![\"20160514-vSRX_to_PI\"](\"https:\/\/networkingnotesblog.files.wordpress.com\/2016\/05\/20160514-vsrx_to_pi.jpg\")
\nTurning raspberry PI into WIFI AP: SSG5 to SRX migration (part 2)
\nDue to the insecure of internet platform, I have decided to run a security appliance at home to replace my SSG firewall. My newest design is to have SRX as the SSG replacment. Since SRX lacks of the feature of build-in WIFI, I have decided to use RASPBERRY PI as the WIFI AP bridge to cover the wireless access feature. In part 2 of this migration, it mainly focus on turning the RASPBERRY PI as the WIFI AP and bridge it to its ETH0 interface.
\nThe WIFI AP elements:
\n– Raspberry PI model B
\n– 0ace:1215 ZyDAS ZD1211B 802.11g
\nDesign for PI:
\n– Since the ESXi host is using trunk, the PI needs to have its NIC ready to take tagged and untag packets.
\n– PI turns the WIFI NIC into WIFI access point
\n– PI needs to bridge the ETH NIC and WIFI NIC to extend the SRX LAN boardcast domain with wireless capability.
\n
\nPreparation:
\n– To install the following to allow PI taking tagged and untag packets, bridging multiple NIC, and turn WIFI NIC into WIFI AP.
\n1. apt-get install vlan # to assign subinterface for taking tagged traffics.
\n2. apt-get install bridge-utils # to create bridging interface to bridge multi NIC.
\n3. apt-get install hostapd # to turn the WIFI NIC into WIFI AP.
\nConfiguration
\n1. Configure the WIFI AP service:
\nFirst, ensure the line below is under the file of “\/etc\/default\/hostapd”.
\nDAEMON_CONF=”\/etc\/hostapd\/hostapd.conf”
\nSecond, apply the approperate values into hostapd.conf
\nvi \/etc\/hostapd\/hostapd.conf
\n###########################################################
\n# Log feature: to put the logs generated by hostapd into syslog. Great for troubleshoot with.
\n#logger_syslog=-1
\n#logger_syslog_level=2
\n#logger_stdout=-1
\n#logger_stdout_level=2
\n# interface used by access point
\ninterface=wlan0
\n# map to bridge=br1
\nbridge=br1
\n# firmware driver (In case this driver does not work with your WIFI NIC, put # in front of the driver to disable it)
\ndriver=nl80211
\n# access point SSID
\nssid=**********************
\n# 0 = to broadcast the ssid, 1 = to stop broadcasting the ssid
\nignore_broadcast_ssid=0
\n# operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g)
\nhw_mode=g
\n# access point channel
\nchannel=1
\n# ACL for WIFI client restriction based on their MAC addresses.
\nmacaddr_acl=0
\nauth_algs=1
\n# key management algorithm
\nwpa_key_mgmt=WPA-PSK
\nwpa_passphrase=*********************
\nwpa=3
\n# set ciphers
\nwpa_pairwise=TKIP CCMP
\nrsn_pairwise=CCMP
\n###########################################################
\n2. To bridge the WIFI NIC with ETH0 subinterface.
\nIn my case, the LAN at SRX is using ge-0\/0\/1.32 with vlan tag 32. Therefore, PI will have the eth0.32 to take the tagged frames from ESXi. Also the wlan0 with untag traffic will be bind to the eth0.32 for wifi extension. I have group eth0.32 and wlan0 into br1. Below is the config of my “\/etc\/network\/interfaces” for reference.
\nauto lo
\niface lo inet loopback
\n## This interface is connecting to ESXi vmnic0.
\n##\u00a0This is to bring up the eth0 only
\nauto eth0
\niface eth0 inet manual
\n## This vlan2 sub interface is for managing PI.
\n## This interface will take and pass packets with vlan2 tag.
\nauto eth0.2
\niface eth0.2 inet static
\naddress 192.168.11.38
\nnetmask 255.255.255.252
\nvlan_raw_device eth0
\n##This interface is the extension of the SRX trust broadcast domain
\nauto eth0.32
\niface eth0.32 inet manual
\nvlan_raw_device eth0
\n## This is to bring up the wifi interface.
\nallow-hotplug wlan0
\niface wlan0 inet manual
\n## This bridge is to let eth0 taking dhcp for portable access.
\nauto br0
\niface br0 inet dhcp
\nhwaddress ether b8:27:eb:56:f6:f6
\nbridge_ports eth0
\nbridge_stp off
\nbridge_fd 0
\nbridge_waitport 0
\n## The second bridge to group eth0.32 and WIFI interface together.
\n## This br1 interface will take the vlan 32 tagged packets at the eth interface and pass the packets untagged via wlan0. We can think of it as trunk and access port from a switch.
