Re: Transparent http filtering VLAN traffic without being a member of tagged VLANs

On Wed, Feb 17, 2010 at 10:55 PM, Marek Kierdelewicz <marek@xxxxxxxxx> wrote:
> Hello,
>
> Try to solve each of the problems at a time. One question - does squid
> have internet connection on nonbridged interface with dedicated
> IP address?
>

Sure. Tested.

>>On a bridge setup, I want to filter http traffic transparently through
>>Squid. br0 bridge is between eth0 and eth1.
>>In the bridged traffic there are some tagged VLANs.
>>When I run tcpdump on br0 I see all the traffic from VLANs. At this
>>point a DNAT (VLAN10Subnet - Any - http => Original - LocalIP -
>>8080) does not work.
>
> What does `cat /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged` show?
> It should be set to 1 if you want tagged traffic to pass iptables. You
> can set this value in runtime by issuing:
> echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged
> or more permanently by adding
> net.bridge.bridge-nf-filter-vlan-tagged=1 to /etc/sysctl.conf
>

It is already 1.

> Anyway you still need to have the route to client as I wrote below.
>
>>I think the problem is not having any IP on br0.26 from VLAN10Subnet.
>>Because the whole C class is divided into subnets of 255.252 having 2
>>usable IP address and both are used. Do you have any other idea on
>>identifying the problem?
>
> One thing is missing for sure. Lets assume you have 10.0.0.0/30 subnet
> on vlan 26. You should add on your bridge such route:
> ip route add 10.0.0.0/30 dev br0.26
>

This may be our problem. However ip route add returns
"SIOCADDRT: No such device"
while I see br0.26 in ifconfig output.

What about routing into not "dev br0.26" but to "dev br0"?

> This way bridge knows where to send replies to clients (subnet
> 10.0.0.0/30 available directly on br0.26 interface).
>
> Hope that helps.
>
> Best regards,
> Marek Kierdelewicz
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
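The pieces Marek lists (tagged frames passing through iptables, a VLAN sub-interface on the bridge, a route back to the client subnet, and the DNAT to the proxy) put together as one script. This is an added example, not code from either poster: the port names eth0/eth1, bridge br0, VLAN id 26, client subnet 10.0.0.0/30 and the proxy address 192.0.2.10:8080 are all assumptions, and DRY_RUN=1 only prints the commands so the plan can be reviewed before it touches a live bridge. One observation for the "SIOCADDRT: No such device" message: SIOCADDRT is the ioctl used by the net-tools `route` command, while iproute2's `ip route` speaks rtnetlink, so it is worth checking which binary actually ran.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a transparent-proxy bridge:
#   br0 = eth0 + eth1, VLAN 26 sub-interface on the bridge, bridge-nf
#   knobs on, route for the client subnet via br0.26, DNAT :80 -> proxy.
# Every name and address below is an assumption for illustration.
# DRY_RUN=1 prints commands instead of executing them.

BR=${BR:-br0}
PORTS=${PORTS:-"eth0 eth1"}
VID=${VID:-26}
CLIENT_NET=${CLIENT_NET:-10.0.0.0/30}
PROXY_IP=${PROXY_IP:-192.0.2.10}     # squid's address on the non-bridged NIC
PROXY_PORT=${PROXY_PORT:-8080}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_bridge() {
    run ip link add name "$BR" type bridge
    for p in $PORTS; do
        run ip link set "$p" master "$BR"
        run ip link set "$p" up
    done
    run ip link set "$BR" up
}

setup_vlan_subif() {
    # The sub-interface hangs off the bridge itself, so frames tagged with
    # VID that cross br0 appear untagged on br0.VID.
    run ip link add link "$BR" name "$BR.$VID" type vlan id "$VID"
    run ip link set "$BR.$VID" up
    # br0.VID carries no address (the /30 is full), so a plain device route
    # tells the kernel that replies to CLIENT_NET leave tagged via br0.VID.
    run ip route add "$CLIENT_NET" dev "$BR.$VID"
}

setup_netfilter() {
    # On current kernels br_netfilter is a module and must be loaded first.
    run modprobe br_netfilter
    # Bridged IPv4 must visit iptables at all, and tagged frames in particular.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.bridge.bridge-nf-filter-vlan-tagged=1
    # Rewrite client HTTP to the proxy listener; -i is the bridge, not a port.
    run iptables -t nat -A PREROUTING -i "$BR" -s "$CLIENT_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
}

check_bridge_nf() {
    # Exit status 0 when both knobs read 1 (the value the thread asks about).
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = 1 ] &&
    [ "$(cat /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged 2>/dev/null)" = 1 ]
}

main() {
    setup_bridge
    setup_vlan_subif
    setup_netfilter
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    main
fi
```

Preview with `DRY_RUN=1 RUN_SETUP=1 sh bridge-proxy.sh`, then apply with `RUN_SETUP=1 sh bridge-proxy.sh` as root. On the question raised in the reply, routing the client subnet via `dev br0` instead of `dev br0.26` would make the kernel emit the replies untagged, which hosts on VLAN 26 never receive, so the route has to name the VLAN sub-interface.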