Re: [Bridge] challenge of year: connect to LAN using wireless-ap over bridge + unmanaged l2tpv3 tunnel + bridge? it's possible?

Linux Advanced Routing and Traffic Control

On Sun, Aug 25, 2013 at 9:06 PM, Joel Wirāmu Pauling <joel@xxxxxxxxxxxx> wrote:
> What are your MTU settings?

I've been using 1488 (the default for L2TPv3) on all interfaces.

> All interfaces inside a bridge must have the MTU of the smallest; in
> some versions of bridge-utils you can add mismatched interface MTUs and
> everything breaks.

I didn't find any option like that in brctl

root@bahia:~# brctl
Usage: brctl [commands]
commands:
        addbr           <bridge>                add bridge
        delbr           <bridge>                delete bridge
        addif           <bridge> <device>       add interface to bridge
        delif           <bridge> <device>       delete interface from bridge
        hairpin         <bridge> <port> {on|off}        turn hairpin on/off
        setageing       <bridge> <time>         set ageing time
        setbridgeprio   <bridge> <prio>         set bridge priority
        setfd           <bridge> <time>         set bridge forward delay
        sethello        <bridge> <time>         set hello time
        setmaxage       <bridge> <time>         set max message age
        setpathcost     <bridge> <port> <cost>  set path cost
        setportprio     <bridge> <port> <prio>  set port priority
        show            [ <bridge> ]            show a list of bridges
        showmacs        <bridge>                show a list of mac addrs
        showstp         <bridge>                show bridge stp info
        stp             <bridge> {on|off}       turn stp on/off
root@bahia:~#

> Also, are all your tap devices over proper ethernet segments? As soon as you
> have a wireless segment then it will break (due to the WLAN layer-2 frames
> overwriting MACs / remembering only the point-to-point MACs).

everything is ethernet; this first phase uses only ethernet -> WAN
(L2TPv3) -> WAN -> ethernet....
the problem is that my "Server A" does not forward the ARP request to "Server B"...

>
> On 26 August 2013 11:54, Jorge Pereira <jpereiran@xxxxxxxxx> wrote:
>>
>> Hi Joel,
>>
>> thanks for your answer!! but I CAN'T understand why my bridge (SERVER
>> A) doesn't forward the ARP request
>> from the LAN to the other side of the L2TPv3 (SERVER B).... so, all I need is
>> that my 'bridge' forwards (broadcast, anycast, unicast, ARP, ...)
>> everything to the other side of the L2TPv3 bridge... let me try to explain
>> below...
>>
>> e.g:
>>
>> +-----------------------------------+
>> | Bahia: lan network 10.251.0.0/16  |
>> +-----------------------------------+
>>   |
>>   |    +---------------------+
>>   +--> | Bridge A            |
>>   |    | LAN: bridge/promisc |
>>   |    | WAN: 200.199.10.1   |
>>   +----+---------------------+
>>   |
>>   \    +--------------------------------------+
>>    +---| L2TPv3 / promisc / l2tpeth0 over WAN |
>>   /    +--------------------------------------+
>>   |
>>   |    +---------------------+
>>   +--> | Bridge B            |
>>   |    | LAN: bridge/promisc |
>>   |    | WAN: 200.199.10.2   |
>>   +----+---------------------+
>>   |
>> +-----------------------------------+
>> | Recife: lan network 10.251.0.0/16 |
>> +-----------------------------------+
>>
>> e.g. 1: from side 'B', I can send ICMP requests to anyone in
>> 10.251.0.0/16, but can't receive responses because
>> my bridge A ignores/discards all ARP/unicast/... packets and does not
>> forward them to Bridge B. only broadcast!
>>
>> e.g. 2: (sysctl/proxy_arp) doesn't solve my problem... if somebody has
>> any suggestion, please tell me! :)
>>
>>
>> On Fri, Aug 23, 2013 at 2:22 AM, Joel Wirāmu Pauling <joel@xxxxxxxxxxxx> wrote:
>> > You can't bridge 802.11 segments with normal ethernet segments. Wifi AP's
>> > that do this use magic; or hidden pseudo bridges to do the same.
>> >
>> > You will need to use something like relayd to form a pseudo bridge between
>> > your wired and wireless segments or use routing.
>> >
>> >
>> > -Joel
>> >
>> >
>> > On 23 August 2013 14:21, Jorge Pereira <jpereiran@xxxxxxxxx> wrote:
>> >>
>> >> hi everyone,
>> >>
>> >>     so, first it seemed a trivial question to me, but since I could not
>> >> find anybody able to answer
>> >> this question or to give a short config example, after a few sleepless
>> >> nights and exhausting all the reading
>> >> and research, here I am sharing my problem with all of you, in the hope of
>> >> some possible solution/suggestion.
>> >> or is it that this is impossible??
>> >>
>> >> below my scheme/layout.
>> >>
>> >> +----------------------------------------+
>> >> | MAIN SERVER - 10.60.61.1 (DHCP SERVER) |
>> >> +----------------------------------------+
>> >>                     |
>> >> +---------------------+
>> >> | NETWORK vlan601     |
>> >> | net 10.251.0.0/16   |
>> >> | gw: 10.251.0.1      |
>> >> +---------------------+
>> >>                     |
>> >> +----------------------------------------------+
>> >> | SERVER B (BRIDGE / unmanaged L2TPv3) - BAHIA |
>> >> +----------------------------------------------+
>> >>
>> >> root@bahia:~#  ip -d addr show eth0 # WAN
>> >> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>> >>     link/ether 00:50:56:a7:13:49 brd ff:ff:ff:ff:ff:ff
>> >>     inet 200.243.1.5/24 brd 200.243.1.255 scope global eth0
>> >>     inet6 fe80::250:56ff:fea7:1349/64 scope link
>> >>        valid_lft forever preferred_lft forever
>> >> root@bahia:~#  ip -d addr show eth1 # LAN (VLAN/TRUNK)
>> >> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>> >>     link/ether 00:50:56:a7:13:4a brd ff:ff:ff:ff:ff:ff
>> >>     inet6 fe80::250:56ff:fea7:134a/64 scope link
>> >>        valid_lft forever preferred_lft forever
>> >> root@bahia:~#  ip link add link eth1 name eth1.601 mtu 1500 type vlan id 601
>> >> root@bahia:~#  ip link set dev eth1.601 up promisc on
>> >> root@bahia:~#  ip -d addr show eth1.601
>> >> 9: eth1.601@eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>> >>     link/ether 00:50:56:a7:13:4a brd ff:ff:ff:ff:ff:ff
>> >>     inet6 fe80::250:56ff:fea7:134a/64 scope link
>> >>        valid_lft forever preferred_lft forever
>> >> root@bahia:~#  ip route show
>> >> default via 200.243.1.254 dev eth0
>> >> 200.243.1.0/24 dev eth0  proto kernel  scope link  src 200.243.1.5
>> >> root@bahia:~#
>> >>
>> >> and.... we have the interface l2tpeth0 (L2TPv3) established with the other
>> >> node on the internet via eth0 (WAN), plugged
>> >> into vlan601 (eth1.601) by a bridge called "br-red"
>> >>
>> >> root@bahia:~# brctl show
>> >> bridge name     bridge id               STP enabled     interfaces
>> >> root@bahia:~# brctl addbr br-red
>> >> root@bahia:~# brctl addif br-red eth1.601
>> >> root@bahia:~# ip l2tp add tunnel tunnel_id 45 peer_tunnel_id 42 udp_sport 5001 udp_dport 5000 encap udp local 200.243.1.5 remote 200.199.10.12
>> >> root@bahia:~# ip l2tp add session tunnel_id 45 session_id 5196755 peer_session_id 128
>> >> root@bahia:~# ip link set l2tpeth0 up promisc on master br-red
>> >> root@bahia:~# ip link set br-red up
>> >> root@bahia:~# brctl show br-red
>> >> bridge name     bridge id               STP enabled     interfaces
>> >> br-red          8000.005056a7134a       no              eth1.601
>> >>                                                         l2tpeth0
>> >> root@bahia:~# brctl showstp br-red
>> >> br-red
>> >>  bridge id 8000.005056a7134a
>> >>  designated root 8000.005056a7134a
>> >>  root port         0 path cost   0
>> >>  max age         20.00 bridge max age  20.00
>> >>  hello time 2.00 bridge hello time   2.00
>> >>  forward delay 15.00 bridge forward delay  15.00
>> >>  ageing time 300.01
>> >>  hello timer 1.06 tcn timer   0.00
>> >>  topology change timer   0.00 gc timer   5.08
>> >>  flags
>> >>
>> >> eth1.601 (1)
>> >>  port id 8001 state     forwarding
>> >>  designated root 8000.005056a7134a path cost   4
>> >>  designated bridge 8000.005056a7134a message age timer   0.00
>> >>  designated port 8001 forward delay timer   0.00
>> >>  designated cost   0 hold timer   0.06
>> >>  flags
>> >>
>> >> l2tpeth0 (2)
>> >>  port id 8002 state     forwarding
>> >>  designated root 8000.005056a7134a path cost 100
>> >>  designated bridge 8000.005056a7134a message age timer   0.00
>> >>  designated port 8002 forward delay timer   0.00
>> >>  designated cost   0 hold timer   0.05
>> >>  flags
>> >>
>> >> root@bahia:~#
>> >>
>> >> it's ok, my bridge "br-red" listens to all traffic over my LAN (vlan 601)
>> >> and my L2TPv3 over the internet (WAN).
>> >>
>> >> root@bahia:~#  tcpdump -nve -i br-red "host 10.251.0.1"
>> >> tcpdump: WARNING: br-red: no IPv4 address assigned
>> >> tcpdump: listening on br-red, link-type EN10MB (Ethernet), capture size 65535 bytes
>> >> 20:58:17.860060 d4:ae:52:84:37:ae > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.90.157 tell 10.251.0.1, length 46
>> >> 20:58:17.980065 d4:ae:52:84:37:ae > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.153.31 tell 10.251.0.1, length 46
>> >> ^C
>> >> 7 packets captured
>> >> 7 packets received by filter
>> >> 0 packets dropped by kernel
>> >> root@bahia:~#
>> >>
>> >>
>> >>
>> >> +-----------------------------------------------------------+
>> >> | SERVER B (BRIDGE/L2TPv3 + WIRELESS ACCESS POINT) - RECIFE |
>> >> +-----------------------------------------------------------+
>> >>
>> >> root@recife:~# ip addr show eth1 # (WAN)
>> >> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
>> >>     link/ether a0:f3:c1:a3:c4:11 brd ff:ff:ff:ff:ff:ff
>> >>     inet 200.199.10.12/21 brd 200.199.10.255 scope global eth1
>> >>        valid_lft forever preferred_lft forever
>> >>     inet6 fe80::a2f3:c1ff:fea3:c411/64 scope link
>> >>        valid_lft forever preferred_lft forever
>> >> root@recife:~# ip route show
>> >> default via 200.199.10.254 dev eth1  proto static
>> >> 200.199.10.0/21 dev eth1  proto kernel  scope link  src 200.199.10.12
>> >> 192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1
>> >> root@recife:~# ip l2tp add tunnel tunnel_id 42 peer_tunnel_id 45 udp_sport 5000 udp_dport 5001 encap udp local 200.199.10.12 remote 200.243.1.5
>> >> root@recife:~# ip l2tp add session tunnel_id 42 session_id 128 peer_session_id 5196755
>> >> root@recife:~# ip link set dev l2tpeth0 up promisc on master br-red
>> >> root@recife:~# brctl show
>> >> bridge name     bridge id               STP enabled     interfaces
>> >> br-lan          7fff.a0f3c1a3c40f       no              eth0
>> >> root@recife:~# brctl addbr br-red
>> >> root@recife:~# brctl addif br-red l2tpeth0
>> >> root@recife:~# brctl addif br-red wlan0
>> >> root@recife:~# ifconfig br-red up
>> >> root@recife:~# ip link set br-red up
>> >> root@recife:~# brctl show
>> >> bridge name     bridge id               STP enabled     interfaces
>> >> br-lan          7fff.a0f3c1a3c40f       no              eth0
>> >> br-red          8000.1ae0f4a30221       no              l2tpeth0
>> >>                                                         wlan0
>> >> root@recife:~#
>> >>
>> >> ....::: SUMMARY :::...
>> >>
>> >> 1) sorry for the long email....
>> >> 2) when I'm at the "recife hotspot"... I can join the wireless "Recife Wireless"
>> >> from my device, but I can't receive an IP from DHCP (10.60.61.1).
>> >> 3) from "server A [bahia]" (bridge with the vlan601 network) and "server B
>> >> [recife]", I can "see/listen" to the broadcast request from my
>> >> device MAC "5c:95:ae:22:d6:6e" like below.
>> >>
>> >> root@bahia:~# tcpdump -nve -i br-red "ether host 5c:95:ae:22:d6:6e"
>> >> 00:08:52.653667 5c:95:ae:22:d6:6e > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 255, id 37839, offset 0, flags [none], proto UDP (17), length 328)
>> >>     0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 5c:95:ae:22:d6:6e, length 300, xid 0xe6f1d0a5, Flags [none]
>> >>           Client-Ethernet-Address 5c:95:ae:22:d6:6e
>> >>           Vendor-rfc1048 Extensions
>> >>             Magic Cookie 0x63825363
>> >>             DHCP-Message Option 53, length 1: Discover
>> >>             Parameter-Request Option 55, length 6:
>> >>               Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
>> >>               Option 119, Option 252
>> >>             MSZ Option 57, length 2: 1500
>> >>             Client-ID Option 61, length 7: ether 5c:95:ae:22:d6:6e
>> >>             Lease-Time Option 51, length 4: 7776000
>> >>             Hostname Option 12, length 14: "Straces-iPhone"
>> >> ^C
>> >> 1 packets captured
>> >> 1 packets received by filter
>> >> root@bahia:~#
>> >>
>> >> same result at the "bridge a" (root@recife:~#) side...
>> >>
>> >> 4) the strangest thing of all is that, from bridge-b (recife), I can get an
>> >> IP from the DHCP/broadcast request over L2TPv3...
>> >> but without the option "broadcast" I can't receive an IP from DHCP
>> >> (10.61.60.1)
>> >>
>> >> root@recife:~# udhcpc -B -i br-red
>> >> udhcpc (v1.19.4) started
>> >> Sending discover...
>> >> Sending select for 10.251.157.22...
>> >> Lease of 10.251.157.22 obtained, lease time 300
>> >> udhcpc: ifconfig br-red 10.251.157.22 netmask 255.255.0.0 broadcast +
>> >> udhcpc: setting default routers: 10.251.0.1
>> >> root@recife:~# ip route add 200.243.1.5 via 200.199.10.254 dev eth1
>> >> root@recife:~# ip route show
>> >> default via 10.251.0.1 dev br-red
>> >> 10.251.0.0/16 dev br-red  proto kernel  scope link  src 10.251.157.22
>> >> 200.199.10.0/21 dev eth1  proto kernel  scope link  src 200.199.10.12
>> >> 200.243.1.5 via 200.199.10.254 dev eth1
>> >> 192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1
>> >> root@recife:~# ping -c2 10.251.0.1
>> >> PING 10.251.0.1 (10.251.0.1): 56 data bytes
>> >>
>> >> --- 10.251.0.1 ping statistics ---
>> >> 2 packets transmitted, 0 packets received, 100% packet loss
>> >> root@recife:~#
>> >>
>> >> 5) output of tcpdump listening on the bridge "br-red", request from
>> >> bridge-a-natal http://pastebin.com/t8wn3zRK
>> >> 6) output of tcpdump listening on the bridge "br-red", request from
>> >> bridge-b-recife http://pastebin.com/njTQfd5k
>> >> 7) after several searches I found the kernel options to set like
>> >> "arp_filter", "bridge-nf-*",... but I have no
>> >> idea which option should be enabled / disabled. tried some combinations but
>> >> without success....
>> >> 8) the DHCP-OFFER isn't forwarded by "bridge-a"...  problems with unicast?
>> >> multicast? arp_proxy? ....
>> >> 9) we need to join the network by wireless and access the server
>> >> 10.251.0.1 over bridge/l2tpv3 (unmanaged)
>> >> 10) in our case, we can use only L2TPv3. (may not be OpenVPN, ...)
>> >> 11) all is Linux, without any iptables rules.
>> >> 12) who will win a beer?! =]
>> >>
>> >> Best regards,
>> >> Jorge Pereira
>> >
>> >
>
>
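Added example (not part of the thread above, and not code from either poster): a POSIX sh helper that works out the MTU a bridged L2TPv3 pseudowire of this kind can carry, checks a bridge for mismatched port MTUs (Joel's point), and prints a bring-up for one side. The l2tpeth default of 1488 that Jorge mentions is 1500 minus the 12-byte L2TPv3-over-UDP session header; it does not account for the outer IPv4 (20) and UDP (8) headers on the WAN, nor for the 14-byte Ethernet header of the bridged frame, so a full-size 1500-byte IP packet from a LAN host leaves as a 1542-byte WAN packet and is fragmented or dropped on the path. The printed bring-up also adds the ip-l2tp `cookie` / `peer_cookie` values (RFC 3931's spoofing check, not encryption; L2TPv3 frames cross the Internet in the clear): with no cookie and no iptables rules, as in this setup, any host that can reach the UDP port and guesses the session ID can inject Ethernet frames straight into vlan601. Interface names and the addresses/ports in the usage line are the thread's (bahia side); the two 8-byte cookies are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: MTU budget and bring-up helper for an
# Ethernet bridge spanning an L2TPv3 (ip l2tp) pseudowire.
#
# Header sizes used below (RFC 3931 / Linux l2tp_core):
#   L2TPv3 session header = 4 (session ID)
#                         + 4 (flags/version word, UDP encapsulation only)
#                         + cookie (0, 4 or 8 bytes)
#                         + 4 (L2-specific sublayer, l2spec_type default)
# The kernel's l2tpeth default MTU (1488) is 1500 minus this 12-byte header
# for the UDP / no-cookie / default-l2spec case; it ignores the outer IP and
# UDP headers and the bridged frame's own Ethernet header.

# l2tp_hdr_len ENCAP COOKIE_BYTES L2SPEC
#   ENCAP: udp|ip   COOKIE_BYTES: 0|4|8   L2SPEC: default|none
l2tp_hdr_len() {
    len=4
    [ "$1" = udp ] && len=$((len + 4))
    len=$((len + $2))
    [ "$3" = default ] && len=$((len + 4))
    echo "$len"
}

# l2tp_inner_mtu WAN_MTU IPVER ENCAP COOKIE_BYTES L2SPEC
# Largest IP packet a bridged LAN host may send so that the encapsulated
# frame (inner 14-byte Ethernet header included) fits WAN_MTU unfragmented.
l2tp_inner_mtu() {
    case $2 in 4) ip_hdr=20 ;; 6) ip_hdr=40 ;; *) return 1 ;; esac
    udp_hdr=0
    [ "$3" = udp ] && udp_hdr=8
    echo $(( $1 - ip_hdr - udp_hdr - $(l2tp_hdr_len "$3" "$4" "$5") - 14 ))
}

# bridge_mtu_check BRIDGE
# Prints "port mtu" for each port of BRIDGE (via `ip -o link show master`)
# and returns 1 if the ports do not all share one MTU. Needs a live bridge.
bridge_mtu_check() {
    ip -o link show master "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i == "mtu") {
              sub(":", "", $2); print $2, $(i + 1); seen[$(i + 1)] = 1 } }
        END { n = 0; for (m in seen) n++; exit (n > 1) }'
}

# l2tp_bridge_up LOCAL REMOTE SPORT DPORT TID PTID SID PSID COOKIE PEER_COOKIE
# Prints (does not run) one side's bring-up: tunnel, session with cookies,
# the same MTU on every bridge port, then the bridge. Interface names
# br-red / eth1.601 / l2tpeth0 are the thread's; mirror the values on the peer.
l2tp_bridge_up() {
    mtu=$(l2tp_inner_mtu 1500 4 udp 8 default)   # 1438 with 8-byte cookies
    cat <<EOF
ip l2tp add tunnel tunnel_id $5 peer_tunnel_id $6 encap udp udp_sport $3 udp_dport $4 local $1 remote $2
ip l2tp add session tunnel_id $5 session_id $7 peer_session_id $8 cookie $9 peer_cookie ${10}
ip link set eth1.601 mtu $mtu
ip link set l2tpeth0 mtu $mtu
ip link set l2tpeth0 up master br-red
ip link set br-red up
EOF
}

# Usage: bahia side's addresses and ports from the thread, placeholder cookies
# (the peer uses the same two cookies swapped and the ports/IDs mirrored).
l2tp_bridge_up 200.243.1.5 200.199.10.12 5001 5000 45 42 5196755 128 \
    0011223344556677 8899aabbccddeeff
```

`bridge_mtu_check br-red` on each end lists the port MTUs and fails if they differ. Lowering the port MTUs only stops the bridge from forwarding oversize frames out of the tunnel port; the LAN hosts behind the bridge still have to be told the smaller value (DHCP option 26, Interface MTU, is the usual way), otherwise they keep sending 1500-byte packets that never fit.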