NixOS Wiki

Internet Connection Sharing: Difference between revisions

← Older edit
Visual
imported>Onny
mNo edit summary
Raboof (talk | contribs)
15 edits
Share via ethernet: sharing with NetworkManager: very easy, as long as you update the firewall accordingly
 
(8 intermediate revisions by 6 users not shown)
Line 11: Line 11:
sudo create_ap wlan0 eth0 MyAccessPoint
sudo create_ap wlan0 eth0 MyAccessPoint
</syntaxhighlight>
</syntaxhighlight>
Here <code>eth0</code> is the ethernet interface connected to the internet, and <code>wlan0</code> is the wifi interface to share the internet connection with a wifi hotspot. However, these names may not be the same on your system. To check the name of your hardware interface use the command <code>ifconfig</code> or <code>ifconfig | grep ^[^:]*:</code> It will list network adapters on your system. Then modify command accordingly <code>sudo create_ap <wifiInterfaceName> <ethernetInterfaceName> MyAccessPoint <Password></code>


=== Configuration ===
=== Configuration ===


Persistent share an existing internet connection of a wired interface <code>eth0</code> using a wifi hotspot on <code>wlan0</code> with the access point name <code>My Wifi Hotspot</code>. The network is protected with a simple WPA2 pre-shared key <code>12345678</code>.
Persistently share an existing internet connection of a wired interface <code>eth0</code> using a wifi hotspot on <code>wlan0</code> with the access point name <code>My Wifi Hotspot</code>. The network is protected with a simple WPA2 pre-shared key <code>12345678</code>.


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
Line 30: Line 32:
== Share via ethernet ==
== Share via ethernet ==


=== Usage ===
=== Method 1: NetworkManager ===
In NetworkManager, you can share an existing internet connection of a wireless interface <code>wlan0</code> to clients connected on a ethernet device <code>eth0</code> by setting the connection type of the <code>eth0</code> interface to 'Shared'. This will start a dnsmasq DHCP server. You'll have to expose ports 53 and 67 in <code>networking.firewall.allowedUDPPorts</code>, and then you can connect using regular DHCP from the device connected via the cable in <code>eth0</code>.


Share an existing internet connection of a wireless interface <code>wlan0</code> to clients connected on a ethernet device <code>eth0</code>.
=== Method 2: manual setup ===
 
Share an existing internet connection of a wireless interface <code>wlan0</code> to clients connected on a ethernet device <code>eth0</code>. Make sure you've got TCP and UDP port <code>53</code> for the dnsmasq DHCP server opened in your [[Firewall]].


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
Line 43: Line 48:


# Enable NAT for leaving packets
# Enable NAT for leaving packets
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
nft add table ip nat
nft add chain ip nat POSTROUTING { type nat hook postrouting priority 100 \; }
nft add rule nat POSTROUTING oifname wlan0 masquerade


# Start dnsmasq for DHCP
# Start dnsmasq for DHCP
Line 53: Line 60:
ip addr del 10.0.0.1/24 dev eth0
ip addr del 10.0.0.1/24 dev eth0
ip link set down eth0
ip link set down eth0
iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
# Get handle_number with: nft -a list table nat
nft delete rule nat POSTROUTING handle <handle_number>
</syntaxhighlight>
 
=== Method 3: declarative setup ===
 
Persistently share an existing internet connection on interface <code>wlan0</code> to clients connected on an ethernet interface <code>eth0</code>. Tested where <code>wlan0</code> is a wireless interface, but it should work with a different ethernet interface as well. You do not need to manually open port 53.
 
<syntaxhighlight lang="nix">
# Set a static IP on the "downstream" interface
networking.interfaces."eth0" = {
  useDHCP = false;
  ipv4.addresses = [{
    address = "10.0.0.1";
    prefixLength = 24;
  }];
};
networking.firewall.extraCommands = ''
  # Set up SNAT on packets going from downstream to the wider internet
  iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
 
  # Accept all connections from downstream. May not be necessary
  iptables -A INPUT -i enp2s0 -j ACCEPT
'';
# Run a DHCP server on the downstream interface
services.kea.dhcp4 = {
  enable = true;
  settings = {
    interfaces-config = {
      interfaces = [
        "eth0"
      ];
    };
    lease-database = {
      name = "/var/lib/kea/dhcp4.leases";
      persist = true;
      type = "memfile";
    };
    rebind-timer = 2000;
    renew-timer = 1000;
    subnet4 = [
      {
        id = 1;
        pools = [
          {
            pool = "10.0.0.2 - 10.0.0.255";
          }
        ];
        subnet = "10.0.0.1/24";
      }
    ];
    valid-lifetime = 4000;
    option-data = [{
      name = "routers";
      data = "10.0.0.1";
    }];
  };
};
</syntaxhighlight>
 
For nftables, the equivalent of the iptables rules in <code>networking.firewall.extraCommands</code> above is the following.
 
<syntaxhighlight lang="nix">
networking.nftables.ruleset = ''
  table ip nat {
    chain POSTROUTING {
      type nat hook postrouting priority 100;
      oifname "wlp2s0" counter masquerade
    }
  }
  table ip filter {
    chain INPUT {
      iifname "enp3s0" counter accept
    }
  }
'';
</syntaxhighlight>
</syntaxhighlight>


[[Category:Networking]]
[[Category:Networking]]
[[Category:Tutorial]]
Retrieved from "https://wiki.nixos.org/wiki/Internet_Connection_Sharing"