
#1 2014-04-22 08:14:35

avojevlavo
Member
Registered: 2010-05-27
Posts: 40

[solved] arch router configuration WAN+LAN+WLAN iptables+dhcpd+hostapd

Good day everyone, please advise.
I am trying to build myself a simple router on Arch.
So far my machine has 3 interfaces:

1 Gb Ethernet WAN
(goes to the Internet modem provided to me by my ISP; that modem provides an IP address to this interface, so I configured dhcpcd on this interface)

1 Gb Ethernet LAN
(goes to my main machine; I used https://wiki.archlinux.org/index.php/Internet_sharing to configure a static IP, packet forwarding and iptables, and dhcpd from https://wiki.archlinux.org/index.php/Dhcpd)

ip link set up dev LAN
ip addr add 139.96.30.100/24 dev LAN

after that I created a network profile so this became persistent, then went on to configure packet forwarding

/etc/sysctl.d/30-ipforward.conf

net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

next step, iptables

iptables -t nat -A POSTROUTING -o WAN -j MASQUERADE
iptables -A FORWARD -i LAN -o WAN -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

after that, the dhcpd server

/etc/dhcpd.conf

option domain-name-servers 8.8.8.8;
option subnet-mask 255.255.255.0;
option routers 139.96.30.100;
subnet 139.96.30.0 netmask 255.255.255.0 {
  range 139.96.30.150 139.96.30.250;
}

/etc/systemd/system/dhcpd4@.service

[Unit]
Description=IPv4 DHCP server on %I
Wants=network.target
After=network.target

[Service]
Type=forking
PIDFile=/run/dhcpd4.pid
ExecStart=/usr/bin/dhcpd -4 -q -pf /run/dhcpd4.pid %I
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

systemctl start dhcpd4@LAN.service
systemctl start dhcpd4@WLAN.service

after reboot it works, I can now reach the Internet from my main machine connected to LAN

However I need help with my third interface:
ath9k wifi WLAN
I want to use it as an AP, so I installed hostapd from the Arch repos and configured it as in the example from the official web page http://wireless.kernel.org/en/users/Doc … on/hostapd
I am able to connect to it successfully and get an IP from dhcpd4@WLAN.service. But I cannot reach WAN as I don't have iptables configured properly for WLAN.

Can someone explain to me how to configure iptables for another interface, because just adding

iptables -A FORWARD -i WLAN -o WAN -j ACCEPT

doesn't work.

Do I need to run two dhcpd services for both interfaces? (I know I don't have to run it for LAN as I have only one machine, which can easily be configured as static; however I want to, as I might buy a switch somewhere in the future)
How would I run one dhcpd service for WLAN and LAN but not WAN?
Can WLAN and LAN have the same IP address and range for dhcpd?
And what is the difference between dnsmasq and dhcpd? Which one is better for my use? As I found dnsmasq recommended in https://wiki.archlinux.org/index.php/Router.

Thanks for any help, any other improvements are also welcomed.

Last edited by avojevlavo (2014-04-24 10:53:43)


#2 2014-04-22 17:04:02

branch
Member
Registered: 2014-03-16
Posts: 209

Re: [solved] arch router configuration WAN+LAN+WLAN iptables+dhcpd+hostapd

You need to configure the WLAN interface with a static address on its own subnet, for example 139.96.31.100/24, and let dhcpd4 serve a range from this subnet also. Or, you can bridge the WLAN and LAN interfaces.
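The first alternative branch describes (WLAN on its own subnet, one dhcpd serving both) needs a dhcpd.conf with two subnet declarations, and dhcpd will only serve an interface whose address falls inside one of them. The script below is an added example, not the poster's or the Arch wiki's configuration: it builds such a config for the thread's 139.96.30.0/24 LAN and a constructed 139.96.31.0/24 WLAN, and refuses to emit a stanza whose router or range addresses lie outside the declared subnet (the classic copy-paste error that hands out an unreachable gateway). The subnet numbers, range ends and the 8.8.8.8 resolver are taken from or modelled on the thread; the function names are mine.

```shell
#!/bin/sh
# Added example: generate a two-subnet dhcpd.conf (LAN + WLAN on separate
# networks) and sanity-check every address against its declared subnet.

# ip4_to_int A.B.C.D -> the address as a single integer
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NETWORK NETMASK -> exit 0 if (IP & NETMASK) == NETWORK
in_subnet() {
    [ $(( $(ip4_to_int "$1") & $(ip4_to_int "$3") )) -eq "$(ip4_to_int "$2")" ]
}

# subnet_stanza NETWORK NETMASK ROUTER RANGE_START RANGE_END
# Prints one "subnet { ... }" block; fails (exit 1, nothing printed) if the
# router or either end of the range is not inside NETWORK/NETMASK.
subnet_stanza() {
    net=$1; mask=$2; router=$3; first=$4; last=$5
    for addr in "$router" "$first" "$last"; do
        if ! in_subnet "$addr" "$net" "$mask"; then
            echo "error: $addr is not inside $net/$mask" >&2
            return 1
        fi
    done
    printf 'subnet %s netmask %s {\n' "$net" "$mask"
    printf '  option routers %s;\n' "$router"
    printf '  range %s %s;\n' "$first" "$last"
    printf '}\n'
}

# gen_dhcpd_conf DNS -> full dhcpd.conf for the LAN (.30) and WLAN (.31) subnets.
# The per-subnet "option routers" replaces the single global one from the thread,
# because each subnet needs its own gateway address.
gen_dhcpd_conf() {
    printf 'option domain-name-servers %s;\n' "$1"
    printf 'option subnet-mask 255.255.255.0;\n\n'
    # LAN: addresses from the thread
    subnet_stanza 139.96.30.0 255.255.255.0 139.96.30.100 139.96.30.150 139.96.30.250 || return 1
    printf '\n'
    # WLAN: constructed second subnet, as branch suggested
    subnet_stanza 139.96.31.0 255.255.255.0 139.96.31.100 139.96.31.150 139.96.31.250 || return 1
}

# Usage: redirect the output to /etc/dhcpd.conf once it looks right.
gen_dhcpd_conf 8.8.8.8
```

With two subnets the forwarding rules also need one `-i LAN -o WAN` and one `-i WLAN -o WAN` ACCEPT line each, since without a bridge the two interfaces are separate input devices.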


#3 2014-04-23 09:58:12

avojevlavo
Member
Registered: 2010-05-27
Posts: 40

Re: [solved] arch router configuration WAN+LAN+WLAN iptables+dhcpd+hostapd

branch wrote:

You need to configure the WLAN interface with a static address on its own subnet, for example 139.96.31.100/24, and let dhcpd4 serve a range from this subnet also. Or, you can bridge the WLAN and LAN interfaces.

Thanks branch, I guess I would rather have both WLAN and LAN on the same range with one dhcpd.service.

So, just to be sure: I have to create a bridge for WLAN and LAN with netctl

/etc/netctl/bridge

Description="Example Bridge connection"
Interface=br0
Connection=bridge
BindsToInterfaces=(LAN WLAN)
IP=static
Address=('139.96.30.100/24')  # arbitrary address

disable all previous dhcpd services and start a new one for the bridge

systemctl disable dhcpd4@LAN.service
systemctl disable dhcpd4@WLAN.service
systemctl start dhcpd4@BRIDGE.service

and after that set up iptables like this so it forwards WAN to br0

iptables -t nat -A POSTROUTING -o WAN -j MASQUERADE
iptables -A FORWARD -i br0 -o WAN -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Also:
Do I need to delete the network profile for LAN?
Hostapd does have a bridge option in its configuration. Can I use that somehow instead of creating br0 with netctl? I would think that if I set it to bridge=LAN it should work, because WAN to LAN iptables works OK. Or do I have to create br0 with netctl and then edit this hostapd option to br0?


#4 2014-04-23 18:51:19

branch
Member
Registered: 2014-03-16
Posts: 209

Re: [solved] arch router configuration WAN+LAN+WLAN iptables+dhcpd+hostapd

You do not need to delete the LAN profile; disabling it and enabling the bridge profile is sufficient.

I think

systemctl start dhcpd4@BRIDGE.service

should be

systemctl start dhcpd4@br0.service
systemctl enable dhcpd4@br0.service

Some wireless interfaces need to be specially configured for use in a bridge, in which case it must be added to the bridge by hostapd instead of netctl. If you set the bridge in hostapd.conf then delete WLAN from the BindsToInterfaces in the bridge netctl profile.

Then you just need to make sure systemd starts netctl@bridge.service before hostapd.service and dhcpd4@br0.service.


#5 2014-04-24 10:51:39

avojevlavo
Member
Registered: 2010-05-27
Posts: 40

Re: [solved] arch router configuration WAN+LAN+WLAN iptables+dhcpd+hostapd

SOLVED

First I configured the WAN interface to use dhcpcd to get an IP from the router.

Then created netctl bridge profile as in https://wiki.archlinux.org/index.php/Bridge_with_netctl

/etc/netctl/bridge

Description="Example Bridge connection"
Interface=br0
Connection=bridge
BindsToInterfaces=(LAN WLAN)
IP=static
Address=('139.96.30.100/24')

then configured the dhcpd service as in https://wiki.archlinux.org/index.php/Dhcpd

/etc/dhcpd.conf

# Using the google's dns in the example.
# Change it to 139.96.30.100 if you have a dns server installed
option domain-name-servers 8.8.8.8;
option subnet-mask 255.255.255.0;
option routers 139.96.30.100;
subnet 139.96.30.0 netmask 255.255.255.0 {
  range 139.96.30.150 139.96.30.250;
}

after that I created the service file as in https://wiki.archlinux.org/index.php/Dhcpd to enable the dhcpd server on only one interface

/etc/systemd/system/dhcpd4@.service

[Unit]
Description=IPv4 DHCP server on %I
Wants=network.target
After=network.target

[Service]
Type=forking
PIDFile=/run/dhcpd4.pid
ExecStart=/usr/bin/dhcpd -4 -q -pf /run/dhcpd4.pid %I
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

Next I configured hostapd

/etc/hostapd/hostapd.conf

interface=wlan
bridge=br0

stop and disable the wlan and lan interfaces with netctl (if they are loaded), then start your bridge, hostapd and dhcpd for your bridge

netctl start bridge
netctl enable bridge
ip link set up dev br0   # if it is not already up
systemctl start hostapd.service
systemctl enable hostapd.service
systemctl start dhcpd4@br0.service
systemctl enable dhcpd4@br0.service

check if it's OK with

ip addr

eureka, br0 should be UP at 139.96.30.100
at this point you should be able to connect to wifi and LAN and get yourself a nice IP address from dhcpd4@br0.service

the last step is configuring iptables to forward traffic from WAN to br0
just follow https://wiki.archlinux.org/index.php/Internet_Sharing
mainly the sections Enable packet forwarding and Enable NAT
just substitute the example interfaces when setting up iptables

# iptables -t nat -A POSTROUTING -o WAN -j MASQUERADE
# iptables -A FORWARD -i br0 -o WAN -j ACCEPT
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

WHAT AM I NOT SURE OF:
#1 whether it is necessary to configure br0 bridge both in hostapd.conf and /etc/netctl/bridge or if only one is sufficient
#2 this setup works for me (I can connect to the Internet via WLAN wifi) even when I configured the iptables forward rule for LAN instead of br0:

iptables -A FORWARD -i LAN -o WAN -j ACCEPT
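On the second open point: the most likely reason the `-i LAN` rule "works" is that the FORWARD chain's built-in policy is ACCEPT unless it is changed, and none of the rules in the thread change it. With an ACCEPT policy every forwarded packet passes whether or not any rule matches, so the interface named in the rule is never what decides. Once the bridge is in place, forwarded packets arrive on br0 and `-i LAN` cannot match them (the physical port is only visible through `-m physdev`). The ruleset below is an added example, not the poster's setup or the Arch wiki's: it writes the whole firewall in iptables-restore format with explicit DROP policies on INPUT and FORWARD, so a wrong interface name fails visibly instead of silently passing. The interface names WAN and br0 come from the thread; the set of services allowed from the inside (DHCP, DNS, SSH) and the function names are my assumptions. Note also that the sysctl in the first post enables IPv6 forwarding; this ruleset is IPv4 only, so either leave IPv6 forwarding off or write matching ip6tables rules.

```shell
#!/bin/sh
# Added example: a complete IPv4 ruleset for the WAN + br0 router in
# iptables-restore format, with explicit chain policies.

# router_rules WAN_IF INSIDE_IF -> prints the ruleset on stdout
router_rules() {
    wan=$1; inside=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# masquerade everything leaving through the ISP-facing interface
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the router itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# services offered to the inside only: dhcpd, a local resolver if installed, ssh
-A INPUT -i $inside -p udp --dport 67 -j ACCEPT
-A INPUT -i $inside -p udp --dport 53 -j ACCEPT
-A INPUT -i $inside -p tcp --dport 53 -j ACCEPT
-A INPUT -i $inside -p tcp --dport 22 -j ACCEPT
# the dhcpcd client on WAN needs offers/acks from the ISP modem
-A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
# forwarding: inside -> WAN plus return traffic; the DROP policy covers the rest,
# so a rule naming the wrong interface (e.g. LAN instead of br0) breaks loudly
-A FORWARD -i $inside -o $wan -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# apply_rules WAN_IF INSIDE_IF: load the ruleset atomically with iptables-restore
# when running as root; otherwise just print it so it can be reviewed.
apply_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "not root or iptables-restore not found; printing ruleset instead" >&2
        router_rules "$@"
        return 0
    fi
    router_rules "$@" | iptables-restore
}

# Usage (interface names from the thread). To persist on Arch, save the
# output to /etc/iptables/iptables.rules and enable iptables.service.
apply_rules WAN br0
```

Loading the rules with iptables-restore rather than appending them one `iptables -A` at a time also means a re-run replaces the tables instead of duplicating rules.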

