Not a solution: NAT
To connect two networks to Internet, the simplest solution is to use Network Address Translation: NAT in short. NAT is supported by any router and does not require any special treatment. Let’s look at a possible configuration:
The main issue with this solution is to be able to communicate between the two networks. The computers on the network 10.0.0.1/24 cannot directly print on the network 192.168.0.1/24 for example. Same applies for file exchange.
Simple but does not fit my needs.
Best solution: WDS
Wireless Distribution System: WDS in short. In this mode, the wireless card can act as an access point while being connected to another access point. Each frame embeds the MAC address of the client across all links. This is an IP Layer 2 (Data-link) bridge which is completely transparent:
In this configuration, each machine is part of the same sub-net and see all the others. The printer is shared without any extra effort. The main problem with WDS is that it’s unsupported on most of the routers in the market. It’s the best solution if you control each sides of the network.
To get much more details on that topic, you can consult this blog entry: https://re.builtfromscrat.ch/posts/2017/jan/13/debian-based-wireless-access-point-with-4addr-mode-wds/
Poor man solution: Proxy-ARP
In my case, I have strictly no control on the router provided by my ISP. Still, I’m interested to have all the machines in the same network to simplify the sharing of the printer and transfer files between the wired and wireless part of my network.
Address Resolution Protocol ARP in short, is used to convert IP address to MAC addresses. A Proxy ARP answers the queries of a network for network addresses that are not on that network. In my case, the proxy will handle all requests by forwarding them to the network of the wireless card. It replies to all requests with it’s own MAC address.
This is an IP Layer 3 solution (Network layer).
Debian has already an excellent article on the topic: BridgeNetworkConnectionsProxyArp which is slightly outdated.
The main differences in my setup is to reproduce the same functionality for 3 NIC instead of 1 as described in this schema:
Configuring Debian Stretch to act as an ARP-proxy
Install packages
First install the required packages if it’s not already done. Log as root or use sudo
[sudo] apt-get install avahi-daemon wpasupplicant net-tools parprouted dhcp-helper psmisc
Configure the wireless network
Edit /etc/wpa_supplicant/wpa_supplicant.conf.
The content could look like this:
network={
ssid="<your network name here>"
psk=<your PSK here (see below)>
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
}
- Edit the content to match your network settings:
- ssid is your wireless network name, do not forget the quotes “
- psk must be computed using wpa_passphrase <your network name again>
- proto is either WPA or RSN for WPA2 networks
- key_mgmt is WPA-PSK almost for sure.
- pairwise is the cipher it can be CCMP or TKIP other are too weak.
Do not forget to make it readable by root only for security reasons:
chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf
Find the name of your wireless card with
/sbin/iwconfig
In my case, it’s wlx38d5470a3982 (thanks to systemd the interfaces names are not difficult to remember).
Edit /etc/network/interfaces and add the following lines (replace everywhere wlx38d5470a3982 by the name of you interface):
auto wlx38d5470a3982
allow-hotplug wlx38d5470a3982
iface wlx38d5470a3982 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
ifup wlx38d5470a3982
should bring the wireless network up now.
Enable IP Forwarding
The simplest is to edit /etc/sysctl.d/99-sysctl.conf.
# Decomment the following line:
#net.ipv4.ip_forward=1
# -->
net.ipv4.ip_forward=1
DHCP Relay
As DHCP is an IP Layer 2 protocol it does no go through the bridge. DHCP helper will catch the requests and forward them to the “real” DHCP server.
Edit /etc/default/dhcp-helper.
# Change eth0 by the name of your wireless interface
#DHCPHELPER_OPTS=" -b eth0"
# -->
DHCPHELPER_OPTS=" -b wlx38d5470a3982"
Configure AVAHI
Avahi mDNS daemon implements Apple’s Zeroconf. By enabling “reflector mode” it will allow the clients to browse all the services connected to the bridge.
Edit /etc/avahi/avahi-daemon.conf:
# Change the following line
#enable-reflector=no
# to -->
enable-reflector=yes
Final step
Edit /etc/network/interfaces and configure each ethernet interface in “manual” mode. In my case: enp1s0, enp2s0, enp3s0. Comment all the other lines that could concern these interfaces.
auto enp1s0
allow-hotplug enp1s0
iface enp1s0 inet manual
auto enp2s0
allow-hotplug enp2s0
iface enp2s0 inet manual
auto enp3s0
allow-hotplug enp3s0
iface enp3s0 inet manual
Modify the previous wireless configuration to:
auto wlx38d5470a3982
allow-hotplug wlx38d5470a3982
iface wlx38d5470a3982 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
post-up /usr/sbin/parprouted enp1s0 enp2s0 enp3s0 wlx38d5470a3982
post-down /usr/bin/killall /usr/sbin/parprouted
post-up /etc/init.d/dhcp-helper restart
pre-up /sbin/ifup enp1s0
post-up /sbin/ip addr add $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp1s0
pre-down /sbin/ip addr del $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp1s0
post-down /sbin/ifdown enp1s0
pre-up /sbin/ifup enp2s0
post-up /sbin/ip addr add $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp2s0
pre-down /sbin/ip addr del $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp2s0
post-down /sbin/ifdown enp2s0
pre-up /sbin/ifup enp3s0
post-up /sbin/ip addr add $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp3s0
pre-down /sbin/ip addr del $(/sbin/ip addr show wlx38d5470a3982 | perl -wne 'm|^\s+inet (.*)/| && print $1')/32 dev enp3s0
post-down /sbin/ifdown enp3s0
You’re done. @ next reboot, you should get connected to the same network on all your clients. The configuration can easily be trimmed to support just enp1s0.
Have fun!