[BPI-R2 new image] debian 10 buster image with Kernel 4.19.62

it works! thx a lot, I can't say I understand everything I did to make the routing work:

ipt=/sbin/iptables
if_wan=wan
${ipt} -t nat -A POSTROUTING -o ${if_wan} -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

then I executed wifi.sh; my devices can connect to the AP and have internet access.

not the case, thx. You really did great work with that debian image. Is there a way to make a little donation to you?

Best donation is helping me get things to work :slight_smile: testing different things, making reproducible reports and trying to fix them

PLEASE DO NOT FOLLOW WHAT I DID HERE, FOR SOME REASON I RAN INTO ISSUES, BUT KEEP READING.

Hi frank-w, I finished configuring the whole ethernet/wifi/access-point setup for my BPI-R2. Here is my summary:

  • yellow is the cable connected to a modem (not a router)
  • the blue is some cable to other device
  • the black is the access point
    • (for the access-point I use your scripts)

I bridged both eth0 and eth1 together,

  • the following is the complete /etc/network/interfaces:
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
  pre-up ip link set $IFACE up
  post-down ip link set $IFACE down

auto eth1
iface eth1 inet manual
  pre-up ip link set $IFACE up
  post-down ip link set $IFACE down

auto wan
iface wan inet manual
auto lan0
iface lan0 inet manual
auto lan1
iface lan1 inet manual
auto lan2
iface lan2 inet manual
auto lan3
iface lan3 inet manual

auto br0
iface br0 inet static
    address 192.168.40.1
    netmask 255.255.255.0
    bridge_ports wan lan0 lan1 lan2 lan3
    bridge_fd 5
    bridge_stp no


source-directory /etc/network/interfaces.d
  • the following is the complete /etc/dnsmasq.d/interfaces.conf:
interface=wlan1
interface=ap0

no-dhcp-interface=eth0
no-dhcp-interface=eth1

dhcp-range=ap0,192.168.10.100,192.168.10.150,255.255.255.0,48h
dhcp-option=ap0,3,192.168.10.1
dhcp-range=wlan1,192.168.11.100,192.168.11.150,255.255.255.0,48h
dhcp-option=wlan1,3,192.168.11.1
  • the following is the complete start.sh script I run at boot:
#!/bin/bash
ipt=/sbin/iptables
if_wan=wan
${ipt} -t nat -A POSTROUTING -o ${if_wan} -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

wifi.sh

dhclient

feel free to add it to your wiki as an example for your debian image. I will redo the whole configuration from scratch to figure out if something is missing

Why? Btw. bridging wan and lan together is a very bad idea when directly connected to the internet…

And you need a firewall :slight_smile: NAT is not for security

hi, it doesn't work anymore… I do not understand… I got the blue plugged into lan0 and yellow into wan and got internet on the PC connected using the blue cable… no, I just don't understand… I'm back at the step where I can connect to the internet using the ap only…

because I want to forward internet (wan) to lanX… but anyway, as said, it doesn't work anymore :frowning_face: if you can tell me how to do it, otherwise I'm starting to run out of ideas about how to fix that…

Only bridge the lan-ports… not wan, not ethX

First test is if you got internet on r2 itself… then on the client. If it works on r2 and not on the client, try to ping r2 from the client, then traceroute/tracert.

ok

yes I can ping 8.8.8.8

  • I can ping two machines connected to br0 (lanX only)
  • I can ping two machines connected to ap0
  • ping fails when I try between a machine connected to br0 and another one connected to ap0
  • I can ping the internet from any machine connected to ap0
  • pinging the internet fails when I try from any machine connected to br0

traceroute results:

  • from ap0,
[user@motorhead ~]$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (192.168.10.1)  1.707 ms  1.741 ms  2.182 ms
 2  * * *
 3  10.170.192.53 (10.170.192.53)  39.722 ms  39.647 ms  39.944 ms
 4  135.0.255.17 (135.0.255.17)  39.663 ms 135.0.255.5 (135.0.255.5)  39.879 ms  38.959 ms
 5  te0-0-1-0.nr11.b029490-1.ymq02.atlas.cogentco.com (38.104.154.105)  40.502 ms  39.896 ms  39.871 ms
 6  te0-0-2-2.agr11.ymq02.atlas.cogentco.com (154.24.16.53)  40.697 ms te0-0-2-2.agr12.ymq02.atlas.cogentco.com (154.24.16.57)  32.577 ms te0-0-2-2.agr11.ymq02.atlas.cogentco.com (154.24.16.53)  27.217 ms
 7  be3381.rcr21.ymq02.atlas.cogentco.com (154.54.41.221)  27.115 ms  27.064 ms  27.015 ms
 8  tata.ymq02.atlas.cogentco.com (154.54.10.206)  23.460 ms  31.679 ms  30.983 ms
 9  209.85.149.230 (209.85.149.230)  32.247 ms  32.207 ms  32.143 ms
10  108.170.251.49 (108.170.251.49)  32.066 ms  31.957 ms 108.170.251.1 (108.170.251.1)  31.954 ms
11  108.170.231.61 (108.170.231.61)  32.733 ms 108.170.231.63 (108.170.231.63)  32.693 ms 108.170.231.65 (108.170.231.65)  11.397 ms
12  dns.google (8.8.8.8)  15.495 ms  24.930 ms  24.197 ms

Then I disconnected from ap0 and connected to br0

  • from br0,
[user@motorhead ~]$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  motorhead.local (192.168.40.132)  3034.332 ms !H  3034.232 ms !H  3034.178 ms !H

note: I did the tests with different laptops; you see motorhead was used here to make it easy to copy+paste…

does that talk to you? coz I'm lost…

Is r2 pingable from the br0-client? Do you have a default route on your clients (dhcp?)? As you ping an IP, it is not a DNS problem

yes I can ping R2 from the br0-client. I can also ssh to it

  • from br0-client:
[user@motorhead ~]$ ip route # client ip is 192.168.40.132
default via 192.168.40.10 dev enp0s25 proto dhcp metric 20100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.40.0/24 dev enp0s25 proto kernel scope link src 192.168.40.132 metric 100
  • from ap0-client:
[user@satyricon ~]$ ip route # client ip is 192.168.10.125
default via 192.168.10.1 dev wlp3s0 proto dhcp metric 600 
192.168.10.0/24 dev wlp3s0 proto kernel scope link src 192.168.10.125 metric 600

from r2 itself:

root@bpi-r2:~# ip route
default via x.0.x.113 dev wan 
x.0.x.112/28 dev wan proto kernel scope link src x.0.x.117 
x.0.x.112/28 dev br0 proto kernel scope link src x.0.x.115 
x.0.x.112/28 dev lan0 proto kernel scope link src x.0.x.115 
192.168.10.0/24 dev ap0 proto kernel scope link src 192.168.10.1 
192.168.40.0/24 via 192.168.40.1 dev br0

note: about R2's routing table, I don't have experience dealing with that, but I have the feeling the problem comes from here. I tried a lot of ip route add commands, so if there is anything which looks weird it may be because of me…

Are the first 3 entries of r2's routing table the same subnet (they should not be)? Else I wonder about the entry with lan0; I expect this is in the bridge…

How does "ip a" look on r2?

possibly I mangled the route table…

I rebooted,

  • here is the result of the ip route show command:
root@bpi-r2:~# ip route show
default via XYZ.ABC.DEF.209 dev wan 
XYZ.ABC.DEF.208/28 dev wan proto kernel scope link src XYZ.ABC.DEF.218 
192.168.10.0/24 dev ap0 proto kernel scope link src 192.168.10.1 
192.168.40.0/24 dev br0 proto kernel scope link src 192.168.40.1 
  • here is the result of the ip a command:
root@bpi-r2:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:02:02:02:02:02 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2:2ff:fe02:202/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fe:cc:99:08:3f:ca brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fccc:99ff:fe08:3fca/64 scope link 
       valid_lft forever preferred_lft forever
4: wan@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:cc:99:08:3f:ca brd ff:ff:ff:ff:ff:ff
    inet XYZ.ABC.DEF.218/28 brd 255.255.255.255 scope global dynamic wan
       valid_lft 2696sec preferred_lft 2696sec
    inet6 fe80::fccc:99ff:fe08:3fca/64 scope link 
       valid_lft forever preferred_lft forever
5: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 02:02:02:02:02:02 brd ff:ff:ff:ff:ff:ff
6: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br0 state LOWERLAYERDOWN group default qlen 1000
    link/ether 02:02:02:02:02:02 brd ff:ff:ff:ff:ff:ff
7: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br0 state LOWERLAYERDOWN group default qlen 1000
    link/ether 02:02:02:02:02:02 brd ff:ff:ff:ff:ff:ff
8: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br0 state LOWERLAYERDOWN group default qlen 1000
    link/ether 02:02:02:02:02:02 brd ff:ff:ff:ff:ff:ff
9: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 02:02:02:02:02:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.40.1/24 brd 192.168.40.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::2:2ff:fe02:202/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:08:22:f2:11:fc brd ff:ff:ff:ff:ff:ff
11: ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:08:22:f2:11:fc brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 scope global ap0
       valid_lft forever preferred_lft forever
    inet6 fe80::8:22ff:fef2:11fc/64 scope link 
       valid_lft forever preferred_lft forever
  • my current /etc/dnsmasq.d/interfaces:
interface=wlan1 # not sure that is needed because I have nothing for eth0
interface=ap0
interface=br0

# DHCP-Server not active for Interface

#dhcp-authoritative
dhcp-range=br0,192.168.40.100,192.168.40.150,255.255.255.0,48h
dhcp-option=br0,3,192.168.40.10
dhcp-range=ap0,192.168.10.100,192.168.10.150,255.255.255.0,48h
dhcp-option=ap0,3,192.168.10.1
dhcp-range=wlan1,192.168.11.100,192.168.11.150,255.255.255.0,48h
dhcp-option=wlan1,3,192.168.11.1
# note: above I have wlan1 but nothing about eth0
  • my current /etc/network/interfaces:
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
  pre-up ip link set $IFACE up
  post-down ip link set $IFACE down

auto eth1
iface eth1 inet manual
  pre-up ip link set $IFACE up
  post-down ip link set $IFACE down

auto wan

auto lan0
iface lan0 inet manual
auto lan1
iface lan1 inet manual
auto lan2
iface lan2 inet manual
auto lan3
iface lan3 inet manual

auto br0
iface br0 inet static
    address 192.168.40.1
    netmask 255.255.255.0
    bridge_ports lan0 lan1 lan2 lan3
    bridge_fd 5
    bridge_stp no

source-directory /etc/network/interfaces.d

should be this:

the default route has to be r2's address inside the same subnet as the client… the br0 address

1 Like
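The mistake frank-w points at above (dnsmasq handing br0 clients a gateway of 192.168.40.10 while br0 itself is 192.168.40.1, so the client's default route pointed at a host that does not exist) is easy to catch by checking the two files against each other. The following is an added example, not part of this thread and not code from frank-w's image: a POSIX shell script that reads the static address of each interface from an interfaces(5) file and compares it with every `dhcp-option=<if>,3,<gateway>` line in a dnsmasq config. The two sample configs are constructed copies of the ones posted above; the helper names iface_address and check_dhcp_gateways are my own.

```shell
#!/bin/sh
# Added example: check that dnsmasq's DHCP gateway option (option 3) for each
# interface equals the address configured on that interface.
# Sample inputs below are constructed from the configs posted in the thread.

INTERFACES_SAMPLE='auto br0
iface br0 inet static
    address 192.168.40.1
    netmask 255.255.255.0
    bridge_ports lan0 lan1 lan2 lan3
'

DNSMASQ_SAMPLE='interface=ap0
interface=br0
dhcp-range=br0,192.168.40.100,192.168.40.150,255.255.255.0,48h
dhcp-option=br0,3,192.168.40.10
dhcp-range=ap0,192.168.10.100,192.168.10.150,255.255.255.0,48h
dhcp-option=ap0,3,192.168.10.1
'

# iface_address <interfaces-text> <ifname>
# Prints the "address" of the iface stanza for <ifname>, or nothing if the
# interface has no static address in the file (ap0 is configured by wifi.sh).
iface_address() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "iface" { cur = $2; next }
        $1 == "address" && cur == want { print $2; exit }'
}

# check_dhcp_gateways <interfaces-text> <dnsmasq-text>
# For every dhcp-option=<if>,3,<gw> line, report OK / MISMATCH / UNKNOWN.
check_dhcp_gateways() {
    printf '%s\n' "$2" |
    awk -F'[=,]' '$1 == "dhcp-option" && $3 == "3" { print $2, $4 }' |
    while read -r ifname gw; do
        addr=$(iface_address "$1" "$ifname")
        if [ -z "$addr" ]; then
            echo "UNKNOWN $ifname: no static address in interfaces file (gateway $gw)"
        elif [ "$addr" = "$gw" ]; then
            echo "OK $ifname: gateway $gw matches interface address"
        else
            echo "MISMATCH $ifname: dnsmasq hands out gateway $gw but interface has $addr"
        fi
    done
}

# Run against the constructed samples; on a real box use the actual files:
#   check_dhcp_gateways "$(cat /etc/network/interfaces)" "$(cat /etc/dnsmasq.d/interfaces.conf)"
check_dhcp_gateways "$INTERFACES_SAMPLE" "$DNSMASQ_SAMPLE"
```

With the thread's config the script reports MISMATCH for br0 (gateway 192.168.40.10, interface 192.168.40.1) and UNKNOWN for ap0, whose address is assigned by the wifi script rather than in /etc/network/interfaces.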

IT WORKS!

:pray: A big thank you frank-w!

you are the man!

I will give you some news about what I’m going to do with the r2 (and share the docs)

Hello,

BPI-R2 is not booting from the SD card with the bpi-r2-buster.img image. I flashed the card with the command: dd bs=4M if=bpi-r2-buster.img of=/dev/sdb conv=fsync. I tried several images, but Ubuntu is the only one that worked for me. (2018-03-29-ubuntu-16.04-mate-desktop-bpi-r2-sd-emmc.img)

Is there anything else to do to make it work?

Thank you

Make sure the boot switch above the microSD slot is set to SD… else it will try to boot eMMC, and only if it finds no preloader there does it try the SD card

Or it can be a hardware incompatibility if you use different card vendors

If this is not the issue I need more info, like a boot log

Do you see the partitions BPI-BOOT/ROOT on the SD card?

I retried flashing the SD card and now the BPI-R2 boots normally. Thank you

If anyone is stumbling over this error on bootup:

FAILED to start Load kernel modules

Try moving this file to the right directory:

mv /etc/modules-load.d/cryptodev.conf /etc/modprobe.d/

It was wrong in my build.sh… I have fixed it in 5.4-merged

Hello Frank-W!

I'm having difficulties with nftables settings! I've tried to make shell scripts fw_on.sh and fw_of.sh with success. The main problem is, after about one day, the R2 is lagging and seems to slow down! I have to stop it manually and restart it - maybe it's not efficient enough! (only one of the CPU cores is at 100%, about 1.8GB of 2GB is free) but after a short time it becomes sluggish again! I've not found any nftables config for such a home router! What would you suggest as a firewall for this device? If it were nftables, how would you configure it? (only input/forward/output and/or prerouting/postrouting with masquerade/snat/dnat, considering HW NAT is not supported due to kernel 4.19.62)

Thanks in advance!

I have only iptables configured (my main OS is still stretch with kernel 4.14). Currently I have only buster 4.19+ on my test device. As iptables is legacy with buster/5.4 you should try using nftables… but I have no experience/examples with it. Which process is using the 100%?

I have not got 100% with iptables… I guess another process is using your CPU

Basically you only have to transform the iptables rules to nftables… maybe another user can help you with it… but we need to see your rules to decide if they are efficient or not… you should put the rules filtering the most traffic first so that later rules see fewer packets

It seems to me nftables is working incorrectly! :frowning: Since kernel 3.13 it is supported, and Debian Buster uses the nftables framework by default! So, we should live with nftables! :blush:

root@bpi-r2:~# nft -v
nftables v0.9.0 (Fearless Fosdick)

What do you think about these iptables rules :

iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168../24 -i br0 -j ACCEPT
iptables -A FORWARD -d 192.168../24 -i wan -j ACCEPT
iptables -t nat -A POSTROUTING -o wan -j MASQUERADE

Will this give me what I want? An efficient, powerful firewall? As I type the commands above, 2 nft tables appear, and look like this:

root@bpi-r2:~# nft list tables
table ip filter
table ip nat

root@bpi-r2:~# nft list table filter
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iifname "br0" counter packets 2481 bytes 177420 accept
        iifname "lo" counter packets 4 bytes 200 accept
        ct state related,established counter packets 515 bytes 70982 accept
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        iifname "br0" ip saddr 192.168.3.0/24 counter packets 16918 bytes 3802591 accept
        iifname "wan" ip daddr 192.168.3.0/24 counter packets 24361 bytes 20966291 accept
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}

root@bpi-r2:~# nft list table nat
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
    }

    chain INPUT {
        type nat hook input priority 100; policy accept;
    }

    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan" counter packets 1126 bytes 287339 masquerade
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
}
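The tables above are what iptables-nft creates from the posted rules, and they carry two things a native ruleset would do differently: the `ct state related,established` rule sits last in INPUT although it matches most packets (frank-w's point about putting the busiest rule first), and FORWARD accepts everything arriving on wan for the LAN subnet, which forwards unsolicited traffic from the internet rather than only replies. The same objection applies to the MASQUERADE-only start.sh at the top of this thread ("NAT is not for security"). The script below is an added example, not part of this thread or of frank-w's image: a POSIX shell wrapper that prints a native nftables ruleset for the same topology (wan upstream, br0 as the bridged LAN) and loads it atomically with `nft -f -`. The LAN subnet 192.168.3.0/24 is taken from the nft output above; the LAN_NET variable and the nft_ruleset/apply_ruleset function names are my own.

```shell
#!/bin/sh
# Added example: native nftables ruleset for a BPI-R2 style home router.
# Assumed names: wan = upstream interface, br0 = bridged LAN ports (both from
# the thread); LAN_NET defaults to the subnet shown in the thread's nft output.

LAN_NET=${LAN_NET:-192.168.3.0/24}

# Print the ruleset. Conntrack-state rules come first in each chain so that
# packets of established flows are accepted after a single lookup; only new
# connections fall through to the interface/subnet rules below them.
nft_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "br0" accept
        # anything else arriving on wan (or any other interface) is dropped
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # only LAN-originated flows may leave towards the internet; their
        # replies match established,related above, so no unsolicited
        # wan -> LAN traffic is ever forwarded
        iifname "br0" oifname "wan" ip saddr $LAN_NET accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan" masquerade
    }
}
EOF
}

# Load atomically: nft applies the whole ruleset or rejects all of it, so a
# syntax error never leaves the router half-configured.
apply_ruleset() {
    nft_ruleset | nft -f -
}

# Usage: sh fw.sh apply   (as root) loads the ruleset; with no argument it
# only prints the ruleset so it can be reviewed first.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    nft_ruleset
fi
```

`flush ruleset` discards every existing table, including the ones iptables-nft created, which is intended when moving the whole firewall to native nft; the state rules are the ones that should show the highest packet counters in `nft list ruleset` once traffic flows.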