Linux - Networking
Let me say right out of the gate that I'm new to network configuration and especially VLANs and bridging, but what I'm trying to accomplish is nearly complete except for that missing puzzle piece that I need some expert help with.
I am trying to create a bridge on my router using DD-WRT that allows one-way communication, so that it will isolate my webserver on VLAN2 but allow VLAN1 access to the webserver while not allowing VLAN2 access to VLAN1.
By default DD-WRT allows this setup, and I have successfully created the 2 bridges along with the VLANs; now for the problem I'm facing. I cannot ping behind each gateway, leading me to believe there is one piece missing.
Pinging from a machine on VLAN1 (192.168.3.100) is able to ping the gateway 192.168.2.1 but not a machine behind it, e.g. 192.168.2.11, and vice versa a machine on VLAN2 (192.168.2.100) is able to ping the GW 192.168.3.1 but not a machine behind it, e.g. 192.168.3.100.
So this tells me that br0 and br1 can see each other but nothing behind the gateway?? Here is what I can discern from the configuration of the router.
I think this is how to make 192.168.2.0/24 reachable from 192.168.3.0/24 but not vice versa.
I don't have a machine in reach to test it (maybe some typos).
The first one makes it possible for 192.168.2.0 to answer to whatever (also the active FTP stuff).
The second line allows traffic to your webserver from your other subnet.
The last drops traffic in the other direction that was not allowed by the first line.
# Forwarded traffic is filtered in the FORWARD chain of the filter table (POSTROUTING only exists in nat/mangle and cannot REJECT)
iptables -A FORWARD -s 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies from VLAN2 on connections VLAN1 opened
iptables -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT                        # VLAN1 may open connections to the webserver subnet
iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -j REJECT                        # VLAN2 may not open connections towards VLAN1
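An added example (not from the thread or DD-WRT) that models the three rules above with a toy stand-in for conntrack, to show why the ESTABLISHED,RELATED rule has to come first: with it last, the webserver's replies are rejected by the third rule. The addresses are the ones used in the thread; the `simulate` helper is an assumption, not an iptables feature.

```python
import ipaddress

# Added example, not from the thread: a minimal model of the three FORWARD rules
# above with a stand-in for conntrack, to show why the ESTABLISHED,RELATED rule
# has to come first for the webserver's replies to get back to VLAN1.
VLAN1 = ipaddress.ip_network("192.168.3.0/24")   # clients that may reach the webserver
VLAN2 = ipaddress.ip_network("192.168.2.0/24")   # isolated webserver subnet

def forward_rules(established_first=True):
    """The three rules as (match, verdict) pairs, in chain order."""
    replies = (lambda s, d, est: s in VLAN2 and est, "ACCEPT")          # rule 1
    to_web = (lambda s, d, est: s in VLAN1 and d in VLAN2, "ACCEPT")   # rule 2
    block = (lambda s, d, est: s in VLAN2 and d in VLAN1, "REJECT")    # rule 3
    return [replies, to_web, block] if established_first else [to_web, block, replies]

def verdict(rules, src, dst, established):
    """First matching rule wins, like a netfilter chain; fall through to policy ACCEPT."""
    for match, action in rules:
        if match(src, dst, established):
            return action
    return "ACCEPT"

def simulate(packets, established_first=True):
    """Run (src, dst) packets through the chain with a toy conntrack table.
    A packet counts as ESTABLISHED when the reverse direction was accepted earlier."""
    rules = forward_rules(established_first)
    seen, verdicts = set(), []
    for s, d in packets:
        s, d = ipaddress.ip_address(s), ipaddress.ip_address(d)
        v = verdict(rules, s, d, established=(d, s) in seen)
        if v == "ACCEPT":
            seen.add((s, d))
        verdicts.append(v)
    return verdicts

if __name__ == "__main__":
    ping = [("192.168.3.100", "192.168.2.11"), ("192.168.2.11", "192.168.3.100")]
    print(simulate(ping))                           # ['ACCEPT', 'ACCEPT']
    print(simulate(ping, established_first=False))  # ['ACCEPT', 'REJECT']: reply lost
    print(simulate([("192.168.2.100", "192.168.3.100")]))  # ['REJECT']
```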
By default the router created the routes and the iptables entries, so I can't help on those.
If I'm able to ping the Gateway from each subnet 192.168.1.100 => 192.168.2.1 and 192.168.2.100 => 192.168.3.1 does that mean the bridge is setup correctly?
If that is true, then does this become strictly a firewall problem? I'm trying to figure out what is working and what isn't working to eliminate the things that are working correctly from the problems... so I can focus my attention.
Assuming it is a firewall issue would shutting it down affect the outcome or will it still need iptables in order to pass the packets between the subnets?
I'm a bit surprised at this moment, so let's try to find out how far it works.
You could also try to use tcpdump on the webserver and see if the pings arrive there; then the problem would only be to get the reply back to the sender.
Try something like this on the webserver, and maybe also at the other side:
tcpdump -i eth0 icmp
root@DD-WRT:~# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.0014bf2afed6 no vlan0
eth1
br1 8000.0014bf2afed6 no vlan2
I also ran this on a working router... in this case there isn't a second bridge just a vlan but I noticed the additional POSTROUTING information for both subnets.
Having vlan0 and vlan1 in the POSTROUTING is probably harmless.
This rule handled some packets, but I do not see what good it does:
383 125K MASQUERADE 0 -- * br0 192.168.3.0/24 192.168.3.0/24
The source and the destination are the same (192.168.3.0/24), but in that case there is no reason why the packets would go via the device (use it as a gateway).
I had to use the following to get the iptables rules into the firewall.
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 192.168.3.0/24 -j REJECT
I'm hearing some grumblings that it's possibly a hardware limitation of the router that might be causing me the problems; however, since I can ping the gateways on each subnet, I just find that hard to believe. I'm also very stubborn... lol!
So any ideas on how I might be able to track this down and figure out what's going on?
I don't expect that the hardware would be a limitation. I think it is unlikely that if your router has a managed switch that gives you VLANs as separate ports, it cannot handle this.
On the iptables output you can see the packets that are handled by a rule; this can help to see what happens. You can also use tcpdump to check if a ping packet arrives at a machine; then you need to check if the reply goes the right way.
Maybe you can also use tcpdump at the device.
This way you could see what happens and maybe start in a different way. For example, start first by getting both networks working without worrying about external connectivity.
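An added example (not from the thread) of the counter check tlowk describes: pick out which rules in `iptables -vnL` style output have actually matched packets. The FORWARD listing below is constructed to look like DD-WRT's output, not captured from a router; the K/M/G handling covers the abbreviated counters such as the 125K seen earlier in the thread.

```python
import re

# Added example, not from the thread: find the rules whose packet counters moved
# in `iptables -vnL` output, so you can see which rule decided a packet's fate.
# SAMPLE is constructed to resemble DD-WRT output; it is not captured data.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120 10080 ACCEPT     0    --  *      *       192.168.2.0/24       0.0.0.0/0            state RELATED,ESTABLISHED
   15  1260 ACCEPT     0    --  *      *       192.168.3.0/24       192.168.2.0/24
    0     0 REJECT     0    --  *      *       192.168.2.0/24       192.168.3.0/24       reject-with icmp-port-unreachable
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 * 1000, "G": 1000 * 1000 * 1000}

def parse_counter(text):
    """iptables -v abbreviates counters (e.g. '125K') unless -x is given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError("not an iptables counter: %r" % text)
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_rules(output):
    """Return one dict per rule line: packet count, target, source, destination."""
    rules = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 9 or not re.fullmatch(r"\d+[KMG]?", f[0]):
            continue   # chain header, column header or blank line
        rules.append({"pkts": parse_counter(f[0]), "target": f[2],
                      "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return rules

def rules_with_traffic(output):
    """Rules whose counters moved: these are the ones that actually decided packets."""
    return [r for r in parse_rules(output) if r["pkts"] > 0]

if __name__ == "__main__":
    for r in rules_with_traffic(SAMPLE):
        print(r["pkts"], r["target"], r["src"], "->", r["dst"], r["extra"])
```

Snapshot the counters, send one ping from VLAN1 to the webserver, and list again: the rule whose count rose by one is the one that handled it, and a count that stays at zero on the REJECT rule while a reply never arrives points away from the router.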
tlowk, after many frustrating hours I was finally able to determine the problem was firewall related on the machines behind the gateways. They were both Windows 7 machines that did not allow pings.
Had I been smart enough to start there I could have saved myself and you the frustration.
Many thanks for your efforts and willingness to help; you're what makes user forums work.
I must admit I don't know much about the strange behavior of windows machines. I assumed that replying to a ping is part of an IP implementation. The windows machines would have given this behavior away with tcpdump or wireshark, but I don't know whether this is available on them.