Diverting part of the traffic over a bridged network

Diverting part of the traffic over a bridged network

[Remi Pieternella]

Hi

I'm fairly new to ebtables and netfiltering so I will start by
describing what I would like to achieve.

My setup is rougly the one below:

                /----------br0----------\           rest of computers
192.168.0.x
                |                       |                  |
Music box -----eth1-- xubuntu machine --eth0----------- router
--------> Internet
192.168.0.x     |                   192.168.0.x      192.168.0.1(DHCP server)
                \-----------------------/
                           |
                           | Non local 192.168.0.x traffic
                           |
                           \----> different internet gateway or VPN


On my network I have a music box (Sonos) which needs to be visible on
my 192.168.0.x subnet (other wise my other computers will not be able
find it). But for which I would like to divert all non local to an
external gateway (possibly through a VPN connection)

The bridge now seems to work properly which mean that as soon as my
xubuntu machine (actually a virtual machine) starts the Sonos show up
on the network.

Next step however is to divert the non local traffic to a 2nd gateway.

Judging form what i have read so far I am assuming I will need ebtables for this

I found the following example but am not quite sure whether this
indeed what I need.

http://ebtables.sourceforge.net/examples/example3.html

Any help on the next step is appreciated!

p.s.
below some settings I am currently using

/etc/network/interfaces

----------------------
auto lo
iface lo inet loopback

# Bridge between eth0 and eth1
auto br0
iface br0 inet dhcp

  pre-up ifconfig eth0 down
  pre-up ifconfig eth1 down
  pre-up brctl addbr br0
  pre-up brctl addif br0 eth0
  pre-up brctl addif br0 eth1
  pre-up ifconfig eth0 0.0.0.0
  pre-up ifconfig eth1 0.0.0.0
  post-down ifconfig eth0 down
  post-down ifconfig eth1 down
  post-down ifconfig br0 down
  post-down brctl delif br0 eth0
  post-down brctl delif br0 eth1
  post-down brctl delbr br0
--------------------------------

I currently also have shorewall setup but basically this has been
setup to allow everything
(I was planning to tighten things up once i have got things working)

/etc/shorewall/policy
-------------------------
#SOURCE        DEST        POLICY        LOG LEVEL    LIMIT:BURST

loc        net        ACCEPT
loc        $FW        ACCEPT
loc        all        ACCEPT

$FW        net        ACCEPT
$FW        loc        ACCEPT
$FW        all        ACCEPT

net        $FW        ACCEPT
net        loc        ACCEPT
net        all        ACCEPT

all        all        ACCEPT
----------------------------------


Also I used to have masquerading setup
/etc/shorewall/masq
---------------------------

#INTERFACE        SOURCE        ADDRESS        PROTO    PORT(S)    IPSEC    MARK
eth0                    eth1
--------------------------

I guess I don't need this anymore since I have since setup the bridge
to bridge the traffic form eth1 to eth0 (i.s.o. routing it)

Re: Diverting part of the traffic over a bridged network

[Benedikt Gollatz]

On Sun, 9 Aug 2009 16:26:27 +0200, Remi Pieternella wrote:
> On my network I have a music box (Sonos) which needs to be visible on
> my 192.168.0.x subnet (other wise my other computers will not be able
> find it). But for which I would like to divert all non local to an
> external gateway (possibly through a VPN connection)

Why don't you just hook up the music box to the regular physical link and
configure a different default gateway for it?

PS. Sorry for the PM, Remi.

Re: Diverting part of the traffic over a bridged network

[Remi Pieternella]

Benedikt,

Indeed that certainly would have been the easier solution.
Unfortunately the Sonos music box doesn't allow me to set the gateway
(everything is set via DHCP).

What I could do is strip de DHCP server from the router and setup a
new one on my linux box. Next I would need to find a way to supply a
different gateway to DHCP requests coming in on eth1 (or based on the
MAC).

For the moment the bridged solution seems nicer as this would even
allow me to only divert very specific traffic (to specific sites)
(besides I guess the DHCP discussion would be considered off topic)

Regards
Remi

On Mon, Aug 10, 2009 at 1:41 AM, Benedikt
Gollatz<ben@differentialschokolade.org> wrote:
> On Sun, 9 Aug 2009 16:26:27 +0200, Remi Pieternella wrote:
>> On my network I have a music box (Sonos) which needs to be visible on
>> my 192.168.0.x subnet (other wise my other computers will not be able
>> find it). But for which I would like to divert all non local to an
>> external gateway (possibly through a VPN connection)
>
> Why don't you just hook up the music box to the regular physical link and
> configure a different default gateway for it?
>
> PS. Sorry for the PM, Remi.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>