LinuxQuestions.org > Linux - Newbie > Getting Wake-On-LAN Magic Packets from one bridge/subnet to another on a Linux-Router
(https://www.linuxquestions.org/questions/linux-newbie-8/getting-wake-on-lan-magic-packets-from-one-bridge-subnet-to-another-on-a-linux-router-4175500207/)

baedamichi 04-01-2014 01:58 PM

Getting Wake-On-LAN Magic Packets from one bridge/subnet to another on a Linux-Router
 
Dear community

First of all, thanks a lot for even existing, I greatly appreciate that there are people out there who just try to help newbies to come to grips with Linux!

About me: My name is Peter, and I've been the person in charge for the IT infrastructure at a small branch of our school for quite some months now. I'm not an IT professional, but I've taught myself quite a bit about Windows operating systems in all their different flavours. When it comes to Linux, however, I'm quite the noob.

On our network, there are 40 Windows workstations, one Windows server and one Linux router (which manages pretty much all of the network traffic - DHCP, internet connection, traffic between machines etc).

This router is some sort of appliance based on Linux, adapted to a school's needs (internet filtering, proxy authentication etc.).

https://onedrive.live.com/embed?cid=...ENYewSfOT3Ia2I

Currently, two networks are connected to that router (with different ip ranges), as can be seen in the picture (an ifconfig dump taken from the browser-based gui; but I checked it against the command line output of ifconfig just to make sure the gui doesn't "lie"). Eth1 and eth2, configured with bridges (br0, br2). Eth0 is used to connect to the internet, eth3 and br1 are currently unused (not deactivated, there's just nothing plugged in the corresponding ethernet port). Just to clear things up, the different eth0-3 are not virtual, but each of them corresponds to a physical ethernet port on the device.

Now, I hope that's enough background information, so here's my problem: The server (Windows Server 2008R2) is on br0, and I want to use it to wake the workstations which are on br2 up via LAN.

So far, I've successfully configured the Windows Server (the IP of which is 172.28.1.1) to send the Magic Packets via netcast (or network directed broadcast) to the broadcast address of br2 (172.26.255.255) on port 9 (UDP, with the Wake on Lan Tool 2 (http://oette.wordpress.com/wol2/)).
However, the Linux router does not send those on to the workstations in the 172.26.x.x network (on br2).

I've already googled (and searched this and some other forums) a lot, but unfortunately I've not been able to find anything which comes even close to a solution. All I've found out is that broadcasts to different subnets are disabled by modern routers by default as a security measure.
I've asked the manufacturer of that router, and was told that they don't support this feature which isn't accessible via the (browser-based gui), but that it would be supported by the Linux kernel, but that they wouldn't help me with that because, well, they wouldn't support this feature.

So I guess I'll have to configure that with the command line, but I'm lost at how exactly to do that. I suppose I have to either configure something with ifconfig or maybe add something to the routing tables via command line? I've figured out how to enable/disable broadcasts (see picture, broadcast is enabled on the two relevant bridges), but that only seems to affect broadcasts initiated from WITHIN the same subnet, not those from another subnet.

I'm a bit too, well, call it shy or careful, to try stuff and mess with that router; as you can probably infer from the previous lines, this thing is pretty much "the heart" of our network. Thus, I would greatly appreciate it if somebody could help me with that (even if it was just telling me the correct search terms to find it on google; so far I've tried stuff like "wake on lan across/over/via linux bridge", "magic packets across/over/via linux bridge", "(network directed) broadcasts via/over/across linux bridge", all of them with no luck thus far).

Oh, another question to the experts, now I know that what I'm looking to achieve is disabled for a reason, am I right in the assumption that "all" I risk is a ddos/smurf attack (which would not be that bad; nothing permanently damaged/infected, all I have to do is disable it and the network is running again; after all, we're just a school, no big harm done if our network is down for an hour or two) once I get this running and a student on br0 figures out they can flood br2 with magic packets or ping requests? Or are there any graver security concerns I've missed while researching the matter?

Well, thanks to everybody who bothered to read this long text, any help is greatly appreciated!

Cheers, Peter

P.S.: Just in case that's important, another screenshot showing the Linux version:

https://onedrive.live.com/embed?cid=...MtOKKa3ESRadcQ

Ser Olmy 04-01-2014 03:50 PM

I've looked into this, and after browsing through documentation and some trial-and-error, I've come to the startling conclusion that Linux just doesn't forward directed broadcasts to a connected subnet, and there seems to be no setting to override this behaviour. This is actually allowed by (the ancient but still valid) RFC 922, so it's not technically a bug.

There are two possible workarounds:
  1. Install a helper application on the gateway in question
  2. Create a static ARP entry pointing to the broadcast MAC address
While (1) may not be feasible in your particular scenario, (2) should be easy enough, provided you have access to the command line. Just pick an unused IP address in the subnet, and run:
Code:

arp -s <IP_address> ff:ff:ff:ff:ff:ff
I've tested this, and apparently the ARP implementation isn't too picky about the contents of the ARP cache, so it will happily create and send broadcast frames for any traffic to the IP address in question.

baedamichi 04-05-2014 03:31 AM

Thanks a bunch, your answer was really helpful!

I tried solution 2., and it works quite well thus far. Just in case anyone with the same problem stumbles across this, I just want to explain what I had to do to get this working:

Firstly, of course, I did what Ser Olmy proposed from the command line of the Linux gateway/router, logged in as root.

Then, in my Wake-On-Lan-Tool I had to manually create a second entry for each computer on the network in question, using the computers' real mac addresses and the fake-broadcast-ip which I assigned to the broadcast mac address (ff:ff:ff:ff:ff:ff) on the Linux router. The wake on lan method to be used from the three choices Wake On Lan 2 gives you is "direct", i.e. the packets are directly sent to the "fake-broadcast-address".

And this works, the computers on the subnet receive the packets and wake up.

Of course, if you do it that way, you shouldn't forget to tell your DHCP server not to assign the address you used as a "fake-broadcast-address" to any client computers (which I could do from the web interface of the linux box).

Downsides of this approach (I just wonder why there is no simple switch to enable broadcasts across subnets on a Linux router, I could imagine there are more people like me who don't have a server running 24/7 on all of their subnets...) are of course that you manually (the automatic detection of network computers via DHCP included in Wake On Lan 2 of course only returns the client computers with their "real" ip addresses, not the fake broadcast one) have to add all computers on the formerly unreachable subnet to whatever solution you use for sending the packets (which in my case happens to be Wake On Lan 2). The program I use doesn't allow you to add more than one MAC address per host, so basically I have to create an additional entry for each host. Also, of course I still need a "correct" (i.e. with the correct IP address) entry for each client computer on that subnet in Wake On Lan 2, as I also use it to shut the computers down and to monitor whether they are online or not, which of course only works with a correct IP address. For my specific setup, that doesn't matter too much, as the subnet in question is only a room for students to work in with only four computers, so that's not really a problem.
The second downside is, of course, that even though the ARP entry I had to create is called "static", it gets deleted every time the Linux box needs a restart or the network interface is brought down and up again for some reason or other.
To partly solve the second downside, I created a script (arp -s 172.26.1.7 ff:ff:ff:ff:ff:ff) and put it in the init.d folder, so the entry gets created on each startup. What I haven't been able to solve yet is to automatically create the arp entry when the network is brought up again; I haven't found the /etc/network/init.d folder which, as far as I found out, is supposed to contain scripts that run when a network adapter is brought up. I'll look into that further and post here once I find something.

Lastly, I have had a quick look at Ser Olmy's first proposed workaround, and found this:

http://darkness.codefu.org/wordpress...adcast-helper/

I haven't had the time to play around with it yet, but maybe some day. :)

If anyone wants to share their experience on waking up computers across different subnets, hopefully they'll share it here, as I was somewhat surprised that nothing was to be found on google, as, like I said, I could imagine that there are more people than just me who need to wake up computers in different subnets...

Final remark: Ser Olmy, thanks again, I'm really grateful for your help!

Regards,

Peter
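Putting the two posts together, here is an added example (my own script, not code from the thread or from the router vendor): it issues the iproute2 equivalent of Ser Olmy's `arp -s` line, re-creates the entry whenever br2 comes back up (the gap Peter mentions), and adds a forwarding filter so that only the server can use the fake broadcast address, which answers the flooding concern raised in the first post. It assumes the router has iproute2 and iptables and uses Debian-style ifupdown (scripts in /etc/network/if-up.d/ receive the interface name in IFACE); the addresses are the ones posted above.

```shell
#!/bin/sh
# Added example, not code from the thread. It wraps Ser Olmy's one-liner so it can be
# run once by hand ("apply"), or dropped into /etc/network/if-up.d/ to recreate the
# entry whenever the bridge comes up (assumption: the router uses ifupdown, which
# exports IFACE to those scripts). Values are the ones posted in the thread; override
# them with environment variables if yours differ.
FAKE_BCAST_IP="${FAKE_BCAST_IP:-172.26.1.7}"   # unused address, reserved in DHCP
BRIDGE="${BRIDGE:-br2}"                        # bridge holding the workstations
WOL_SERVER="${WOL_SERVER:-172.28.1.1}"         # the only host allowed to use it
BCAST_MAC="ff:ff:ff:ff:ff:ff"

# iproute2 equivalent of "arp -s <ip> ff:ff:ff:ff:ff:ff": a permanent neighbour entry,
# so a unicast packet routed to FAKE_BCAST_IP leaves br2 inside a broadcast frame.
neigh_cmd() {
    printf 'ip neigh replace %s lladdr %s nud permanent dev %s\n' "$1" "$BCAST_MAC" "$2"
}

# Limit the blast radius raised in the question: only the WOL server may forward
# UDP/9 to the fake broadcast address; anything else sent to it is dropped, so a host
# on br0 cannot use the entry to flood br2. Inserted at the top to precede ACCEPTs.
filter_cmds() {
    printf 'iptables -I FORWARD 1 -d %s -j DROP\n' "$1"
    printf 'iptables -I FORWARD 1 -s %s -d %s -p udp --dport 9 -j ACCEPT\n' "$2" "$1"
}

# Post-check: exit status 0 only while the permanent entry is present.
verify_cmd() {
    printf 'ip neigh show to %s dev %s | grep -q PERMANENT\n' "$1" "$2"
}

if [ "${1:-}" = "apply" ]; then                  # one-off setup, run as root
    neigh_cmd "$FAKE_BCAST_IP" "$BRIDGE" | sh
    filter_cmds "$FAKE_BCAST_IP" "$WOL_SERVER" | sh
    verify_cmd "$FAKE_BCAST_IP" "$BRIDGE" | sh && echo "fake broadcast entry active"
elif [ -n "${IFACE:-}" ]; then                   # running as an if-up.d hook
    if [ "$IFACE" = "$BRIDGE" ]; then            # firewall rules survive ifdown; only
        neigh_cmd "$FAKE_BCAST_IP" "$BRIDGE" | sh  # the neighbour entry must be redone
    fi
else                                             # dry run: just print the commands
    neigh_cmd "$FAKE_BCAST_IP" "$BRIDGE"
    filter_cmds "$FAKE_BCAST_IP" "$WOL_SERVER"
fi
```

Run it without arguments first to see exactly what would be executed; the iptables rules are deliberately not re-added by the hook, because they persist across interface down/up and `-I` would otherwise duplicate them on every ifup.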

