Ethernet LAN to WLAN Router

Overview

The problem: connect a WLAN-only LTE router to an Ethernet-only appliance, with remote access.

[Network diagram: WLAN 192.168.0.0/24 (.0.x, .0.1); LAN 192.168.88.0/24 (.88.x, .88.1); VPN 10.0.8.0/24. Nodes: LTE-Router, Roupi (R-Pi Router), Client, VPN server]

Basic configuration

Update system

sudo apt update
sudo apt upgrade

System settings

sudo raspi-config

Set the following:

Setup interfaces

Configure WLAN (as a station)

The Raspberry Pi stores the SSIDs of known APs in the WPA Supplicant configuration file:

sudo vim /etc/wpa_supplicant/wpa_supplicant.conf
network={
  ssid="ssid"
  psk="password"
}

Configure Ethernet LAN

The LAN uses the 192.168.88.0/24 network range.

The eth0 interface uses the fixed IP address 192.168.88.1:

sudo vim.tiny /etc/dhcpcd.conf
#interface eth0
#static ip_address=192.168.0.10/24
interface eth0
static ip_address=192.168.88.1/24

Router configuration

DHCP server and DNS proxy

dnsmasq provides a DHCP server and DNS proxy on the eth0 interface:

sudo apt install dnsmasq
#sudo apt install isc-dhcp-server
sudo vim /etc/dnsmasq.conf
#interface=
interface=eth0

#dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-range=192.168.88.10,192.168.88.20,12h
sudo service dnsmasq restart

cat /var/lib/misc/dnsmasq.leases
cat /var/log/syslog | grep dnsmasq

Now the client and the router should be able to ping each other.

IP forwarding:

For the Pi-Router to forward traffic between interfaces, enable IP forwarding:

sudo vim /etc/sysctl.conf
#net.ipv4.ip_forward=1
net.ipv4.ip_forward=1

NAT router

Now a device on the LAN can reach the internet; however, responses cannot be sent back, since the 4G router does not know about the 192.168.88.x network.

The solution is to implement NAT on the Pi-Router, so that it relays requests using its own source IP address:

sudo iptables -A FORWARD -i eth0 -j ACCEPT
sudo iptables -A FORWARD -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

To make iptables rules persistent between reboots:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save

Note: if iptables does not support MASQUERADE, switch to the legacy version:

iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables v1.8.2 (nf_tables): Chain 'MASQUERADE' does not exist
Try `iptables -h' or 'iptables --help' for more information.

sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
* 0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode
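
The two FORWARD rules in the NAT router section accept every packet routed toward eth0, whatever interface it arrived on and whatever its connection state. As an added example (not part of the original page), the script below emits a stateful alternative in iptables-restore format and includes a small audit function that flags ACCEPT rules toward the LAN that lack a state match; the function names are hypothetical, while the interface names and LAN range are the page's.

```shell
#!/bin/sh
# Added example, not from the original page. eth0, wlan0 and 192.168.88.0/24
# come from the page; the function names are hypothetical.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-wlan0}"
LAN_NET="${LAN_NET:-192.168.88.0/24}"

# Emit a ruleset in iptables-restore format: FORWARD drops by default, the LAN
# may open connections outward, and only reply traffic is let back in.
roupi_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Read iptables-save style rules on stdin and print every FORWARD ACCEPT rule
# that lets traffic out of the LAN interface without a connection-state match.
audit_forward() {
    grep -E '^-A FORWARD .*-j ACCEPT' \
        | grep -E -- "-o $LAN_IF( |\$)" \
        | grep -v -- '--ctstate' || true
}

# Constructed sample: the page's two FORWARD rules as iptables-save prints them.
page_rules() {
    printf '%s\n' '-A FORWARD -i eth0 -j ACCEPT' '-A FORWARD -o eth0 -j ACCEPT'
}

# On the router, as root: "sh <this file> apply".
# iptables-restore replaces the current filter and nat tables.
if [ "${1:-}" = "apply" ]; then
    roupi_ruleset | iptables-restore && netfilter-persistent save
fi
```

To check a running router, pipe `iptables-save` into `audit_forward`; any line it prints is a rule that admits new connections into the LAN.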

Remote access

Since the 4G router does not provide any remote access capability, the PiRouter will initiate a VPN connection to a public OpenVPN server.
That way, the Pi is accessible (ssh, http) from the outside.

29-Nov-2019