Wired to Wireless Bridge in Fedora 22 with Firewalld

I’ve been banging my head against a wall trying to get this working and am writing it down in case I need to do it again and in case it helps someone else.

I have a host ‘A’ with wifi and a cat5 ethernet port. I have other hosts (actually, a set of surveillance cameras) that are wired only. These cameras want to talk to the internet. Making that happen through the host ‘A’ wireless was the goal.

Enable Forwarding

This tells you how.

Enable DHCPD

My dhcpd.conf file is as follows:

# Private subnet handed out on the wired interface
subnet 192.168.2.0 netmask 255.255.255.0 {
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    option routers 192.168.2.1;          # host 'A' wired address, the cameras' default gateway
    option subnet-mask 255.255.255.0;
    range 192.168.2.10 192.168.2.100;    # leases handed to the cameras
}

Note that I have Google’s DNS servers in there. I would have preferred to forward the servers from the wired DHCP, but had trouble (as have others on the interweb.) You also need to bind your wired interface to 192.168.2.1 (or whatever private IP space you choose) and I forgot what I did to do that, but it’s not hard.

Mess with firewalld

(Most of the posts on the internet say to abandon it and revert to iptables. That might be the right thing to do. Certainly firewalld is badly documented.) In any event, bring up the firewall GUI.

  • Put the wireless interface in the ‘trusted’ zone. (I tried ‘external’ zone, but I think there’s other things I would need to do to get that to work.)
  • Turn on ‘Masquerade’ for the ‘trusted’ zone. This needs to be ‘permanent’. See the drop down at the top. (It’s unclear whether this actually does anything; it doesn’t seem to do anything on its own.)

It’s arguably easier to do both of those at the command line.

This link gave me the two crucial commands I’d been missing.

  • sudo firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i enp1s0 -o wlp2s0 -j ACCEPT
  • sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o wlp2s0 -j MASQUERADE

‘wlp2s0’ is my wireless interface; ‘enp1s0’ is my wired interface.

(If you use the ‘--permanent’ flag you get around the issue the link has of having to run the commands after firewalld starts.)
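The whole procedure above, written up as a small shell script. This is an added example, not code from the original post: it builds the two direct passthrough rules for a given wired/wireless pair, prints the plan so it can be reviewed before anything is applied, and checks a saved rule listing plus the ip_forward value afterwards. It assumes `firewall-cmd --permanent --direct --get-all-passthroughs` prints one rule per line as "<ipv> <iptables args>", and the interface names default to the post's enp1s0 and wlp2s0.

```shell
#!/bin/sh
# Added example (not from the original post): wired -> wireless NAT setup
# with firewalld direct rules, plus a post-apply sanity check.
# Assumption: the passthrough listing format is "<ipv> <iptables args>", one per line.

forward_rule() {   # $1 = wired (camera LAN) iface, $2 = wireless (uplink) iface
    printf 'ipv4 -I FORWARD -i %s -o %s -j ACCEPT' "$1" "$2"
}

masquerade_rule() {   # $1 = wireless (uplink) iface
    printf 'ipv4 -t nat -I POSTROUTING -o %s -j MASQUERADE' "$1"
}

# Print the commands that would be run, one per line, for review before applying.
plan() {   # $1 = wired, $2 = wireless
    printf 'firewall-cmd --permanent --direct --passthrough %s\n' "$(forward_rule "$1" "$2")"
    printf 'firewall-cmd --permanent --direct --passthrough %s\n' "$(masquerade_rule "$2")"
    printf 'firewall-cmd --reload\n'
}

# Return 0 if a passthrough listing contains both rules exactly (right
# interfaces, right direction), 1 otherwise.
check_listing() {   # $1 = listing text, $2 = wired, $3 = wireless
    printf '%s\n' "$1" | grep -Fqx -- "$(forward_rule "$2" "$3")" || return 1
    printf '%s\n' "$1" | grep -Fqx -- "$(masquerade_rule "$3")" || return 1
    return 0
}

# Without forwarding enabled the FORWARD rule never sees a packet.
forwarding_enabled() {   # $1 = value of net.ipv4.ip_forward
    [ "$1" = "1" ]
}

if [ "${1:-}" = "apply" ]; then
    # Real run: needs root and a running firewalld. Persist ip_forward via
    # a file in /etc/sysctl.d/ as well; sysctl -w alone is lost at reboot.
    plan "${WIRED:-enp1s0}" "${WIFI:-wlp2s0}" | while IFS= read -r cmd; do $cmd; done
    sysctl -w net.ipv4.ip_forward=1
    check_listing "$(firewall-cmd --permanent --direct --get-all-passthroughs)" \
        "${WIRED:-enp1s0}" "${WIFI:-wlp2s0}" && echo "both rules present"
    forwarding_enabled "$(sysctl -n net.ipv4.ip_forward)" && echo "forwarding on"
fi
```

Run it with no arguments to load the functions only, or with `apply` to execute the plan; `WIRED=... WIFI=...` override the interface names.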