\nauto br1
\niface br1 inet static
\naddress 192.168.168.56
\nnetmask 255.255.255.0
\nnetwork 192.168.168.0
\nbroadcast 192.168.168.255
\ngateway 192.168.168.1
\nhwaddress ether b8:27:eb:56:f6:f6
\nbridge_ports eth0.32 wlan0
\nbridge_stp off
\nbridge_fd 0
\nbridge_waitport 0
\n###########################################################
\nFire up hostapd:
\nSomehow the hostapd in my case failed to authenticate my wifi devices with WPA2. My work around is to run the service as super user and disable the hostapd to startup as a service.
\n1. The “rc.local” file is similar to Windows startup folder. Putting the second command to execute hostapd as super user during the PI starts.
\nvi \/etc\/rc.local
\nsudo \/usr\/sbin\/hostapd \/etc\/hostapd\/hostapd.conf &
\nReboot the PI
\nAfter the PI boots up, there will be a new NIC created called “mon.wlan0”.
\nInterface status:
\n$ ifconfig
\nbr0 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
\ninet addr:192.168.0.52 Bcast:192.168.0.255 Mask:255.255.255.0
\ninet6 addr: fe80::ba27:ebff:fe56:f6f6\/64 Scope:Link
\nUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
\nRX packets:3231 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:5432 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:0
\nRX bytes:193178 (188.6 KiB) TX bytes:2100634 (2.0 MiB)
\nbr1 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
\ninet addr:192.168.168.56 Bcast:192.168.168.255 Mask:255.255.255.0
\ninet6 addr: fe80::b425:a8ff:fef0:9157\/64 Scope:Link
\nUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
\nRX packets:290 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:162 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:0
\nRX bytes:40771 (39.8 KiB) TX bytes:19282 (18.8 KiB)
\neth0 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
\nUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
\nRX packets:3550 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:6027 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:1000
\nRX bytes:216448 (211.3 KiB) TX bytes:2269173 (2.1 MiB)
\neth0.2 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
\ninet addr:192.168.11.38 Bcast:192.168.11.39 Mask:255.255.255.252
\ninet6 addr: fe80::ba27:ebff:fe56:f6f6\/64 Scope:Link
\nUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
\nRX packets:92 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:145 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:0
\nRX bytes:4764 (4.6 KiB) TX bytes:33108 (32.3 KiB)
\neth0.32 Link encap:Ethernet HWaddr b8:27:eb:56:f6:f6
\nUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
\nRX packets:227 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:449 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:0
\nRX bytes:16862 (16.4 KiB) TX bytes:63309 (61.8 KiB)
\nlo Link encap:Local Loopback
\ninet addr:127.0.0.1 Mask:255.0.0.0
\ninet6 addr: ::1\/128 Scope:Host
\nUP LOOPBACK RUNNING MTU:65536 Metric:1
\nRX packets:12 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:12 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:0
\nRX bytes:1500 (1.4 KiB) TX bytes:1500 (1.4 KiB)
\nmon.wlan0 Link encap:UNSPEC HWaddr 00-1D-0F-BB-A6-5B-00-00-00-00-00-00-00-00-00-00
\nUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
\nRX packets:58862 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:0 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:1000
\nRX bytes:14925259 (14.2 MiB) TX bytes:0 (0.0 B)
\nwlan0 Link encap:Ethernet HWaddr 00:1d:0f:bb:a6:5b
\nUP BROADCAST DEBUG RUNNING MTU:1500 Metric:1
\nRX packets:307 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:334 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:1000
\nRX bytes:46548 (45.4 KiB) TX bytes:54455 (53.1 KiB)
\nPilot test:
\nI have captured the following fugures for my reference only. (I might perform some more iperf tests on the PI WIFI capability when i m free) The following figures are generated from 1 wifi client (IPHONE4S) downloading 60MB of upgrades from the internet via PI connected to my SRX (SRX s throughput is 50M and above).
\nWhen IPHONE4S is downloading around 10.5Mbps, the PI is consumpting 23.2% for ksoftirqd, 16.9% for hostapd, and around 18% for kworker.
\nPID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
\n3 root 20 0 0 0 0 S 23.2 0.0 1:14.17 ksoftirqd\/0
\n3138 root 20 0 5188 3232 2948 S 16.9 0.7 8:18.95 hostapd
\n4189 root 20 0 0 0 0 S 9.1 0.0 0:04.97 kworker\/0:0
\n4186 root 20 0 0 0 0 S 7.8 0.0 0:14.92 kworker\/0:2
\niftop capture:
\n17.253.85.202 => 192.168.0.50 10.5Mb 10.5Mb 6.92Mb
\n<= 159kb 111kb 71.2kb
\nConclusion:
\nRaspberry PI can be set as a WIFI AP and bridge the WIFI NIC to a sub interface of the Ethernet NIC successfully. I will update the more percise data when i m free to perform some stress tests on the throughput.
\nReference
\nFor more detail on debian\/raspberry PI network setting, please visit “https:\/\/wiki.debian.org\/NetworkConfiguration”<\/p>\n","protected":false},"excerpt":{"rendered":"