following route instead:

$ sudo ip route add to 192.168.21.0/24 via 192.168.20.5

Doing the above, and I am successfully able to ping the ethernet connected device at 192.168.21.20 from another wifi device on the 192.168.20.0/24 net. However, a few things I noticed:

5- On the ethernet connected device, I can only ping to the 192.168.20.0/24 net. I cannot reach anywhere outside that net, say to the larger Internet, etc. This is true whether or not I assign a route or not, whether or not I have the DNS servers configured properly or not, etc. Clearly I’m missing something there…

6- Is there a way to automate all this in a way that I don’t have to manually assign a route or IP on the wifi side of things for each subnet on each module? I’d like to get to the point where I can just “plug and play”…

7- How about if I don’t want to subnet off the ethernet port? Perhaps I want it so that when I connected my ethernet device, it becomes part of the same network that the wifi devices are on?

@henrique.tx A further note:

I believe it should be possible to do what I want using a combination of ip / iw commands. However, this requires that WDS mode (i.e., 4addr) be set on the wifi card. Something like this:

$ iw dev mlan0 set 4addr on
$ ip link add br0 type bridge
$ ip link set eth0 master br0
$ ip link set mlan0 master br0

When I do this, it cannot set 4addr mode on for the wifi card:

$ iw dev mlan0 set 4addr on
command failed: Operation not supported (-95)
$

I think this is required to be able to add the mlan0 interface to the bridge. As it stands now, I get the following when I attempt to do so:

$ ip link set mlan0 master br0
Error: Device does not allow enslaving to a bridge.
$

Thoughts?

Hi @grh,

Unfortunately, not all cards, or perhaps just drivers, support 4addr. The old rtl8187 seems to support it, and the mt7601u seems to support it as well. The rest of the cards I tried don’t support 4addr.

THIS looks promising for the rest of the WiFi cards.

Hi @grh,

I tried the parprouted way. It’s working very well. Here is the list of URLs I found:
https://web.archive.org/web/20170222115348/blog.bodhizazen.net/linux/bridge-wireless-cards/
https://wiki.debian.org/BridgeNetworkConnectionsProxyArp
https://blog.pgeiser.com/posts/2017/04/wireless-to-ethernet-bridge-with-an-arp-proxy/
https://linux.die.net/man/8/parprouted

and the best one

https://raspberrypi.stackexchange.com/questions/88954/workaround-for-a-wifi-bridge-on-a-raspberry-pi-with-proxy-arp

Yocto doesn’t seem to provide parprouted. The Git sources I used are these:

git clone https://github.com/Adellica/parprouted.git

git clone https://github.com/Adellica/dhcp-helper.git

dhcp-helper works well. parprouted requires some patching. First of all it expects /bin/ip and we have it at /sbin/ip. And the second, it defines some struct which conflicts with new kernel? headers. See attached.

As I said, it works very well, except that parprouted takes ages to shut down. Some fixing is required. Perhaps there’s a well-maintained Git repository for it.

arp.c and parprouted.c diffs

Hi @grh

About 5:
The default route kicks in only if the packet cannot be sent through the other routes.

About 6:
You can try to set your DHCP server (if it is a Linux machine) to give a route to the requesting device. Take a look at the Options section of the dhcp man page.

About 7:
You can try to use dhcrelay, which allows the DHCP requests to “flow through” Linux.

@henrique.tx @Edward ,

We ended up taking a different approach to accomplish almost the same thing: we utilized port forwarding from wifi to the ethernet subnet. So, for a wifi device with IP 192.168.20.5, that has an ethernet subnet of 10.0.0.1, we fired up a udhcp daemon on the wifi device, plugged in an ethernet device (say IP 10.0.0.20), and then created port forwarding rules. For example, a request over wifi to the wifi device at 192.168.20.5:7201 might get forwarded to the ethernet device with address 10.0.0.20:80.

Crude, but it works, and I think is simpler?
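The port forwarding described above could be written as follows (an added example, not the poster's actual rules). The addresses and ports are the ones from the post, while the interface names `mlan0` and `eth0` are carried over from earlier in the thread and `PORT_MAP`, `is_port`, `forward_port`, `setup_port_forwards` and `DRY_RUN` are assumptions of this example.

```shell
#!/bin/sh
# Added example: expose selected TCP ports of Ethernet-side devices on the
# module's Wi-Fi address and forward nothing else.
WIFI_IF=${WIFI_IF:-mlan0}
ETH_IF=${ETH_IF:-eth0}
WIFI_IP=${WIFI_IP:-192.168.20.5}
# One mapping per line: listen_port dest_ip dest_port
PORT_MAP=${PORT_MAP:-"7201 10.0.0.20 80"}
# DRY_RUN defaults to 1: commands are printed, nothing is changed.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Succeeds only for a plain decimal port number in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_port LISTEN_PORT DEST_IP DEST_PORT
forward_port() {
    is_port "$1" && is_port "$3" || { echo "bad mapping: $*" >&2; return 1; }
    # Rewrite the destination before the routing decision is made.
    run iptables -t nat -A PREROUTING -i "$WIFI_IF" -p tcp -d "$WIFI_IP" \
        --dport "$1" -j DNAT --to-destination "$2:$3"
    # FORWARD sees the rewritten address, so match on the real target.
    run iptables -A FORWARD -i "$WIFI_IF" -o "$ETH_IF" -p tcp -d "$2" \
        --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
}

setup_port_forwards() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    while read -r lport dip dport; do
        forward_port "$lport" "$dip" "$dport" || return 1
    done <<EOF
$PORT_MAP
EOF
}

# Prints the rule set by default; run as root with DRY_RUN=0 to apply it.
setup_port_forwards
```

Replies only find their way back if the Ethernet device uses the module as its gateway, which this example assumes the DHCP daemon on the module hands out.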

This won’t be equal to a bridge. Forwarding each possible port of one client IP to each possible port of “fake IP”…
Just compiling and launching parprouted + dhcp-helper isn’t difficult. Creating 1 or 2 systemd services isn’t difficult either. As a result you get a fully functional WiFi STA to ethernet bridge (actually a router, since traceroute will list that “bridge” as a forwarding node). The solution is nice since it will work with any AP your STA may need to connect to; not all APs and WiFi routers support WDS and even STA 4addr mode.