我正在使用 Raspberry Pi 使用 Raspbian,它只是 Debian。
我想从连接到 Cox Cable 的主 WiFi 网络路由器桥接到我的有线路由器,以便我的子网能够获得可靠的互联网访问。
它需要是一个 WiFi 到以太网的桥接器。
我已将 /etc/networks 设置为带有外部适配器和高增益天线的 USB wlan1 的静态地址。 wpa_supplicant配置成功,可以正常登录主路由器。
现在已经设置完毕,我可以使用密码在外部 wlan1 上登录到正确的网络。静态地址在 /etc/networks 中设置。网关和名称服务器都正常。我可以浏览网页等。
缺少的链接是将其桥接到 eth0 端口,以便我的路由器也可以连接,为我的子网提供服务。
不需要任何额外的网络服务,如路由、nat 或 dhcp 等。只是一个简单的桥接器。
谁能指出我正确的方向来实现这一目标?
答案1
要配置从以太网到 wifi 的网桥,就像在您的中执行的一样简单/etc/network/interfaces
:
auto eth0
allow-hotplug eth0
iface eth0 inet manual
auto wlan0
allow-hotplug wlan0
iface wlan0 inet manual
auto br0
iface br0 inet static
bridge_ports eth0 wlan0
address 192.168.1.100
netmask 255.255.255.0
将 IP 地址替换为更适合您的网络的地址。
如果您更喜欢通过 DHCP 完成 IP 归属,请将其更改为:
auto br0
iface br0 inet dhcp
bridge_ports eth0 wlan0
更改后/etc/network/interfaces
,重新启动 Debian 或执行
service networking restart
将激活此配置。
您必须确保已bridge-utils
安装此配置。您可以使用以下命令安装它:
sudo apt install bridge-utils
有关更多信息,请参阅:
还必须配置 wlan0 接口才能连接到远程 AP,因此不能逐字使用此配置。
附加说明:将 eth0 和 wlan0 桥接在一起意味着,用外行人的话来说,br0 将把自己呈现为单个逻辑接口,包含构成桥接器一部分的接口。通常,当两者都扩展或属于同一网络时,会进行此类配置。
答案2
看https://wiki.debian.org/BridgeNetworkConnections#Bridging_with_a_wireless_NIC
与无线 NIC 桥接 正如您可以桥接两个有线以太网接口一样,您也可以在以太网接口和无线接口之间桥接。但是,大多数接入点 (AP) 将拒绝其源地址未通过 AP 进行身份验证的帧。由于 Linux 透明地进行以太网桥接(不会修改传出或传入的帧),因此我们必须设置一些规则来使用名为 ebtables 的程序来执行此操作。
有关使用代理 ARP 和路由的替代第 3 层方法,请参阅 BridgeNetworkConnectionsProxyArp。
ebtables 概述 ebtables 本质上类似于 iptables,只不过它在 OSI 模型的数据链路层的 MAC 子层上运行,而不是在网络层上运行。在我们的例子中,这允许更改所有帧的源 MAC 地址。这很方便,因为我们欺骗了 AP,让其认为所有转发的帧都来自经过 AP 身份验证的机器。
...那里的说明继续管理一侧的地址列表,我无法遵循。
评论回复:我不明白你在哪里得到 3。对于 4,这取决于你如何在 L1 和 L2 之间划分事物,如果你在无线电信号周围画一个框,指示“此 WiFi 无线电将要传输”并包括前 2 个地址...并将它们视为 L1 会话的一部分,这意味着它们在 2 个无线电之间形成物理连接。那么 L2 地址太多就没有问题了,我们安全地回到了 2。
我对描述 ebtables 如何管理所有这些地址的文档感兴趣。
答案3
我被告知,对于我们这些拥有先进硬件和固件的人来说,公认的桥接解决方案是有效的。但对我来说,使用 ath9k 的开源 Linux 固件,结合开源 atheros 高通芯片组,上述答案不起作用。因此,如果您尝试桥接并收到“不允许操作”错误......
