Ethernet plus WiFi Bridge Router and Firewall

Set up your Gentoo Linux Box as a 802.11 (WiFi) bridge router, with firewall.

Introduction
If you have a WiFi (802.11) adaptor and two Ethernet adaptors fitted to your Gentoo box, you can configure it as a bridging router and firewall.

We're going to be aiming for the following set-up (which you can easily adapt to meet your own requirements):



Specifically:


 * Your Gentoo box (henceforth, FW) will be connected on a fixed address (we'll assume 192.168.1.129) via its wan interface (which we're assuming is enp4s0 here; yours will probably differ) to your external router (ADSL, cable or whatever).
 * Instructions for connecting via DHCP will also be given.
 * The external router's gateway address will be assumed to be 192.168.1.254.
 * The FW will then provide a (firewall secured) internal network, via its WiFi adaptor (here, we've assumed wlp1s0) and the lan (here, we've assumed enp4s1) interface.
 * We'll bridge these two interfaces together (and use br0 as the bridge name).
 * The FW will provide DHCP addresses to clients that connect (whether by WiFi or Ethernet) in the range 192.168.50.151-200. Connected clients will be able to browse the web etc.
 * The FW will use Google's public DNS on 8.8.8.8, but clients will see 192.168.50.1 as the DNS address.
 * Instructions for those with no WiFi on their <tt>FW</tt> will also be given.
 * You will be able to run services on your <tt>FW</tt> (for example, ownCloud) and make these available to clients on the lan, and (with port-forwarding in your external router) to users on the internet (wan).

You can, obviously, adapt any of the above specifics to suit your own requirements. The set-up is summarized below:

Prerequisites
This article assumes that:
 * You are using <tt>OpenRC</tt>, not <tt>systemd</tt> (the instructions are easily adapted, however).
 * You are currently logged into your box using <tt>ssh</tt> via its lan Ethernet interface (<tt>enp4s0</tt> in our example).
 * You know the 'persistent device names' for your Ethernet and WiFi adaptors (we've assumed <tt>enp4s0</tt>, <tt>enp4s1</tt> and <tt>wlp1s0</tt> here; you can find the appropriate names for your system using <tt>ifconfig -a</tt>).
 * You have the necessary kernel settings in place to support these devices.
 * You have the necessary kernel settings in place to support a basic <tt>netfilter</tt> firewall with NAT, and bridging.
 * Your primary target is IPv4. It is straightforward to extend this guide to support IPv6 also, but this is currently not covered.

Emerge Necessary Packages
The first step is to install the various packages that are required. We will use:


 * <tt>shorewall</tt>, as the firewall (front-end),
 * <tt>dnsmasq</tt>, to provide the DHCP and DNS services on the lan side,
 * <tt>hostapd</tt>, to manage your WiFi adaptor as an access point,
 * tools to let us bridge the Ethernet and WiFi interfaces together, and
 * a daemon to ensure we have sufficient entropy for the WiFi access point cryptography.

Note that we'll need the <tt>doc</tt> USE flag for <tt>shorewall</tt> (to ensure that we get the sample configurations), so create the following file first:

Now we can <tt>emerge</tt> the packages; issue:

Wait for the process to complete before continuing.

Configure Network
First, check your network adaptor names. Then edit accordingly; the below shows an example for our assumed names (enp4s0, enp4s1, wlp1s0 and br0):

Create a network service for the new bridge interface (<tt>br0</tt>):

and ensure that the files, and  already exist (link them to , as above, if they do not).

Ensure that, for now, only the wan Ethernet interface is set to come up on boot (we'll add the bridge, <tt>br0</tt>, later, once testing is complete):

Configure <tt>hostapd</tt>
Next, set up the WiFi adaptor as a software access point, using <tt>hostapd</tt> (users with no WiFi adaptor should skip this step). Save off the current <tt>hostapd</tt> configuration:

then put the following in its place (I'm going to assume you want an SSID (WiFi network name) of "gentoowifi" and a passphrase of "my passphrase 123"; obviously, please don't use these verbatim!):

You can find more details about what these settings mean here and here.

You'll also need to edit the <tt>INTERFACES</tt> line in, to specify that the bridge, <tt>br0</tt>, must be started prior to <tt>hostapd</tt>, so:

Leave the rest of the file as-is.

Configure <tt>dnsmasq</tt>
Next, we'll configure <tt>dnsmasq</tt>, to ensure that clients connecting to our firewall box on <tt>br0</tt> will be allocated addresses via DHCP. We'll also provide DNS services (ultimately, satisfied via Google's DNS on 8.8.8.8).

To achieve this, edit so that the following lines are at the end (and make sure all other lines in the file are commented out):

Adapt as required (see comments in the file itself for explanations of the various options available).
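As an added example (not the article's own configuration files), the following script writes a <tt>hostapd</tt> configuration matching the access point described above and a <tt>dnsmasq</tt> configuration matching the DHCP/DNS settings just discussed. It assumes the article's interface names, SSID, passphrase and address plan, and that <tt>br0</tt> itself is configured with 192.168.50.1.

```shell
#!/bin/sh
# Added example, not the article's own files: writes the hostapd
# and dnsmasq configurations described above. Interface names,
# SSID, passphrase and addresses are the article's assumed values.

write_hostapd_conf() {   # $1 = output file
    cat > "$1" <<'EOF'
interface=wlp1s0
# hostapd adds wlp1s0 to the bridge itself, so br0 must already exist
bridge=br0
driver=nl80211
ssid=gentoowifi
hw_mode=g
channel=6
# WPA2-PSK with AES-CCMP only: no WPA1 (wpa=1 or 3) and no TKIP
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=my passphrase 123
EOF
}

write_dnsmasq_conf() {   # $1 = output file
    cat > "$1" <<'EOF'
# Serve DHCP and DNS on the bridge only, never on the wan interface
interface=br0
bind-interfaces
except-interface=enp4s0
dhcp-range=192.168.50.151,192.168.50.200,12h
dhcp-option=option:router,192.168.50.1
dhcp-option=option:dns-server,192.168.50.1
# Resolve via Google's public DNS, ignoring /etc/resolv.conf
no-resolv
server=8.8.8.8
# Do not send unqualified names or private reverse lookups upstream
domain-needed
bogus-priv
EOF
}

# Stage into a scratch directory first, then copy into place, e.g.
#   sh ap-configs.sh /tmp/stage
if [ $# -eq 1 ]; then
    write_hostapd_conf "$1/hostapd.conf"
    write_dnsmasq_conf "$1/dnsmasq.conf"
fi
```

Because of <tt>bind-interfaces</tt>, <tt>dnsmasq</tt> will refuse to start until <tt>br0</tt> exists, which is the ordering the article sets up.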

Configure <tt>shorewall</tt>
Next, we will set up the <tt>shorewall</tt> firewall (actually, a convenient interface to <tt>iptables</tt> / <tt>netfilter</tt>). Amongst other things, this will allow hosts on the lan side of FW to access the external internet.

Begin by copying across the two-interface configuration files; issue:

Next, we'll need to edit these baseline files to match our target configuration.

Begin with ; ensure that the last part of this file reads as follows:

Next, edit the file, which specifies the default handling for each zone-to-zone traffic category, so the bottom section reads as follows:

This logs and drops any traffic we don't explicitly allow from the <tt>net</tt> zone; allows any outbound connection from <tt>loc</tt> clients and the firewall itself (represented by the variable <tt>$FW</tt>), and rejects all other traffic.

Next, edit, to specify what interface (NB, not zone) traffic should be allowed when the <tt>shorewall</tt> firewall is in the stopped state.

What to allow here is up to you; if you wanted to leave the firewall essentially open in such a situation (all connections in and out on any interface allowed), modify the lines at the bottom of this file so they read:

Next, we need to enable any specific services we want made accessible on the firewall, via the file. This already contains a basic set (allowing <tt>ssh</tt> from the <tt>loc</tt> zone into the firewall host, for example). Add any additional services you require to the bottom of this file. You should at least allow DNS connections from the <tt>loc</tt> zone:

and optionally, allow <tt>ssh</tt> connections from the wan (<tt>net</tt> zone):

Add stanzas for any additional services you wish to expose (such as HTTP, HTTPS etc.), and leave the rest of the file unchanged.

By default, the file refers to the external interface as <tt>eth0</tt>; fix that now:

Finally, you need to make a change to. Modify the <tt>STARTUP_ENABLED</tt> line as follows:

You may also wish to modify the <tt>DISABLE_IPV6</tt> line as follows (if not using IPv6 services externally; this will not block localhost IPv6 traffic however):

Leave the rest of the file as-is.
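As an added example (not the article's own files), the following script writes the <tt>shorewall</tt> zone, interface, policy, rule and masquerade files that the section above describes. It assumes the article's interface names and Shorewall 4.6/5.0 file syntax (<tt>?FORMAT</tt>, <tt>?SECTION</tt>, and the <tt>masq</tt> file); check <tt>shorewall check</tt> against your installed version before starting it.

```shell
#!/bin/sh
# Added example, not the article's own files: writes the Shorewall
# zones, interfaces, policy, rules and masq files described above into
# a target directory (normally /etc/shorewall). Assumes Shorewall 4.6/5.0
# syntax (?FORMAT, ?SECTION, masq) and the article's interface names.

write_shorewall_config() {   # $1 = target directory
    cat > "$1/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF
    # dhcp: dnsmasq serves DHCP on br0; routeback: bridged traffic may re-exit br0
    cat > "$1/interfaces" <<'EOF'
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     enp4s0      tcpflags,nosmurfs,routefilter,logmartians
loc     br0         tcpflags,nosmurfs,routefilter,logmartians,dhcp,routeback
EOF
    # Unmatched traffic from net is logged and dropped; anything else
    # not covered by rules is rejected (and logged)
    cat > "$1/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # Only these services may reach the firewall host itself; the net
    # SSH line is the article's optional one, omit it if not required
    cat > "$1/rules" <<'EOF'
?SECTION NEW
#ACTION         SOURCE  DEST
DNS(ACCEPT)     loc     $FW
SSH(ACCEPT)     loc     $FW
Ping(ACCEPT)    loc     $FW
SSH(ACCEPT)     net     $FW
EOF
    # NAT the lan subnet out of the wan interface (enp4s0, not eth0)
    cat > "$1/masq" <<'EOF'
#INTERFACE  SOURCE
enp4s0      192.168.50.0/24
EOF
}

if [ $# -eq 1 ]; then
    write_shorewall_config "$1"
fi
```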

Testing
Now we can start the various services, to ensure that they work. Issue:

At this point, external clients should be able to see the "gentoowifi" WiFi network. However, it will not yet hand out DHCP addresses, nor will connected clients be able to reach the external internet. Let's fix that next:

Now check that your connected device (e.g. an iPad, or whatever) can browse the web successfully.

Enabling
When you are happy that all is working correctly, set the services up to start on boot:

Reboot your firewall host, and you should be done!