While residing in temporary housing, I found that the fiber optic entry for my provider was located in the farthest corner of the house, which proved to be quite inconvenient. Attempting to lay wire throughout the house was futile, and the home office is situated in the opposite corner.

My NAS is sitting in the office, but it doesn’t have integrated WiFi. It only has Cat6. Normally, I would set up a mesh network and a mini-LAN in the office. However, we’re living in austerity, and all I have is my Raspberry 4. So, I thought, let’s bridge my WiFi network to the Ethernet port to access my NAS.

I battled for days to bridge my Pi from WiFi to Ethernet. Every walkthrough I encountered focused on setting up an Ethernet to Wi-Fi Access Point bridge. However, most walkthroughs failed to consider 64-bit Debian Bookworm distributions that use Network Manager (nmcli). Below is my final working solution. A word of caution: this solution only works if your primary router allows you to set up a route between subnets in your home. Most consumer routers don’t provide this functionality, and this solution won’t work unless your router supports it.

Use your Raspberry Pi as a Bridge…

As a bridge, the LAN will have network access through a single IP address and relies on Network Address Translation to transmit data through the Raspberry Pi. To your Wifi network it appears that all data is coming from the Raspberry Pi. This approach is advantageous for a single device but not for a network. Here’s the environment:

• Raspberry Pi 4b, Raspberry Pi Os 64bit Debian 12 (bookworm)
• Wi-Fi Interface: wlan0 (this is our primary network)
• Wi-Fi Network: 192.168.1.0/24
• Raspberry Pi’s WiFi IP: 192.168.1.98 (assigned or manual)
• Ethernet Interface: eth0 (the network in my office)
• Ethernet Network: 192.168.10.0/24 (I just picked one)
• Raspberry Pi’s Ethernet IP: 192.168.10.1

1️⃣ Configure the WiFi Connection

A given, you should already have your Raspberry Pi on the network. Here is a way to do it via the CLI:

nmcli dev wifi connect "YourSSID" password "YourPassword"

2️⃣ Configure the Ethernet Connection

Assign a static IP to the Ethernet interface.

nmcli con add type ethernet ifname eth0 con-name eth0
nmcli con mod eth0 ipv4.addresses 192.168.10.1/24
nmcli con mod eth0 ipv4.method shared
nmcli con up eth0

The ipv4.method shared command starts the NAT and DHCP servers automatically. This is the simplest way and avoids configuring dnsmasq manually.

3️⃣ Enable IP forwarding

IP forwarding is disabled in Debian. So let’s enable it:

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

4️⃣ Verify that NAT is running

Do not use iptables. Every walkthrough seems to mix the old iptables command with the new nmcli environment. Debian Bookworm uses nftables instead through the nmcli interface. Verify NAT is setup with:

sudo nft list ruleset

Or manually configure it at /etc/nftables.conf:

#!/usr/sbin/nft -f

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wlan0" masquerade
    }
}

5️⃣ Activate your bridge:

sudo systemctl enable nftables
sudo systemctl start nftables

6️⃣ Test it out on your Pi.

You should be able to ping your Ethernet port…

ping 192.168.10.1(192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.177 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.143 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=0.093 ms

And you should be able to access the Internet from a computer on the Ethernet port.

But notice you can’t access the Ethernet IP from any other devices on your WiFi Network! Here’s how to fix that…

7️⃣ Configure your router:

This step depends on your home’s main router. Many popular routers limit this ability and do not provide options for advanced static routing. My AT&T BGW320 Fiber Optic router, for example, does not support this and breaks this bridge.

Add a static route on your main router (192.168.1.1):

• Destination network: 192.168.10.0/24
• Subnet mask: 255.255.255.0
• Gateway: 192.168.1.98 (your Raspberry Pi’s WiFi IP)

What does this mean? If you can’t setup a route between the .1 and .10 subnets they will not be able to communicate with each other. Your home router simply does not know how to handle requests between the two networks. You need a better router, sorry.

Or use your Raspberry Pi as a Router…

A similar process but a router allows for more devices and services to be organically hosted. Your LAN’s subnet is an independent network and your Raspberry Pi becomes a gateway between your LAN and WiFi network. To enable this, we want to remove the NAT function of the bridge and allow for all ports/protocols to be forwarded through the gateway….

Repeat step 1️⃣ Make sure WiFi is connected

Modify Step 2️⃣ Assign a static IP and subnet:

nmcli con add type ethernet ifname eth0 con-name eth0 || true
nmcli con mod eth0 ipv4.addresses 192.168.10.1/24
nmcli con mod eth0 ipv4.method manual
nmcli con up eth0

Setting ipv4.method to manual disables the NAT but keeps the DHCP server running.

Repeat step 3️⃣ Enable IP forwarding

Modify step 4️⃣. We DO NOT want NAT. DO NOT ADD NAT RULES.

Make sure your /etc/nftables.conf is set to allowing forwarding:

#!/usr/sbin/nft -f

table inet filter {
    chain input {
        type filter hook input priority 0;
        policy accept;
    }

    chain forward {
        type filter hook forward priority 0;
        policy accept;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}

Repeat steps 5️⃣, 6️⃣, 7️⃣.

And that’s how to do it.