TwinDad
Posts: 7
Joined: Wed Jan 16, 2019 6:58 pm

Odd wireless bridge application?

Mon Feb 04, 2019 8:43 pm

I apologize if this turns out to be well-answered. I'm not /quite/ versed enough in the terminology to properly google it. The situation may require a bit of explaining.

I have a "house" network, let's say it's 192.168.x.x for discussion
There's also an associated wireless network "Skynet"

Now, I have three industrial monitoring devices. Each one has a configurable Ethernet port but no wireless capability. At the moment, they are connected to each other on a private network, 169.254.1.x. I need to make them accessible to the "house" network. I *could* solve this quite easily by running a cable from the nearest "house" router to this private network and reconfigure the devices onto the 192.168.x.x network. But for ... reasons ... this is not an option.

Also, I need for applications running on the house network to be able to reach these devices, so any NAT stuff (if needed) needs to work both ways...

I'd like to try to use a Raspberry Pi (3B) to take the place of the cable that I cannot run.

I have two thoughts...

1) Configure the Pi's wlan0 port to connect to "Skynet", connect the eth0 port to the monitoring devices. Give the wlan0 port, say, 192.168.2.1, the eth0 port 192.168.2.2, and the devices all 192.168.2.x addresses. Enable IP forwarding (or something??) and cross my fingers. Not sure if this is even possible.

2) Configure the pi's wlan0 to 192.168.1.2 and its eth0 port to 169.254.1.1, enable IP forwarding and set up a bridge and NAT between wlan0 and eth0 -- essentially configure the Pi as a router with "full cone" NAT, but with wlan0 as the WAN port.

I'm having trouble finding answers because this is rather backwards to the usual arrangement. About 99% of the stuff I've found assumes you want to configure a traditional router situation with the WAN interface on eth0 and setting up wlan0 as a wireless AP. But I need for wlan0 to be the WAN and eth0 to be the subnet. AND I don't really need to even *have* a subnet. There's no reason I can't put the devices on the house network (192.168.x.x) except that I can't physically get a cable to the location.

I'd appreciate some help here, just getting the right terminology in place describing what I'm trying to do. And further if possible the best way to set it up. Much obliged!!

mattmiller
Posts: 2079
Joined: Thu Feb 05, 2015 11:25 pm

Mon Feb 04, 2019 9:32 pm

I'd forget about using a pi and get a pair of mains network extenders and connect your router to one and your devices to the other

TwinDad

Mon Feb 04, 2019 10:30 pm

mattmiller wrote:
Mon Feb 04, 2019 9:32 pm
I'd forget about using a pi and get a pair of mains network extenders and connect your router to one and your devices to the other

Thank you for what would be an excellent, plug-and-play solution, except...

1) IT won't allow those on our network (perceived security issues)
2) There's no common mains power between the IT system and the area where the monitors are (they are powered by the supply for the equipment being monitored, which is on a different mains supply).

mattmiller

Tue Feb 05, 2019 7:02 am

Sorry - I thought this was in your own house

DougieLawson
Posts: 35533
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Tue Feb 05, 2019 7:51 am

TwinDad wrote:
Mon Feb 04, 2019 10:30 pm
mattmiller wrote:
Mon Feb 04, 2019 9:32 pm
I'd forget about using a pi and get a pair of mains network extenders and connect your router to one and your devices to the other
Thank you for what would be an excellent, plug-and-play solution, except...

1) IT won't allow those on our network (perceived security issues)
2) There's no common mains power between the IT system and the area where the monitors are (they are powered by the supply for the equipment being monitored, which is on a different mains supply).

So you are trying to break their rules using a Raspberry. It won't end well.

Go and speak to the IT department about your problems.
Note: Having anything remotely humorous in your signature is completely banned on this forum. Wear a tinfoil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

TwinDad

Tue Feb 05, 2019 9:36 am

DougieLawson wrote:
Tue Feb 05, 2019 7:51 am
TwinDad wrote:
Mon Feb 04, 2019 10:30 pm
mattmiller wrote:
Mon Feb 04, 2019 9:32 pm
I'd forget about using a pi and get a pair of mains network extenders and connect your router to one and your devices to the other
Thank you for what would be an excellent, plug-and-play solution, except...

1) IT won't allow those on our network (perceived security issues)
2) There's no common mains power between the IT system and the area where the monitors are (they are powered by the supply for the equipment being monitored, which is on a different mains supply).
So you are trying to break their rules using a Raspberry. It won't end well.

Go and speak to the IT department about your problems.

No, that's not at all what I said.

I've already consulted IT... they're fine with the Pi solution if I can get it to work. They'd actually slightly prefer it because it would put these devices on the same subnet as a bunch of other related devices that are already on the "Skynet" wifi. It's the power line gear they won't allow.

Getting them to expend resources to help me implement it is an entirely different matter. Their response is basically "That's OK if you want to try it, but we're busy. Just drop a lan cable and be done with it." They're not terribly concerned about the budget implications of that choice since this is coming out of my pocket not theirs (because of location etc. lots of labor costs to pull the cable vs. an already paid for Pi).

TwinDad

Fri Feb 08, 2019 4:40 pm

Well, it's actually probably a good thing that there was little response... I now know a LOT more about routers and NAT and such than I ever did.

I've got it working now. I set up the Pi with the wlan0 port connected to the "Skynet" network, and the eth0 port as 169.254.1.1. Configured the devices in the equipment to be on the 169.254.1.x network with the Pi as their gateway. I enabled ip forwarding, and built a NAT table with iptables to forward specific ports on the wlan0 interface to specific address/ports on the devices. I mangled the device's address into the Pi's port number for human readability. So for example...

Device 1's webserver: 169.254.1.4:80 maps to 192.168.1.pi:480
Device 1's FTP server: 169.254.1.21 maps to 192.168.1.pi:421
Device 2's webserver: 169.254.1.5:80 maps to 192.168.1.pi:580
Device 2's FTP server: 169.254.1.21 maps to 192.168.1.pi:521

... and so on.

I would really have liked to have done a "full cone NAT" so that 169.254.1.4 <-> 192.168.1.4 and so on directly, which I could have done if the Pi's WAN interface had been the hard-wired port. But since the WAN interface was wireless, and talking through a WAP, it was only seeing traffic for its specific IP address, not for the rest of the subnet (as far as I can tell).

But the port-mapping solution works well enough to solve the problem, given that there are only a small handful of devices involved. It certainly doesn't scale very well, but it doesn't have to.

mattmiller

Fri Feb 08, 2019 5:26 pm

I now know a LOT more about routers and NAT and such than I ever did.

Always the best way :)

Now teach us exactly what you did so the next person doesn't have to go thru it again :)
I enabled ip forwarding, and built a NAT table with iptables to forward specific ports on the wlan0 interface to specific address/ports on the devices. I mangled the device's address into the Pi's port number for human readability

Could you post the config files you changed to achieve this?

TwinDad

Fri Feb 08, 2019 9:55 pm

Sure! Now, granted, this is very much a kluged up solution by a guy who doesn't really know what he's doing and just followed google results and studied man pages till he got something to work... I'm certain there are better, cleaner, more efficient ways to set this up. But this DOES work (for me, for now).

This was done on a fully updated version of Raspbian 8 (Jessie). I'm fairly certain this would work with only small changes on Stretch. Older releases, I have no idea.

Step 0: update the OS

Code:

sudo apt-get update
sudo apt-get upgrade

First, enable ip forwarding... edit /etc/sysctl.cfg and uncomment the line that says:

Code:

net.ipv4.ip_forward=1

Second, set up the interfaces in /etc/network/interfaces

Code:

# Wired side: private network shared with the monitoring devices
auto eth0
iface eth0 inet static
	address 169.254.1.1
	netmask 255.255.255.0

# Wireless side: static address on the house network
auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
	address 192.168.1.90
	netmask 255.255.255.0
	gateway 192.168.1.1
	wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

(also put your wireless network SSID and password etc. in wpa-supplicant.conf. There's a thousand tutorials on this online so I'll leave that part as an exercise for the reader)

Third, set up the iptables. So this part I'm *sure* could be done cleaner, but here it is.

3a: Create a file called /etc/network/if-up.d/router and fill it with this:

Code:

#!/bin/bash
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A PREROUTING -t nat -d 192.168.1.90 -p tcp --dport 480 -j DNAT --to-destination 169.254.1.4:80
iptables -A PREROUTING -t nat -d 192.168.1.90 -p tcp --dport 421 -j DNAT --to-destination 169.254.1.4:21
iptables -A PREROUTING -t nat -d 192.168.1.90 -p tcp --dport 580 -j DNAT --to-destination 169.254.1.5:80
iptables -A PREROUTING -t nat -d 192.168.1.90 -p tcp --dport 521 -j DNAT --to-destination 169.254.1.5:21
iptables -A POSTROUTING -t nat -s 169.254.1.4 -p tcp --dport 80 -j SNAT --to-source 192.168.1.90:480
iptables -A POSTROUTING -t nat -s 169.254.1.4 -p tcp --dport 21 -j SNAT --to-source 192.168.1.90:421
iptables -A POSTROUTING -t nat -s 169.254.1.5 -p tcp --dport 80 -j SNAT --to-source 192.168.1.90:580
iptables -A POSTROUTING -t nat -s 169.254.1.5 -p tcp --dport 21 -j SNAT --to-source 192.168.1.90:521
iptables -A FORWARD -i eth0 -j ACCEPT

The first line allows this to be run as an executable shell script
The next two lines flush and delete any existing nat table entries
The next four lines set up (restore) routing for the local loopback interface
The four PREROUTING lines map stuff coming from the WAN to the right port on the right 169.254.1.x device.
The four POSTROUTING lines map stuff coming from 169.254.1.x to look like specific ports on 192.168.1.90

If I didn't need external network computers to be able to initiate connections with the 169.254.1.x devices, I could have done this with one(?) line using -j MASQUERADE instead of -j SNAT / -j DNAT, instead of the eight SNAT/DNAT lines. And if I wasn't working with a wireless WAN interface (192.168.1.x) I could have done all of it with a single pair of -j NETMAP lines.

3b: make the router file executable

Code:

chmod +x /etc/network/if-up.d/router

Since the "router" file is in /etc/network/if-up.d and is executable, it will get auto-run when the network interface(s) are brought up. There are other, perhaps more canonical ways to configure the iptables on boot, but this works.

So now, when I need to access the device 169.254.1.4's web server from the company network, I point my browser to 192.168.1.90:480 and voilà! There it is.

Credit: I consulted several sources in figuring this out, including a bunch of "What is SNAT?" and "How does DNAT work?" type articles. For actual implementation, https://sirlagz.net/2012/08/11/how-to-u ... er-part-3/ was the main contributor...
Last edited by TwinDad on Sat Feb 09, 2019 1:15 am, edited 1 time in total.
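
Added example, not part of TwinDad's post: a generator for the same port scheme that emits an iptables-restore ruleset, so a reload replaces the tables instead of appending duplicate NAT rules, and FORWARD defaults to DROP with only the mapped device ports allowed in from wlan0. The names ext_port and gen_rules are illustrative, and it assumes the devices need no outbound connections of their own; replies to forwarded connections are translated back by connection tracking.

```shell
#!/bin/sh
# Added example (not from the thread). Addresses and interfaces are the ones
# in the post; function and variable names are illustrative.
WAN_IF=wlan0; LAN_IF=eth0
WAN_IP=192.168.1.90; LAN_NET=169.254.1

# ext_port OCTET PORT: print the external port (octet followed by service
# port, e.g. 4 and 80 give 480); fail if the result is not a valid TCP port.
ext_port() {
    p="$1$2"
    case "$p" in *[!0-9]*|'') return 1 ;; esac
    [ "${#p}" -le 5 ] && [ "$p" -le 65535 ] || return 1
    echo "$p"
}

# gen_rules "OCTET:PORT ...": print an iptables-restore ruleset.
gen_rules() {
    seen=' '
    for m in $1; do    # pass 1: validate everything before emitting anything
        ext=$(ext_port "${m%%:*}" "${m##*:}") || { echo "bad mapping: $m" >&2; return 1; }
        case "$seen" in *" $ext "*) echo "port collision: $ext" >&2; return 1 ;; esac
        seen="$seen$ext "
    done
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for m in $1; do
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport ${m%%:*}${m##*:} -j DNAT --to-destination $LAN_NET.${m%%:*}:${m##*:}"
    done
    # Default-deny forwarding: replies ride on conntrack state, and only the
    # mapped device ports may be the target of a new connection.
    printf '%s\n' COMMIT '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for m in $1; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET.${m%%:*} -p tcp --dport ${m##*:} -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# Usage (as root): gen_rules "4:80 4:21 5:80 5:21" | iptables-restore
```
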

mattmiller

Sat Feb 09, 2019 12:29 am

Thanks very much but
This was done on a fully updated version of Raspbian 8 (Jessie)

Why Jessie???????? :)

TwinDad

Sat Feb 09, 2019 3:00 am

mattmiller wrote:
Sat Feb 09, 2019 12:29 am
Thanks very much but
This was done on a fully updated version of Raspbian 8 (Jessie)
Why Jessie???????? :)

It's a repurposed Pi that had Jessie installed when Jessie was new. I didn't want to take the time to upgrade to Stretch for this experiment.

I may yet take it down, upgrade it, and redo the router configuration now that I know how. OTOH, it ain't broke, why fix it?

mattmiller

Sat Feb 09, 2019 12:38 pm

OTOH, it ain't broke, why fix it?

I'm with you on that :)