Turning Raspberry PI into WIFI AP (in bridge mode)

20160514-vSRX_to_PI

Turning Raspberry PI into WIFI AP: SSG5 to SRX migration (part 2)

Due to the insecurity of the internet platform, I have decided to run a security appliance at home to replace my SSG firewall. My newest design is to have SRX as the SSG replacement. Since SRX lacks built-in WIFI, I have decided to use a RASPBERRY PI as the WIFI AP bridge to cover the wireless access feature. Part 2 of this migration mainly focuses on turning the RASPBERRY PI into a WIFI AP and bridging it to its ETH0 interface.

The WIFI AP elements:
– Raspberry PI model B
– 0ace:1215 ZyDAS ZD1211B 802.11g

Design for PI:
– Since the ESXi host is using a trunk, the PI needs to have its NIC ready to take tagged and untagged packets.
– PI turns the WIFI NIC into a WIFI access point.
– PI needs to bridge the ETH NIC and WIFI NIC to extend the SRX LAN broadcast domain with wireless capability.

Preparation:
– Install the following packages so that the PI can take tagged and untagged packets, bridge multiple NICs, and turn the WIFI NIC into a WIFI AP.
1. apt-get install vlan # to create subinterfaces that take tagged traffic.
2. apt-get install bridge-utils # to create a bridging interface that bridges multiple NICs.
3. apt-get install hostapd # to turn the WIFI NIC into a WIFI AP.

Configuration

1. Configure the WIFI AP service:

First, make sure the line below is present in the file "/etc/default/hostapd".

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Second, put the appropriate values into hostapd.conf

vi /etc/hostapd/hostapd.conf

###########################################################
# Log feature: sends the logs generated by hostapd to syslog. Useful for troubleshooting.
#logger_syslog=-1
#logger_syslog_level=2
#logger_stdout=-1
#logger_stdout_level=2

# interface used by access point
interface=wlan0

# map to bridge=br1
bridge=br1

# firmware driver (In case this driver does not work with your WIFI NIC, put # in front of the driver to disable it)
driver=nl80211

# access point SSID
ssid=**********************

# 0 = to broadcast the ssid, 1 = to stop broadcasting the ssid
ignore_broadcast_ssid=0

# operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g)
hw_mode=g

# access point channel
channel=1

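# ACL for WIFI client restriction based on their MAC addresses (0 = accept unless in the deny list).
macaddr_acl=0

# authentication algorithms (1 = open system authentication only)
auth_algs=1

# key management algorithm
wpa_key_mgmt=WPA-PSK
wpa_passphrase=*********************
# WPA mode bitfield: 1 = WPA, 2 = WPA2, 3 = both
wpa=3

# set ciphers (wpa_pairwise applies to WPA clients, rsn_pairwise to WPA2 clients)
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP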

###########################################################
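
A way to check the WPA settings above before deploying the file. This is an added example, not part of the original post: it parses hostapd.conf text and flags legacy WPA (v1), TKIP, shared-key authentication and an out-of-range passphrase. The SSID and passphrase in the sample are constructed placeholders, and the function names are hypothetical.

```python
# Added example (not from the original post): flag weak WPA settings in hostapd.conf.
# Constructed sample mirroring the post's values; SSID and passphrase are placeholders.
SAMPLE_CONF = """\
interface=wlan0
bridge=br1
ssid=EXAMPLE-SSID
auth_algs=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=constructed-placeholder-passphrase
wpa=3
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
"""
# The same file restricted to WPA2 with CCMP only.
HARDENED_CONF = SAMPLE_CONF.replace("wpa=3", "wpa=2").replace("wpa_pairwise=TKIP CCMP\n", "")

def parse_conf(text):
    """Return {key: value} from key=value lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return [(setting, finding)] for weak WPA-related settings."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bitfield: 1 = WPA, 2 = WPA2 (RSN)
    wpa_ciphers = conf.get("wpa_pairwise", "TKIP").split()  # hostapd default is TKIP
    rsn_ciphers = conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split()
    if wpa == 0:
        findings.append(("wpa", "no WPA/WPA2: the network is open or WEP"))
    if wpa & 1:
        findings.append(("wpa", "legacy WPA (v1) accepted; wpa=2 allows WPA2 only"))
        if "TKIP" in wpa_ciphers:
            findings.append(("wpa_pairwise", "TKIP offered to WPA (v1) clients"))
    if wpa & 2 and "TKIP" in rsn_ciphers:
        findings.append(("rsn_pairwise", "TKIP offered to WPA2 clients; use CCMP"))
    if int(conf.get("auth_algs", "0")) & 2:
        findings.append(("auth_algs", "shared-key (WEP) authentication enabled"))
    phrase = conf.get("wpa_passphrase")
    if phrase is not None and not 8 <= len(phrase) <= 63:
        findings.append(("wpa_passphrase", "length must be 8..63 characters"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit(parse_conf(SAMPLE_CONF)):
        print(f"{setting}: {finding}")
```

With the post's values the audit reports the wpa and wpa_pairwise settings; the hardened variant (wpa=2, CCMP only) reports nothing.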

2. Bridge the WIFI NIC with the ETH0 subinterface.

In my case, the LAN at SRX is using ge-0/0/1.32 with vlan tag 32. Therefore, the PI will have eth0.32 to take the tagged frames from ESXi. The wlan0 interface, carrying untagged traffic, will be bound to eth0.32 for the wifi extension. I have grouped eth0.32 and wlan0 into br1. Below is the config of my "/etc/network/interfaces" for reference.
auto lo
iface lo inet loopback

## This interface is connecting to ESXi vmnic0.
## This is to bring up the eth0 only
auto eth0
iface eth0 inet manual

## This vlan2 sub interface is for managing PI.
## This interface will take and pass packets with vlan2 tag.
auto eth0.2
iface eth0.2 inet static
address 192.168.11.38
netmask 255.255.255.252
vlan_raw_device eth0

## This interface is the extension of the SRX trust broadcast domain
auto eth0.32
iface eth0.32 inet manual
vlan_raw_device eth0

## This is to bring up the wifi interface.
allow-hotplug wlan0
iface wlan0 inet manual

## This bridge lets eth0 take DHCP for portable access.
auto br0
iface br0 inet dhcp
hwaddress ether b8:27:eb:56:f6:f6
bridge_ports eth0
bridge_stp off
bridge_fd 0
bridge_waitport 0

## The second bridge to group eth0.32 and WIFI interface together.
## This br1 interface will take the vlan 32 tagged packets at the eth interface and pass the packets untagged via wlan0. We can think of it as trunk and access port from a switch.
auto br1
iface br1 inet static
address 192.168.168.56
netmask 255.255.255.0
network 192.168.168.0
broadcast 192.168.168.255
gateway 192.168.168.1
hwaddress ether b8:27:eb:56:f6:f6
bridge_ports eth0.32 wlan0
bridge_stp off
bridge_fd 0
bridge_waitport 0
###########################################################
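
Because br1 places every wireless client on the SRX trust VLAN, it is worth confirming that wlan0 is bridged only with the intended tagged subinterface and never with the untagged eth0 or the management VLAN. The following is an added example, not part of the original post: it parses /etc/network/interfaces text and reports what shares a bridge with the WIFI NIC. The sample is a constructed excerpt of the file above, the function names are hypothetical, and VLAN IDs are assumed to follow the dev.N naming used in the post.

```python
# Added example (not from the original post). Constructed excerpt of the
# /etc/network/interfaces shown above; addresses omitted.
SAMPLE_INTERFACES = """\
auto eth0.2
iface eth0.2 inet static
    vlan_raw_device eth0
auto eth0.32
iface eth0.32 inet manual
    vlan_raw_device eth0
auto br0
iface br0 inet dhcp
    bridge_ports eth0
auto br1
iface br1 inet static
    bridge_ports eth0.32 wlan0
"""

def parse_bridges(text):
    """Return {bridge: [ports]} for every iface stanza that has bridge_ports."""
    bridges, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) > 1:
            current = words[1]
        elif words[0] in ("auto", "source", "mapping") or words[0].startswith("allow-"):
            current = None  # a new stanza ends the previous iface block
        elif words[0] == "bridge_ports" and current:
            bridges[current] = words[1:]
    return bridges

def vlan_id(port):
    """VLAN ID of a 'dev.N' subinterface name, or None for an untagged port."""
    _, dot, vid = port.rpartition(".")
    return int(vid) if dot and vid.isdigit() else None

def check_wifi_bridging(text, allowed_vlans, wifi="wlan0"):
    """List bridges joining wifi to an untagged port or a VLAN not in allowed_vlans."""
    findings = []
    for bridge, ports in parse_bridges(text).items():
        if wifi not in ports:
            continue
        for port in (p for p in ports if p != wifi):
            vid = vlan_id(port)
            if vid is None:
                findings.append(f"{bridge}: {wifi} bridged to untagged {port}")
            elif vid not in allowed_vlans:
                findings.append(f"{bridge}: {wifi} bridged to VLAN {vid} ({port})")
    return findings
```

For the post's layout, check_wifi_bridging(SAMPLE_INTERFACES, {32}) returns an empty list; adding wlan0 to br0 would be reported as bridged to untagged eth0.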

Fire up hostapd:
Somehow the hostapd in my case failed to authenticate my wifi devices with WPA2. My workaround is to run the service as super user and disable hostapd from starting up as a service.

1. The "rc.local" file is similar to the Windows startup folder. Put the second command below into it to execute hostapd as super user when the PI starts.
vi /etc/rc.local
sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf &

Reboot the PI

After the PI boots up, there will be a new NIC created called “mon.wlan0”.

Interface status:

$ ifconfig
br0 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
inet addr:192.168.0.52 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:fe56:f6f6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3231 errors:0 dropped:0 overruns:0 frame:0
TX packets:5432 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:193178 (188.6 KiB) TX bytes:2100634 (2.0 MiB)

br1 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
inet addr:192.168.168.56 Bcast:192.168.168.255 Mask:255.255.255.0
inet6 addr: fe80::b425:a8ff:fef0:9157/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:290 errors:0 dropped:0 overruns:0 frame:0
TX packets:162 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:40771 (39.8 KiB) TX bytes:19282 (18.8 KiB)

eth0 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3550 errors:0 dropped:0 overruns:0 frame:0
TX packets:6027 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:216448 (211.3 KiB) TX bytes:2269173 (2.1 MiB)

eth0.2 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
inet addr:192.168.11.38 Bcast:192.168.11.39 Mask:255.255.255.252
inet6 addr: fe80::ba27:ebff:fe56:f6f6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:92 errors:0 dropped:0 overruns:0 frame:0
TX packets:145 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4764 (4.6 KiB) TX bytes:33108 (32.3 KiB)

eth0.32 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:227 errors:0 dropped:0 overruns:0 frame:0
TX packets:449 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:16862 (16.4 KiB) TX bytes:63309 (61.8 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1500 (1.4 KiB) TX bytes:1500 (1.4 KiB)

mon.wlan0 Link encap:UNSPEC HWaddr 00-1D-0F-BB-A6-5B-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:58862 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14925259 (14.2 MiB) TX bytes:0 (0.0 B)

wlan0 Link encap:Ethernet HWaddr 00:1d:0f:bb:a6:5b
UP BROADCAST DEBUG RUNNING MTU:1500 Metric:1
RX packets:307 errors:0 dropped:0 overruns:0 frame:0
TX packets:334 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46548 (45.4 KiB) TX bytes:54455 (53.1 KiB)

Pilot test:
I have captured the following figures for my reference only. (I might perform some more iperf tests on the PI WIFI capability when I'm free.) The following figures are generated from 1 wifi client (IPHONE4S) downloading 60MB of upgrades from the internet via the PI connected to my SRX (the SRX's throughput is 50M and above).

When the IPHONE4S is downloading at around 10.5Mbps, the PI is consuming 23.2% CPU for ksoftirqd, 16.9% for hostapd, and around 18% for kworker.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3 root 20 0 0 0 0 S 23.2 0.0 1:14.17 ksoftirqd/0
3138 root 20 0 5188 3232 2948 S 16.9 0.7 8:18.95 hostapd
4189 root 20 0 0 0 0 S 9.1 0.0 0:04.97 kworker/0:0
4186 root 20 0 0 0 0 S 7.8 0.0 0:14.92 kworker/0:2

iftop capture:
17.253.85.202 => 192.168.0.50 10.5Mb 10.5Mb 6.92Mb
<= 159kb 111kb 71.2kb

Conclusion:
Raspberry PI can be set up as a WIFI AP and bridge the WIFI NIC to a subinterface of the Ethernet NIC successfully. I will update with more precise data when I'm free to perform some stress tests on the throughput.

Reference
For more detail on debian/raspberry PI network settings, please visit "https://wiki.debian.org/NetworkConfiguration"
