Routing the IP packets from the station (STA) to another node that’s connected over USB/ethernet

Problem:

I have a setup where a station is configured via wpa supplicant to connect to an AP (over wlan0 interface) and node B is connected to the station via USB (or maybe ethernet), which needs access as well.

Would bridging wlan0 and the USB interface (usb0) work in the sense that the IP packets received by the station could be forwarded to node 1 as well?

If bridging should work, I can’t seem to add wlan0 to the bridge. Running brctl addif bridge0 wlan0 usb0 results in an error Operation not supported.

Also, seemingly wlan0 can’t be bridged, which might be why I’m getting the error above.

One limitation is I’m using an a-grade Linux which doesn’t have all the features that a full-blown Linux would.

Solution:

Station interfaces cannot be bridged, because they cannot send a spoofed MAC address – the same field is used to mean both the “originating device MAC” and “transmitting radio MAC”, so if you tried to send a frame on behalf of the USB ‘node1’ it would be dropped as not being from an associated station.

(The same applies in the other direction, but on top of that, the AP doesn’t have the capability to learn more than 1 MAC address per associated station like true bridges would; it assumes that the station MAC is the receiving device’s MAC.)

Technically, this can be allowed by enabling the ‘4addr’ mode on Linux via iw – and the same on AP side, more commonly called “WDS bridging” everywhere else – however, most “normal” APs do not support it (with some exceptions). APs which don’t support this mode will ignore your 4-address frames, and won’t be able to send you the correct frames for the bridged node1 either.

So 4addr/WDS mode is only an option if the AP is made with that in mind – e.g. if it is a “point-to-point” or “PtMP” or “WISP” bridge, rather than a typical client-device AP.

(Some systems, such as many popular “wireless extenders”, or the bridging feature found in VirtualBox, cheat by implementing NAT for MAC addresses – they actually rewrite sent frames’ MAC addresses to look like the host’s, just like a router would do for IP addresses. However, standard Linux bridging does not support this ‘arpnat’ feature, thankfully.)

For everything else, you will need layer-3 routing, rather than layer-2 bridging. You will need the USB link to use a different network number than the Wi-Fi link, enable IP forwarding on the ‘station’, and configure routes on the AP-side router to know where the USB subnet should be routed.

If both sides must use the same subnet number (or if you can’t configure any routes on the main network), that’s not really nice but can still be handled using Proxy-ARP (and Proxy-NDP for IPv6). The ‘station’ still needs IP forwarding enabled, and it needs to run something like parpd or parprouted to spoof the necessary ARP replies to make other devices think they’re all on a single bridged subnet (though only as far as IPv4 is concerned).
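The following script is an added illustration of the two layer-3 options just described (distinct subnet plus a return route on the AP-side router, or Proxy-ARP when both links must share one network number); it is not code from the original question or answer. The addresses, the station’s DHCP-assigned Wi-Fi address, node B’s interface name, and the `parprouted`/`proxy_arp` lines used for the Proxy-ARP case are assumptions chosen for the example. By default it only prints the commands each host would run; setting `DRY_RUN=0` executes them on the host they belong to.

```shell
#!/bin/sh
# Added example for the routed / Proxy-ARP alternatives to bridging wlan0 (not code
# from the original post). Addresses, node B's interface name and the parprouted /
# proxy_arp lines are assumptions. DRY_RUN=1 (default) prints the commands for each
# host; DRY_RUN=0 runs them on the host the function belongs to.

STA_WIFI_IF=wlan0                 # station's Wi-Fi link to the AP
STA_USB_IF=usb0                   # station's link to node B
NODE_USB_IF=usb0                  # node B's side of the USB link (assumed name)
WIFI_PLEN=24                      # prefix length of the Wi-Fi subnet (constructed)
STA_WIFI_ADDR=192.168.1.20        # address the AP's DHCP gave the station (constructed)
USB_SUBNET=192.168.50.0/24        # separate network number for the USB link (constructed)
STA_USB_ADDR=192.168.50.1/24
NODE_USB_ADDR=192.168.50.2/24

DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# dotted quad -> 32-bit integer, using POSIX sh arithmetic only
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "a.b.c.d/len" -> network number as integer
netaddr() {
  plen=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  echo $(( $(ip2int "${1%/*}") & mask ))
}

# succeeds when both prefixes share one network number
same_subnet() { [ "$(netaddr "$1")" = "$(netaddr "$2")" ]; }

# Plain routing needs distinct network numbers on the two links; if the USB link
# reuses the Wi-Fi network number, the station must fall back to Proxy-ARP.
choose_mode() {
  if same_subnet "$STA_WIFI_ADDR/$WIFI_PLEN" "$STA_USB_ADDR"; then echo proxy-arp; else echo routed; fi
}

plan_station() {
  run sysctl -w net.ipv4.ip_forward=1            # the station becomes a router
  run ip addr add "$STA_USB_ADDR" dev "$STA_USB_IF"
  run ip link set "$STA_USB_IF" up
  if [ "$(choose_mode)" = proxy-arp ]; then
    # Same subnet on both links: answer ARP on behalf of the far side
    # (assumed form of the "something like parprouted" suggestion).
    run sysctl -w net.ipv4.conf.all.proxy_arp=1
    run parprouted "$STA_WIFI_IF" "$STA_USB_IF"
  fi
}

plan_node() {
  run ip addr add "$NODE_USB_ADDR" dev "$NODE_USB_IF"
  run ip link set "$NODE_USB_IF" up
  run ip route add default via "${STA_USB_ADDR%/*}"   # all traffic goes via the station
}

plan_upstream_router() {
  # Without this route the AP-side router has no path back to the USB subnet,
  # so node B's packets go out but the replies never come back.
  if [ "$(choose_mode)" = routed ]; then
    run ip route add "$USB_SUBNET" via "$STA_WIFI_ADDR"
  fi
}

echo "mode: $(choose_mode)"
echo "# on the station";        plan_station
echo "# on node B";             plan_node
echo "# on the AP-side router"; plan_upstream_router
```

The subnet check is the part worth keeping even if the rest is done by hand: the routed design only works when the USB link has its own network number, and the one route on the upstream router is the step most often forgotten, since outbound traffic appears to work while every reply is dropped for lack of a path back.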
