The Goal of This Post:
This post is an extension to Jacob Salema’s Guide that was picked up by Lifehacker. My main issue with his post is that he refers to the end result as a wireless router, which is not entirely accurate. This device is not meant to be internet-facing and is really more of a wireless/ethernet bridge with the configurations provided.
My goal here was to extend what was provided in his initial post and make it suitable for placing a Raspberry Pi directly behind a cable modem and fully exposed to the internet.
- Raspberry Pi B (gen 2 model) any Raspberry Pi could potentially work here though
- Edimax EW-7811Un
- Short piece of Ethernet (to connect to cable modem)
- Power Adapter and cord for Pi
- SD card with Raspbian installed
- (Optional) USB Keyboard and HDMI Monitor to access the PI. All of these steps can be performed over SSH with a little creativity however.
The Raspberry Pi’s performance is limited by the USB throughput of the WLAN adapter; which on the Raspberry Pi is a USB2.0 hub limited to a theoretical maximum of 480mbps, so you’ll never be able to pull gigabit ethernet here but this will get the job done for small sites. However if you have really crappy broadband like I do in this location the chokepoint will be the crappy broadband and not the Raspberry Pi.
I have maxed out my crappy broadband connection with the following speedtest.net performance results:
A BLAZING — 2.78mbps download
A SIMILARLY BLAZING — 1.28mbps upload
I repeated the same speedtest.net tests using a top-notch Lenovo X1 Gen3 laptop and got the exact same results so there is no lag using the raspberry pi here (for this crappy broadband connection). Since my broadband is so crappy here I’m using 802.11G wifi which won’t choke anything.
Note: I probably wouldn’t trust this for anything over 10mbps. I think the Raspberry Pi 2 with 802.11n wifi could handle a standard 40mbps connection based on some of the numbers I’m seeing here.
1). Required Installs:
Perform these first before any of the other steps.
sudo apt-get update -y sudo apt-get install rfkill zd1211-firmware hostapd hostap-utils iw dnsmasq bridge-utils -y
2). Interfaces Configuration (/etc/network/interfaces):
Modify the interfaces file (/etc/network/interfaces) as shown below.
allow-hotplug wlan0 allow-hotplug eth0 auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp auto wlan0 iface wlan0 inet static address 192.168.2.1 netmask 255.255.255.0
3). DNSmasq Configuration (/etc/dnsmasq.conf):
Modify the DNSmasq configuration file to look exactly like what you see below.
Feel free to modify your domain.
domain=example.com bogus-priv no-resolv server=184.108.40.206 server=220.127.116.11 cache-size=10000 interface=wlan0 dhcp-range=192.168.2.2,192.168.2.254,12h
4). HostAPD Configuration (/etc/hostapd/hostapd.conf):
Modify the configuration file for hostapd to have the following content.
Notice we’re using the “hw_mode=g” option here this is because my limited internet connection couldn’t support max throughput of a wifi-N connection so there would be minimal benefit. If you’re interested in N and have a Raspberry Pi2 and a faster internet connection it may make sense to enable that in your scenario.
Also feel free to modify the SSID to whatever you like and modify the password too, you’ll need at least 8 characters for the password. The channel can also be set to any value between 1-14 (1,6,11,14 are common in the USA)
interface=wlan0 driver=rtl871xdrv country_code=US ctrl_interface=wlan0 ctrl_interface_group=0 ssid=NETWORKNAME hw_mode=g channel=1 wpa=3 wpa_passphrase=password wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMP beacon_int=100 auth_algs=3 macaddr_acl=0 wmm_enabled=1 eap_reauth_period=360000000
5). HostAPD Default Configuration (/etc/default/hostapd):
Modify the defaults file for hostapd (/etc/default/hostapd) to have the same DAEMON_CONF line. The type of quotes used to surround the /etc/hostapd/hostapd.conf file are mission critical; if you use the wrong kind of quotes, hostapd will not start. You can debug the start of hostapd with the command “hostapd -d /etc/hostapd/hostapd.conf” which puts it into debugging mode.
# Defaults for hostapd initscript # # See /usr/share/doc/hostapd/README.Debian for information about alternative # methods of managing hostapd. # # Uncomment and set DAEMON_CONF to the absolute path of a hostapd configuration # file and hostapd will be started during system boot. An example configuration # file can be found at /usr/share/doc/hostapd/examples/hostapd.conf.gz # DAEMON_CONF="/etc/hostapd/hostapd.conf" # Additional daemon options to be appended to hostapd command:- # -d show more debug messages (-dd for even more) # -K include key data in debug messages # -t include timestamps in some debug messages # # Note that -B (daemon mode) and -P (pidfile) options are automatically # configured by the init.d script and must not be added to DAEMON_OPTS. # #DAEMON_OPTS=""
6). Reboot the Pi
Reboot the Pi to apply the interfaces config, start the hostapd daemon, start dnsmasq daemon. After the reboot you should see your new wireless SSID being broadcast and you should be able to login to it too with your provided password. At this point we need to proceed with the IP tables configuration to setup routing and PAT (port address translation).
