Hello,

Try to solve each of the problems at a time. One question - does squid have internet connection on nonbridged interface with dedicated IP address?

>On a bridge setup, I want to filter http traffic transparently through
>Squid. br0 bridge is between eth0 and eth1.
>In the bridged traffic there are some tagged VLANs.
>When I run tcpdump on br0 I see all the traffic from VLANs. At this
>point a DNAT (VLAN10Subnet - Any - http => Original - LocalIP -
>8080) does not work.

What does `cat /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged` show? It should be set to 1 if you want tagged traffic to pass iptables.

You can set this value in runtime by issuing:

echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged

or more permanently by adding

net.bridge.bridge-nf-filter-vlan-tagged=1

to /etc/sysctl.conf

Anyway you still need to have the route to client as I wrote below.

>I think the problem is not having any IP on br0.26 from VLAN10Subnet.
>Because the whole C class is divided into subnets of 255.252 having 2
>usable IP address and both are used. Do you have any other idea on
>identifying the problem?

One thing is missing for sure. Let's assume you have 10.0.0.0/30 subnet on vlan 26. You should add on your bridge such route:

ip route add 10.0.0.0/30 dev br0.26

This way bridge knows where to send replies to clients (subnet 10.0.0.0/30 available directly on br0.26 interface).

Hope that helps.

Best regards,
Marek Kierdelewicz
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
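The reply above names three prerequisites for transparently redirecting VLAN-tagged HTTP through Squid on a bridge: the bridge-nf-filter-vlan-tagged sysctl must be 1, the client subnet needs a route on the VLAN sub-interface, and a nat PREROUTING rule must send port 80 to the proxy port. The script below is an added example, not code from the thread or from any of its participants; it checks all three against the live system and reports which one is missing. It assumes the values quoted in the thread (VLAN sub-interface br0.26, client subnet 10.0.0.0/30, Squid on port 8080) and the output formats of `ip route show` and `iptables -t nat -S PREROUTING`; the script name check-bridge-proxy.sh is a hypothetical name chosen here.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify the prerequisites
# for transparent Squid on a VLAN-tagged Linux bridge.
# Assumed values, taken from the thread: br0.26 carries 10.0.0.0/30 and
# Squid listens on 8080. The script name below is a hypothetical choice.

SYSCTL_FILE=/proc/sys/net/bridge/bridge-nf-filter-vlan-tagged

# vlan_filter_enabled FILE
# Returns 0 when FILE contains "1" (tagged frames traverse iptables),
# 1 when it holds another value, 2 when the file is unreadable
# (bridge netfilter not loaded).
vlan_filter_enabled() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = "1" ]
}

# has_route SUBNET DEV
# Reads `ip route show` output on stdin; returns 0 if a line starts with
# "SUBNET dev DEV", i.e. replies to SUBNET have a path out of DEV.
has_route() {
    grep -Eq "^$1 dev $2([[:space:]]|\$)"
}

# has_redirect SUBNET PORT
# Reads `iptables -t nat -S PREROUTING` output on stdin; returns 0 if some
# rule matches "-s SUBNET", destination port 80, and either
# "REDIRECT --to-ports PORT" or "DNAT --to-destination <ip>:PORT".
# The subnet is matched as a fixed string so the dots are not wildcards.
has_redirect() {
    grep -F -- "-s $1 " |
        grep -E -- "--dport 80( |\$)" |
        grep -Eq -- "(REDIRECT --to-ports |DNAT --to-destination [^ ]*:)$2(\$| )"
}

# check_bridge_proxy SUBNET VLANDEV PORT
# Runs the three checks against the running system and prints what is
# missing. Returns 0 only when every prerequisite is satisfied.
check_bridge_proxy() {
    rc=0
    if ! vlan_filter_enabled "$SYSCTL_FILE"; then
        echo "MISSING: $SYSCTL_FILE is not 1 (tagged frames bypass iptables)"
        rc=1
    fi
    if ! ip route show | has_route "$1" "$2"; then
        echo "MISSING: route '$1 dev $2' (no path for replies to clients)"
        rc=1
    fi
    if ! iptables -t nat -S PREROUTING | has_redirect "$1" "$3"; then
        echo "MISSING: nat PREROUTING rule sending $1 port 80 to :$3"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: all transparent-proxy prerequisites present"
    return "$rc"
}

# Only touch the live system when run as the script itself (hypothetical name).
if [ "${0##*/}" = "check-bridge-proxy.sh" ]; then
    check_bridge_proxy 10.0.0.0/30 br0.26 8080
fi
```

Run it as root on the bridge host after applying the sysctl, route and nat rule from the reply; a non-zero exit with a MISSING line points at the prerequisite still absent. The three helper functions read their input from stdin, so they can also be pointed at saved `ip route show` and `iptables -S` output when diagnosing a remote box.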