[LARTC] Bridging multiple vlans on linux router
Hi,

I have a situation where the router has to see hosts in multiple vlans with the same IP address.

The test scenario is:

    eth0 | br0 | --- eth1.25
               |     eth1.26
               |     eth1.27

    eth0   = Internet
    br0    = Lan 192.168.100.1/24
    host 1 = 192.168.100.11/24  eth1.25
    host 2 = 192.168.100.12/24  eth1.26

I need br0 to see all hosts in all vlans but hosts in different vlans not to see each other. Is there any way to do this with ebtables without making too many rules?

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] Questions about multiple providers
Hi, this is my first post to the list. I have googled a lot, and still cannot find a proper solution. I hope someone here will be able to shed some light on my doubts.

I have set up a firewall using kernel 2.6.15 (Debian) that does NAT for 100 clients, and uses two different ISPs, using the howto found at http://lartc.org/howto/lartc.rpdb.multiple-links.html. I have *not* patched my kernel.

The routing setup is taken from the howto, and it basically works: I see packets flowing out of both WAN interfaces, and everything seems to work properly for packets that are generated from the firewall itself.

I have set up NAT rules in the postrouting table, this way:

    iptables -t nat -A POSTROUTING -o $WAN -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74
    iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 83.211.205.162

Local net is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and their respective IP addresses are set as shown. WAN interfaces are physically different and have no aliases, only the IP shown above.

Now, I am experiencing two issues:

- First, I see packets with from address set to 83.211.205.162 that go out of $WAN, and also packets with from address set to 217.221.234.74 that flow out of $WAN2. This address mixup should not happen, I suppose. Looking at the packets, it seems that only NATed traffic shows this behaviour.

- Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that still have the LAN from address, that is 10.0.x.x; these packets somehow were not NATed at all.

Now, the questions are:

How do I solve this? Do I need to patch my kernel to solve the first issue, because I need to look at NAT established connections tables to make routing decisions? Is it impossible to have equal cost multipath and SNAT together without patching the kernel? If so, what patch do I need exactly? Is there something wrong with my kernel version, that has broken NAT support? (This could explain why I get some packets that do not get NATed at all.)

Thanks a lot for the time you took reading this.

-- 
Fabio Kurgan Muzzi
Re: [LARTC] Questions about multiple providers
On Mon, Jan 29, 2007 at 01:17:03PM +0100, Fabio Muzzi wrote:
> Hi, this is my first post to the list. I have googled a lot, and still cannot find a proper solution. I hope someone here will be able to shed some light on my doubts.
>
> I have set up a firewall using kernel 2.6.15 (Debian) that does NAT for 100 clients, and uses two different ISPs, using the howto found at http://lartc.org/howto/lartc.rpdb.multiple-links.html. I have *not* patched my kernel.
>
> The routing setup is taken from the howto, and it basically works: I see packets flowing out of both WAN interfaces, and everything seems to work properly for packets that are generated from the firewall itself.
>
> I have set up NAT rules in the postrouting table, this way:
>
>     iptables -t nat -A POSTROUTING -o $WAN -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74
>     iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 83.211.205.162
>
> Local net is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and their respective IP addresses are set as shown. WAN interfaces are physically different and have no aliases, only the IP shown above.
>
> Now, I am experiencing two issues:
>
> - First, I see packets with from address set to 83.211.205.162 that go out of $WAN, and also packets with from address set to 217.221.234.74 that flow out of $WAN2. This address mixup should not happen, I suppose. Looking at the packets, it seems that only NATed traffic shows this behaviour.

You have to set up your ip rule rules, which will state that anything coming from 217.221.234.74 only goes out $WAN and anything coming from 83.211.205.162 only goes out $WAN2; it should be part of the wiki/faq doco.

> - Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that still have the LAN from address, that is 10.0.x.x; these packets somehow were not NATed at all.

Never seen this.

> Now, the questions are:
>
> How do I solve this? Do I need to patch my kernel to solve the first issue, because I need to look at NAT established connections tables to make routing decisions? Is it impossible to have equal cost multipath and SNAT together without patching the kernel? If so, what patch do I need exactly? Is there something wrong with my kernel version, that has broken NAT support? (This could explain why I get some packets that do not get NATed at all.)
>
> Thanks a lot for the time you took reading this.
>
> -- 
> Fabio Kurgan Muzzi
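An added example, not part of the thread and not Fabio's or the howto's script: a dry-run-able shell script that implements the reply's "from" rules, and goes one step beyond the reply by pinning each forwarded LAN connection to the uplink chosen for its first packet with a connection mark, since forwarded packets still carry their 10.0.x.x source at routing time and never match a "from" rule for the SNAT address. Interface names, gateways, table ids and mark values are assumptions, and it assumes a kernel and iptables with CONNMARK support plus the howto's multipath default route in the main table.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names, gateways, table ids
# and marks are assumptions; SNAT addresses and LAN net are the ones posted.
# Assumes CONNMARK support and the howto's multipath default route in "main".
WAN=${WAN:-eth1};   WAN_IP=217.221.234.74;  WAN_GW=${WAN_GW:-217.221.234.73}
WAN2=${WAN2:-eth2}; WAN2_IP=83.211.205.162; WAN2_GW=${WAN2_GW:-83.211.205.161}
LAN_NET=10.0.0.0/16
DRY_RUN=${DRY_RUN:-1}   # 1 = print each command, 0 = execute (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_multiwan() {
  # One routing table per uplink, each holding that uplink's default route.
  run ip route add default via "$WAN_GW" dev "$WAN" table 101
  run ip route add default via "$WAN2_GW" dev "$WAN2" table 102
  # The reply's rules: a packet that already carries an uplink's address
  # (the firewall's own traffic, and replies) may only leave on that uplink.
  run ip rule add from "$WAN_IP" table 101 pref 100
  run ip rule add from "$WAN2_IP" table 102 pref 101
  # Forwarded LAN packets are still 10.0.x.x when routed, so a "from" rule
  # never sees their SNAT address. Route them on a connection mark instead.
  run ip rule add fwmark 1 table 101 pref 110
  run ip rule add fwmark 2 table 102 pref 111
  # Every packet of an already-marked flow gets its mark back before routing.
  run iptables -t mangle -A PREROUTING -s "$LAN_NET" -j CONNMARK --restore-mark
  # First packet of a flow: the multipath default route picks an uplink;
  # record that choice on the connection so later packets follow it.
  run iptables -t mangle -A POSTROUTING -o "$WAN" -m conntrack --ctstate NEW -j MARK --set-mark 1
  run iptables -t mangle -A POSTROUTING -o "$WAN2" -m conntrack --ctstate NEW -j MARK --set-mark 2
  run iptables -t mangle -A POSTROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark
  # SNAT per uplink, as posted; conntrack keeps that source for the life of
  # the connection, and the mark now keeps the connection on the same uplink.
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j SNAT --to-source "$WAN_IP"
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN2" -j SNAT --to-source "$WAN2_IP"
  run ip route flush cache
}

# What to inspect when a packet still leaves on the wrong uplink.
show_multiwan() {
  run ip rule show
  run ip route show table 101
  run ip route show table 102
  run iptables -t mangle -L POSTROUTING -v -n
}

case "${1:-show}" in
  apply) DRY_RUN=0; setup_multiwan ;;
  *)     setup_multiwan ;;
esac
```

Run it without arguments to review the generated commands, and with `apply` as root to execute them.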
[LARTC] Rewriting output interface
I would like to set up some rules for a wireless bridge to do load balancing. I'd like to dedicate one radio for doing transmit and one for receive.

                 router
                   |
                  eth0
                   |
      wlan0  upstream device  wlan1
        |                       ^
        V                       |
      wlan2 downstream device wlan3
                   |
                  eth0
                   |
                network

All traffic headed to the network will be sent out on wlan0, while all traffic headed to the router is to be sent on wlan3. Is tc capable of doing something like this, and if so, how would I configure it? I would prefer to bridge the traffic rather than routing it.

Thanks,
Hampton
Re: [LARTC] Rewriting output interface
We are using a madwifi type driver that supports wds. I just don't know how to set up the dual-bonded part of it. If someone has experience doing this with an ethernet-only setup, I can adapt that to our network.

Cheers,
Hampton

Stephen Hemminger wrote:
> On Mon, 29 Jan 2007 14:14:25 -0800
> Hampton Maxwell [EMAIL PROTECTED] wrote:
>
>> I would like to set up some rules for a wireless bridge to do load balancing. I'd like to dedicate one radio for doing transmit and one for receive.
>
> For most cases a wireless bridge with Linux won't work, unless you (one of the following):
>
> * have special device firmware
> * bridge only one client (ie point-to-point)
> * use MAC layer NAT
> * use experimental WDS and have a device that supports it.
Re: [LARTC] Bridging multiple vlans on linux router
On 01/29/07 04:04, Ivan Vladimirov wrote:
> I need br0 to see all hosts in all vlans but hosts in different vlans not to see each other. Is there any way to do this with ebtables without making too many rules?

I think if you set a forward policy of DROP you will be able to do what you are wanting.

Grant. . . .
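An added example, not part of the thread and not Ivan's or Grant's configuration: a dry-run-able script that builds Ivan's bridge from the three VLAN sub-interfaces and applies the single FORWARD policy Grant suggests. Interface names and VLAN ids follow the post; using iproute2 (`ip link ... type vlan`, `master`) rather than vconfig/brctl is an assumption about tooling.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names and VLAN ids follow
# the post; the iproute2 vlan/bridge commands are an assumption about tooling.
TRUNK=${TRUNK:-eth1}; BRIDGE=${BRIDGE:-br0}; VLANS="25 26 27"
BR_ADDR=192.168.100.1/24
DRY_RUN=${DRY_RUN:-1}   # 1 = print each command, 0 = execute (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_isolated_bridge() {
  run ip link add name "$BRIDGE" type bridge
  for id in $VLANS; do
    # One 802.1Q sub-interface per VLAN, each enslaved to the same bridge.
    run ip link add link "$TRUNK" name "$TRUNK.$id" type vlan id "$id"
    run ip link set "$TRUNK.$id" master "$BRIDGE"
    run ip link set "$TRUNK.$id" up
  done
  run ip addr add "$BR_ADDR" dev "$BRIDGE"
  run ip link set "$BRIDGE" up
  # Frames switched from one bridge port to another (including flooded
  # broadcast and unknown-unicast frames) traverse ebtables FORWARD; frames
  # to and from the bridge's own address traverse INPUT/OUTPUT, whose policy
  # stays ACCEPT. One DROP policy therefore keeps the VLANs apart while the
  # router on br0 still reaches every host, with no per-VLAN rules.
  run ebtables -P FORWARD DROP
}

# Verify: every VLAN port is enslaved and nothing is allowed across ports.
show_isolation() {
  run bridge link show
  run ebtables -L FORWARD
}

case "${1:-show}" in
  apply) DRY_RUN=0; setup_isolated_bridge ;;
  *)     setup_isolated_bridge ;;
esac
```

If two VLANs really do carry hosts with the same IP, the bridge's forwarding table keeps their MACs apart but br0's single ARP cache holds only one entry per IP, which ebtables cannot fix.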
[LARTC] lartc doc and Jamal's iproute2 notes
There are some notes written by Jamal that come with the iproute2 source that describe some very significant features that are not even hinted at in the lartc document. They aren't really easy to run across if you don't know they exist, and even when I did first see them, I wasn't sure if they represented the current state of things. I also ran across IMQ and it took me a while to realize that was a dead end.

It would be nice if at least the part on ingress filtering referenced them. The pipe action and ifb devices provide a way to overcome a lot of the ingress filtering limitations mentioned in the lartc document. The random action and packet mirroring action are probably of interest to people as well. It would have saved me a fair amount of time if these had been included as part of the lartc document.
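An added example, not taken from the post or from Jamal's notes: the ifb plus mirred-redirect arrangement the post alludes to, which lets inbound traffic on a real interface be shaped by a full HTB tree instead of only policed by the ingress qdisc. Interface names, rates, handles, class ids and the ssh classifier are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the iproute2 notes). Interface names,
# rates, handles and class ids are assumptions.
IN_DEV=${IN_DEV:-eth0}; IFB=${IFB:-ifb0}
LINK_RATE=8mbit; PRIO_RATE=2mbit; BULK_RATE=6mbit
DRY_RUN=${DRY_RUN:-1}   # 1 = print each command, 0 = execute (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_ingress_shaping() {
  # An ifb device re-injects whatever is redirected into it, so an ordinary
  # classful egress qdisc can sit on it.
  run ip link add "$IFB" type ifb
  run ip link set "$IFB" up
  # The ingress qdisc on the real interface can only police or classify;
  # match every IP packet there and hand it to the ifb with mirred redirect.
  run tc qdisc add dev "$IN_DEV" handle ffff: ingress
  run tc filter add dev "$IN_DEV" parent ffff: protocol ip u32 match u32 0 0 \
      action mirred egress redirect dev "$IFB"
  # Full HTB tree on the ifb: inbound traffic is now shaped and prioritised,
  # which the ingress qdisc alone cannot do.
  run tc qdisc add dev "$IFB" root handle 1: htb default 20
  run tc class add dev "$IFB" parent 1: classid 1:1 htb rate "$LINK_RATE"
  run tc class add dev "$IFB" parent 1:1 classid 1:10 htb rate "$PRIO_RATE" ceil "$LINK_RATE" prio 0
  run tc class add dev "$IFB" parent 1:1 classid 1:20 htb rate "$BULK_RATE" ceil "$LINK_RATE" prio 1
  # Example classifier: inbound ssh (tcp, dport 22) goes to the priority class.
  run tc filter add dev "$IFB" parent 1: protocol ip u32 match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:10
}

# Counters to check that packets really arrive on the ifb and hit the classes.
show_ingress_shaping() {
  run tc -s qdisc show dev "$IFB"
  run tc -s class show dev "$IFB"
  run tc filter show dev "$IN_DEV" parent ffff:
}

case "${1:-show}" in
  apply) DRY_RUN=0; setup_ingress_shaping ;;
  *)     setup_ingress_shaping ;;
esac
```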