Multi-Interface Router
This lab extends the routing configuration from the previous lab so the Raspberry Pi can route traffic from multiple local networks to the internet.
In the routing lab, the Raspberry Pi forwarded traffic from wlan1 (hotspot network) to wlan0 (internet connection).
Now we will add Ethernet (eth0) as a second LAN interface.
This makes the Raspberry Pi behave more like a real router capable of connecting multiple local networks to a single upstream connection.
We will:
- add eth0 as a second LAN interface
- configure a new subnet for Ethernet clients
- extend DHCP configuration
- extend routing rules
- verify multi-interface routing
- test routing between LAN interfaces
- experiment with packet isolation using firewall rules
Router model
Previously, the Raspberry Pi routed traffic from one LAN:
wlan1 → router → wlan0
Now the Pi will route traffic from two LAN interfaces:
eth0 →\
→ Linux router → wlan0 → Internet
wlan1 →/
This is a multi-interface router, similar to many real networking devices that connect multiple LANs to one WAN.
Network architecture
flowchart TD
A[Ethernet client] --> B[eth0]
C[Wi-Fi client] --> D[wlan1 AP]
B --> E[Linux routing]
D --> E
E --> F[iptables NAT]
F --> G[wlan0]
G --> H[Internet]
Step 1 — Configure Ethernet interface
Assign a gateway address to eth0.
This creates a second local network connected to the router. The Ethernet interface now represents a new LAN separate from the wireless hotspot network.
Step 2 — Update DHCP configuration
Edit:
sudo vim /etc/dnsmasq.d/hotspot.conf
Update to include both LAN interfaces:
interface=wlan1
dhcp-range=192.168.10.50,192.168.10.150,12h
interface=eth0
dhcp-range=192.168.20.50,192.168.20.150,12h
Restart dnsmasq:
The DHCP server now serves two independent subnets. Each interface must use a different network range so the router can correctly forward packets between networks.
Step 3 — Add forwarding rules for Ethernet
sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
These rules allow Ethernet traffic to be routed through the Raspberry Pi to the internet, just like the wireless hotspot traffic in the previous lab.
Step 4 — NAT remains unchanged
Network Address Translation still occurs only when packets leave via the WAN interface (wlan0). Both LAN networks share this single upstream connection.
Verification
Plug a device into the Raspberry Pi Ethernet port.
Check the assigned IP:
192.168.20.x
Test connectivity:
Inter-LAN routing test
Devices connected via Ethernet should be able to communicate with devices connected via Wi-Fi.
Example:
Ethernet client:
192.168.20.50
Wi-Fi client:
192.168.10.60
Test from Ethernet:
Test from Wi-Fi:
The Raspberry Pi routes packets between the Ethernet and wireless LAN networks. NAT is not used here because both networks are local. NAT only occurs when traffic leaves via the WAN interface (wlan0).
Testing specific interfaces
When a system has multiple network interfaces, the ping command can specify which interface to use.
Example:
The -I option forces ping to use a specific interface. This helps verify routing behaviour in multi-interface systems.
What we built
The Raspberry Pi now acts as a multi-interface router.
| Interface | Role | Network |
|---|---|---|
| wlan1 | Wi-Fi LAN | 192.168.10.0/24 |
| eth0 | Ethernet LAN | 192.168.20.0/24 |
| wlan0 | WAN | eduroam |
Both LAN networks are routed through the same gateway.
Inspecting the routing table
The Linux routing table determines how packets are forwarded between interfaces.
Display the routing table:
You should see entries similar to:
192.168.10.0/24 dev wlan1 proto kernel scope link
192.168.20.0/24 dev eth0 proto kernel scope link
default via <eduroam-gateway> dev wlan0
The routing table shows that the Raspberry Pi has two directly-connected local networks and one default route through wlan0. When packets arrive on one LAN destined for another LAN, the kernel forwards them using these routes.
Observing traffic with tcpdump
We can observe packets moving between interfaces using tcpdump.
Open two terminals on the Raspberry Pi.
Monitor Ethernet traffic:
Monitor Wi-Fi LAN traffic:
Now generate traffic from a client:
ping 8.8.8.8
You should see packets appear on both interfaces.
tcpdump allows us to observe packets entering and leaving network interfaces. When a client sends traffic to the internet, packets arrive on the LAN interface and are then forwarded to the WAN interface by the router.
Optional observation: inter-LAN routing
Run:
Then from a Wi-Fi client:
ping 192.168.20.1
You should see ICMP packets routed between networks.
This demonstrates that the Raspberry Pi is forwarding packets between LAN interfaces, not just between LAN and WAN.
Firewall targets explained
Before continuing, we need to understand how iptables targets control packet behaviour; see man iptables for more information:
DROP silently discards a packet. The sender receives no response, which usually appears as a timeout.
RETURN stops processing rules in the current chain and resumes processing in the calling chain.
Isolation experiment preview
sudo iptables -A FORWARD -i wlan1 -o eth0 -j DROP
sudo iptables -A FORWARD -i eth0 -o wlan1 -j DROP
These rules prevent communication between the Ethernet LAN and the Wi-Fi LAN while still allowing both networks to access the internet.
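Rules in a chain are checked in order and the first match decides, so the appended DROP rules isolate the two LANs only if nothing earlier in FORWARD accepts that traffic. The script below is an added example (not part of the original lab) that evaluates a rule listing that way; the wlan1 rules from the previous lab, the ACCEPT policy and the function names are assumptions.

```shell
#!/bin/sh
# Added example: evaluate a FORWARD chain the way iptables does (first match
# wins) for the first packet of a NEW connection. Simplified: only -i, -o,
# --state/--ctstate and -j are interpreted; addresses and ports are ignored.

# Constructed sample in `iptables -S FORWARD` format: this lab's rules plus
# assumed wlan1 rules from the previous lab and a default ACCEPT policy.
sample_rules() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i wlan1 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan1 -o eth0 -j DROP
-A FORWARD -i eth0 -o wlan1 -j DROP
EOF
}

# forward_verdict IN_IF OUT_IF   (rule listing on stdin)
forward_verdict() {
  awk -v in_if="$1" -v out_if="$2" '
    $1 == "-P" { policy = $3; next }
    $1 == "-A" {
      i = ""; o = ""; tgt = ""; est_only = 0
      for (n = 3; n <= NF; n++) {
        if ($n == "-i") i = $(n + 1)
        else if ($n == "-o") o = $(n + 1)
        else if ($n == "-j") tgt = $(n + 1)
        else if ($n == "--state" || $n == "--ctstate") est_only = ($(n + 1) !~ /NEW/)
      }
      if (i != "" && i != in_if) next      # wrong ingress interface
      if (o != "" && o != out_if) next     # wrong egress interface
      if (est_only) next                   # never matches a NEW packet
      if (tgt == "ACCEPT" || tgt == "DROP" || tgt == "REJECT") {
        print tgt; decided = 1; exit
      }
    }
    END { if (!decided) print "policy:" policy }
  '
}

# Print the verdict for each direction through the router.
for pair in "eth0 wlan0" "wlan1 wlan0" "wlan1 eth0" "eth0 wlan1" "wlan0 eth0"; do
  set -- $pair
  printf '%-6s -> %-6s %s\n' "$1" "$2" "$(sample_rules | forward_verdict "$1" "$2")"
done
```

On the Pi, pipe the live chain in instead of the sample: `sudo iptables -S FORWARD | forward_verdict wlan1 eth0`. A result of `policy:ACCEPT` for wlan0 to eth0 means new connections from the WAN side are decided by the chain policy, not by the RELATED,ESTABLISHED rule.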
Summary
The Raspberry Pi now acts as a multi-interface router connecting two LAN networks to one WAN connection. This configuration mirrors real router behaviour, where several LAN interfaces connect through one WAN interface. Firewall rules can now be used to control communication between networks.