JSheridan n00b
Joined: 13 Aug 2005 Posts: 23
Posted: Tue Jan 03, 2012 4:15 pm Post subject: Network Bridge (eth0 & tap0) and forwarding (gateway) is
I tried bridging my eth0 & tap0 for my VPN.
The bridge works (vpn<->local). The Gentoo box still has access to the internet but doesn't work as a gateway anymore (packets are not forwarded back to the clients; see details later).
Normally the Gentoo box splits the local traffic to several different routers. Sadly the system just has one LAN port.
The routing / forwarding looks like this:
=========================
Clients <-> Gentoo Box <-> Routers
The actual network is 192.168.0.0/16:
========================
===== <-> Routers
|Switch| <-> Gentoo
===== <-> Clients
If I could, I would have changed the layout and moved all routers to a separate network, but since I can't I have to live with that.
At least this setup worked for quite some time, but after I created a bridge (br0) to bridge between eth0 and tap0 (vpn) my clients are unable to access the internet. As mentioned before, the packets are not forwarded back to the clients.
For simplicity I reduced it to one additional router let's say the 192.168.0.3 and disabled my firewall:
conf.d/net:
=======
config_br0="192.168.0.1 netmask 255.255.0.0 broadcast 192.168.255.255"
routes_br0="default via 192.168.0.3"
bridge_br0="eth0 tap0"
brctl_br0="setfd 0 sethello 0 stp off"
rc_need_br0="net.eth0 net.tap0"
config_eth0="null"
tuntap_tap0="tap"
config_tap0="null"
routing:
======
default via 192.168.0.3 dev br0
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.0.0/16 dev br0 proto kernel scope link src 192.168.0.1
brctl show:
=======
bridge name     bridge id               STP enabled     interfaces
br0             8000.0007e914925c       no              eth0
                                                        tap0
iptables:
======
# Generated by iptables-save v1.4.12.1 on Tue Jan 3 15:52:04 2012
*nat
:PREROUTING ACCEPT [160:13024]
:INPUT ACCEPT [111:10845]
:OUTPUT ACCEPT [540:41292]
:POSTROUTING ACCEPT [147:10508]
[397:31019] -A POSTROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j MASQUERADE
COMMIT
# Completed on Tue Jan 3 15:52:04 2012
# Generated by iptables-save v1.4.12.1 on Tue Jan 3 15:52:04 2012
*mangle
:PREROUTING ACCEPT [11380:7436841]
:INPUT ACCEPT [4982:4186016]
:FORWARD ACCEPT [6352:3248825]
:OUTPUT ACCEPT [3534:232357]
:POSTROUTING ACCEPT [9887:3481258]
COMMIT
# Completed on Tue Jan 3 15:52:04 2012
# Generated by iptables-save v1.4.12.1 on Tue Jan 3 15:52:04 2012
*filter
:INPUT ACCEPT [4985:4188696]
:FORWARD ACCEPT [6352:3248825]
:OUTPUT ACCEPT [3537:232705]
COMMIT
# Completed on Tue Jan 3 15:52:04 2012
/proc/sys/net/ipv4/ip_forward
is enabled.
Now the strange thing is that packets from the clients correctly go through the box and get masqueraded, but the response is lost on the gentoo box. I noticed this while capturing the packets on the device.
Example: client pings 193.99.144.85
=======================
33.195744 192.168.0.21 -> 193.99.144.85 ICMP 74 Echo (ping) request id=0x0001, seq=9/2304, ttl=128
33.195764 192.168.0.1 -> 193.99.144.85 ICMP 74 Echo (ping) request id=0x0001, seq=9/2304, ttl=127
33.240418 193.99.144.85 -> 192.168.0.1 ICMP 74 Echo (ping) reply id=0x0001, seq=9/2304, ttl=244
WS=128
The client never receives the reply, which definitely arrived at the server.
Everything looks identical to the working setup using eth0 (except changing eth0 to br0).
What could I be missing here?
I'd be glad if someone can help me fix this issue. Hopefully I didn't miss too much vital information.
Thanks for any help in advance!
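The capture above shows three of the four hops a masqueraded ping should produce on the gateway (client request, NATed request, reply to the gateway) and the fourth (de-NATed reply to the client) is missing. The following is an added example, not code from the original post: it parses tshark-style ICMP lines in that format, groups them by ICMP id/seq, and reports pings whose reply reached the gateway but was never sent back to the client. The gateway address, LAN prefix and the assumption that MASQUERADE keeps the ICMP id are parameters of the example, not facts from the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# tshark-style ICMP echo lines as quoted in the post (format assumed; ", ttl=..." tail is ignored)
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<src>[\d.]+) -> (?P<dst>[\d.]+)\s+ICMP \d+ "
    r"Echo \(ping\) (?P<kind>request|reply) id=(?P<id>0x[0-9a-fA-F]+), seq=(?P<seq>\d+)/\d+"
)

def parse_trace(text):
    """Return one dict per ICMP echo line; non-matching lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["seq"] = int(d["seq"])
            pkts.append(d)
    return pkts

def trace_flows(pkts, gateway, lan):
    """Group packets by ICMP (id, seq) and record which of the four hops of a
    masqueraded ping were seen on the gateway. Assumes MASQUERADE keeps the
    ICMP id (it only rewrites the id to avoid a collision)."""
    gw, net = ip_address(gateway), ip_network(lan)
    flows = defaultdict(dict)
    for p in pkts:
        src, dst, hops = ip_address(p["src"]), ip_address(p["dst"]), flows[(p["id"], p["seq"])]
        if p["kind"] == "request":
            if src == gw:
                hops["request_masqueraded"] = True  # gateway -> internet, after SNAT
            elif src in net:
                hops["client"] = str(src)           # client -> internet, before SNAT
        else:
            if dst == gw:
                hops["reply_to_gateway"] = True     # internet -> gateway, before de-NAT
            elif dst in net:
                hops["reply_to_client"] = True      # gateway -> client, after de-NAT
    return dict(flows)

def dropped_replies(text, gateway, lan):
    """Pings whose reply reached the gateway but was never forwarded to the client."""
    return sorted(
        (hops["client"], icmp_id, seq)
        for (icmp_id, seq), hops in trace_flows(parse_trace(text), gateway, lan).items()
        if "client" in hops and hops.get("reply_to_gateway") and not hops.get("reply_to_client")
    )

# Constructed sample: the three lines quoted in the post.
SAMPLE = """\
33.195744 192.168.0.21 -> 193.99.144.85 ICMP 74 Echo (ping) request id=0x0001, seq=9/2304, ttl=128
33.195764 192.168.0.1 -> 193.99.144.85 ICMP 74 Echo (ping) request id=0x0001, seq=9/2304, ttl=127
33.240418 193.99.144.85 -> 192.168.0.1 ICMP 74 Echo (ping) reply id=0x0001, seq=9/2304, ttl=244
"""

if __name__ == "__main__":
    for client, icmp_id, seq in dropped_replies(SAMPLE, "192.168.0.1", "192.168.0.0/16"):
        print(f"reply for {client} id={icmp_id} seq={seq} reached the gateway but was not forwarded back")
```

Running it on the post's capture reports the single dropped reply for 192.168.0.21; once the de-NATed reply line appears in a capture, the report is empty.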