WiFi 和以太网无法通过包含 brctl 的 Debianbridge-utils 软件包直接桥接,因为 3 级软件包协议不同。 WiFi 假设每个数据包都来自另一个源并包含该信息,而以太网则不然。欺骗/作弊方法是存在的,但它们被外界认为是威胁并被阻止。
您必须重建第 3 级包,通过名为 dnsmasq.service 的 Linux 服务将以太网标头转换为 WiFi 标头,该服务会伪装包,从而重建第 3 级标头。将要发生的事情的声明可以通过 Linux iptables 创建,其中可以使用称为网络地址转换的过程。
#!/bin/bash
#
# wifi2eth
#
# Tested on Debian GNU/Linux bullseye/sid system.
# Used to connect a Magic Jack Ethernet device so that I may use a corded telephone through the computer which connects to a cellular to WiFi hot-spot device (the MiFi-8000).
# There are certain numbers which, when dialed out, where I can hear the person I called, but they cannot hear me. The problem was resolved by adding UNTRACKED to the list of packets which should be forwarded from WiFi to Ethernet (the telephone).
# When an incoming packet is marked as UNTRACKED, then the state mechanism is broken. I have no problem yet, but if UNTRACKED is used by a sender which is not part of VOIP, then that will create a browsing problem. I would prefer my computer disrespect UNTRACKED requests.
#
# This program creates a functioning WiFi to Ethernet 'bridge'
#
# Step 0: Reset
{ # the redirect of this block also hides bash -x
sudo ifdown --all
for zUp in $(ip addr show | sed -nEe 's/[0-9]+: ([^:]+).* UP .*/\1/p' | tr '\n' ' '); do
sudo ip link set "$zUp" down # force interface down which ifdown was unable to bring down
done
sudo iptables -F
sudo iptables -t nat -F
sudo systemctl stop dnsmasq.service
sudo systemctl disable dnsmasq.service
} &> /dev/null
sudo ifup --all
sudo ifup wlNet 2>&1 | grep -Ee "^Listening on" -e "^DHCPDISCOVER" -e "^bound to"
if [[ $(ip link show wlNet) = *' state DOWN '* ]]; then
echo "$(tput setaf 1)!!! $(basename "$0"): Could not ifup wlNet !!!$(tput sgr0)"
exit
fi
# Step 1: Create the iptables
aEthernet="enTele" # the Ethernet output I want for magicJack
aWireless="wlNet" # the functioning wireless input
aNext=192.168.2 # the next subnet after 192.168.1
aIp_address="$aNext.1" # use the next subnet to create internal network
aNetmask="255.255.255.0" # the network mask
# aNetwork="$aNext.0" # the external inet representing the internal block
# aBroadcast="$aNext.255" # the broadcast IP
aDhcp_range_start="$aNext.50" # inet addresses to be available in subnet
aDhcp_range_end="$aNext.100" # inet addresses to be available in subnet
aDhcp_time="12h" # address lease duration
sudo iptables --flush
sudo iptables -F
sudo iptables -A FORWARD -i $aWireless -o $aEthernet -m state --state RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
sudo iptables -A FORWARD -i $aEthernet -o $aWireless -j ACCEPT
sudo iptables -t nat -F
sudo iptables -t nat -A POSTROUTING -o $aWireless -j MASQUERADE
# Step 2: Turn on IP forwarding.
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo ifconfig $aEthernet $aIp_address netmask $aNetmask
# May also have to uncomment net.ipv4.ip_forward=1 in /etc/sysctl.conf
# Remove possible default route created by dhcpcd.
# Hide error if route does not exist.
sudo ip route del 0/0 dev $aEthernet &> /dev/null
# Step 3: Reconfigure and restart domain name masquerade.
sudo systemctl stop dnsmasq
cat - > /tmp/custom-dnsmasq.conf <<-EOF
interface=$aEthernet
bind-interfaces
server=1.1.1.1
domain-needed
bogus-priv
dhcp-range=$aDhcp_range_start,$aDhcp_range_end,$aDhcp_time
EOF
sudo rm -r /etc/dnsmasq.d/*
sudo mv /tmp/custom-dnsmasq.conf /etc/dnsmasq.d/custom-dnsmasq.conf
sudo systemctl start dnsmasq
# Show off what we did
sudo iptables-save | grep --no-group-separator -e '^-A' -e '^*' | grep -ve '^#'
