is wpa_supplicant possible on bridged interface?

Jouni Malinen jkmaline at cc.hut.fi
Sun Feb 5 22:14:56 EST 2006


On Sun, Feb 05, 2006 at 10:02:21PM -0500, Bryan Kadzban wrote:

> I can't speak for the OP, but I do know how Linksys does this in their
> workgroup bridge + 5-port switch product (the WET54GS5).  This device
> runs Linux, and has the sources for the official Linksys firmware
> available.  They run an extra "macnat" iptables patch, which appears to
> make the device function in a similar manner to a router (i.e. all
> frames headed out its wireless interface get NATed at the MAC layer).
> But it's not exactly a router, because broadcast frames are still forwarded.

Devicescape has implemented similar (I would assume) MAC layer NAT. I
have to admit I don't remember anymore what we did with wpa_supplicant,
but I'm pretty sure this was working with WPA/WPA2, so I would assume
there is a workaround that allows a bridged interface to work. If this is
indeed what is being asked here, I can do a bit cleaner implementation
of this for wpa_supplicant so that it can be used in a similar way as
the bridge option is used when hostapd is operating with the madwifi
driver.

> (However, I should note that this product seems to have issues; it seems
> to reset its wireless interface from time to time, and there may be
> other issues I'm forgetting about.  I don't know whether the issues are
> caused by the macnat stuff or not; they may be caused by a dodgy power
> supply in the two units that we bought.  But we don't use them anymore
> at work, either; we just use a "real" router instead.  We put a wireless
> NIC in the PC, and just have it route between that interface and
> anything plugged into its wired NIC.)

In theory, MAC layer NATting is doable and if the implementation is
stable, it can even work quite reliably. Though, there are some
protocols that are somewhat difficult to handle. In other words, there
may be a need for protocol-specific extensions in the same way as in IP
layer NAT.

-- 
Jouni Malinen                                            PGP id EFC895FA


