Linux Netfilter discussions
* Forwarding packets received on bridged interfaces -regarding
@ 2008-05-28 22:36 Knight Tiger
  2008-05-29  3:07 ` Grant Taylor
  0 siblings, 1 reply; 7+ messages in thread
From: Knight Tiger @ 2008-05-28 22:36 UTC (permalink / raw)
  To: netfilter

Hi,

I have a Linux box with two interfaces, eth0 and eth1. eth1 is a
wireless interface which connects to a network and receives a DHCP
address. eth0 connects to an AP (with a crossover cable) and provides
an Internet connection to a bunch of clients. The setup looks like this:

AP1 <--> eth0      eth1 <---> AP2<---> DHCP server.

Using brctl I create a bridge with eth1 and eth0. I have not assigned
an IP address to the bridge. eth1 receives an IP address from the DHCP
server. When a client connects to AP1 and requests an IP address from
the same DHCP server, I am not able to see the request on the DHCP
server. I did a tcpdump on eth0, eth1 and br0. I am able to see the
DHCP request packet with the client MAC address on all three
interfaces. But for some reason, the DHCP request is not forwarded to
the DHCP server.

> I suggest that you bridge eth0 and eth1 together and then DHCP the
> bridge interface.

> I don't think that this will have anything to do with it, but make sure
> that ip_forward is not interfering with anything.

> Also what, if anything, do you have for an IPTables config?

I cannot perform DHCP for the bridge, for the DHCP server tracks each
interface that is assigned an IP and this setup is designed to be
transparent to the DHCP server. I have set ip_forward
(/proc/sys/net/ipv4/ip_forward) to 1. It makes no difference if it is 1 or
0. iptables is empty and the default policy is ACCEPT for all three
chains.

$ brctl show br0
br0 8000.001641162.ba no eth0 eth1

# ETH1_MAC holds the MAC address of eth1 (set before these rules are loaded).
ebtables -A FORWARD -d Broadcast --log-level info -j ACCEPT
# Drop ARP packets destined for eth1 and do not forward them to eth0.
# (In the broute table DROP means "route": the frame stays on this host.)
ebtables -t broute -A BROUTING -p ARP --arp-mac-dst $ETH1_MAC \
    --log-level info -j DROP
# All broadcast packets arriving on eth0 must be forwarded (bridged).
ebtables -t broute -A BROUTING -d Broadcast -i eth0 --log-level info \
    -j ACCEPT

$ tail -f /var/log/messages
<extract>
kernel: IN=eth0 OUT= MAC source <newclient> MAC dest FF:FF:FF:FF:FF:FF
proto 0x0800 IP proto 17 SPT 68 DST 67
kernel: IN=eth0 OUT= eth1 MAC source <newclient> MAC dest
FF:FF:FF:FF:FF:FF proto 0x0800 IP proto 17 SPT 68 DST 67

I did a tcpdump on eth1 (wireless interface) and eth0 (wired
interface) and both show the DHCP packet. But this DHCP packet is not
forwarded to the DHCP server via eth1.

$ netstat -rn
116.69.66.0    0.0.0.0         255.255.255.0    U 0  0  eth1
0.0.0.0          116.69.66.0   0.0.0.0              UG  0 0 eth1

I see that there is a route to the external world through eth1. I can
ping google.com and the rest of the world through eth1. But I cannot
forward traffic received from eth0 to the external world. Any help is
greatly appreciated. I thank you for your patience in reading this
entire message.

Thanks
Regards
Knight
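A small diagnostic, added here as an example and not part of the thread: it parses ebtables log lines in the shape quoted above and reports which DHCP client broadcasts that entered on eth0 were also logged as forwarded out of eth1. A client that the bridge logs as forwarded but that still never reaches the server points at the NIC or driver rather than the bridge rules, which is where this thread ended up. The sample lines are constructed, not real captures.

```python
"""Parse ebtables --log lines (format as quoted in the thread) and report which
DHCP client broadcasts entering one bridge port were logged leaving the other."""
import re

# Field names as logged; the "=" after each name is optional so the kernel's
# "MAC source = ..." spelling parses as well as the thread's paraphrase.
LOG_RE = re.compile(
    r"IN=(?P<inp>\S*)\s+OUT=\s*(?P<out>(?!MAC)\S+)?\s*"
    r"MAC source\s*=?\s*(?P<src>[0-9a-fA-F:]{17})\s+"
    r"MAC dest\s*=?\s*(?P<dst>[0-9a-fA-F:]{17}).*?"
    r"proto\s*=?\s*(?P<eth>0x[0-9a-fA-F]+).*?"
    r"IP proto\s*=?\s*(?P<ipp>\d+).*?SPT\s*=?\s*(?P<spt>\d+).*?"
    r"D(?:ST|PT)\s*=?\s*(?P<dpt>\d+)"
)

def parse_line(line):
    """Return a dict of the logged frame fields, or None if not a log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["out"] = rec["out"] or ""  # OUT= is empty before the FORWARD stage
    rec["src"], rec["dst"] = rec["src"].lower(), rec["dst"].lower()
    return rec

def is_dhcp_client_broadcast(rec):
    """IPv4 UDP 68 -> 67 to the broadcast MAC, i.e. a DISCOVER/REQUEST."""
    return (rec["eth"].lower() == "0x0800" and rec["ipp"] == "17"
            and rec["spt"] == "68" and rec["dpt"] == "67"
            and rec["dst"] == "ff:ff:ff:ff:ff:ff")

def check_forwarding(lines, in_port="eth0", out_port="eth1"):
    """Return (forwarded, stuck): client MACs logged leaving via out_port, and those only seen entering in_port."""
    entered, forwarded = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dhcp_client_broadcast(rec):
            continue
        if rec["inp"] == in_port and rec["out"] == "":
            entered.add(rec["src"])
        elif rec["inp"] == in_port and rec["out"] == out_port:
            forwarded.add(rec["src"])
    return forwarded, entered - forwarded

# Constructed sample lines (not a real capture): client ...aa is bridged out
# of eth1, client ...bb is only ever seen entering eth0.
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= MAC source 00:11:22:33:44:aa MAC dest FF:FF:FF:FF:FF:FF proto 0x0800 IP proto 17 SPT 68 DST 67",
    "kernel: IN=eth0 OUT= eth1 MAC source 00:11:22:33:44:aa MAC dest FF:FF:FF:FF:FF:FF proto 0x0800 IP proto 17 SPT 68 DST 67",
    "kernel: IN=eth0 OUT= MAC source 00:11:22:33:44:bb MAC dest FF:FF:FF:FF:FF:FF proto 0x0800 IP proto 17 SPT 68 DST 67",
]
```

Feed it `tail /var/log/messages` output after enabling the `--log-level info` watchers above; a MAC listed as stuck never passed the bridge's forwarding decision, a MAC listed as forwarded did.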


* Re: Forwarding packets received on bridged interfaces -regarding
  2008-05-28 22:36 Forwarding packets received on bridged interfaces -regarding Knight Tiger
@ 2008-05-29  3:07 ` Grant Taylor
  2008-05-29  4:55   ` Knight Tiger
  0 siblings, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2008-05-29  3:07 UTC (permalink / raw)
  To: Mail List - Netfilter

On 05/28/08 17:36, Knight Tiger wrote:
> I have a Linux box with two interfaces, eth0 and eth1. eth1 is a
> wireless interface which connects to a network and receives a DHCP
> address. eth0 connects to an AP (with a crossover cable) and provides
> an Internet connection to a bunch of clients. The setup looks like this:

> AP1 <--> eth0      eth1 <---> AP2<---> DHCP server.

Let's redraw this up a little bit.

                   +--------------+
                   |    Bridge    |
("Net 0")   AP0---+ eth0    eth1 +---AP1   ("Net 1")   DHCP server
                   +--------------+

Is a client on "Net 0" supposed to have an IP in the same subnet as
clients on "Net 1"?  Or is the "Bridge" system going to be routing for
all the clients on "Net 0" and hiding them as one IP to "Net 1"?

I ask this because you are starting to sound like the "Bridge" system is
supposed to act like a SOHO router like you would use on your DSL / cable
modem to connect your home LAN to your internet connection.  However
your original question implied that you wanted "Net 0" and "Net 1" to be
joined together as one big network where everything on both sides could
see everything else.

<snip>

Please clarify the above before going further.



Grant. . . .


* Re: Forwarding packets received on bridged interfaces -regarding
  2008-05-29  3:07 ` Grant Taylor
@ 2008-05-29  4:55   ` Knight Tiger
  2008-05-29  5:17     ` Grant Taylor
  0 siblings, 1 reply; 7+ messages in thread
From: Knight Tiger @ 2008-05-29  4:55 UTC (permalink / raw)
  To: netfilter

Hi,

I thank you for your quick response. I wish I could draw ASCII art
like that. I don't know how to do that in an email compose window.

On Wed, May 28, 2008 at 8:07 PM, Grant Taylor <gtaylor@riverviewtech.net> wrote:
<snip>
>
> Let's redraw this up a little bit.
>
>                  +--------------+
>                  |    Bridge    |
> ("Net 0")   AP0---+ eth0    eth1 +---AP1   ("Net 1")   DHCP server
>                  +--------------+
>
> Is a client on "Net 0" supposed to have an IP in the same subnet as clients
> on "Net 1"?  Or is the "Bridge" system going to be routing for all the
> clients on "Net 0" and hiding them as one IP to "Net 1"?

The bridge is between eth0 and eth1. AP0 is connected via a crossover
cable. eth1 connects to "Net 1" and eth0 connects to AP0. eth0 does
not have an IP address (I can assign it one, but I don't see any reason
for it).
The clients have IP addresses allocated from the same subnet as eth1.
The clients are no different from eth1 from the perspective of the
DHCP server.

> I ask this because you are starting to sound like the "Bridge" system is
> supposed to act like a SOHO router like you would use on your DSL / cable
> modem to connect your home LAN to your internet connection.  However your
> original question implied that you wanted "Net 0" and "Net 1" to be joined
> together as one big network where everything on both sides could see
> everything else.
>

<snip>

The bridge system (comprising interfaces eth0 and eth1) is a laptop
running Linux that aims to extend the range of a wireless network (the
one which the wireless interface eth1 connects to). It may appear to
be easier to add more APs and connect them to the backbone network,
but we are evaluating this approach because we want to switch the
wireless network to a 3G data connection and still offer Wi-Fi
services to our clients. As a start we wanted to evaluate WiFi
extension with just WiFi. We want the Linux laptop to be totally
transparent and the clients to connect to the Wi-Fi network just as they
would from any other AP. The Linux laptop merely acts as a firewall +
bridge for the clients. The clients would get IP addresses in the same
subnet as eth1 in the figure. Remote monitoring of the Linux machine
is possible through the DHCP-assigned IP address. All traffic from/to
the clients should flow through the bridge. I plan to add filtering
after I get traffic flowing in both directions.

The problem:

The DHCP requests from the clients get blocked at the eth1 interface.
I want all traffic from the clients to go out via eth1. I would like
to know how to configure this setup.

I thank you again for your patience. Looking forward to your replies.

Thanks
Regards
Knight


* Re: Forwarding packets received on bridged interfaces -regarding
  2008-05-29  4:55   ` Knight Tiger
@ 2008-05-29  5:17     ` Grant Taylor
  2008-05-30 22:32       ` Knight Tiger
  0 siblings, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2008-05-29  5:17 UTC (permalink / raw)
  To: Mail List - Netfilter

On 05/28/08 23:55, Knight Tiger wrote:
> I thank you for your quick response. I wish I could draw ASCII art
> like that. I don't know how to do that in an email compose window.

You are welcome.  As far as the ASCII art, a fixed width font and lots 
of practice go a long way.  ;)

> The bridge is between eth0 and eth1. AP0 is connected via a crossover
> cable. eth1 connects to "Net 1" and eth0 connects to AP0. eth0 does
> not have an IP address (I can assign it one, but I don't see any
> reason for it). The clients have IP addresses allocated from the same
> subnet as eth1. The clients are no different from eth1 from the
> perspective of the DHCP server.

*nod*

With that clarification, I'd suggest that you simply bridge eth0 and 
eth1 and not have any rules in either EBTables or IPTables.  This should 
allow your clients to communicate with each other like you are wanting.

About the only thing that I might do differently than what you have done
(aside from any filtering) is to move the "management IP" to the bridge
interface rather than eth1.  I'd do this so that you can still get to
the management IP from one network if the other network's interface gets
shut down.  Consider what would happen if you were on a client on "Net
0" connected to the management IP (bound to eth1) when eth1 was taken
down.  This is just a personal preference though and should have no
bearing on functionality.

> The bridge system (comprising interfaces eth0 and eth1) is a
> laptop running Linux that aims to extend the range of a wireless
> network (the one which the wireless interface eth1 connects to). It
> may appear to be easier to add more APs and connect them to the
> backbone network, but we are evaluating this approach because we want to
> switch the wireless network to a 3G data connection and still offer
> Wi-Fi services to our clients. As a start we wanted to evaluate WiFi
> extension with just WiFi. We want the Linux laptop to be totally
> transparent and the clients to connect to the Wi-Fi network just as they
> would from any other AP. The Linux laptop merely acts as a firewall +
> bridge for the clients. The clients would get IP addresses in the
> same subnet as eth1 in the figure. Remote monitoring of the Linux
> machine is possible through the DHCP-assigned IP address. All traffic
> from/to the clients should flow through the bridge. I plan to add
> filtering after I get traffic flowing in both directions.

*nod*

I don't see any problems with what you are proposing while using WiFi. 
However I do wonder if you will still be using bridging when 3G is in 
place, as I don't know how many IPs you will be able to get with your 3G 
service.  Other than that, things should be fine.

> The problem:
> 
> The DHCP requests from the clients get blocked at the eth1 interface.
> I want all traffic from the clients to go out via eth1. I would like
> to know how to configure this setup.

I re-looked at your EBTables rules and did not see anything that should
prevent things from working as long as you are not using the MAC address
of eth1 (i.e. talking to or from eth1).  If you are using the MAC of
eth1 then you are forcing the bridge to route the packet when the IP
stack will not have anything to route.

The only other thing that comes to mind is that seeing as how (I think) 
eth1 is a wireless NIC, you may be dealing with problems with a wireless 
card that is not playing quite right.  You might consider testing your 
bridging (and filtering when it is time) via a regular computer with two 
wired ethernet interfaces.

> I thank you again for your patience. Looking forward to your replies.

*nod*

You are welcome.



Grant. . . .


* Re: Forwarding packets received on bridged interfaces -regarding
  2008-05-29  5:17     ` Grant Taylor
@ 2008-05-30 22:32       ` Knight Tiger
  2008-05-30 22:57         ` Grant Taylor
  0 siblings, 1 reply; 7+ messages in thread
From: Knight Tiger @ 2008-05-30 22:32 UTC (permalink / raw)
  To: netfilter

Hi,

<snip>
>
>> The problem:
>>
>> The DHCP requests from the clients get blocked at the eth1 interface. I
>> want all traffic from the clients to go out via eth1. I would like to know
>> how to configure this setup.
>
> I re-looked at your EBTables rules and did not see anything that should
> prevent things from working as long as you are not using the MAC address of
> eth1 (i.e. talking to or from eth1).  If you are using the MAC of eth1 then
> you are forcing the bridge to route the packet when the IP stack will not
> have anything to route.
>
> The only other thing that comes to mind is that seeing as how (I think) eth1
> is a wireless NIC, you may be dealing with problems with a wireless card
> that is not playing quite right.  You might consider testing your bridging
> (and filtering when it is time) via a regular computer with two wired
> ethernet interfaces.

I did the test on a desktop with two NICs and no iptables/ebtables
entries. The setup works great. Thanks. I expect the problem to be
with the wireless NIC (I use the Intel Linux drivers but apparently
they are no good for bridge settings).

Thanks again.

Regards
Knight


* Re: Forwarding packets received on bridged interfaces -regarding
  2008-05-30 22:32       ` Knight Tiger
@ 2008-05-30 22:57         ` Grant Taylor
  2008-06-04 18:22           ` Knight Tiger
  0 siblings, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2008-05-30 22:57 UTC (permalink / raw)
  To: Mail List - Netfilter

On 05/30/08 17:32, Knight Tiger wrote:
> I did the test on a desktop with two NICs and no iptables/ebtables
> entries. The setup works great. Thanks. I expect the problem to be
> with the wireless NIC (I use the Intel Linux drivers but apparently
> they are no good for bridge settings).

I wondered if such was not going to be the problem.  Can you replace the 
wireless card?

For the record (and those searching the archive), what wireless card and 
driver(s) are you using?

> Thanks again.

*nod*

Good luck.  :)



Grant. . . .


* Re: Forwarding packets received on bridged interfaces -regarding
  2008-05-30 22:57         ` Grant Taylor
@ 2008-06-04 18:22           ` Knight Tiger
  0 siblings, 0 replies; 7+ messages in thread
From: Knight Tiger @ 2008-06-04 18:22 UTC (permalink / raw)
  Cc: Mail List - Netfilter

Hi,

The wireless card is Intel PRO/Wireless 2200 BG and the driver is
obtained from ipw2200.sourceforge.net.
I am running Fedora Core 5 on an IBM Thinkpad T43.

I tried the same tests with a PCMCIA orinoco card (lucent) but that
failed as well. I tried a Cisco card but it was not detected. Proxim
failed the detection test as well.

Thanks !
Knight


On Fri, May 30, 2008 at 3:57 PM, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 05/30/08 17:32, Knight Tiger wrote:
>>
>> I did the test on a desktop with two NICs and no iptables/ebtables
>> entries. The setup works great. Thanks. I expect the problem to be with the
>> wireless NIC (I use the Intel Linux drivers but apparently they are no good
>> for bridge settings).
>
> I wondered if such was not going to be the problem.  Can you replace the
> wireless card?
>
> For the record (and those searching the archive), what wireless card and
> driver(s) are you using?
>
>> Thanks again.
>
> *nod*
>
> Good luck.  :)
>
>
>
> Grant. . . .

