From: Michal Soltys <soltys@ziu.info>
To: David Lamparter <equinox@diac24.net>
Cc: Greg Scott <GregScott@Infrasupport.com>, netdev@vger.kernel.org
Subject: Re: ebtables on a stick
Date: Wed, 30 Nov 2011 00:11:36 +0100 [thread overview]
Message-ID: <4ED566A8.2000108@ziu.info> (raw)
In-Reply-To: <20111128143901.GA589422@jupiter.n2.diac24.net>
On 11-11-28 15:39, David Lamparter wrote:
> On Sun, Nov 27, 2011 at 09:10:08AM -0600, Greg Scott wrote:
>> I have a situation that needs to route mostly and bridge only a
>> little bit.
>>
>> I have a private internal LAN, 192.168.10.nnn. But one host in the
>> internal side needs a real public IP Address, call it 1.2.115.157.
>> Everything except that public IP host needs to route. The public
>> host needs to bridge so it can interact with the world. But it also
>> needs to interact with the internal LAN.
>>
>> I have a Linux brouter set up with eth0 facing the Internet, eth1
>> facing the LAN as follows:
>>
>> ifconfig eth0 1.2.115.146 mask 255.255.255.240
>> ifconfig eth1 192.168.10.1 mask 255.255.255.0
> [...]
>
> This doesn't answer your question, but your use case is better solved
> with proxy arp.
>
> ip route add 1.2.115.157/32 dev eth1
> ip neigh add proxy 1.2.115.157 dev eth0
> # ... adjust iptables rules to make sure traffic is allowed
> # optional, but I'd recommend:
> iptables -t raw -I PREROUTING -d 1.2.115.157 -j NOTRACK
> iptables -t raw -I PREROUTING -s 1.2.115.157 -j NOTRACK
>
> on the target host:
>
> ip addr add 1.2.115.157/32 dev ethX
> ip route add 192.168.10.1/24 dev ethX
> ip route add default via 192.168.10.1
In addition to what David wrote, you might want to specify the 'src' option on
certain routes, and/or specify scopes by hand.

For example, if the LAN host in question has something like:

ip add add 192.168.10.2/24 broad + dev eth0 scope link
ip add add 1.2.115.157/32 dev eth0 scope global
ip ro add unicast default via 192.168.10.1 dev eth0 src 1.2.115.157

Then the 'src' will prefer the public IP for non-LAN communication (even
without scopes).

Make sure, when you (likely) do SNAT with iptables on the router, to
skip this address in that case (if you are not using NOTRACK).

BTW, scopes can help with the MASQUERADE target on the router (not important in
your case as you have static addresses, but still), as it will choose
candidates with global scope.
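The following script is an added example and is not part of this thread. It puts the proxy-ARP setup David describes and the 'src' hint Michal adds into one place for both ends, and adds two checks that read the resulting `ip route show` / `ip neigh show proxy` output so the state can be verified instead of assumed. The interface names, the LAN host address 192.168.10.2, and the explicit nat-table ACCEPT rule that keeps the public host out of MASQUERADE are assumptions; the other addresses are the ones used in the thread. With `DRY_RUN=1` (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the thread: proxy-ARP "brouter" replacement for
# the setup discussed above, plus checks on the resulting ip(8) output.
# Assumptions: interface names, the LAN host address 192.168.10.2, and the
# nat ACCEPT rule. DRY_RUN=1 (default) prints commands instead of running them.

PUBLIC_HOST=1.2.115.157   # the one LAN host that carries a public address
LAN_NET=192.168.10.0/24
LAN_GW=192.168.10.1       # router's LAN address
WAN_IF=eth0               # router: Internet-facing
LAN_IF=eth1               # router: LAN-facing
HOST_IF=eth0              # public host's only interface (assumed name)

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Router side: route the /32 towards the LAN, answer ARP for it on the WAN
# side, and keep that host's packets out of conntrack and NAT.
router_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route add "$PUBLIC_HOST/32" dev "$LAN_IF"
    run ip neigh add proxy "$PUBLIC_HOST" dev "$WAN_IF"
    run iptables -t raw -I PREROUTING -d "$PUBLIC_HOST" -j NOTRACK
    run iptables -t raw -I PREROUTING -s "$PUBLIC_HOST" -j NOTRACK
    # ACCEPT in the nat table ends nat traversal for that source, so the
    # MASQUERADE rule below never rewrites the public host's packets
    # (belt and braces: NOTRACK already keeps them out of the nat table).
    run iptables -t nat -I POSTROUTING -o "$WAN_IF" -s "$PUBLIC_HOST" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Public host side: private address for LAN talk, public /32 on the same
# interface, and a default route whose "src" selects the public address.
host_setup() {
    run ip address add 192.168.10.2/24 broadcast + dev "$HOST_IF" scope link
    run ip address add "$PUBLIC_HOST/32" dev "$HOST_IF" scope global
    run ip route add default via "$LAN_GW" dev "$HOST_IF" src "$PUBLIC_HOST"
}

# stdin: "ip route show" from the public host. Succeeds only if a single
# default route both goes via the router and carries src=$PUBLIC_HOST;
# without the src hint off-LAN traffic leaves as 192.168.10.2 and gets
# masqueraded by the router.
check_host_routes() {
    awk -v gw="$LAN_GW" -v src="$PUBLIC_HOST" '
        $1 == "default" {
            v = 0; s = 0
            for (i = 1; i < NF; i++) {
                if ($i == "via" && $(i + 1) == gw) v = 1
                if ($i == "src" && $(i + 1) == src) s = 1
            }
            if (v && s) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# stdin: "ip neigh show proxy" from the router. Succeeds only if the router
# is proxying ARP for the public host on the WAN interface.
check_router_proxy() {
    awk -v ip="$PUBLIC_HOST" -v dev="$WAN_IF" '
        $1 == ip && $2 == "dev" && $3 == dev && $4 == "proxy" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Usage: DRY_RUN=0 sh proxyarp.sh router   (on the router)
#        DRY_RUN=0 sh proxyarp.sh host     (on the public host)
case "${1:-}" in
    router) router_setup ;;
    host)   host_setup ;;
esac
```

The two check functions are the part worth keeping around after the one-off setup: run `ip route show | check_host_routes` on the host and `ip neigh show proxy | check_router_proxy` on the router from a cron job or monitoring hook, and a reboot that loses the proxy entry or the `src` hint shows up as a failed check rather than as the public host silently going out masqueraded behind 1.2.115.146.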