Pierre Palatin random posts.

Configuration of my network through an ALIX

Posted at — Jan 1, 2009

That’s old and completely obsolete.

My Media Center is located in the living room. Until now, to have networking on it, there was an old fashionned network cable between the office and the living room, which prevented the door to be closed. So, I’ve configured on of my Alix to serve as a kind of wifi bridge for the media center.

The PC Engines / ALIX is a small box, with a x86 geode processor in it, a wifi card and a network plug (some model have several network plugs).

There’s no hard disk on it, but a flash card. I’ve installed Voyage Linux on it. While I usually don’t like to install niche linux distributions, having a flash card as disk means modifying a lot of things to avoid disk writes. Voyage linux has the advantage of being based on a regular Debian. so there’s still access to all the classical packages and configuration system. So far, I’m happy with it. Everything is read-only by default and you can easily remount the disk as read/write when needed.

My first aim was to have the ALIX act as a pure level-2 bridge, so the media center would have been able to talk directly with the dhcp server and so on. However, my wifi router is most probably crappy, and it was not possible; packets were discarded at its level. I suspect that it didn’t like seeing several mac address on a WPA authenticated connection.

To circumvent this problem, I’ve choosed (well, not much choice :) to have the alix act as a router. But to make the access of the media center possible and transparent from the main network, the ALIX box do a 1:1 NAT between the IP of the media center on the media center network, and a “visible” IP on the main network.

In practice the ALIX has:

So, here is the /etc/network/interfaces on the alix:

# Because we always need a loop back :)
auto lo iface lo inet loopback

# The network interface on the private part, which act
# as a router. Nothing fancy here, static IP.
auto eth0 iface eth0 inet static address netmask broadcast

# The wifi interface, which is an atheros card, hence
# the name. auto ath0
# It absolutely needs to be in manual mode to have wpa-*
# stanzas working. It is possible to still have dhcp on top
# of that with a default interface, but I don't need it
# here.
iface ath0 inet manual

# Atheros network interfaces need to be
# instanciated from the generic wifi0 card. We want
# to be in managed mode (aka client of an access # point), so wlanmode is 'sta'.
pre-up wlanconfig ath0 create wlandev wifi0 wlanmode sta

# We now configure a regular wpa_supplicant with
# the following two stanzas. That's an atheros
# card, so the driver is madwifi. All wpa
# configuration (essid, passphrase and so on) is
# in the wpa_supplicant.conf file.
wpa-driver madwifi wpa-roam /etc/wpa_supplicant.conf

# On a 'up' event (see 'man interfaces'), assign a
# static address. That's the 'public' address of the
# ALIX, the one I use to connect by ssh on it.
up ifconfig ath0

# Since I'm in manual mode, I add the default
# gateway, which is my wifi router.
up route add -net default gw ath0

# And when trying to ifdown this interfaces, clean
# everything.
down route del -net default gw ath0 post-down wlanconfig ath0 destroy

# And now, create a virtual interface on the wifi side,
# which will be the visible IP of the media center.
auto ath0:42 iface ath0:42 inet static

# Regular and boring static configuration of this
# IP.
address netmask broadcast

# And now, the interesting part. Those 4 commands
# tell iptables to forward everything that is
# coming for .1.42 to .2.42 and viceversa. So, at
# the IP level, access to the media center is
# completely transparent, as if it was on the main
# network. Since it's 1:1 NAT, we're using iptables
# in stateless mode, as we don't care about
# connection tracking.
# For that to work, you need to have
# /proc/sys/ipv4/ip_forwarding set to 1; it's the
# default on voyage linux, but ymmv.
post-up iptables -t nat -A PREROUTING -d -j DNAT \
         --to-destination post-up iptables -t nat -A PREROUTING -d -j DNAT \
         --to-destination post-up iptables -t nat -A POSTROUTING -s -j SNAT \
         --to-source post-up iptables -t nat -A POSTROUTING -s -j SNAT \

And that’s it. I’ve just configured the media center to use with as gateway and everything went well.