2013/3/4 Dovydas Sankauskas <laisve@xxxxxxxxx>:
> 2013/3/3 Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>:
>> Hello,
>>
>> Dovydas Sankauskas wrote:
>>> Hi,
>>>
>>> I am having some troubles with brouter setup.
>>
>> Why are you using brouting in this setup ?
>>
>>> I have customers on different VLANS but on the same subnet. I want to
>>> allow access between customers and to allow access to internet.
>>> Unfortunately I can't make customers on VLAN 10 to ping customers on
>>> VLAN 20. Both VLANS 10 and 20 are on the _same_subnet_ 10.0.0.0/24.
>>>
>>> Here is my current setup:
>>>
>>>                 INTERNET
>>>                     |
>>> +-----------+-------+----+----------+
>>> |           |    eth2    |          |
>>> |           | 1.2.3.4/30 |          |
>>> |           +------------+          |
>>> |                                   |
>>> |   +---------------------------+   |
>>> |   |            br0            |   |
>>> |   |        10.0.0.1/24        |   |
>>> |   +-------------+-------------+   |
>>> |   |  bond0.10   |  bond0.20   |   |
>>> |   |   vlan 10   |   vlan 20   |   |
>>> +---+-------------+-------------+---+
>>>         |                 |
>>>     10.0.0.10         10.0.0.20
>>>
>>>
>>> I have eth0 and eth1 bonded into bond0. On bond0 I have VLAN
>>> interfaces bond0.10 and bond0.20 for VLAN 10 and VLAN 20 respectively.
>>> These bond0.10 and bond0.20 interfaces are bridged into interface br0.
>>> br0 address 10.0.0.1 is default gateway IP for customer1 10.0.0.10/24
>>> on VLAN 10 and for customer2 10.0.0.20/24 on VLAN 20.
>>> eth2 is my internet facing interface. There is no NAT.
>>>
>>> Internet access for both customers is working just fine with the
>>> following ebtables rules:
>>> ebtables -A FORWARD -i bond0.10 -j DROP
>>> ebtables -A FORWARD -i bond0.20 -j DROP
>>> ebtables -t broute -A BROUTING -p ! arp -i bond0.10 -j DROP
>>> ebtables -t broute -A BROUTING -p ! arp -i bond0.20 -j DROP
>>>
>>> However I am struggling to enable access between customer 10.0.0.10
>>> and customer 10.0.0.20.
>>> Please can you advise?
>>
>> According to your ebtables rules, you drop all bridged traffic on
>> bond0.10 and bond0.20 and you force routing of all traffic except ARP on
>> these interfaces. Why is that so, and can you explain how local direct
>> communication between these VLANs would be possible ?
>
> I am trying to avoid bridging between VLAN 10 and VLAN 20 because I
> have a pair of redundant identical Linux boxes sharing a common IP via
> VRRP. I have blocked bridging because I want to avoid a Layer2 loop
> and a broadcast storm.
>
> I have a C class network for assigning IP addresses to my customers
> however the customers are connected via different VLANs. I don't own
> part of my Layer2 network, so Vlan numbers are assigned by my Layer2
> transport providers. I want customers on VLAN 10 to access customers
> on VLAN 20 and also to access internet. And to avoid Layer2 loop I
> want to use routing, not bridging. I believe this should be possible
> with proxy arp enabled on br0.
>
> My current commands allow customer1 and customer2 to access internet
> and also to access the gateway itself.
>
> Please can you help with the brouting logic to enable access between
> the customers?
>
> --
> Dovydas Sankauskas

Hi,

Just for the record. Here is the final config that worked for me:

ebtables -A FORWARD -i bond0.10 -j DROP
ebtables -A FORWARD -i bond0.20 -j DROP
ebtables -t broute -A BROUTING -p arp --arp-ip-dst ! 10.0.0.1 -i bond0.10 -j DROP
ebtables -t broute -A BROUTING -p arp --arp-ip-dst ! 10.0.0.1 -i bond0.20 -j DROP

Now customer1 in vlan 10 can ping customer2 in vlan 20 (via proxy_arp).
Also they can access the internet and the Linux router itself.

Thank you for your time.

--
Dovydas Sankauskas
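The final configuration above, written out as an added example (not from the thread or its author) that also builds the bond VLAN interfaces, the bridge and the proxy_arp setting the thread refers to but never shows. It prints the commands so the rule set can be inspected and checked without root; the proxy_arp sysctl on br0 and the ip_forward line are assumptions.

```shell
#!/bin/sh
# Added example: brouter setup from the thread as a generator script.
# Interface names, VLAN ids and 10.0.0.1/24 are the thread's; the
# proxy_arp interface (br0) and ip_forward are assumptions.
GW_IP=${GW_IP:-10.0.0.1}
GW_PREFIX=${GW_PREFIX:-24}
BOND=${BOND:-bond0}
VLANS=${VLANS:-"10 20"}

# Print the commands; run "BROUTER_APPLY=1 sh thisfile" as root to apply.
gen_brouter_config() {
    for v in $VLANS; do
        echo "ip link add link $BOND name $BOND.$v type vlan id $v"
        echo "ip link set $BOND.$v up"
    done
    echo "ip link add br0 type bridge"
    for v in $VLANS; do
        echo "ip link set $BOND.$v master br0"
    done
    echo "ip addr add $GW_IP/$GW_PREFIX dev br0"
    echo "ip link set br0 up"
    # Router answers ARP for the other customer's IP with its own MAC, so
    # inter-VLAN traffic is routed through br0 instead of bridged (assumed on br0).
    echo "sysctl -w net.ipv4.conf.br0.proxy_arp=1"
    echo "sysctl -w net.ipv4.ip_forward=1"
    for v in $VLANS; do
        # Never forward frames between the bridged VLANs (no L2 loop via the VRRP peer).
        echo "ebtables -A FORWARD -i $BOND.$v -j DROP"
        # In the broute table DROP means "route, do not bridge": only ARP for
        # the gateway IP itself is bridged; ARP for other hosts is never flooded.
        echo "ebtables -t broute -A BROUTING -p arp --arp-ip-dst ! $GW_IP -i $BOND.$v -j DROP"
    done
}

# Non-root sanity check: one FORWARD and one BROUTING rule per VLAN,
# and the BROUTING rules key on the gateway IP.
check_brouter_config() {
    out=$(gen_brouter_config)
    n_vl=0; for v in $VLANS; do n_vl=$((n_vl + 1)); done
    n_fwd=$(printf '%s\n' "$out" | grep -c 'ebtables -A FORWARD')
    n_br=$(printf '%s\n' "$out" | grep -c 'ebtables -t broute -A BROUTING')
    [ "$n_fwd" -eq "$n_vl" ] && [ "$n_br" -eq "$n_vl" ] \
        && printf '%s\n' "$out" | grep -q "arp-ip-dst ! $GW_IP"
}

if [ "${BROUTER_APPLY:-0}" = 1 ]; then gen_brouter_config | sh -e; else gen_brouter_config; fi
```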