Not a solution: NAT

To connect two networks to Internet, the simplest solution is to use Network Address Translation: NAT in short. NAT is supported by any router and does not require any special treatment. Let’s look at a possible configuration:

Internet access with Network Address Translation

The main issue with this solution is to be able to communicate between the two networks. The computers on the network cannot directly print on the network for example. Same applies for file exchange.

Simple but does not fit my needs.

Best solution: WDS

Wireless Distribution System: WDS in short. In this mode, the wireless card can act as an access point while being connected to another access point. Each frame embeds the MAC address of the client across all links. This is an IP Layer 2 (Data-link) bridge which is completely transparent:

Bridge using WDS 4 address mode

In this configuration, each machine is part of the same sub-net and see all the others. The printer is shared without any extra effort. The main problem with WDS is that it’s unsupported on most of the routers in the market. It’s the best solution if you control each sides of the network.

To get much more details on that topic, you can consult this blog entry:

Poor man solution: Proxy-ARP

In my case, I have strictly no control on the router provided by my ISP. Still, I’m interested to have all the machines in the same network to simplify the sharing of the printer and transfer files between the wired and wireless part of my network.

Address Resolution Protocol ARP in short, is used to convert IP address to MAC addresses. A Proxy ARP answers the queries of a network for network addresses that are not on that network. In my case, the proxy will handle all requests by forwarding them to the network of the wireless card. It replies to all requests with it’s own MAC address.

This is an IP Layer 3 solution (Network layer).

Debian has already an excellent article on the topic: BridgeNetworkConnectionsProxyArp which is slightly outdated.

The main differences in my setup is to reproduce the same functionality for 3 NIC instead of 1 as described in this schema:

Bridge ARP proxy

Configuring Debian Stretch to act as an ARP-proxy

Install packages

First install the required packages if it’s not already done. Log as root or use sudo

[sudo] apt-get install avahi-daemon wpasupplicant net-tools parprouted dhcp-helper psmisc

Configure the wireless network

Edit /etc/wpa_supplicant/wpa_supplicant.conf.

The content could look like this:

    ssid="<your network name here>"
    psk=<your PSK here (see below)>
Edit the content to match your network settings:
  • ssid is your wireless network name, do not forget the quotes “
  • psk must be computed using wpa_passphrase <your network name again>
  • proto is either WPA or RSN for WPA2 networks
  • key_mgmt is WPA-PSK almost for sure.
  • pairwise is the cipher it can be CCMP or TKIP other are too weak.

Do not forget to make it readable by root only for security reasons:

chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf

Find the name of your wireless card with


In my case, it’s wlx38d5470a3982 (thanks to systemd the interfaces names are not difficult to remember).

Edit /etc/network/interfaces and add the following lines (replace everywhere wlx38d5470a3982 by the name of you interface):

auto wlx38d5470a3982
allow-hotplug wlx38d5470a3982
iface wlx38d5470a3982 inet dhcp
  wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

ifup wlx38d5470a3982

should bring the wireless network up now.

Enable IP Forwarding

The simplest is to edit /etc/sysctl.d/99-sysctl.conf.

# Decomment the following line:
# -->

DHCP Relay

As DHCP is an IP Layer 2 protocol it does no go through the bridge. DHCP helper will catch the requests and forward them to the “real” DHCP server.

Edit /etc/default/dhcp-helper.

# Change eth0 by the name of your wireless interface
# -->
DHCPHELPER_OPTS=" -b wlx38d5470a3982"

Configure AVAHI

Avahi mDNS daemon implements Apple’s Zeroconf. By enabling “reflector mode” it will allow the clients to browse all the services connected to the bridge.

Edit /etc/avahi/avahi-daemon.conf:

# Change the following line
# to -->

Final step

Edit /etc/network/interfaces and configure each ethernet interface in “manual” mode. In my case: enp1s0, enp2s0, enp3s0. Comment all the other lines that could concern these interfaces.

auto enp1s0
allow-hotplug enp1s0
iface enp1s0 inet manual

auto enp2s0
allow-hotplug enp2s0
iface enp2s0 inet manual

auto enp3s0
allow-hotplug enp3s0
iface enp3s0 inet manual

Modify the previous wireless configuration to:

auto wlx38d5470a3982
allow-hotplug wlx38d5470a3982
iface wlx38d5470a3982 inet dhcp
  wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
  post-up /usr/sbin/parprouted enp1s0 enp2s0 enp3s0 wlx38d5470a3982
  post-down /usr/bin/killall /usr/sbin/parprouted
  post-up /etc/init.d/dhcp-helper restart
  pre-up /sbin/ifup enp1s0
  post-up /sbin/ip addr add $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp1s0
  pre-down /sbin/ip addr del $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp1s0
  post-down /sbin/ifdown enp1s0
  pre-up /sbin/ifup enp2s0
  post-up /sbin/ip addr add $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp2s0
  pre-down /sbin/ip addr del $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp2s0
  post-down /sbin/ifdown enp2s0
  pre-up /sbin/ifup enp3s0
  post-up /sbin/ip addr add $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp3s0
  pre-down /sbin/ip addr del $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp3s0
  post-down /sbin/ifdown enp3s0

You’re done. @ next reboot, you should get connected to the same network on all your clients. The configuration can easily be trimmed to support just enp1s0.

Have fun!