I'm trying to setup a LAN network on enp1s0 (other computers should be able to connect via this interface to the network) and wlp0s20u1 (wireless access point). There is also a othet interface that is a WAN interface, temporarily for testing it's wlp2s0.

Both interfaces should be connected with a bridge. When there is no bridge ten wireless access point is working fine, but when I enable the bridge then I cannot connect to the WiFi hotspot anymore from the phone.

What I expect is a network where phone connected via WiFi would be able to access computer connected via cable to the Linux router, and also both would have access to the internet using WAN interface.

I'm doing:

brctl addbr br0
brctl addif br0 enp1s0
ifconfig br0
dhcpd -cf /path/to/config
hostapd /path/to/hostapd/config


subnet netmask {
    option broadcast-address;
    option routers;
    default-lease-time 600;
    max-lease-time 7200;
    option domain-name "local-network";
    option domain-name-servers,;


wpa_pairwise=CCMP TKIP

What I'm doing wrong? Thanks for your time. I spent many hours on searching a solution, hope someone will be able to help :(

@edit I found out that WPA2 does not work in Bridge mode, when I set wireless network to open then I can connect and I have internet access on phone, and brctl show shows me that both interfaces are connected.

Searching a PSK for a:x:y:z:b:c prev_psk=0x218c45c wlp0s20u1: STA a:x:y:z:b:c WPA: invalid MIC in msg 2/4 of 4- Way HandshakeSearching a PSK for a:x:y:z:b:c prev_psk=0x218c45c wlp0s20u1: STA a:x:y:z:b:c WPA: invalid MIC in msg 2/4 of 4- Way Handshake wlp0s20u1: AP-STA-POSSIBLE-PSK-MISMATCH a:x:y:z:b:c wlp0s20u1: AP-STA-POSSIBLE-PSK-MISMATCH a:x:y:z:b:c

This message was shown only in debugging mode, normally I saw only "AP-STA-POSSIBLE-PSK-MISMATCH", so I turned on debugging mode and filtered all messages in near this message.

I will edit this message when I will solve WPA2 problem and I will post a solution here.

Oh, I also set up a NAT like in first answer.

@edit WPA2 problem solved. When bridge is enabled then wpa_passphrase DOES NOT WORK, have to generate PSK using wpa_passphrase command and put into wpa_psk configuration value instead of wpa_passphrase.

Problem seems to be solved, I have only to test the bridge (connect any ethernet device and ping them)

2 Answers 2


Based on your configuration you would need to set up a NAT with the instructions at: https://wiki.archlinux.org/index.php/Internet_sharing. Alternatively you could add wlp2s0 to br0.

Wireless clients (and wired ones for that matter) need to be able to access the internet. In order to do so there has to be a route for their packets to the internet. Adding wlp2s0 to the bridge would accomplish that but given that it seems you are trying to have both wired and wireless clients I think you are better off setting up a NAT so packets are appropriately handled.

  • wlp0s20u1 is added by hostapd automatically, it only requires to add "bridge=br0" to hostapd config.
    – Krzysztofa Krzysztof
    Commented Jan 1, 2016 at 12:21
  • What nat has here to do? The problem was with connecting into a hotspot which means that it cannot get an ip address for example. Anyway I will try it as currently I have nat on wlp0s20u1, not on br0.
    – Krzysztofa Krzysztof
    Commented Jan 1, 2016 at 12:23
  • Oh sorry, I used the wrong interface in my example. In order to get internet access the box needs to know how to route packets between the WAN and the LAN. You will need to add wlp2s0 to the bridge.
    – ssgelm
    Commented Jan 2, 2016 at 7:42
  • Without either the NAT or wlp2s0 added to the bridge linux doesn't know how packets from the LAN are routed to the internet. NAT rules would accomplish that as would adding wlp2s0 to the bridge (as it makes it act like one large network).
    – ssgelm
    Commented Jan 2, 2016 at 7:44

Like I mentioned in edited question - problem solved. Also cable connected devices could access internet and wireless devices and vice-versa. The problem was wpa_passphrase that I changed to wpa_psk.

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .