Unfortunately no. The problem you have unfortunately requires you to use two physical untagged interfaces, according to every test I've done in the past.

The only thing I've found related, but not exactly what you are doing, is this from http://ebtables.netfilter.org/misc/brnf-faq.html, but on the surface it is almost the opposite of what you want to do, though it may work. You could try then adding the base interface and the vlan interface to the bridge; I haven't tested it so I cannot be sure. Also, what this means is that the 3rd vlan you don't want to bridge may need special handling as well.

Quote from http://ebtables.netfilter.org/misc/brnf-faq.html:

"How do I let vlan-tagged traffic go through a vlan bridge port and the other traffic through a non-vlan bridge port?

Suppose eth0 and eth0.15 are ports of br0. Without countermeasures all traffic, including traffic vlan-tagged with tag 15, entering the physical device eth0 will go through the bridge port eth0. To make the 15-tagged traffic go through the eth0.15 bridge port, use the following ebtables rule:

    ebtables -t broute -A BROUTING -i eth0 --vlan-id 15 -j DROP

With the above rule, 15-tagged traffic will enter the bridge on the physical device eth0, will then be brouted and enter the bridge port eth0.15, the vlan header will be stripped, after which the packet is bridged. The packet thus enters the BROUTING chain twice, the first time with input device eth0 and the second time with input device eth0.15. The other chains are only traversed once. All other traffic will be bridged with input device eth0."

That said, I still think you will need to split the traffic across 2 physical interfaces to make this work, and I think it needs a reverse matching rule to make the communications work in both directions.

On Mon, Dec 22, 2014 at 10:24 AM, Tim Nelson <tnelson@xxxxxxxxxxxxx> wrote:
> ----- Original Message -----
>> I get the scenario but not the why. Is it a subset of specific things
>> you need to do a layer 2 bridge for or do you need it for something
>> else.
>>
>> For example I have a firewall where I need to forward broadcast
>> (255.255.255.255,xxx.xxx.xxx.255) messages between different segments
>> in the network. Most people would think of bridging for this but I did
>> something completely different involving setting both interfaces to a
>> /32, adding a static route for each subnet, adding a static arp table
>> entry on each interface for the broadcast IP addresses mapped to the
>> broadcast mac addresses then simple iptables rules.
>>
>
> Greetings Paul-
>
> I believe you mentioned this previously. While the mechanism is 'different', does the end result still operate the same, allowing a device on one interface to have an IP from the other interface, and still operate as though a bridge was in place?
>
> Thank you,
>
> --Tim
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
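A constructed model of the BROUTING decision the FAQ quoted above describes, added here for illustration and not code from the thread or from ebtables itself: it parses the 802.1Q header of a raw frame, applies the single `-i eth0 --vlan-id 15 -j DROP` rule (DROP in the broute table means "route", i.e. hand the frame to the vlan device), and traces the two passes through the chain. The frames, MAC addresses and device names are made up.

```python
import struct

ETHERTYPE_8021Q = 0x8100

def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id_or_None, ethertype, payload) for a raw Ethernet frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == ETHERTYPE_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner_type, frame[18:]   # VID is the low 12 bits of TCI
    return dst, src, None, ethertype, frame[14:]

def strip_vlan(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q header, as happens when the frame enters eth0.15."""
    return frame[:12] + frame[16:]

# Constructed model of the one rule from the FAQ:
#   ebtables -t broute -A BROUTING -i eth0 --vlan-id 15 -j DROP
# In the broute table DROP means "route" (pass to the upper device) and ACCEPT means "bridge".
BROUTING_RULES = [{"in": "eth0", "vlan_id": 15, "target": "DROP"}]

def brouting_verdict(in_dev: str, vlan_id):
    for rule in BROUTING_RULES:
        if rule["in"] == in_dev and rule["vlan_id"] == vlan_id:
            return rule["target"]
    return "ACCEPT"   # chain policy: bridge

def ingress_path(frame: bytes, in_dev: str = "eth0"):
    """Trace a frame through BROUTING; returns a list of (input device, action)."""
    _, _, vid, _, _ = parse_frame(frame)
    if brouting_verdict(in_dev, vid) == "ACCEPT":
        return [(in_dev, "bridged")]          # single traversal, tag left intact
    path = [(in_dev, "brouted")]
    # Second traversal: the frame re-enters on the vlan device with the tag stripped.
    vlan_dev = f"{in_dev}.{vid}"
    _, _, vid2, _, _ = parse_frame(strip_vlan(frame))
    verdict2 = brouting_verdict(vlan_dev, vid2)
    path.append((vlan_dev, "bridged" if verdict2 == "ACCEPT" else "brouted"))
    return path

def build_frame(vlan_id=None, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed test frame: broadcast dst, made-up src, optional 802.1Q tag."""
    dst = b"\xff" * 6
    src = bytes.fromhex("0200000000aa")
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id, ethertype) + payload
```

Note the second pass never matches the rule because the input device is now eth0.15 and the tag is gone, which is why the FAQ says the other chains are traversed only once.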