Re: brouting different VLANs

2013/3/4 Humberto Jucá <betolj@xxxxxxxxx>:
> Hi,
>
> I'm not sure if I understand right.
> This configuration is not very common and I've never tried something like this.
> ARP traffic through the bridge will not work because the VLANs are
> different, but with proxy-arp your firewall becomes an ARP router - it
> can work.
>
> ebtables -t broute -A BROUTING -i bond0.10 -j DROP
> ebtables -t broute -A BROUTING -i bond0.20 -j DROP
>
> echo 0 > /proc/sys/net/ipv4/conf/bond0.10/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/bond0.20/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
>
> echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp
>
> I chose the br0 interface (proxy_arp), because the logical
> configuration of the network is defined in br0.
> I don't know if it works!
>
>

Hi,

If I broute all packets (including ARP) then I get the following results:

1. Customer1 sends an echo-request from 10.0.0.10 to 8.8.8.8.
2. The Linux router receives this ping on eth0, which hands it to bond0,
which recognizes the vlan10 tag and hands it to bond0.10, which broutes
it to br0.
3. Then the router sends an arp who-has with customer1's MAC address from
the br0 interface, which hands it to both bridge ports bond0.10 and
bond0.20, which tag it with their respective vlan tags and hand it to
bond0, which hands it to eth0, which sends it out on the wire.
4. The customer replies with an arp reply is-at carrying his MAC address.
5. The Linux router receives this arp reply on eth0, which hands it to
bond0, which recognizes the vlan10 tag and hands it to bond0.10. However,
my arp reply doesn't go up to br0 from here.

After I add this rule:
ebtables -t broute -A BROUTING -p ! arp -i bond0.10 -j DROP

now the arp reply goes up to br0 and I can see customer1's MAC in the ip
neighbour table. Now the internet works fine.

You say my config is something unusual? After a few days of reading
manuals and then trial and error, this is how I've managed to connect
customer1 to the internet.



-- 
Dovydas Sankauskas
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
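The complete setup the thread arrives at, as an added example (not the poster's own script, and not from the netfilter project): the broute rule that exempts ARP, the rp_filter and proxy_arp knobs from the quoted reply, and one caveat neither message mentions. In the broute table DROP means "route this frame" and ACCEPT (the default) means "bridge it", so once ARP is excluded from the DROP rule, ARP frames from bond0.10 are bridged, and a broadcast who-has from customer1 is flooded out bond0.20 as well. The script therefore adds ebtables filter FORWARD rules between the customer ports so tenants cannot see or answer each other's ARP. The interface names br0, bond0.10 and bond0.20 are taken from the thread; the script only prints the commands unless invoked with "apply".

```shell
#!/bin/sh
# Added example (not the poster's script): set up the "route everything
# except ARP" scheme from the thread on a Linux box where br0 bridges the
# customer VLAN sub-interfaces bond0.10 and bond0.20. Interface names are
# assumptions taken from the thread. Run as
#   sh vlan-broute.sh apply
# to execute; without "apply" the script only prints what it would run.

BRIDGE=br0
CUSTOMER_PORTS="bond0.10 bond0.20"
MODE=dry

# Execute a command line in apply mode, print it otherwise.
run() {
    if [ "$MODE" = apply ]; then
        eval "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Per-port rules. In the broute table DROP means "hand the frame to the IP
# stack on this port instead of bridging it"; ACCEPT (the default) means
# "bridge it". Exempting ARP lets ARP replies reach br0 via the bridge,
# which is what made the neighbour entry appear in the thread.
customer_port_rules() {
    port=$1
    run "ebtables -t broute -A BROUTING -p ! arp -i $port -j DROP"
    run "echo 0 > /proc/sys/net/ipv4/conf/$port/rp_filter"
}

# Bridge-level settings from the quoted reply: the IP configuration lives on
# br0, so proxy_arp goes there and reverse-path filtering is switched off.
bridge_rules() {
    run "echo 0 > /proc/sys/net/ipv4/conf/$BRIDGE/rp_filter"
    run "echo 1 > /proc/sys/net/ipv4/conf/$BRIDGE/proxy_arp"
}

# Caveat the thread does not cover: once ARP is exempted from brouting it is
# bridged like any other frame, so customer1's broadcast ARP is flooded out
# bond0.20 and vice versa. Drop frames forwarded between customer ports so
# that tenants cannot see or answer each other's ARP.
isolation_rules() {
    for in_port in $CUSTOMER_PORTS; do
        for out_port in $CUSTOMER_PORTS; do
            if [ "$in_port" = "$out_port" ]; then
                continue
            fi
            run "ebtables -t filter -A FORWARD -i $in_port -o $out_port -j DROP"
        done
    done
}

main() {
    MODE=${1:-dry}
    bridge_rules
    for port in $CUSTOMER_PORTS; do
        customer_port_rules "$port"
    done
    isolation_rules
}

main "$@"
```

Run it once without arguments and read the printed rule set before running it with "apply"; the FORWARD drops only matter for ARP, since every other frame on a customer port is already diverted to the IP stack by the BROUTING rule.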

