A software bridge on the main device, able to manage both the internal network and the external WiFi connection, convinced me that this was probably the best way to deliver all the needed features:


  1. All the Meditech RPIs are accessible by logging in to the Master RPI via ssh or from the graphical desktop
  2. The internal devices can access the Master RPI over the internal LAN, sending their data to the storage database (MySQL based) via http / https and PHP
  3. If needed, the internal devices can access the external network through the routed WiFi on the Master RPI
  4. Only one unit should physically access the Internet
  5. The system is open to more advanced security protocols, e.g. a proxy, not implemented at the moment.
  6. Every RPI device connected over wired Ethernet can act as an independent unit
  7. The Meditech unit should connect to the Internet via the Display Unit, also acting as a mobile access point
  8. Some new feature will be ...


The inspiration for this solution, after many tests and after discarding other more complex and less performant variants, comes from an article on the hackhappy.org site. Looked at in detail, the procedure is fairly simple and takes a few steps:


1. Install the needed components


apt-get -y install isc-dhcp-server iptables

In this case the DHCP server is not an essential element, as all the connected RPIs have a static IP address, but it will be useful for further (possible) external units connected to the system.


2. Set the network interfaces configuration for NAT


This part of the script remained untouched: edit /etc/network/interfaces


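auto lo eth0
  iface lo inet loopback
  # Wired internal LAN: static address
  iface [Device] inet static
  address [IP]
  netmask [Netmask]

  # WiFi uplink: address obtained via DHCP from the access point
  auto [Device]
  iface [Device] inet dhcp
  wpa-ssid "[SSID]"
  wpa-psk "[Password]"

  # Load the saved NAT rules when the interface comes up
  up iptables-restore < /etc/iptables.ipv4.nat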

Note that the second interface is set in DHCP mode; it is the WiFi interface (usually wlan0) that will connect to the access point for the Internet connection. As an elementary security rule, the Display Unit of Meditech (aka the tablet) will be connected via tethering with the rest of the network using a fixed, pre-defined AP name that will be hard-wired in the RPI settings. This ensures that only that particular device, set up as a WiFi AP, can connect to the rest of the network.

3. Set the DHCP configuration


option domain-name "[Domain]";
  option domain-name-servers [DNS 1], [DNS 2];
  subnet [Subnet] netmask [Netmask] {
  range [IP Range Start] [IP Range End];
  option routers [IP];
  }

The only DHCP setting is for external access, while the internal Ethernet settings (on eth0) will be static IP addresses.

After these settings you should execute the following commands (as root, so use sudo):

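# Serve DHCP on the wired interface only
echo "INTERFACES=\"eth0\"" > /etc/default/isc-dhcp-server
service isc-dhcp-server restart
update-rc.d isc-dhcp-server enable
# Enable IPv4 forwarding, now and at every boot
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "1" > /proc/sys/net/ipv4/ip_forward
# NAT outbound traffic on the WiFi uplink
iptables -t nat -A POSTROUTING -o [wlan0] -j MASQUERADE
# From the uplink, accept only replies to connections opened from the LAN
iptables -A FORWARD -i [wlan0] -o [eth0] -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i [eth0] -o [wlan0] -j ACCEPT
# Save the rules so /etc/network/interfaces can restore them
iptables-save > /etc/iptables.ipv4.nat
/etc/init.d/networking restart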

For those interested in the complete parametrised command from the original article, it is attached to this post.
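
One way to check the saved rules against the intent of the steps above, as an added example that is not part of the original post or the hackhappy.org article. It assumes the interface names wlan0 and eth0 and runs on a constructed, abridged iptables-save dump; the FORWARD policy check goes beyond the post's commands, which leave the chain at its default ACCEPT policy.

```shell
#!/bin/sh
# Added example (not from the post): audit an iptables-save dump against the
# forwarding rules above. wlan0/eth0 and the sample dump are assumptions.

# audit_nat WAN_IF LAN_IF, ruleset on stdin; returns the number of findings.
audit_nat() {
    wan=$1; lan=$2; n=0
    rules=$(cat)
    has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }
    note() { echo "FINDING: $1"; n=$((n + 1)); }

    # Masquerading must exist on the WiFi uplink, and nowhere else.
    has "^-A POSTROUTING -o $wan -j MASQUERADE" || note "no MASQUERADE on $wan"
    printf '%s\n' "$rules" | grep -- '-j MASQUERADE' | grep -vq -- "-o $wan " \
        && note "MASQUERADE on an interface other than $wan"

    # LAN clients need an explicit path out through the uplink.
    has "^-A FORWARD -i $lan -o $wan -j ACCEPT" || note "no $lan -> $wan ACCEPT"

    # Anything accepted from the uplink must be reply traffic only.
    printf '%s\n' "$rules" | grep -E -- "^-A FORWARD -i $wan .*-j ACCEPT" \
        | grep -vq -- 'state RELATED,ESTABLISHED' \
        && note "$wan can open new connections into the LAN"

    # ACCEPT rules only restrict traffic if unmatched packets are dropped.
    has '^:FORWARD DROP' || note "FORWARD policy is not DROP"
    return "$n"
}

# Constructed, abridged dump: the three rules from the post as saved to disk.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_nat wlan0 eth0 || echo "$? finding(s)"
```

On a real unit, feed it the saved file instead of the sample: `audit_nat wlan0 eth0 < /etc/iptables.ipv4.nat`.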