LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   How to route IP packets between ethernet bridges? (https://www.linuxquestions.org/questions/linux-networking-3/how-to-route-ip-packets-between-ethernet-bridges-725543/)

GeorgeS069 05-12-2009 05:33 PM

How to route IP packets between ethernet bridges?
 
Hello everyone,
I currently have a DSL connection with Speakeasy that I use to run a few HTTP servers and e-mail for a few domains. In addition to the DSL line, I am now adding a Verizon FiOS connection that I would like to run through the same system I have set up as an ethernet bridge/firewall for my Speakeasy connection, so here is the big question.
Would I be able to route packets that would normally go out to the FiOS connection and then come back through the Speakeasy connection and have them hop over to the other ethernet bridge?
In other words, I would have two bridging devices consisting of 2 NICs each, and I don't want the packets destined for my "other" LAN to go out on the net but, instead, just jump to the other bridge device.

If this is really confusing I will see if I can draw some sort of diagram.

Thank you to anyone who can help!!!

George

bhaslinux 05-13-2009 04:14 AM

Yes! It is confusing.
But all I can say is that having proper routing table entries will solve your problem at the router side.
Also, bridging is at layer 2 and you are talking of packets at layer 3.
Can you please explain more?

GeorgeS069 05-13-2009 12:17 PM

I am working on a diagram and I will post that when I'm done later today but, for now, I will try to explain better:

I have a Debian Lenny system with an ethernet bridge (br0) that carries my Speakeasy DSL line and runs iptables for the firewall.
What I would like to do is add another ethernet bridge (br1) to that machine that will carry my new Verizon FiOS line and also be firewalled by iptables. Now here is where it gets complicated... I want the packets from the PCs on the new FiOS line to jump from the new bridge (br1) to the original bridge (br0) instead of routing out to the internet and coming back in through the DSL line, and of course I want the same for the PCs on the DSL line (br0) to jump to the PCs on the FiOS line (br1).

On a side note, are there any suggestions on what NICs I should use for the router/bridges?

bhaslinux 05-14-2009 04:30 AM

If I am understanding this right:
You want the incoming packets to still come into the eth2 of br1, but you want outgoing packets to go to eth1 or br0 only.

1. The routing from 192.168.1.0 to 192.168.2.0 is automatically done if you enable IP forwarding. Just make sure that for the 1.0 network you specify the gateway as the br0 IP and for 2.0 it is the br1 IP.
echo 1 > /proc/sys/net/ipv4/ip_forward (as root)
[ I think this is all you wanted. ]

2. If you want the 2.0 network to reach the internet via br0 instead of br1, you can just add the default route as the br0 IP in the Debian machine and enable NAPT:
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE (as root)
This will take care of always sending packets via br0.

GeorgeS069 05-14-2009 08:39 AM

No, unfortunately that is not what I want, and I do apologize for this being so confusing.

What I want is to have packets that originate at the WinXP machines and are destined for the Debian servers to go directly to the Debian servers across the bridges instead of routing out through the Verizon line and back in through the Speakeasy line.
And of course I want that to work in reverse also. Packets originating at the Debian servers and destined for the WinXP machines should go directly to the WinXP machines across the bridges instead of out through the Speakeasy line and back in through the Verizon line.

I guess the best way to explain it is this: I want my LOCAL packets to stay LOCAL. I don't want to use up bandwidth on both of my lines to get an email from a server 2 feet away from me.

I'm fairly certain this can be done with IPtables and I do have a small amount of experience with IPtables so it shouldn't be too difficult once someone sets me on the right course. :D

baldy3105 05-21-2009 04:52 AM

You can configure a bridge interface with an IP address i.e. "ifconfig br0 10.0.3.129 up". If you give each bridge interface an IP address and your Linux box has forwarding enabled, then LAN 1 should route to LAN 2.

You can consider a bridge interface as a virtual interface that bridges between two nics. Once created it is just another interface and can be assigned an IP and routes in the same way as say eth0.

You need to consider how you want the routing to work. The easiest method would be to keep the local router as default gateway for your hosts, and configure a specific 192.168.x.0 route on the DSL router pointing back to the appropriate bridge interface IP.

Otherwise you either need each host on LAN 1 and 2 to have a default-route via the local DSL connection and a specific route to the other LAN via the associated bridge interface IP, or you could point the LAN hosts to the bridge interface IP as default-gateway and a default route on your linux host via the DSL.

GeorgeS069 05-22-2009 03:30 PM

Thank you Very Much Baldy!!

I'm going to try to set this up tomorrow if I can get my wife to log off DDO for a few hours :)

The box does have forwarding enabled and it's bridging the DSL line now with IPtables for a firewall for the whole LAN so now I just need to add another bridge for the FiOS and get the routes set.

I've got real IPs for the DSL and that bridge interface does have a real IP, so I am thinking that I just need another bridge set up for the FiOS with a 192.168.*.* IP (my FiOS doesn't have real addresses yet) for that bridge, then just use route for the crossovers and then set up iptables for the new addresses.

GeorgeS069 06-03-2009 02:58 PM

Well, I managed to get both bridges up and working and now I have this for my routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br1
66.92.xxx.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br1
0.0.0.0         66.92.xxx.1     0.0.0.0         UG    0      0        0 br0

So what would I need now to get them routing between the bridges?
Something like route add -net 66.92.xxx.0 netmask 255.255.255.0 dev br0 ?

Thanks again for all your help with this!!

baldy3105 06-04-2009 05:05 PM

You need to enable IP forwarding: 'echo 1 > /proc/sys/net/ipv4/ip_forward'.
How you enable it permanently depends on your distro.
You need to make sure that you have no firewall blocking your intended traffic.
You need your hosts in each IP network to be configured with a default gateway of the respective br IP address.
You don't need to add a route for two networks on the same router to talk to each other; they are both "connected" routes.
You need a route to get to any network that is not directly connected to your router.
You need a default route 0.0.0.0 to define where traffic to any network not specified explicitly should be sent.
You should not have a default route pointing in two directions. The router will either only use the first one configured, or it will try to load balance, sending the first packet one way and the next packet the other way.
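A small check script for the points above, written for this thread as an added example (not code from any poster): it reads `route -n` output and reports more than one default route or a bridge without a connected network. The two sample tables are constructed from the ones posted in this thread, with the masked "xxx" octets kept as-is.

```shell
#!/bin/sh
# Routing-table checks for a Linux box that routes between two bridges (br0, br1).
# The awk filters read `route -n` output on stdin; `route -n` itself is not run here.

# Number of default routes: Destination 0.0.0.0 with Genmask 0.0.0.0.
count_default_routes() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { n++ } END { print n + 0 }'
}

# Bridge interfaces that own a directly connected network (Gateway 0.0.0.0).
connected_bridges() {
    awk '$1 != "0.0.0.0" && $2 == "0.0.0.0" && $NF ~ /^br[0-9]+$/ { print $NF }' \
        | sort -u | tr '\n' ' '
}

# Verdict for the table passed as $1: prints "ok" (status 0) when there is exactly
# one default route and both br0 and br1 carry a connected network, so LAN1<->LAN2
# needs no extra route; otherwise prints the reason and returns 1.
check_table() {
    ndef=$(printf '%s\n' "$1" | count_default_routes)
    conn=$(printf '%s\n' "$1" | connected_bridges)
    if [ "$ndef" -eq 0 ]; then echo "no default route"; return 1; fi
    if [ "$ndef" -gt 1 ]; then echo "$ndef default routes (keep only one)"; return 1; fi
    for br in br0 br1; do
        case " $conn " in
            *" $br "*) ;;
            *) echo "no connected network on $br"; return 1 ;;
        esac
    done
    echo ok
}

# Constructed sample: the first table posted here, with a default route on each bridge.
TABLE_TWO_DEFAULTS='Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
66.92.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 br1
0.0.0.0 66.92.xxx.1 0.0.0.0 UG 0 0 0 br0'

# Constructed sample: the same box with a single default route via br0.
TABLE_ONE_DEFAULT='Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
66.92.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
0.0.0.0 66.92.xxx.1 0.0.0.0 UG 0 0 0 br0'

for t in "$TABLE_TWO_DEFAULTS" "$TABLE_ONE_DEFAULT"; do
    check_table "$t" || :   # a non-zero status only means "needs fixing"
done
```

On the live box, `route -n | check_table "$(cat)"` applies the same checks to the real table; the firewall and ip_forward points still need to be checked separately.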

GeorgeS069 06-06-2009 10:10 AM

Hi Baldy and thank you again for your help!

I think I've made some progress on this. Here is my current bridge configuration....

bridge name     bridge id               STP enabled     interfaces
br0             8000.001320a14e34       yes             eth0
                                                        eth1
br1             8000.0018e708b5fd       yes             eth2
                                                        eth3
and the current routing table is.....

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br1
66.92.xxx.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         66.92.xxx.1     0.0.0.0         UG    0      0        0 br0

Does this all look sensible to you? Would a copy/paste of the output from an "ifconfig" be helpful also?

When I have this finished should I be able to do a "tracert" from a host on the FiOS connection and only have 1 or 2 hops to a host on the Speakeasy connection?

baldy3105 06-06-2009 02:48 PM

Correct, they should talk directly. Only it's not quite right, because a router can only have one default route. (Well, you can use policy routing, but that gets messy.)

If your hosts all use the br interfaces Linux Box as their ip default gateway, then LAN 1 will talk to LAN2 directly via the linux box as you wanted, but LAN 1 and LAN2 internet traffic will all follow the same path out, which is the Linux box's default-route.

Re-reading your post, I think you want LAN 1 hosts to use the Speakeasy DSL and the LAN2 hosts to use the Verizon DSL, but also have them talk to each other, and you may need to rejig things slightly.

The other way to arrange it is that the DSL routers are the default gateway for their respective LANs; you then add a static route to LAN2 on the Speakeasy DSL router with the br0 interface as next-hop.

You then add a static route to LAN1 on the Verizon DSL router with the br1 IP as next-hop.

So step by step -

1. Lan 1 hosts use Speakeasy DSL router as DG.
2. On speakeasy DSL router you need

0.0.0.0 mask 0.0.0.0 gw <dsl interface>
and
192.168.2.0 mask 255.255.255.0 gw 192.168.1.<br0 ip>

3. Lan 2 uses Verizon router as DG,

4. On Verizon DSL router you need

0.0.0.0 mask 0.0.0.0 gw <dsl interface>
and
192.168.1.0 mask 255.255.255.0 gw 192.168.2.<br1 ip>

That will do what you're after.
