# Wireless Access Point, Bridge and Routing

## Ryan@warpfive

Hello all,

For my Christmas project this year I'm trying to setup a Linux box which will replace my broadband router and wireless access point. I've purchased a Conexant based PCI ADSL card and have that working perfectly. Tonight I will be able to swap my Netgear WG311v3 PCI wireless network card for a WG311v1 and will follow the guide at http://gentoo-wiki.com/HOWTO_Building_a_Wireless_Access_Point_With_Gentoo to get it working as an access point.

The physical network will look like this:

```
Desktop <-----> (eth0) Linux Box (ppp0) <-----> Internet
                          (wlan0)
                            |
                            |
                    Laptop & Guest Devices

NOTE: The link between the desktop and Linux box will be with a cross-over cable.
```

Getting ahead of myself a bit: if I bridge the wired Ethernet port (eth0) to the wireless LAN (wlan0 ??), as detailed in the How-To, so my laptop can see my desktop PC on the same subnet, how do I set up iptables to forward the required packets out to the Internet via ppp0?

Also, with iptables, which happens first, FORWARD or the INPUT rule? The reason I ask is the ppp0 interface will have an IP ending in x.x.x.206 but the box internally is known as 10.10.12.5 and had an external IP address of x.x.x.205, so I will need to create a rule to do the translation as well as allow web and e-mail connections.

Many thanks for any help and Merry Christmas

Ryan

----------

## MEW

You can find the information about NAT and packet forwarding in the Gentoo Home Router guide.

AFAIK, a packet cannot be matched by both the INPUT and FORWARD chains. The INPUT chain matches only packets destined for the box that iptables is running on, OUTPUT matches only packets generated by that box, and FORWARD matches packets passing through (e.g. from WAN to LAN or LAN to WAN).


----------

## daeghrefn

AFAIK you cannot bridge a wireless card with a wired one... I don't think the bridge tools support it.  To bridge wireless & wired you need a winxp box...

However, the best thing to do is set up iptables with masquerade and NAT, set up a routing table, and run hostapd on the wireless card.  Set it up on a separate subnet from the wired box and route traffic between the two subnets.  Also, set up DHCP on the "router" box in the middle to serve both subnets.  This way, as you add wired or wireless clients, it is easy to serve them IP addresses.

Personally I use ShoreWall to manage the routing tables.  By using ShoreWall's zones, I have a zone set up for each branch of the network: the internet (inet), the wired lan (lan) and the wireless lan (wlan).  This allows me to configure my default policies and rules to allow only the traffic that I want between the wired and wireless (you can even have different rules for each direction) and the traffic between the net and each of the local subnets.

The guides referenced above will work fine for you.  Enjoy, it is a fun project.

Oh, and a quick word of advice if you haven't really messed with setting up hostapd before... get it working without encryption first, then set up the wpa_supplicant and encryption.  It'll save you hours of troubleshooting.  Good luck!
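The routed layout MEW and daeghrefn describe (masquerading on ppp0, a separate subnet per interface, a FORWARD policy between the subnets, and INPUT opened only for services the box itself offers), written out as an added example; this is not code from the thread or from the Gentoo guides it links. It assumes the eth0/wlan0/ppp0 names from Ryan's diagram, 10.10.12.0/24 on the wired side (taken from the box's internal address in the thread) and a constructed 10.10.13.0/24 on the wireless side. By default it only prints the commands it would run; DRY_RUN=0 applies them (as root). The comments also answer the INPUT-versus-FORWARD question: a routed packet never visits both chains.

```shell
#!/bin/sh
# Routed, not bridged: eth0 = wired LAN, wlan0 = wireless LAN, ppp0 = WAN.
# Interface names are from the thread; the subnets are assumptions for the example.
WAN_IF=ppp0
LAN_IF=eth0
WLAN_IF=wlan0
LAN_NET=10.10.12.0/24    # wired side, matches the box's 10.10.12.5 in the thread
WLAN_NET=10.10.13.0/24   # wireless side, constructed for this example

# Wrapper: print the command in dry-run mode (default), execute it with DRY_RUN=0.
ipt() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

enable_forwarding() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

build_ruleset() {
    # Chain roles: INPUT sees packets addressed to this box, OUTPUT packets it
    # generates, FORWARD packets routed through it. One packet hits exactly one
    # of INPUT or FORWARD, so there is no ordering question between them.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Replies to connections the tracker already knows are accepted everywhere.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # INPUT: services the router itself offers. DHCP and DNS from both LANs,
    # SSH from the wired side only, nothing new accepted from the WAN.
    ipt -A INPUT -i lo -j ACCEPT
    for IF in $LAN_IF $WLAN_IF; do
        ipt -A INPUT -i $IF -p udp --dport 67 -j ACCEPT   # DHCP server
        ipt -A INPUT -i $IF -p udp --dport 53 -j ACCEPT   # DNS resolver
    done
    ipt -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT

    # FORWARD: both LANs may reach the Internet, the wired LAN may open
    # connections to the wireless LAN, but wireless may not initiate towards
    # wired (no wlan0 -> eth0 rule, so the default DROP applies). Spoofed
    # sources are refused by matching the subnet to the interface.
    ipt -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
    ipt -A FORWARD -i $WLAN_IF -s $WLAN_NET -o $WAN_IF -j ACCEPT
    ipt -A FORWARD -i $LAN_IF -s $LAN_NET -o $WLAN_IF -d $WLAN_NET -j ACCEPT

    # NAT: rewrite private source addresses to the ppp0 address on the way out.
    # With a fixed WAN address, "-j SNAT --to-source <address>" does the same
    # job without looking the address up per packet.
    ipt -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
}

enable_forwarding
build_ruleset
```

Run it as is to review the rule list, then with `DRY_RUN=0` to load it. Because the wireless subnet sits behind its own FORWARD policy, the "guest devices" in Ryan's diagram get Internet access without being able to open connections to the desktop on eth0, which is the control nielchiano and daeghrefn are arguing for over a bridge.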

----------

## MEW

I haven't tried this (I just use a "canned" router from D-Link), but according to this guide, you can bridge wired and wireless.

----------

## daeghrefn

I stand corrected.  It would be interesting to try.  Personally, I like keeping it routed.

----------

## nielchiano

*daeghrefn wrote:*

> AFAIK you cannot bridge a wireless card with a wired one... I don't think the bridge tools support it.  To bridge wireless & wired you need a winxp box...

I see no reason why this shouldn't work... Am I missing something?

Anyway, security-wise it's better to route+firewall it.

----------

## daeghrefn

Yeah, I thought you couldn't do it before.  Apparently now you can... not sure if I was just wrong before or if things have changed.

I agree that the best control comes from creating two subnets, then routing the packets back and forth, and firewalling the connection between the subnets.  This provides the best security and control.  Plus you can then implement QoS if you like.  I know that a lot of people like to leave their wireless segment open to the public, with limited internet access, and require wireless users to connect to lan services via VPN.  That's not terribly difficult to set up.

----------

## TerranAce007

I did something very similar to this with my school computer and my laptop. My desktop's wifi card uses the rtw2500 drivers, so it doesn't work very well as an access point, but I connect my laptop to it in ad-hoc just fine. You can set up the bridging easily using firestarter, which allows you to share connections AND configure the firewall. I'd look into firestarter...

----------

## Ryan@warpfive

Thanks for all the info, links etc. 

I've finished the project and have it all working. I've detailed my results in a new topic https://forums.gentoo.org/viewtopic-p-2995435.html#2995435

I hope this helps you if you are interested.

Thanks again

Ryan

----------