7). Enable NAT and Routing Non-Persistently
Execute the following commands to enable NAT and routing for this particular session (we will make these settings persistent across reboots in steps 9 and 10).
#Enable Routing sudo sysctl -w net.ipv4.ip_forward=1 #Apply the NAT/PAT config sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Routing allows the Pi to move (or “route”) packets between the two interfaces (Wlan0 and Eth0). Making the Pi a Router allows packets which come in on the Wlan interfaces to be forwarded through the Pi and out the Eth0 port.
NAT stands for Network Address Translation. In this case we’re technically performing PAT or Port Address Translation because we are aggregating the connections and streams of multiple downstream/client IP addresses across a single public IP address using different source ports. As a result packets will be re-written as they pass through a NAT router to be sourced from the public IP address of the NAT router. This re-write hides the original source IP address of the client which generated the traffic. In order to keep track of which stream should be returned to which client, the NAT router keeps a table that maps the Egress destination port to an client IP and source port. This table is called a NAT translation table. You can view the content of the Translation table at any time with the following command:
8). IP Tables Configuration:
IPtables is a program which interacts with the networking stack in the Linux kernel and tells the kernel how to handle incoming network traffic. There are all kinds of customizations that can be made to an internet facing router. What I show below are pretty basic and generally recognized as safe defaults.
Apply the default config by pasting the following commands into the command line on your device:
#allow incoming traffic from the localhost sudo iptables -A INPUT -i lo -j ACCEPT #explicitly allow all icmp/ping traffic sudo iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT #explicitly allow all traffic that is already established sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #Allow new traffic only from the local/WLAN network sudo iptables -A INPUT -i wlan0 -m state --state NEW -j ACCEPT #Drop all other new traffic sudo iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP< #Drop all fragments sudo iptables -A INPUT -f -j DROP # Drop XMAS packets sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # Drop NULL packets sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #allow our dns traffic sudo iptables -A INPUT -i wlan0 -p udp -m udp --sport 53 -j ACCEPT #log everything else that is about to get dropped. sudo iptables -A INPUT -j LOG --log-prefix "IPTABLES Dropped: " --log-level 7 #drop everything else that has made it this far down and not matched. sudo iptables -A INPUT -j DROP
You can see the presently applied iptables rules using the “iptables-save” command with sudo.
pi@raspberrypi:~ $ sudo iptables-save # Generated by iptables-save v1.4.21 on Thu Dec 24 17:37:34 2015 *nat :PREROUTING ACCEPT [7039:855804] :INPUT ACCEPT [1138:80267] :OUTPUT ACCEPT [1167:81793] :POSTROUTING ACCEPT [21:3945] -A POSTROUTING -o eth0 -j MASQUERADE COMMIT # Completed on Thu Dec 24 17:37:34 2015 # Generated by iptables-save v1.4.21 on Thu Dec 24 17:37:34 2015 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [444346:360889024] :OUTPUT ACCEPT [4390:510099] -A INPUT -i lo -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i wlan0 -m state --state NEW -j ACCEPT -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -A INPUT -f -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A INPUT -i wlan0 -p udp -m udp --sport 53 -j ACCEPT -A INPUT -j LOG --log-prefix "IPTABLES Dropped: " --log-level 7 -A INPUT -j DROP COMMIT # Completed on Thu Dec 24 17:37:34 2015
Once you’ve setup the rules you’d like, and you’ve tested that they behave as expected, proceed to step 8 to save the IP tables rules.
9). Make the IPtables Settings Persistent
During the installation of the iptables-persistent program it will ask you if you want to save the presently applied rules, select YES.
sudo apt-get install iptables-persistent -y
Once the rules are saved, they can be edited at the /etc/iptables/rules.v4 (for normal IPv4 traffic). If you’re testing your iptables changes by applying the rules directly using the iptables syntax in step 7 then as you make changes, they can be made persistent by writing the output of the “iptables-save” command directly to the rules.v4 file like so.
sudo iptables-save > /etc/iptables/rules.v4
10). Enable Routing Persistently
The following change allows the Raspi Router to move packets from one interface (wlan0) to another (eth0) by making the device a router.
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf