Raspberry Pi Ethernet to Wifi Bridge

I have a test network of various Raspberry Pies, devices, and other computers and networking equipment, they're all managed by a Ubiquity firewall/router and I want to have it connected to the internet so I can pull updates, software, etc. Unfortunately, it's located in a part of my garage / workshop where there is no ethernet jack or cable to connect to, so using a Raspberry Pi I created a Bridge to connect the firewall to the existing Wireless network in my house. It took a couple of days of struggling and trying different approaches so I hope this Instructable saves you some time and frustration!

A lot of the instructions and how-tos out on the internet were for the other way: connecting to a wired network and then creating a wireless network for all the devices to connect to. That's a perfectly good use case but the key problem with my situation was I didn't have that wired connection to the internet available, I didn't want to put jacks in the wall or run long cables to do so, and I had a perfectly good wireless network with strong signal to connect to!

The parts where pretty simple, a Pi, I put a POE hat on it so that I could reduce the number of wires and clutter, I also opted to use an external USB wifi adapter because I wanted the AC600 capabilities and was connecting to a Wireless AC600 network.

• Raspberry Pi 3 B+ Case, and SD Card (https://amzn.to/2LHzkmy)
• Raspberry Pi POE Hat (https://amzn.to/2q0ZMzG)
• Alfa AWUS036ACS 802.11ac AC600 Wi-Fi USB Wireless Network Adapter (https://amzn.to/2rp7UuM)
• POE Switch (https://amzn.to/2siIuyE)
• Ethernet Cables (https://amzn.to/2P9Urjf)

And in case you are curious this is the networking equipment I use for my home, which I think is just awesome

• Ubiquiti UniFi Cloud Key (https://amzn.to/38q04BE)
• Ubiquiti Unifi Security Gateway (USG) (https://amzn.to/35crkSe)
• Ubiquiti UniFi AP AC PRO 802.11ac Scalable Enterprise Wi-Fi Access Point (https://amzn.to/2siIqPr)
• Ubiquiti UniFi Switch 8 60W (https://amzn.to/36fibs6)

First we'll need to download a few things:

One is the OS for our Raspberry Pi and we're going to use Raspbian, because it's popular and easy to use (which is why it's probably so popular). You can grab the image here, https://www.raspberrypi.org/downloads/raspbian/, we're going to use the "Raspbian Buster with desktop" image so we have a GUI Desktop to make things a little easier and since we're setting this Pi up to be a bridge and not for everyday use, we don't need all the extra recommended software.

Two is we're also going to use Etcher to flash our SD Card. It's free and so easy to use, download and learn more about it here: https://www.balena.io/etcher/

Insert the SD card into the computer (I use a Mac and I'm assuming your laptop/computer has a SD Card reader, otherwise get one like this https://amzn.to/2YLesjD).

To transfer the image to the SD Card we first Unzip the downloaded image which is a ZIP file, then in Etcher select that .img file, make sure to select the right SD card as the destination (I do this by verifying size, 32 GB in this case, and I usually disconnect or remove any other USB or SD cards before launching Etcher), and select Flash. It'll go pretty quick with writing and verifying the image, once that is complete you can remove the SD card and close Etcher.

Connect the Power, HDMI Monitor, and a keyboard and mouse to the Pi. You can also connect the USB wifi adapter but there are some more steps later that are required to make it work.

Insert the SD card and power on the Pi.

The initial setup is pretty easy, in the guided install:

• Step 1, we set the proper locations, language.
• Step 2, we set a password.
• Step 3, we select the existing wifi network and put in the passphrase. Now we are on the network.
• Step 4, we patch and update.
• Step 5, we select the resolution options, my display has the black border, hence the check mark.
• Step 6, we select "later" rather than reboot.
• Step 7, we open the raspberry pi configuration and turn on SSH and VNC to make remote management easier.
• Step 8, then we reboot.

