* Routing from private to bridge
From: Tom Gaudasinski @ 2005-10-22  0:14 UTC (permalink / raw)
  To: netfilter

Greetings,
    I have a problem in regards to the routing I've set up. I have a 
public subnet bridged from my ISP (DSL); it's a full bridge. So in order 
to use this subnet I have created a bridge out of two eth interfaces so 
that I may also firewall what will be behind the router. In addition to 
this I have a private subnet (192.168.1.x) that I NAT to the public IP 
of the router. My setup looks like this:

          DSL Modem (in bridge mode)
                        |
                  / eth0 \
                  <br0> 120.40.60.194/29
                  \ eth1 /
                 /        \__ Publicly addressed machines
             eth2
       192.168.1.1___Privately NATted machines

So eth0 and eth1 are part of the bridge (which has 1 IP address), and 
eth2 has a private address. eth0 plugs directly into the DSL modem, eth1 
into a switch that contains publicly addressed computers, and eth2 
logically so as well. I've set the rules up so that the users behind 
eth2 get NATted and the public users also get internet. This works; what 
doesn't work, however, is that the 192.168.1.x users cannot communicate 
with the publicly addressed users through the router. Even when the 
firewall has been cleared out (of NATting rules) they still cannot ping 
or communicate. It seems there's a different procedure for routing to a 
bridge. My route -n output is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
120.40.60.192   0.0.0.0         255.255.255.248 U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         120.40.60.193   0.0.0.0         UG    0      0        0 br0

How can I get the private LAN users to route to the publicly bridged 
subnet?

Thank you.

* Re: Routing from private to bridge
From: Rod @ 2005-10-22  2:21 UTC (permalink / raw)
  To: netfilter

    Hello, I had a similar problem until I set up my iptables rules for 
the configuration I have running.

eth0 = Dialin access & Wireless Access
eth1 = cable Internet
eth2 = gigabit network to my main machine
bt0 = Bluetooth WAP only when a BT connection is established (down 
otherwise)

Bridge (Jumpgate) = eth0, eth2

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     *               255.255.255.0   U     0      0        0 jumpgate
211.28.229.0    *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         211.28.229.1.op 0.0.0.0         UG    0      0        0 eth1

    Also, here are the relevant sections from my iptables rules:

iptables/rules-save
-A SWITCH -i jumpgate -o lo -j OUTG
-A SWITCH -i jumpgate -o eth1 -j OUTG
-A SWITCH -i eth1 -o jumpgate -j INCOM
-A SWITCH -i lo -o jumpgate -j INCOM
-A SWITCH -i jumpgate -o jumpgate -j OUTG

    I am able to ping from the machines on eth2 -> the wireless (across 
the bridge), also eth2 -> the world and world -> eth2.

brctl show
bridge name     bridge id               STP enabled     interfaces
jumpgate        8000.001195ed1217       no              eth0
                                                        eth2

    Bridge info (brctl showstp jumpgate); I'm just showing the relevant info:

brctl showstp jumpgate
eth0 (1)
 port id                8001                    state                forwarding
eth2 (2)
 port id                8002                    state                forwarding

    As with you, I wasn't able to ping past the bridge until I set up the 
firewall with the "-i" & "-o" routines. I even checked that ip_forwarding 
= "1" under /proc/sys/whatever.

    Hope this helps.


* Re: Routing from private to bridge
From: George Alexandru Dragoi @ 2005-10-22  9:07 UTC (permalink / raw)
  To: Tom Gaudasinski; +Cc: netfilter

If you use a bridge, doesn't it mean the gateway of the public IPs is located
at your ISP or DSL modem? Because this way 120.40.60.193 also needs to know
about 192.168.1.0 to forward packets to you. Why don't you just ask for an IP
from your ISP, and that subnet will be routed to that IP? This way you won't
need a bridge.


* Re: Routing from private to bridge
From: George Alexandru Dragoi @ 2005-10-22 10:38 UTC (permalink / raw)
  To: Tom Gaudasinski; +Cc: netfilter

A simple idea just came to me. If the bridge IP is 120.40.60.194,
why don't you use it as the gateway for the people behind it?


* Re: Routing from private to bridge
From: Philip Craig @ 2005-10-24  8:09 UTC (permalink / raw)
  To: Tom Gaudasinski; +Cc: netfilter

On 10/22/2005 10:14 AM, Tom Gaudasinski wrote:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 120.40.60.192   0.0.0.0         255.255.255.248 U     0      0        0 br0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 0.0.0.0         120.40.60.193   0.0.0.0         UG    0      0        0 br0
> 
> How can i get the private LAN users to route to the publically bridged 
> subnet?

What is the routing table on the public machines?
What NAT rules do you normally use?

It may be that the private machines and firewall are fine, but the routing
is wrong on the public machines.  If they simply have the default gateway
of 120.40.60.193, then they will be sending reply packets for private
addresses to the DSL modem, which is wrong.

Although these packets go via the firewall, their ethernet destination will
be the DSL router, so the firewall will bridge them rather than route.

You have two options:

- add a route on the public machines to use the firewall as the
gateway for the private addresses

- make sure the NAT rule on the firewall always NATs the private
addresses, even for connections to the public machines.
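As an added illustration of the reply path Philip describes (example code, not from anyone in the thread), this Python model does the public host's next-hop lookup for a reply and then decides whether the firewall's bridge hands the frame to its IP stack or merely forwards it at layer 2 towards the DSL modem. The IP addresses are the thread's; the MAC addresses and the ARP cache are constructed.

```python
"""Model of the bridged-firewall reply path (constructed example, not from
the thread). IP addresses are the thread's; MACs and ARP entries are made up."""
import ipaddress

FW_MAC = "02:00:00:00:00:01"   # hypothetical MAC of the firewall's br0 (120.40.60.194)
DSL_MAC = "02:00:00:00:00:02"  # hypothetical MAC of the ISP gateway (120.40.60.193)
FW_BRIDGE_IP = ipaddress.ip_address("120.40.60.194")
DSL_GW_IP = ipaddress.ip_address("120.40.60.193")
ARP = {DSL_GW_IP: DSL_MAC, FW_BRIDGE_IP: FW_MAC}  # constructed ARP cache of a public host


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway-or-None) pairs, as the public
    host's IP stack would do it. A None gateway means 'directly connected'."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return dst if best[1] is None else ipaddress.ip_address(best[1])


def firewall_action(routes, reply_dst):
    """What the firewall does with a public host's reply addressed to reply_dst.

    The frame enters on eth1, a bridge port. Only if its Ethernet destination is
    br0's own MAC does the kernel hand it to the IP stack (routing, or conntrack
    for a NATted flow). Any other destination MAC is forwarded at layer 2 out of
    eth0 to the DSL modem, so 192.168.1.x is never reached."""
    hop = next_hop(routes, reply_dst)
    if hop not in ARP:
        raise LookupError(f"no ARP entry for next hop {hop}")
    return "ip_stack" if ARP[hop] == FW_MAC else "bridge"


# Tom's public machines: connected /29 plus a default route via the ISP gateway.
PUBLIC_HOST_BROKEN = [("120.40.60.192/29", None), ("0.0.0.0/0", "120.40.60.193")]
# Philip's option 1: the same host with a route for the private LAN via the firewall.
PUBLIC_HOST_FIXED = PUBLIC_HOST_BROKEN + [("192.168.1.0/24", "120.40.60.194")]

if __name__ == "__main__":
    print(firewall_action(PUBLIC_HOST_BROKEN, "192.168.1.10"))   # bridge: reply goes to the modem
    print(firewall_action(PUBLIC_HOST_FIXED, "192.168.1.10"))    # ip_stack: option 1 works
    # Philip's option 2: after NAT the reply is addressed to the firewall itself.
    print(firewall_action(PUBLIC_HOST_BROKEN, "120.40.60.194"))  # ip_stack
```

The third call shows why the NAT option needs no change on the public hosts: a reply to 120.40.60.194 already resolves to br0's MAC, so the bridge must pass it up to the firewall's IP stack.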

