Can’t share Wi-Fi connection over Ethernet with both the firewall and overlay filesystem on

I’ve configured my Raspberry Pi 4B to automatically connect to Wi-Fi and share its Internet connection to the Ethernet port using NetworkManager.

This works so long as:

  1. the firewall (UFW) is off OR
  2. the firewall is on but the overlay filesystem is off OR
  3. the overlay fs is on but the firewall gets disabled (from its active-on-boot state), the network link renegotiated (mii-tool) resulting in an established but momentarily unprotected connection, then the firewall re-enabled.

When the IP(v4) doesn’t get assigned at boot due to the overlay fs being on, the laptop I’m testing with has some IPv6 DNS servers show up (all beginning with fec0:...) and it gets a link-local IPv6 address (fe80:...) in the Network device properties in Windows (I allowed IPv6 connection sharing even though I don’t have access to the IPv6 Internet). This shows that something is happening, just not enough.

UFW, which I’ve configured as follows, works correctly given the circumstances above:

  • In /etc/default/ufw, changed DROP on the DEFAULT_FORWARD_POLICY="DROP" line to ACCEPT
  • sudo ufw allow in on end0 from 10.42.0.0/24 to 0.0.0.0/0

I also enabled Predictable Network Interface Names in the hopes it made a difference (it didn’t).

Given case 3 above, I can even run sudo mii-tool -r end0 and it’ll still renegotiate and reconnect just fine. What’s the firewall missing to work with the overlay on, without first connecting while the firewall is off?

For my purposes, I need the Pi to be rebootable by unplugging its power cord and plugging it back in, hence the need for the write-protected SD card & overlay fs.

When I log in with the overlay fs on I also see the following text added to the console under the linux version header (6.1.0-rpi7-rpi-v8 #1 SMP PREEMPT Debian 1:6.1.63-1+rpt1 (2023-11-24) aarch64), if it helps:

tmpfs-root /media/root-rw tmpfs rw,relatime 0 0
overlayroot / overlay rw,relatime, lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0
/dev/mmcblk0p2 /media/root-ro ext4 ro,relatime 0 0

I’m happy to provide relevant log outputs or other configuration details to resolve this. Overlay filesystems are a new concept to me, so I don’t know how the two could be interacting to cause this. Any help would be really appreciated.
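As an added example (not part of the question above), a pre-flight check for the case-3 workaround: it confirms the DEFAULT_FORWARD_POLICY, the UFW state and the end0/10.42.0.0/24 rule from the post before the link is renegotiated, and flags that / is an overlay. The sample inputs are constructed to mirror the post, and the `ufw status` layout it parses is an assumption.

```shell
#!/bin/sh
# Added example (not from the question): pre-flight check before renegotiating the
# shared link, so the "momentarily unprotected" window from case 3 is never opened.
# Inputs below are constructed to mirror the question; on the Pi they would come from
# /etc/default/ufw, `ufw status` and /proc/mounts (the `ufw status` layout is assumed).
UFW_DEFAULTS='DEFAULT_INPUT_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"'
UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
Anywhere on end0           ALLOW       10.42.0.0/24'
MOUNTS='tmpfs-root /media/root-rw tmpfs rw,relatime 0 0
overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0
/dev/mmcblk0p2 /media/root-ro ext4 ro,relatime 0 0'

# forward_policy CONFIG: print the value of DEFAULT_FORWARD_POLICY
forward_policy() {
  printf '%s\n' "$1" | sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Z]*\)"$/\1/p'
}

# ufw_active STATUS: succeed only when the firewall reports itself active
ufw_active() {
  printf '%s\n' "$1" | grep -q '^Status: active$'
}

# lan_rule_present STATUS IFACE CIDR: succeed when an ALLOW rule for CIDR on IFACE is listed
lan_rule_present() {
  printf '%s\n' "$1" | grep -q "on $2 .*ALLOW.*$3"
}

# root_is_overlay MOUNTS: succeed when / is an overlay, i.e. rule changes land in tmpfs
root_is_overlay() {
  printf '%s\n' "$1" | grep -q '^overlayroot / overlay '
}

# preflight CONFIG STATUS MOUNTS IFACE CIDR: succeed only if the link may be renegotiated
preflight() {
  [ "$(forward_policy "$1")" = ACCEPT ] || { echo "DEFAULT_FORWARD_POLICY is not ACCEPT" >&2; return 1; }
  ufw_active "$2" || { echo "ufw is not active" >&2; return 1; }
  lan_rule_present "$2" "$4" "$5" || { echo "no ALLOW rule for $5 on $4" >&2; return 1; }
  root_is_overlay "$3" && echo "note: / is an overlay; rules added now are lost at reboot" >&2
  return 0
}

# On the Pi (commented out so the script runs stand-alone anywhere):
# preflight "$(cat /etc/default/ufw)" "$(sudo ufw status)" "$(cat /proc/mounts)" end0 10.42.0.0/24 \
#   && sudo mii-tool -r end0
```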