We need to build and install the kernel module to make our USB work. This can be a little complicated but luckily for us there is a person in the UK on the Raspberry Pi forums named MrEngman who compiles several wifi drivers for Raspbian, and in this case he has one for our Alfa USB wireless card. You can see this thread here (https://www.raspberrypi.org/forums/viewtopic.php?t=192985)

To use his script we download it and run it as the superuser (which can be dangerous from a security perspective, but after reviewing what we are grabbing we know it's safe this time).

sudo wget http://fars-robotics.net/install-wifi -O /usr/bin/install-wifi
sudo chmod +x /usr/bin/install-wifi

What this script is doing is identifying which module/driver is needed, grabbing that from the internet, unpacking it and moving it to the right path for the OS to find it (such as in /lib/modules/), and setting the proper permissions. We could go through these steps ourselves, but using MrEngman's script takes out some of the guesswork and manual steps making the process easier for us.

Because we are using the external wifi, we don't need to use the onboard one. For simplicity we just disable it in the OS. This is easy on the Pi since the wifi drivers are unique:

blacklist brcmfmac 
blacklist brcmutil

Since we have two networks, the test network and the regular network connected to the internet, we want the Pi to check the wireless network first, rather than the wired, which is opposite to the default. We can use the metric parameter and set it for the devices, where the lower the number the higher the priority.

And we aren't using ipv6 on either network so we just turn it off for simplicity sake.

Edit the file /etc/dhcpcd.conf, add the lines near the bottom.

interface eth0
metric 300

interface wlan0 
metric 200

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

We need some firewall rules to take the traffic and forward it from the wired network over to the wireless network. These are pretty standard, we use iptables on the Pi and we create a few files and rules to make sure that everything keeps after a reboot.

The rules are simple one to accept and one to forward from the wired to the wireless.

# Create a directory where we will store our `iptables` forwarding rules.
mkdir -p /etc/iptables

# Create `iptables` rules by running this command to generate a `rules.v4` file
cat <<'EOF' >/etc/iptables/rules.v4
*nat
:PREROUTING ACCEPT [98:9304]
:INPUT ACCEPT [98:9304]
:OUTPUT ACCEPT [2:152]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT


*filter
:INPUT ACCEPT [791:83389]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [333:34644]
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
COMMIT

EOF

# Load our `iptables` forwarding rules at each boot
cat <<'EOF' >/etc/network/if-up.d/iptables
#!/bin/sh
iptables-restore < /etc/iptables/rules.v4
EOF

chmod +x /etc/network/if-up.d/iptables

# Enable persistent `ipv4` forwarding for each system boot
# <a href="http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/"> http://www.ducea.com/2006/08/01/how-to-enable-ip-...</a>
sed -i'' \
  s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/ \
  /etc/sysctl.conf

Now for DHCP on that wired interface, we set a static address of 10.1.1.1 and then setup the DHCP to serve out addresses in that IP block.

# Create a static IP address configuration. The `eth0` adapter will use a
# static IP of `10.1.1.1` on this new subnet.
cat <<'EOF' >/etc/network/interfaces.d/eth0
auto eth0
allow-hotplug eth0
iface eth0 inet static
  address 10.1.1.1
  netmask 255.255.255.0
  gateway 10.1.1.1
EOF

# Create a `dnsmasq` DHCP config at `/etc/dnsmasq.d/bridge.conf`.
# The Raspberry Pi will act as a DHCP server to the client connected over
# ethernet. The DNS server will be `8.8.8.8` (Google's DNS) and the
# range will start at `10.1.1.2`.
cat <<'EOF' >/etc/dnsmasq.d/bridge.conf
interface=eth0
bind-interfaces
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=10.1.1.2,10.1.1.254,12h
EOF

After getting things set we can then test the connection on one of the devices and sure enough we can hit the internet and everything works! We can also log in to our Ubiquity cloud key and check the configuration there as well. Screenshot shows this.

Finally we reboot just to make sure everything comes back up as expected again!

Enjoy.