Route ethernet traffic through wifi

This guide will set up the pi as a router that will forward all traffic received on the ethernet interface through an existing wifi connection.

A running wifi connection is required, the pi must be connected to it.

Setting static ethernet address

First, we need to set the pi so it has a static address on the ethernet network.

You must not modify /etc/network/interfaces directly. This used to work, but the latest versions of the pi's dhcp client will ignore these modifications and set up a different address.

• Add the following lines to /etc/dhcpcd.conf:

# Settings for ethernet interface
interface eth0
    #Setting static ip address:
    static ip_address={ip address}/{netmask}

DHCP server on ethernet interface

The dhcp server will provide computers who connect on the ethernet interface with addresses.

• Install the server
  • apt install isc-dhcp-server
• Edit /etc/dhcp/dhcpd.conf according to your desired configuration. You may want to edit in particular:
  • option domain-name to what your network is called
  • option domain-name-servers to the default dns servers of your network
  • authoritative directive. The pi should be the autoritative dhcp server on the ethernet network, so uncomment it.
  • Add a subnet definition: an example one can be:

subnet 10.5.5.0 netmask 255.255.255.0 {
  range 10.5.5.20 10.5.5.30;
  option routers 10.5.5.1;
  option broadcast-address 10.5.5.255;
}

• Enable the dhcp server on the ethernet interface:
  • Edit /etc/default/isc-dhcp-server
  • Set INTERFACESv{4 or 6}="{ethernet interface name}"
• systemctl start isc-dhcp-server: make sure the ethernet interface is up and the static ip address has been assigned before running this command, otherwise it will fail
• systemctl enable isc-dhcp-server
• Make sure that incoming traffic on port 67/UDP is allowed so the server can be reached.

Forward ethernet traffic through existing connection

We set up a network. It would be nice if the pi could act as a gateway so that packets received on the network could be forwarded to the internet.

• Enable packet forwarding:
  • echo 1 > /proc/sys/net/ipv4/ip_forward
• Make that change permanent across reboots:
  • Edit /etc/sysctl.conf
  • Set net.ipv4.ip_forward=1
• Use iptables to set up NAT:
  • iptables -t filter -A FORWARD -s {ethernet ip pool} -j ACCEPT: allow traffic coming from the ethernet network to pass through.
  • iptables -t filter -A FORWARD -d {ethernet ip pool} -m state --state ESTABLISHED,RELATED -j ACCEPT: allow traffic from outside the ethernet network at destination of the ethernet network to pass through, if it is in response of an outgoing connection.
  • iptables -t nat -A POSTROUTING -s {ethernet ip pool} -j MASQUERADE: set up the address translation.

Reset the pi to a pre-routing state

If you want to reset all we did, so that your pi won't be a router anymore, follow these steps.

• Disable packet forwarding:
  • echo 0 > /proc/sys/net/ipv4/ip_forward
  • Edit /etc/sysctl.conf: set net.ipv4.ip_forward=0 (or just comment the line setting it to 1)
• Reset iptables
  • Delete the two ACCEPT rules in table filter, chain FORWARD.
  • Delete the MASQUERADE rule in table nat, chain POSTROUTING.
  • Delete the ACCEPT rule for port 67/udp in table filter, chain INPUT.
  • Eventually other rules that you may have created related to routing (e.g. in nat/prerouting)
• Reset dhcp server configuration
  • systemctl disable isc-dhcp-server to disable running at boot
  • systemctl stop isc-dhcp-server to stop it from running now
  • Eventually reset /etc/dhcp/dhcpd.conf to its default value (even though it's not necessary since the server isn't running)
  • Eventually reset /etc/default/isc-dhcp-server to its default value (even though it's not necessary since the server isn't running)
• Disable static ethernet address:
  • Edit /etc/dhcpcd.conf: delete the configuration for the ethernet interface.