Hello,

 ---- Original Message -----
From: "andrew kelly" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 27, 2001 2:32 PM
Subject: [Bridge] Re: bridge WITHOUT IP??? (NetBeui bridge) - no html this post


> apologies - my first post went out in html ....
>
> Okay - whacky configuration here, not one I have seen in any of
> the searching I have done over the last few weeks.
>
> I have two subnets - each either side of a hardware router
> (ie. *not* the linux bridge box) with this router DHCP'ing its IP
> address from an ISP.  There are other machines on the ISP side of
> the router, each DHCP'ing their IP addresses.  The machines
> upstream of the router get their addresses DHCP-wise from the
> router itself ... so far so good!
> The router will only pass IP, and I want (for all sorts of reasons)
> to maintain NetBeui on the local PCs - both behind the router and
> in front of it - for local windows connectivity.  In essence, I want
> to build a NetBeui bridge.
>
> I am running redhat 7.2, the kernel-2.4.2 ... I have built a
> tailored kernel and am having trouble trying to get it to do just
> what i need ... it seems to be so close, but I am having problems.
> None of the bridging/iptables config is in the boot scripts yet;
> when I can set it all up by hand, I will perform that step.
>
> I have two ethernet cards in the bridge, eth0 and eth1.  eth0 is
> connected to the local side (192.168.123.0 - 255.255.255.0) of the
> router and eth1 to the ISP (144.136.170.0 - 255.255.252.0) side.
> They are initialising okay at boot as I can run up a terminal, do:
>     ifconfig eth0 192.168.123.10
>     ifconfig eth1 0.0.0.0
>     route add -net 192.168.123.0 eth0
>     route add default gw 192.168.123.254
> and ping other machines on my routed subnet successfully, as well
> as out on the net.  This is going through the router and I have
> obviously set up the DNS satisfactorily too as I can ping
> www.sun.com for example.
>
> After reading swathes of stuff on the net, I have had best success
> with the following:
>     ifconfig eth0 0.0.0.0
>     ifconfig eth1 0.0.0.0
>     brctl addbr wgroup
>     brctl addif wgroup eth0
>     brctl addif wgroup eth1
>     iptables -F
>     iptables -P FORWARD DROP
>     ifconfig wgroup up
>
> I should mention that I omitted config'ing eth0 to 0.0.0.0
> at first, in the hope that I'd be able to have things working
> as they were and simply add ethernet packet forwarding ... I
> found that eth0 disappeared from the route table as soon as
> I added it to the wgroup bridge anyway - I thought that having
> an IP address assigned to eth0 at this point might be causing
> me problems, so now I explicitly set it to 0.0.0.0
>
> At this point the bridge seems happy.  I can see NetBeui happily
> flying across the bridge.  tcpdump -i eth0 and eth1 report
> different IP traffic, so it looks good in principle.  I am still
> seeing various ARP stuff mirrored on both interfaces - but I figure
> I'll sort that out later.  Most beautifully, my windows machines
> can all see each other across the bridge - whoopee!
>
> Now, I'd like to be able to *use* the bridge machine from time to
> time, not to mention also telnet in to it, so it needs an IP
> address - so I:
>     ifconfig wgroup down
>     ifconfig wgroup 192.168.123.10
>     iptables -F
>     iptables -P FORWARD DROP
>     iptables -A INPUT -i eth1 -j DROP
>     iptables -A OUTPUT -o eth1 -j DROP
>     route add -net 192.168.123.0 wgroup
>     ifconfig wgroup up
>
> At this point, I can again ping from the bridge to machines on
> the subnet behind the router - which is cool.  I want the bridge
> to use the router as a gateway to the net, so I add
>    route add default gw 192.168.123.254
> and I can once more ping www.sun.com from the bridge.
>
> At this point all seems fine.  I see the odd glitch in the
> windows connectivity, but it comes straight back so I'm not too
> perplexed.  However, my joy is short lived.  From time to time,
> I see IP activity on the local subnet mirroring the other side
> of the bridge that I can't explain.  I'm beginning to think I
> should do something about these ARPs making their way (both ways)
> across the bridge, not to mention the IGMP packets that also
> cross without hesitation.  Not fully understanding all the ins
> and outs of this networking dark magic, I'm also worried I'm
> publishing my local MAC addresses to the world.
>

When the bridge doesn't know where the destination computer is, it will
broadcast the packet on all (or some, if it uses STP) of its network cards.
But if I understand your network correctly this shouldn't be a problem, as
your router is between the internet and your bridge. The router will not
forward these ARP messages to the internet.

> The big killer at this stage though is that the bridge seems
> to be passing DHCP also and I get problems when the router
> renews its IP address from the ISP.  The bridge forwards the
> request back to the upstream side of the router and it answers
> itself before the ISP does - giving itself an IP address.

I don't understand this. The bridge is a DHCP server?
Is your bridge between the internet and the router? I hope not...
I guess I can't figure out your network setup.

> I had hoped that specifying a policy of
>     iptables -P FORWARD DROP
> would cause the bridge to drop all IP related packets instead
> of forwarding them - but, alas, it would appear not.  Now I'm
> concerned that the periodic windows glitches may be
> symptomatic of some other similar problem!

Use this patch to be able to use iptables on a bridge:
http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.3-against-2.4.13-ac7.diff
So: you will need to patch the kernel with this patch. Then you will need to
at least configure the kernel with these 2 options:
Networking options --> Network packet filtering (replaces ipchains)
and
Networking options --> 802.1d Ethernet Bridging -> netfilter (firewalling)
support

>
> So - question is, can anybody see any problems with what I've
> done, or offer some advice of any kind?  Essentially, this
> all started out as a solution to a simple problem ...  I want
> to be able to build a NetBeui only bridge.  Of course, once I
> solve this problem, you just know that I'll want to replace
> my hardware router with the linux NAT stuff don't you!  The
> only real attraction of the dedicated router is that it will
> be sucking much less juice than a full-blown PC will, so it's
> more energy efficient to use it for now - but I'll solve that
> problem when I come to it!

If you only want to bridge NetBEUI you can use ebtables:
ebtables -A FORWARD -p NetBEUI -j ACCEPT
ebtables -P FORWARD DROP
These 2 rules will allow NetBEUI traffic to be bridged and will drop
everything else.
See http://users.pandora.be/bart.de.schuymer/ebtables/

If I understand your intentions right, you want to put the bridge between
the 2 networks and the router, so with 3 network cards. Then I think you
will need to also bridge the ip messages, because else they won't arrive at
the router.
I don't know the NetBEUI protocol, but if such a packet is sent to a
computer on another subnet, won't the packet be sent to the router then?
Then a bridge won't help solve the problem... I think the router then needs
to support the NetBEUI protocol. Or the routing table of the local hosts
must be changed so they don't send packets destined for that subnet to the
router.
Hope this was a little helpful.

cheers,
Bart

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
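The following is an added example, not part of the thread above and not code from the bridge or ebtables projects. It shows, in user space, the decision that Bart's two ebtables rules (ACCEPT NetBEUI in FORWARD, default policy DROP) make for each frame on a NetBEUI-only bridge, and why the ARP, DHCP and IGMP traffic Andrew saw crossing his unfiltered bridge would not. It assumes: the Ethertype 0x8191 is the value ebtables' /etc/ethertypes lists for "NetBEUI"; real NetBIOS Frames traffic on Ethernet usually arrives as 802.3 length frames with an 802.2 LLC header using SAP 0xF0, so both forms are accepted; the MAC addresses and sample frames are constructed for the example.

```python
"""Classify raw Ethernet frames the way a NetBEUI-only bridge policy would.

Added example: the frame builders and MAC addresses below are constructed
test data, not captures from the poster's network.
"""
import struct
from dataclasses import dataclass

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
ETH_P_NETBEUI = 0x8191    # assumption: "NetBEUI" entry in ebtables' /etc/ethertypes
ETH_LEN_MAX = 0x05DC      # type/length field <= 1500 means 802.3 length; LLC follows
LLC_SAP_NETBIOS = 0xF0    # NetBIOS Frames (NetBEUI) runs over 802.2 LLC SAP 0xF0
IPPROTO_IGMP, IPPROTO_UDP = 2, 17
DHCP_PORTS = {67, 68}


@dataclass(frozen=True)
class Verdict:
    proto: str
    action: str   # "ACCEPT" (bridge it) or "DROP" (must not cross the bridge)
    reason: str


def _ip_detail(payload: bytes) -> str:
    """Name the IPv4 sub-protocol so the DROP reason shows what leaked (IGMP, DHCP)."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return "IPv4 (truncated)"
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    if proto == IPPROTO_IGMP:
        return "IPv4/IGMP"
    if proto == IPPROTO_UDP and len(payload) >= ihl + 4:
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
        if sport in DHCP_PORTS and dport in DHCP_PORTS:
            return "IPv4/UDP/DHCP"
        return f"IPv4/UDP {sport}->{dport}"
    return f"IPv4 proto {proto}"


def classify(frame: bytes) -> Verdict:
    """Decide whether one raw Ethernet frame may be forwarded by the bridge."""
    if len(frame) < 14:
        return Verdict("runt", "DROP", "shorter than an Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if etype == ETH_P_8021Q:
        # 802.1Q: 2-byte TCI, then the real type/length of the inner frame
        if len(payload) < 4:
            return Verdict("802.1Q", "DROP", "truncated VLAN tag")
        etype = struct.unpack("!H", payload[2:4])[0]
        payload = payload[4:]
    if etype <= ETH_LEN_MAX:
        # 802.3 length field: an LLC header (DSAP, SSAP, control) follows
        if len(payload) < 3:
            return Verdict("802.3/LLC", "DROP", "truncated LLC header")
        dsap, ssap = payload[0], payload[1] & 0xFE   # low SSAP bit is command/response
        if dsap == LLC_SAP_NETBIOS and ssap == LLC_SAP_NETBIOS:
            return Verdict("NetBEUI", "ACCEPT", "802.2 LLC SAP 0xF0 (NetBIOS Frames)")
        return Verdict("802.3/LLC", "DROP", f"LLC SAPs {dsap:#04x}/{ssap:#04x} are not NetBIOS")
    if etype == ETH_P_NETBEUI:
        return Verdict("NetBEUI", "ACCEPT", "Ethertype 0x8191 (ebtables -p NetBEUI)")
    if etype == ETH_P_ARP:
        return Verdict("ARP", "DROP", "would publish local MAC/IP pairs to the other segment")
    if etype == ETH_P_IP:
        return Verdict(_ip_detail(payload), "DROP", "IP must go through the router, not the bridge")
    return Verdict(f"ethertype {etype:#06x}", "DROP", "FORWARD policy DROP")


def bridge(frames):
    """Apply the policy to a list of frames; return only those that would be forwarded."""
    return [f for f in frames if classify(f).action == "ACCEPT"]


# ---- constructed sample frames (hypothetical MAC addresses) ----
BCAST = b"\xff" * 6
PC_A = bytes.fromhex("001122334455")
PC_B = bytes.fromhex("66778899aabb")


def llc_frame(dst, src, dsap, ssap, data):
    llc = bytes([dsap, ssap, 0x03]) + data            # 0x03 = UI control field
    return dst + src + struct.pack("!H", len(llc)) + llc


def eth_frame(dst, src, etype, data):
    return dst + src + struct.pack("!H", etype) + data


def ipv4_frame(dst, src, proto, l4):
    # Minimal IPv4 header; checksum left 0 since the classifier never verifies it
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 168, 123, 10]), bytes([255, 255, 255, 255]))
    return eth_frame(dst, src, ETH_P_IP, ip + l4)


SAMPLE_FRAMES = [
    llc_frame(BCAST, PC_A, 0xF0, 0xF0, b"NetBIOS name query"),                    # NetBEUI
    llc_frame(BCAST, PC_A, 0x42, 0x42, b"\x00" * 35),                              # STP BPDU
    eth_frame(BCAST, PC_A, ETH_P_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + PC_A
              + b"\xc0\xa8\x7b\x0a" + b"\x00" * 6 + b"\xc0\xa8\x7b\xfe"),          # ARP who-has
    ipv4_frame(BCAST, PC_B, IPPROTO_UDP,
               struct.pack("!HHHH", 68, 67, 12, 0) + b"\x01\x01\x06\x00"),        # DHCP discover
    ipv4_frame(bytes.fromhex("01005e000001"), PC_B, IPPROTO_IGMP, b"\x11" + b"\x00" * 7),  # IGMP
    eth_frame(BCAST, PC_A, ETH_P_8021Q, struct.pack("!HH", 5, ETH_P_NETBEUI) + b"tagged"),  # VLAN NetBEUI
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        v = classify(f)
        print(f"{v.action:6} {v.proto:16} {v.reason}")
```

Only the two NetBIOS frames (native LLC and VLAN-tagged Ethertype 0x8191) come back from `bridge()`; the ARP, DHCP and IGMP frames that Andrew watched cross his bridge are exactly the ones the default DROP policy stops, which is also why the router stops answering its own DHCP request once the policy is in place.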
