Old 07-13-2013, 04:59 AM   #16
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Blog Entries: 1


For the 3.x kernels you can overcome this error:
Code:
can't add wlan0 to br0: Operation not supported
By adding this line to the br0 section in /etc/network/interfaces (debian centric):
Code:
pre-up iw dev wlan0 set 4addr on
But still no joy on a working bridge with anything other than a 2.6 squeeze kernel. Even on non-squeeze versions of debian. It appears that the wireless authentication credentials get reset / undone when the bridge kicks in. In debian sid on the squeeze kernel, I have to set via script my wireless credentials while the br0 dhcp discovery is in progress and that oddly works. There seems to be a simpler hostapd bridge option, but it's not working for me (yet).
 
Old 08-22-2013, 06:03 AM   #17
Shadow_7
Apparently not just a 3.x kernel quirk for me. It breaks between 2.6.32 (debian squeeze kernel) and 2.6.34. With a configuration that auto bridges at boot with 2.6.32. But fails, mostly with the wireless (b43 / 14e4:4320 rev 03). The bridge never gets a dhcp lease, except on the 2.6.32 kernel. Even though iwconfig shows that the settings are set. And I can manually configure the wireless without the bridge active in /etc/network/interfaces.

Other caveats I found. My wireless card (b43 / 14e4:4320 rev 03) seems to need the broadcom-wl-4.150.10.5 firmware to work, even on newer kernels than the 2.6.32 one. And b43-fwcutter always grabs the broadcom-wl-5.100.138 version by default in debian.

I guess I have my backup config with bridging working at boot in wheezy (by use of the squeeze kernel). Versus my aging cruzer stick with debian squeeze. I would really like to run a newer kernel, but I guess I don't really "need" to (yet). Except that X seems to fail (no screens found) on this laptop when it comes to 2.6.x kernels in wheezy and the 855gm / i915 video. Even when X works under the stock 3.2 kernel. And X works under a 2.6 kernel on another machine with an ati chipset.
 
Old 08-26-2013, 04:48 PM   #18
Shadow_7
They say that network manager handles this and I have that selected on the gui for that in linuxlite. But no joy without extra routing via iptables and ebtables. Perhaps of use to someone, so here's my script for those rules and a basic firewall. No doubt there are better ones out there or better ways. But this is about as stripped down as I could make it for bash.

Code:
#!/bin/sh

net_iface_wireless="wlan0"
net_iface_ethernet="eth0"
net_iface_internet=$net_iface_wireless
net_iface_bridge=$net_iface_ethernet

net_L_MAC_internet="66:55:44:33:22:11"
net_NL_MAC="00:11:22:33:44:55"
net_NL_IP="192.168.2.2"

f_CLEAR() {
  echo "Clearing existing IPTABLES rules..."
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  ebtables -t nat -F
  ebtables -t nat -X
}

f_SHOW() {
  echo "Showing rules..."
  iptables -L
  iptables -t nat -L
  ebtables -t nat -L
}

f_MASQUERADE() {
  echo "Enabling NAT / Masquerading..."
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -o $net_iface_internet -j MASQUERADE
  iptables -A FORWARD -i $net_iface_internet -o $net_iface_bridge -m state \
                      --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i $net_iface_bridge -o $net_iface_internet -m state \
                      --state RELATED,ESTABLISHED -j ACCEPT
}

f_BRIDGE() {
  echo "BRIDGE MAC translation..."
  ebtables -t broute -F
# MAC of local output to the world
  ebtables -t nat -A POSTROUTING -o $net_iface_internet \
           -j snat --to-src $net_L_MAC_internet \
           --snat-arp --snat-target ACCEPT
# MAC of non-local machine wishing to use the bridge
  ebtables -t nat -A PREROUTING -p IPv4 -i $net_iface_internet \
           --ip-dst $net_NL_IP \
           -j dnat --to-dst $net_NL_MAC \
           --dnat-target ACCEPT
  ebtables -t nat -A PREROUTING -p ARP -i $net_iface_internet \
           --arp-ip-dst $net_NL_IP \
           -j dnat --to-dst $net_NL_MAC \
           --dnat-target ACCEPT
}

f_BLOCK() {
  echo "Blocking new connections from outside the network..."
  #don't allow requests from outside, but allow responses to requests from inside.
  iptables -N block
  iptables -A block -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A block -m conntrack --ctstate NEW ! -i $net_iface_internet -j ACCEPT
  iptables -A block -j DROP
  iptables -A INPUT -j block
  iptables -A FORWARD -j block
}

#--- ****************************** ---#
#--- * UP/DOWN based on parameter * ---#
#--- ****************************** ---#

if [ "$1" = 'up' ]; then
  f_CLEAR;         # clear all rules
  f_MASQUERADE;    # translate the IP
  f_BRIDGE;        # translate the MAC
  f_BLOCK;         # anything inbound and not handled gets dropped
fi

if [ "$1" = 'down' ]; then
  f_CLEAR;         # clear all rules
fi

if [ "$1" = 'show' ]; then
  f_SHOW;          # show all rules
fi

Not perfect, but works for me. Not technically bridging, more of a double NAT. I'd prefer a bridge, double nat had issues for me long ago. But I wasn't using ebtables back then. One quirk was that I could watch youtube videos, but I could not upload them.
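
A way to check the firewall half of the script above after running it with `up`, as an added example that is not part of Shadow_7's post: the function reads `iptables -S` output and reports where a ruleset departs from what `f_BLOCK` intends. The names `audit_block` and `sample_rules` and the embedded ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check an `iptables -S` dump against
# what f_BLOCK intends. On a live host (root): iptables -S | audit_block wlan0

audit_block() {   # $1 = internet-facing interface; rules on stdin
  awk -v wan="$1" '
    function bad(msg) { print "FINDING: " msg; n++ }
    $1 == "-N" && $2 == "block" { chain = 1 }
    $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") {
      if (NF == 4 && $3 == "-j" && $4 == "block") { hooked[$2] = 1; next }
      # An ACCEPT ahead of the jump is never seen by the block chain.
      # Reply-only rules (ESTABLISHED without NEW) are harmless there.
      if (!hooked[$2] && /-j ACCEPT$/ && !(/ESTABLISHED/ && !/NEW/))
        bad($2 " accept bypasses block: " $0)
    }
    $1 == "-A" && $2 == "block" {
      last = $0
      # NEW may only be accepted when the rule excludes the internet side.
      if (/NEW/ && /-j ACCEPT$/ && index($0, "! -i " wan " ") == 0)
        bad("NEW accepted from " wan ": " $0)
    }
    END {
      if (!chain)             bad("chain block is missing")
      if (!hooked["INPUT"])   bad("INPUT does not jump to block")
      if (!hooked["FORWARD"]) bad("FORWARD does not jump to block")
      if (chain && last !~ /-j DROP$/) bad("block does not end in DROP")
      exit (n > 0)
    }'
}

# Constructed sample: the rules the "up" branch of the script should leave
# behind, written in `iptables -S` form (not captured from a real machine).
sample_rules() {
  cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N block
-A INPUT -j block
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j block
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block ! -i wlan0 -m conntrack --ctstate NEW -j ACCEPT
-A block -j DROP
EOF
}

sample_rules | audit_block wlan0 && echo "block chain OK"
```

The function exits non-zero and prints one `FINDING:` line per problem, so it can gate a boot script or a cron check.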
 
Old 09-06-2013, 10:33 PM   #19
ssorbom
LQ Newbie
 
Registered: Jun 2013
Distribution: Debian 7
Posts: 8

Original Poster
bridge is working properly now

Hi,
It has been a while since I worked on this problem, but I found time starting yesterday.
I was able to fix my problem by following the steps listed here exactly (aside from disabling networkManager, which I did not seem to have):
http://wiki.libvirt.org/page/Network...buntu_Bridging
In my case, I did not even have to mess with ebtables.
Thank you for all your time and patience with me, I am still new to this aspect of networking.
Marking thread solved...

EDIT-followup observations:
For some reason I did not get any errors this time when running:
Code:
/sbin/sysctl -p /etc/sysctl.conf
I can't think what I did wrong the first time.
Also:
I discovered I could leave the eth0 configuration in /etc/network/interfaces without incident.
If the bridge is properly configured with eth0's ip address, eth0 will no longer show an ip address automatically.

Last edited by ssorbom; 09-06-2013 at 10:54 PM. Reason: followup thoughts
 
  

