APC Australia

Route traffic between networks using a Pi

Sean Conway provides the network theory along with all the configuration details to turn a Pi into a router, keeping you busy during lockdown.


This tutorial grew out of a deep dive into Pi networking solutions. The goal was to uncover a Pi configuration that would route network traffic from a wired network to a wireless network; in other words, to build a network router using a Raspberry Pi. The Pi router is responsible for moving network traffic between a wired Ethernet network and a wireless Wi-Fi network.

The Ethernet network is a local area network (LAN) with hosts (PCs) connected. The Wi-Fi connects to a larger network via a network access point (AP). A router is required to move traffic between the two networks. We’re going to build that routing device while exploring the network theory. Strap in, people!

The Pi router will use a number of networking services. The LAN side of the Pi will require DHCP services to provide hosts with private IP addresses when they connect. The Wi-Fi side of the Pi will need to be configured to connect to an AP in the other network. Because the wired and wireless networks are separate, the Pi needs to route traffic between these two network interfaces. The network address translation (NAT) service will be used to route the LAN network traffic back and forth to the Wi-Fi network.

Internet protocol (IP) basics

Before examining the Pi configuration, let’s review some of the networking theory involved. We’ll start by introducing some IP address concepts. An IP address is the convention used to identify (address) devices in a network that uses the transmission control protocol/internet protocol (TCP/IP). The IP address provides the same function for network devices that your postal address provides for delivering a letter or parcel. Each device on a network must have a unique IP address, and each network must have a unique network number, if the network traffic is to be transported correctly.

The TCP/IPv4 standard specifies that each device in a network be identified by a unique 32-bit binary number. Computers start counting from zero (0), so bits 0 to 31 make 32 bits in all. The 32-bit binary number is broken into four eight-bit groups called octets. Because a binary address is awkward for people to work with, each octet is written as a decimal number using the digits zero to nine, in a format called dotted decimal notation.

The 32 bits are divided into two components: the network ID bits and the host ID bits. The subnet mask masks out the bits that represent the network ID part of the binary number; the remaining bits represent the host ID.

Key devices on a network

Networking devices are designed to operate on the Protocol Data Unit (PDU) found at a specific layer of the OSI network model. IP addressing is the address format for PDUs found at the network layer. Routers look at the IP address to determine where to route PDUs. A router that’s responsible for getting PDUs in and out of the local network is called the default gateway.

Routers are only interested in finding networks, not the hosts in the networks. When a router receives a PDU, it uses the subnet mask to determine what network the PDU is destined for. The combination of the IP address and the subnet mask, which identifies the network portion of the IP address, is what enables network traffic to be routed correctly across different networks.

A router finds other networks by talking to other routers. Routers talk to each other using a routing protocol. Using this protocol, the routers exchange details about the networks they know about. The routes (the path to take from source to destination) are stored in a routing table. When a router receives a PDU, it uses the routing table to determine the best route to use for delivering the PDU to the destination.
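As an added example (not code from the article), here is the subnet-mask arithmetic from the IP basics section and the routing-table lookup just described, written in Python with plain bit operations. The LAN, Wi-Fi network and routing table are constructed for illustration.

```python
# Added example, not from the article: the 32-bit address arithmetic the text
# describes, using plain integer bit operations. The LAN (192.168.4.0/24),
# Wi-Fi network (10.0.0.0/8) and routing table are constructed for illustration.

def parse_dotted(addr: str) -> int:
    """Convert dotted decimal notation to the underlying 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)             # only the digits 0-9 are accepted here
        if not 0 <= n <= 255:      # each octet is eight bits wide
            raise ValueError(f"octet out of range: {octet!r} in {addr!r}")
        value = (value << 8) | n
    return value

def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def network_id(addr: str, mask: str) -> str:
    """Mask out the host bits; what remains is the network ID a router looks at."""
    return to_dotted(parse_dotted(addr) & parse_dotted(mask))

def host_id(addr: str, mask: str) -> str:
    """The bits the mask does not cover identify the host inside that network."""
    return to_dotted(parse_dotted(addr) & ~parse_dotted(mask) & 0xFFFFFFFF)

def same_network(a: str, b: str, mask: str) -> bool:
    """True when two addresses share a network ID under the given subnet mask."""
    return network_id(a, mask) == network_id(b, mask)

# Constructed routing table for the Pi: (network, subnet mask, next hop or interface).
ROUTES = [
    ("192.168.4.0", "255.255.255.0", "eth0"),   # directly attached wired LAN
    ("10.0.0.0", "255.0.0.0", "wlan0"),         # the Wi-Fi network
    ("0.0.0.0", "0.0.0.0", "10.0.0.1"),         # default route: the Wi-Fi AP
]

def route_for(dest: str):
    """Pick the most specific route (longest mask) whose network contains dest."""
    best = None
    for net, mask, hop in ROUTES:
        if network_id(dest, mask) == net:
            if best is None or parse_dotted(mask) > parse_dotted(best[1]):
                best = (net, mask, hop)
    return best[2] if best else None
```

The default route with an all-zero mask matches every destination, which is why the lookup keeps the route with the longest mask rather than the first match.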

There are two addressing mechanisms in play to move a PDU from source to destination. We’ve already introduced IP addressing. The second is media access control (MAC) addressing. In some circles, MAC is referred to as physical addressing because it can physically be found on network interfaces. IP addressing operates at the network layer of the OSI model. MAC addressing operates at the data-link layer.

The diagram shows only the addressing headers associated with a PDU. The goal is to move a PDU from Host_X (green IP address) on one network to Host_Y (blue IP address) in another network. Two routers are in place between the networks. They’ve been exchanging their routing tables long before our PDUs arrive. The routers know about each other and how to move network traffic using the information in the routing tables. The different colours mark the source and destination addresses at each PDU layer of the header as the PDUs move across the networks.

The physical address (MAC) of the PDU changes as the data unit moves through routers, but the network-layer IP address remains the same. The network interface cards in each unit use the physical address to move the PDU. The IP address remains the same to ensure the PDU is delivered from the source to the destination.

The routers only examine the IP address and consult their routing tables to decide the next hop that brings the PDU one network closer to the destination host’s network.

The PDU that contains the physical address is called a frame. The PDU that contains the IP address is called a packet. It’s not uncommon for documentation to refer to all PDUs as packets, which can add confusion. Frames are moved across a network, and there are different kinds of frames depending on the technology used in the physical network. Inside the frames are the packets that routers examine in order to route them.

Managing network traffic

Dynamic host configuration protocol (DHCP) is a service that automates the management of IP addressing. DHCP distributes IP addresses and other IP details, like the default gateway IP address, to hosts on a network. Remember that the default gateway is the router that hosts use to get out of their network. The majority of local area networks (LANs) today rely on DHCP to provide IP configuration details to hosts.

PDUs for delivery are tagged with source and destination IP addresses, packaged in a PDU with MAC addresses and then transmitted over the network. Routers along the network path from source to destination are responsible for checking the destination address of the PDU and performing routing to ensure the data is delivered to the correct final destination. At the destination, the data is removed from the packaging and delivered.

A DHCP server assigns unique IP addresses to hosts (i.e. devices) that make requests. DHCP also provides the IP address of the default gateway for the network and the IP addresses of the DNS servers that take responsibility for translating human-readable names into the IP addresses used to move PDUs.

To enable network PDU traffic to move between network interfaces in our Pi, forwarding would need to be enabled. Having a device span multiple networks is not a good idea because it creates a network security concern. If the device becomes compromised by bad guys, then they’ll have access to those networks.

Security on a network

Enabling forwarding on a device that spans networks requires a special router called a firewall. A firewall placed between the networks provides some isolation, and is a service that uses a set of defined rules to determine if traffic (PDUs) is allowed to pass. A default gateway on a network may also be a firewall. Since this device manages network traffic in and out of the network, it can use the rules to filter undesirable traffic.

In this Pi project we’re using the firewall service called iptables. This is a firewall utility built for Linux operating systems. iptables comes pre-installed with Raspbian O/S. Remember, PDUs are moving through networks carrying user data. iptables is a command-line firewall service that uses policy chains containing rules to filter incoming and outgoing data PDUs.

We’ll use the command line to configure iptables. There are GUI tools that can be used to configure iptables, but Raspbian doesn’t support a GUI so this tutorial will provide a few of the commands needed to establish a configuration for the Pi project. You need to be

Figure: Adding bit zero results in 32 bits – this is in no way confusing.

Figure: Network symbols in a block diagram of the project.