#################
# End Of Code
#################
#
# The iptables language:
#
# iptables understands ipv4 (ip6tables understand ipv6 (not used))
# apt-get install iptables # comes preinstalled with debian
#
# An iptable stores a chain of rules which redirects packets.
# The first match in a chain determines the packet destination.
# The iptables table name determines when and how the table is used.
# An iptables name is not random or arbitrary.
#
# --table 'filter' is the default and is for firewall creation
# --table 'mangle' is for chaning packet headers (TTL values...)
# --table 'nat' is for routing packets to different hosts via Network Address Translation
# --table 'raw' is a stateful firewall (knows if packet is part of a new or existing connection...)
#
# Chains of a table determine the inspection point.
# PREROUTING chain is for arriving packets in tables 'nat', 'mangle' and 'raw'.
# INPUT is chain for packets going to local process in tables 'mangle' and 'filter'.
# OUTPUT is chain for packets from a process in tables 'raw', 'mangle', 'nat', and 'filter'.
# FORWARD is chain for packets routed through localhost in tables 'mangle', 'filter'.
# POSTROUTING is chain for exiting packets in tables 'nat', 'mangle'.
# MASQUERADE chain...
# When it receives a datagram from a computer on the LAN
# it takes note of the type of datagram it is, "TCP," "UDP," "ICMP," etc.
# and modifies the datagram so that it looks like it was generated by the router machine itself
# and remembers that it has done so.
# It then transmits the datagram onto the Internet with its single connected IP address.
# When the destination host receives this datagram,
# it believes the datagram has come from the routing host and sends any reply datagrams back to that address.
# When the Linux masquerade router receives a datagram from its Internet connection,
# it looks in its table of established masqueraded connections
# to see if this datagram actually belongs to a computer on the LAN,
# if it does, it reverses the modification it did on the forward path
# and transmits the datagram to the LAN computer.
#
# The target of a rule defines what happens to matched packets.
# ACCEPT is the default which forwards or allows the packet.
# DROP acts as if the packet did not exist.
# REJECT responds with an error (then drop).
# LOG creates a kernel log entry (in /var/log/syslog or /var/log/messesages) (then drop).
#
# The iptables interface:
#
# sudo iptables
# -L|--list -v|--verbose list current ip table entries (no --table shows filter table)
# -F|--flush empty all ip table entries (no --table flushes filter table)
# -A|--append creates a new rule
# -j|--jump where to send the packet if the packet matches the rule
# -i|--in-interface where packet must come for for a match
# -o|--out-interface where packet must be going to for for a match
# -m|--match state list,of,states allowed or a match
# note: see man iptables for many other types of matching rules
#
# Packets have a state:
# NEW for the very first packet of a connection
# ESTABLISHED for packets that are part of an existing connection
# RELATED for packets related to another established connection (ftp)
# INVALID for packets whose state is unknown or improper
# UNTRACKED for packets specifically exempted from connection tracking
# DNAT for packets whose destination address was changed by the table
# SNAT for packets whose source address was changed by the table
#
# Anything you block on the INPUT chain, you can’t access either.
# --state RELATED,ESTABLISHED --jump ACCEPT declares "allow existing connections to continue"
#
# Save/restore iptables:
# Once declared, iptables may be saved and restored to/from files of your choice.
# $ sudo iptables-save > iptables.rules # write current rules to configuration file
# $ sudo iptables-restore < iptables.rules # restore rules from configuration file
# $ sudo apt-get install iptables-persistent # package for automated iptables-save/restore
上面是一个需要 chmod +x 的程序,它在执行时会创建 NAT 转发“桥”。重新启动时它不会自动创建“桥”。
注意:像network-manager、wicd、connman 等包都做自己的事情。这些包添加了配置、GUI 和控制层,在我看来,这些只会让一切变得复杂。将它们全部卸载。此方法仅使用实际执行所需任务的包:dnsmasq、iptables 和 wpasupplicant。您的系统越简单,您的解决方案就越容易理解和可靠。
基本命令:
$ ip addr show # list every network interface and its current situation
$ sudo ifup INTERFACE # raise interface declared in /etc/network/interfaces
$ sudo ifdown INTERFACE # lower interface declared in /etc/network/interfaces
衷心祝愿您保持完全开源。