



How to turn your laptop into a router from wired and virtual-machine networks to wireless

Introduction

Ok, so I'm weird.
A while ago I set up my laptop as a wired to wireless router.
The primary reason for this is that at work I am usually on the wireless network.
I have occasionally had need to give network access to another machine that did not have (working) wireless in a place without access to a wired network port.
This process was not all that difficult.
Recently however, I decided that it would be nice to give network access to virtual machines as well.
This required a little bit of configuration tweaking.

I'm not going to go into the required kernel configuration or tools (bridge-utils, etc.) needed for routing and bridging (at least not at the moment), since many pages already detail what is needed.
I'm assuming the reader already knows the basics of routing and bridging.

Networks

The wireless network (wlan0) is configured for dhcp.
A network bridge (br0) is configured that bridges the wired interface (eth0) and the set of virtual tap interfaces (qemu0-qemu9).
The network bridge (br0) is given a private address.
The network bridge (br0) has dhcpd and named running on it to give addresses to the tap interfaces (qemu0-qemu9) as well as anything connected to the wired interface (eth0).
Shorewall is configured to allow everything to talk to everything.
The machines and virtual machines in the bridge can talk to each other and can also access the external network by routing across the wireless.
Machines on the outside of the wireless should be able to access machines in the bridge if you configure shorewall to forward ports to the appropriate members, though I haven't actually tested this yet.

Scripts

startlan - configures the bridge interface and starts network services

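# startlan - bring up the bridge side of the laptop router.
# br0 gets its address first so that the services serving on it (named,
# dhcpd with DHCPD_IFACE="br0") can start against it; shorewall comes last.
# Abort on the first failure: otherwise a service that did not start is
# silently skipped and the later steps run as if everything were up.
set -e
ifconfig br0 192.168.200.1
/etc/init.d/named start
/etc/init.d/dhcpd start
/etc/init.d/shorewall start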

stoplan - stops network services and resets the bridge interface back to null

# stoplan - tear down the bridge side of the laptop router.
# Each service is stopped in turn; one failing to stop does not skip the rest.
for svc in named dhcpd shorewall; do
	/etc/init.d/$svc stop
done
# Restart net.br0 so the bridge returns to its config_br0 ("null") state.
/etc/init.d/net.br0 restart

Configuration Files

/etc/conf.d/net - don't forget to create all the proper /etc/init.d/net.interface symlinks.

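# /etc/conf.d/net - Gentoo baselayout network configuration (sourced as shell).
# Layout: eth0 and the tap interfaces qemu0-qemu9 are members of the bridge
# br0; br0's own address is assigned by the startlan script, and wlan0 is the
# uplink, brought up by wpa_supplicant and configured by dhcp.
dns_domain_lo="resnet"

# eth0 is a bridge member and therefore carries no address of its own.
#config_eth0=( "dhcp" )
config_eth0=( "null" )

# Each qemuN interface is a tap device that baselayout creates with tunctl.
# ALL interfaces that are part of a bridge should be null, otherwise oddities
# may occur.
# tunctl_qemuN passes extra arguments to tunctl. Uncomment it and set
# "-u <user>" to make <user> the owner of the tap, so the account running
# qemu can attach to it without root privileges (see tunctl(8)).
tuntap_qemu0="tap"
config_qemu0=( "null" )
#tunctl_qemu0=( "-u <user>" )

tuntap_qemu1="tap"
#tunctl_qemu1=( "-u <user>" )
config_qemu1=( "null" )

tuntap_qemu2="tap"
#tunctl_qemu2=( "-u <user>" )
config_qemu2=( "null" )

tuntap_qemu3="tap"
#tunctl_qemu3=( "-u <user>" )
config_qemu3=( "null" )

tuntap_qemu4="tap"
config_qemu4=( "null" )

tuntap_qemu5="tap"
config_qemu5=( "null" )

tuntap_qemu6="tap"
config_qemu6=( "null" )

tuntap_qemu7="tap"
config_qemu7=( "null" )

tuntap_qemu8="tap"
config_qemu8=( "null" )

tuntap_qemu9="tap"
config_qemu9=( "null" )


# br0 gets no address from baselayout; the startlan script assigns
# 192.168.200.1 to it. To have baselayout assign an address instead
# (static or dynamic), set config_br0 accordingly.
config_br0=( "null" )
bridge_br0="eth0 qemu0 qemu1 qemu2 qemu3 qemu4 qemu5 qemu6 qemu7 qemu8 qemu9"
# Make sure your baselayout is recent enough to support this.
# net.br0 must not start before every member interface exists.
depend_br0()
{
	need net.eth0
	need net.qemu0
	need net.qemu1
	need net.qemu2
	need net.qemu3
	need net.qemu4
	need net.qemu5
	need net.qemu6
	need net.qemu7
	need net.qemu8
	need net.qemu9
}

# No spanning tree and no forwarding delay: a new member forwards at once.
# NOTE(review): with stp off, a cable loop between bridge members (eth0 and a
# switch that also reaches another member) is not detected - keep that in mind.
brctl_br0=( "setfd 0"
"sethello 0"
"stp off" )


# wlan0 is the uplink: managed by wpa_supplicant, address via dhcp.
modules=( "wpa_supplicant" )
wpa_supplicant_wlan0="-Dwext"
mode_wlan0="managed"
config_wlan0=( "dhcp" )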

/etc/conf.d/dhcpd

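# /etc/conf.d/dhcpd - options for the dhcpd init script.

# dhcpd runs in a chroot. This line is deliberately enabled here; comment it
# out to run dhcpd without a chroot.
DHCPD_CHROOT="/chroot/dhcp"

# Then run emerge dhcp --config
# All file paths below are relative to the chroot.
# You can specify a different chroot directory but MAKE SURE it's empty.

# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf
# (relative to the chroot, so the real file is /chroot/dhcp/etc/dhcp/dhcpd.conf)
DHCPD_CONF="/etc/dhcp/dhcpd.conf"

# Configure which interface or interfaces dhcpd listens on.
# List all interfaces space separated. If this is not specified then
# we listen on all interfaces.
# Only the bridge is listed: the laptop must not hand out leases on wlan0,
# which is the uplink where it is itself a dhcp client.
DHCPD_IFACE="br0"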

/etc/conf.d/named - note that PIDFILE is built from CHROOT, so the two must be changed together

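# /etc/conf.d/named - options for the named (bind) init script.

# Set various named options here.
#
OPTIONS=""

# Set this to the number of processors you have.
#
CPU="1"

# named runs in a chroot. This line is deliberately enabled here; to run
# without a chroot, comment it out. To set the chroot up, run:
# emerge --config =<bind-version>
# You can specify a different chroot directory but MAKE SURE it's empty.
CHROOT="/chroot/dns"

# Default pid file location; the path is derived from CHROOT above, so the
# two stay consistent if the chroot directory is changed.
PIDFILE="${CHROOT}/var/run/named/named.pid"

# Scheduling priority: 19 is the lowest and -20 is the highest.
#
NAMED_NICELEVEL="0"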

/chroot/dhcp/etc/dhcp/dhcpd.conf - note that this is configured to send PXE clients to the LTSP PXE server running in a virtual machine

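# dhcpd.conf - served on br0 only (DHCPD_IFACE in /etc/conf.d/dhcpd).
# The laptop (192.168.200.1) is router, DNS, NTP, netbios name and log
# server for the bridge; network boot is handed to 192.168.200.3.
log-facility syslog;

option domain-name "escapenet";
option domain-name-servers 192.168.200.1;
option routers 192.168.200.1;
option ntp-servers 192.168.200.1;
option time-servers 192.168.200.1;
option netbios-name-servers 192.168.200.1;
option log-servers 192.168.200.1;
# Applies globally, so the host declarations below need not repeat it.
use-host-decl-names on;

# Network boot: PXE firmware gets pxelinux, anything else gets the nbi
# image; both are fetched from the LTSP server, which also exports the root.
option root-path "192.168.200.3:/opt/ltsp/i386";
next-server 192.168.200.3;
if substring ( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
    filename "/ltsp/i386/pxelinux.0";
} else {
    filename "/ltsp/i386/nbi.img";
}

# Dynamic DNS: dhcpd itself updates the escapenet forward and reverse zones
# in named; clients may not send their own updates.
ddns-update-style interim;
ddns-updates on;
ddns-domainname "escapenet";
ddns-rev-domainname "in-addr.arpa";
deny client-updates;

subnet 192.168.200.0 netmask 255.255.255.0 {
    # dynamic pool; the fixed addresses below lie outside it
    range 192.168.200.200 192.168.200.250;

    group {
        # The MAC addresses are redacted placeholders - fill in the real ones.
        host frisbee {
            hardware ethernet xx:xx:xx:xx:xx:xx;
            fixed-address 192.168.200.2;
        }

        host lernaean-hydra {
            hardware ethernet xx:xx:xx:xx:xx:xx;
            fixed-address 192.168.200.3;
        }
    }
}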

/chroot/dns/etc/bind/named.conf

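options {
	directory "/var/bind";

	// named serves the bridge only (dhcpd hands out 192.168.200.1 as the
	// resolver), so do not offer it on wlan0, the uplink; startlan assigns
	// the br0 address before named starts.
	listen-on { 127.0.0.1; 192.168.200.1; };
	allow-query { any; };

	// if you have problems and are behind a firewall:
	//query-source address * port 53;
	pid-file "/var/run/named/named.pid";

	// I use these on my main lan router, but not on the laptop routing config
	// since the wireless network will have its own servers
	//forwarders {
	//	// OpenDNS
	//	208.67.222.222;
	//	208.67.220.220;
	//};
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "localhost" IN {
	type master;
	file "pri/localhost.zone";
	allow-update { none; };
	notify no;
};

zone "127.in-addr.arpa" IN {
	type master;
	file "pri/127.zone";
	allow-update { none; };
	notify no;
};

zone com IN { type delegation-only; };
zone net IN { type delegation-only; };

// Zones for the bridge network. dhcpd on this host keeps them current via
// DDNS, so updates are accepted only from the laptop's own addresses; if
// named logs refused updates from another local address, add it here.
// No secondary servers are configured, so zone transfers are disabled.
zone "escapenet" {
	type master;
	file "/var/bind/escapenet.hosts";
	allow-update { 127.0.0.1; 192.168.200.1; };
	allow-query { any; };
	allow-transfer { none; };
};

zone "200.168.192.in-addr.arpa" {
	type master;
	file "/var/bind/192.168.200.rev";
	allow-update { 127.0.0.1; 192.168.200.1; };
	allow-query { any; };
	allow-transfer { none; };
};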

/etc/shorewall/interfaces - note that the lan interface is the bridge itself

#ZONE	INTERFACE	BROADCAST	OPTIONS
# lan is the bridge itself (eth0 plus qemu0-qemu9), not its member interfaces.
# NOTE(review): the 'dhcp' option is what lets a DHCP server on the firewall
# answer requests regardless of policy; with the all/all ACCEPT policy in
# /etc/shorewall/policy it is not needed on br0, but add it if the policies
# are ever tightened.
lan	br0		detect		
# wlan0 is the uplink; 'dhcp' because the laptop obtains its address there.
wlan	wlan0		detect		dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/masq

#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
# Traffic from the bridge leaving via wlan0 is masqueraded behind wlan0's
# (dhcp-assigned) address, so the 192.168.200.0/24 hosts appear as the laptop.
wlan0			br0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/policy - currently allows everyone to talk to everyone - I assume you'd need to set up port forwards in the rules file to allow wlan-side clients to reach machines in the bridge

#SOURCE		DEST		POLICY		LOG		LIMIT:BURST
#						LEVEL
# Everything is allowed in every direction. Because of the masq entry, wlan
# hosts can only reach lan hosts through explicit port forwards anyway.
lan		wlan		ACCEPT
wlan		lan		ACCEPT
lan		fw		ACCEPT
# NOTE(review): wlan -> fw ACCEPT exposes every service bound on the laptop
# (named, dhcpd, anything else listening) to the wireless network. If that
# is not intended, use a REJECT policy here and open only the needed ports
# in /etc/shorewall/rules.
wlan		fw		ACCEPT		
fw		lan		ACCEPT
fw		wlan		ACCEPT
# Catch-all; the REJECT variant is kept commented for a stricter setup.
#all		all		REJECT		info
all		all		ACCEPT
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/zones

#ZONE	TYPE		OPTIONS		IN			OUT
#					OPTIONS			OPTIONS
# fw is the laptop itself; lan is the bridge (br0) zone; wlan is the
# wireless uplink zone. The zones are bound to interfaces in
# /etc/shorewall/interfaces.
fw	firewall
lan	ipv4
wlan	ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE