* Re: Routing from private to bridge
2005-10-22 0:14 Routing from private to bridge Tom Gaudasinski
@ 2005-10-22 2:21 ` Rod
2005-10-22 9:07 ` George Alexandru Dragoi
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Rod @ 2005-10-22 2:21 UTC (permalink / raw)
To: netfilter
Tom Gaudasinski wrote:
> Greetings,
> I have a problem in regards to the routing i've set up. I have a
> public subnet bridged from my ISP(DSL), it's a full bridge. So in
> order to use this subnet i have created a bridge out of two eth
> interfaces so that i may also firewall what will be behind the router.
> In addition to this I have a private subnet (192.168.1.x) that I NAT
> to the public IP of the router. My setup looks like this:
>
> DSL Modem (in bridge mode)
> |
> / eth0 \
> <br0> 120.40.60.194/29
> \ eth1 /
> / \__ Publically addresses machines
> eth2 192.168.1.1___Privately NATted machines
>
> So eth0 and eth1 are part of the bridge (which has 1 ip address), and
> eth2 has a private address. eth0 plugs directly into the dsl modem,
> eth1 into a switch that contains publically addressed computers and
> eth2 logically so as well. I've set the rules up so that the users
> behind eth2 get natted and the public users also get internet. This
> works, what doesn't work however is that the 192.168.1.x users cannot
> communicate with the publically addressed users through the router.
> Even when the firewall has been cleared out (of natting rules) they
> still cannot ping or communicate. It seems there's a different
> procedure for routing to a bridge. my route -n output is:
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref
> Use Iface
> 120.40.60.192 0.0.0.0 255.255.255.248 U 0 0 0
> br0
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0
> 0 eth2
> 0.0.0.0 120.40.60.193 0.0.0.0 UG 0 0 0
> br0
>
> How can i get the private LAN users to route to the publically bridged
> subnet?
>
> Thankyou.
Hello, I had a similar problem until I setup my IPTables rules for
the configuration I have running..
eth0 = Dialin access & Wireless Access
eth1 = cable Internet
eth2 = gigabit network to my main machine
bt0 = Bluetooth WAP only when a BT connection is established (down
otherwise)
Bridge (Jumpgate) = eth0, eth2
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
192.168.3.0 * 255.255.255.0 U 0 0 0
jumpgate
211.28.229.0 * 255.255.255.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0
0 0 lo
default 211.28.229.1.op 0.0.0.0 UG 0 0 0 eth1
Also here are the sections from my IPTABLES..
iptables/rules-save
-A SWITCH -i jumpgate -o lo -j OUTG
-A SWITCH -i jumpgate -o eth1 -j OUTG
-A SWITCH -i eth1 -o jumpgate -j INCOM
-A SWITCH -i lo -o jumpgate -j INCOM
-A SWITCH -i jumpgate -o jumpgate -j OUTG
I am able to Ping from the machines on eth2 -> the wireless (across
the bridge) also eth2 -> the world, World -> eth2
brctl show
bridge name bridge id STP enabled
interfaces
jumpgate 8000.001195ed1217 no eth0
eth2
Bridge Info (brctl showstp jumpgate) I'm just showing the relevent info
brctl showstp jumpgate
eth0 (1)
port id 8001 state
forwarding
eth2 (2)
port id 8002 state
forwarding
As with you, I wasn't able to ping past the bridge until I setup the
firewall with the "-i" & "-o" routines, I even checked the ip_forwarding
= "1" under /proc/sys/whatever.
Hope this helps.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: Routing from private to bridge
2005-10-22 0:14 Routing from private to bridge Tom Gaudasinski
2005-10-22 2:21 ` Rod
@ 2005-10-22 9:07 ` George Alexandru Dragoi
2005-10-22 10:38 ` George Alexandru Dragoi
2005-10-24 8:09 ` Philip Craig
3 siblings, 0 replies; 5+ messages in thread
From: George Alexandru Dragoi @ 2005-10-22 9:07 UTC (permalink / raw)
To: Tom Gaudasinski; +Cc: netfilter
If you use bridge, doesn't it mean the gateway of public ips is located on
your ISP or DSL modem? Because this way the
120.40.60.193<http://120.40.60.193>also needs to know about
192.168.1.0 <http://192.168.1.0> to forward packets to you. Why don;t you
just ask an ip from your ISP and that subnet will be routed to that ip. This
way you won't need bridge.
On 10/22/05, Tom Gaudasinski <cetus@internode.on.net> wrote:
>
> Greetings,
> I have a problem in regards to the routing i've set up. I have a
> public subnet bridged from my ISP(DSL), it's a full bridge. So in order
> to use this subnet i have created a bridge out of two eth interfaces so
> that i may also firewall what will be behind the router. In addition to
> this I have a private subnet (192.168.1.x) that I NAT to the public IP
> of the router. My setup looks like this:
>
> DSL Modem (in bridge mode)
> |
> / eth0 \
> <br0> 120.40.60.194/29 <http://120.40.60.194/29>
> \ eth1 /
> / \__ Publically addresses machines
> eth2
> 192.168.1.1___Privately NATted machines
>
> So eth0 and eth1 are part of the bridge (which has 1 ip address), and
> eth2 has a private address. eth0 plugs directly into the dsl modem, eth1
> into a switch that contains publically addressed computers and eth2
> logically so as well. I've set the rules up so that the users behind
> eth2 get natted and the public users also get internet. This works, what
> doesn't work however is that the 192.168.1.x users cannot communicate
> with the publically addressed users through the router. Even when the
> firewall has been cleared out (of natting rules) they still cannot ping
> or communicate. It seems there's a different procedure for routing to a
> bridge. my route -n output is:
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use
> Iface
> 120.40.60.192 <http://120.40.60.192> 0.0.0.0 <http://0.0.0.0>
> 255.255.255.248 <http://255.255.255.248> U 0 0 0 br0
> 192.168.1.0 <http://192.168.1.0> 0.0.0.0 <http://0.0.0.0> 255.255.255.0<http://255.255.255.0>U 0 0 0 eth2
> 0.0.0.0 <http://0.0.0.0> 120.40.60.193 <http://120.40.60.193> 0.0.0.0<http://0.0.0.0>UG 0 0 0 br0
>
> How can i get the private LAN users to route to the publically bridged
> subnet?
>
> Thankyou.
>
>
>
>
--
Bla bla
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Routing from private to bridge
2005-10-22 0:14 Routing from private to bridge Tom Gaudasinski
2005-10-22 2:21 ` Rod
2005-10-22 9:07 ` George Alexandru Dragoi
@ 2005-10-22 10:38 ` George Alexandru Dragoi
2005-10-24 8:09 ` Philip Craig
3 siblings, 0 replies; 5+ messages in thread
From: George Alexandru Dragoi @ 2005-10-22 10:38 UTC (permalink / raw)
To: Tom Gaudasinski; +Cc: netfilter
It just come up a simple idea. If the bridge ip is
120.40.60.194<http://120.40.60.194>,
why don;t you use it as a gateway for people behind it?
On 10/22/05, Tom Gaudasinski <cetus@internode.on.net> wrote:
>
> Greetings,
> I have a problem in regards to the routing i've set up. I have a
> public subnet bridged from my ISP(DSL), it's a full bridge. So in order
> to use this subnet i have created a bridge out of two eth interfaces so
> that i may also firewall what will be behind the router. In addition to
> this I have a private subnet (192.168.1.x) that I NAT to the public IP
> of the router. My setup looks like this:
>
> DSL Modem (in bridge mode)
> |
> / eth0 \
> <br0> 120.40.60.194/29 <http://120.40.60.194/29>
> \ eth1 /
> / \__ Publically addresses machines
> eth2
> 192.168.1.1___Privately NATted machines
>
> So eth0 and eth1 are part of the bridge (which has 1 ip address), and
> eth2 has a private address. eth0 plugs directly into the dsl modem, eth1
> into a switch that contains publically addressed computers and eth2
> logically so as well. I've set the rules up so that the users behind
> eth2 get natted and the public users also get internet. This works, what
> doesn't work however is that the 192.168.1.x users cannot communicate
> with the publically addressed users through the router. Even when the
> firewall has been cleared out (of natting rules) they still cannot ping
> or communicate. It seems there's a different procedure for routing to a
> bridge. my route -n output is:
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use
> Iface
> 120.40.60.192 <http://120.40.60.192> 0.0.0.0 <http://0.0.0.0>
> 255.255.255.248 <http://255.255.255.248> U 0 0 0 br0
> 192.168.1.0 <http://192.168.1.0> 0.0.0.0 <http://0.0.0.0> 255.255.255.0<http://255.255.255.0>U 0 0 0 eth2
> 0.0.0.0 <http://0.0.0.0> 120.40.60.193 <http://120.40.60.193> 0.0.0.0<http://0.0.0.0>UG 0 0 0 br0
>
> How can i get the private LAN users to route to the publically bridged
> subnet?
>
> Thankyou.
>
>
>
>
--
Bla bla
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Routing from private to bridge
2005-10-22 0:14 Routing from private to bridge Tom Gaudasinski
` (2 preceding siblings ...)
2005-10-22 10:38 ` George Alexandru Dragoi
@ 2005-10-24 8:09 ` Philip Craig
3 siblings, 0 replies; 5+ messages in thread
From: Philip Craig @ 2005-10-24 8:09 UTC (permalink / raw)
To: Tom Gaudasinski; +Cc: netfilter
On 10/22/2005 10:14 AM, Tom Gaudasinski wrote:
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use
> Iface
> 120.40.60.192 0.0.0.0 255.255.255.248 U 0 0 0 br0
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
> 0.0.0.0 120.40.60.193 0.0.0.0 UG 0 0 0 br0
>
> How can i get the private LAN users to route to the publically bridged
> subnet?
What is the routing table on the public machines?
What NAT rules do you normally use?
It may be that the private machines and firewall are fine, but the routing
is wrong on the public machines. If they simply have the default gateway
of 120.40.60.193, then they will be sending reply packets for private
addresses to the DSL modem, which is wrong.
Although these packets go via the firewall, their ethernet destination will
be the DSL router, so the firewall will bridge them rather than route.
You have two options:
- add a route on the public machines to use the firewall as the
gateway for the private addresses
- make sure the NAT rule on the firewall always NATs the private
addresses, even for connections to the public machines.
^ permalink raw reply [flat|nested] 5+ messages in thread