Hack 64. Bridge Your Linux AP

Make a simple Ethernet bridge with Host AP and one other network interface.

"Build Your Own Access Point with Linux" [Hack #63] covers all the basics of building your own Linux-based access point. Since, by default, each network interface in Linux must be part of a different subnet, you'll have to enable IP routing, and possibly Network Address Translation (NAT), if you want to make full use of your new access point.

However, what if you want your wireless clients to be on the same IP subnet as your access point? This hack shows how to do that by enabling wireless-to-wired bridging.

5.3.1. Bridge Setup

Bridging is straightforward to implement, and support for bridging has been integrated into later 2.4.x and all 2.6 kernel releases. In order to set up and maintain bridges, you will need the Bridge Utilities software. Debian and Ubuntu users can install this with apt-get install bridge-utils, while Fedora and Red Hat users can do yum install bridge-utils. A package is available for just about any other distribution you care to name.

The basic procedure for configuring a bridge is to remove any existing IP configuration on the devices you want to bridge, and then create a logical bridge device with the interfaces you want to bridge together. Finally, you configure an IP address and routes for the logical bridge device, so you can still use the network from the bridge device itself (as well as access any services provided by the bridge device from the rest of the network).

In our example, we want to bridge a Prism card running HostAP (wlan0) with the first Ethernet device (eth0). Execute these commands from the local machine console:

ifconfig eth0 0.0.0.0
ifconfig wlan0 0.0.0.0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 wlan0
ifconfig br0 192.168.3.2 netmask 255.255.255.0
route add default gw 192.168.3.1

When you first create the bridge device, it takes a moment or two for the bridge to "learn" the layout of your network. It can take several seconds for traffic to begin to pass through the bridge when first brought up, so don't panic if you don't immediately see traffic.

If you have only one bridge on your network, you can also safely turn off Spanning Tree:

brctl stp br0 off

This prevents the bridging code from needlessly sending 802.1d negotiation traffic to nonexistent bridges. You can see the configuration of your bridge at any time by using brctl show:
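The whole procedure above, wrapped in a small POSIX shell function with the checks you would want before zeroing the IP configuration of live interfaces. This is an added example, not a script from the book or from the bridge-utils project; it assumes bridge-utils and net-tools (ifconfig, route) are installed, and it reads /sys/class/net to verify each interface exists and is not already enslaved to another bridge. With DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: bring up a wired/wireless bridge with the same
# ifconfig/brctl/route commands the hack shows, plus sanity checks.
# DRY_RUN=1 prints each command instead of running it (used by the test).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@" || { echo "failed: $*" >&2; return 1; }
    fi
}

# Refuse to proceed unless the interface exists and is not already a
# member of some bridge (a bridge port has a brport directory in sysfs).
check_iface() {
    if [ "${DRY_RUN:-0}" = "1" ]; then return 0; fi
    [ -d "/sys/class/net/$1" ] || { echo "no such interface: $1" >&2; return 1; }
    [ ! -e "/sys/class/net/$1/brport" ] || { echo "$1 is already bridged" >&2; return 1; }
}

# bridge_up BRIDGE IP NETMASK GATEWAY IFACE...
bridge_up() {
    br=$1; ip=$2; mask=$3; gw=$4; shift 4
    for i in "$@"; do check_iface "$i" || return 1; done
    # Strip IP configuration from the members before enslaving them.
    for i in "$@"; do run ifconfig "$i" 0.0.0.0 || return 1; done
    run brctl addbr "$br" || return 1
    for i in "$@"; do run brctl addif "$br" "$i" || return 1; done
    # Spanning Tree is only safe to disable when this is the sole bridge.
    if [ "${SINGLE_BRIDGE:-1}" = "1" ]; then
        run brctl stp "$br" off || return 1
    fi
    # Address and default route go on the logical bridge device itself.
    run ifconfig "$br" "$ip" netmask "$mask" || return 1
    run route add default gw "$gw"
}

# The hack's own example: bridge eth0 with HostAP's wlan0 as br0.
# bridge_up br0 192.168.3.2 255.255.255.0 192.168.3.1 eth0 wlan0
```

Run it as root with DRY_RUN unset to apply the configuration, or with DRY_RUN=1 first to review exactly what it will do.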

brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.00026f018574       no              eth0
                                                        wlan0

If you are interested in which MACs have been found on the bridge interfaces, use brctl showmacs:

brctl showmacs br0
port no mac addr                is local?       ageing timer
  2     00:02:6f:01:aa:ff       yes                0.00
  1     00:03:93:6c:11:99       no               135.69
  2     00:30:65:03:00:aa       no                 0.08
  1     00:40:63:c0:aa:bb       no                 0.16
  1     00:a0:24:ab:cd:ef       yes                0.00

Generally, bridges are set-and-forget devices. Once configured, your bridge maintains itself, barring a huge amount of traffic or untoward miscreants fiddling with it. Be sure to read the documentation available at http://bridge.sourceforge.net, as well as the documents listed at the end of this hack.

5.3.2. Caveats

Not all network devices allow bridging. Specifically, some radio cards (notably, the Lucent/Orinoco/Avaya/Proxim Gold and Silver cards) prohibit Ethernet bridging in the radio firmware. If you need to bridge, we highly recommend upgrading these cards to a Prism II card or Atheros card. These cards not only allow bridging, but the drivers supporting them are also much more powerful.

Also keep in mind that, as easy as a simple bridge is to configure, it isn't the most secure device on the planet. If you have any interest in controlling the packets that flow across your bridge (and you should), you will want to implement some firewalling on your bridge. But unfortunately, standard netfilter commands don't work with bridges under Linux 2.4. Be sure to read "Protect Your Bridge with a Firewall" [Hack #65] if you need more control over your bridge.

5.3.3. See Also
