802.11/802.3 network bridge help

[agentblue]

Hows it going everyone?

Anyways so heres my story. Im building an AP/router using a prism 3 card with hostap-drivers.Im using realtek 8169 gigabit nic. Ive got everything working correctly.iptables configured,dhcp dns hostapd,NAT,everything.
BUT, from what i understand a bridge cannot be done between an 802.11 and 802.3 interface.Due to promiscuous mode or something? well ive got the bridge setup and im having that problem. The LAN's cannot talk to eachother.They both connect to the net, but they dont know that eachother exist.For instance a client through the wireless cant ping a client through the wired. Im wondering if anyone has found a work around for this? I have read all the gentoo-wiki's and found no solution.Any help would be greatly appreciated.

thanks,
-Brandon

[MEW]

Can you post the output of 'ifconfig', 'ifconfig -a', and 'brctl show', please?

[tylerd75]

Have you enabled forwarding?

[agentblue]

sure, ive also forgot to mention a few things.
1) i have 2 lans one wired, one wireless. wired=eth0 wireless=wlan0
2)the wan is eth1
3)i have dhcp and dns working on eth0 & wlan0 as they are a bridge.
4)i found out that i cant use iptables for the bridge. if i stop iptables they 2 lans can talk.im guessing i have to use ebtables.
anyways here is ifconfig -a and brctl show:

ifconfig -a
br0 Link encap:Ethernet HWaddr 00:02:DD:35:60:36
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::202:ddff:fe35:6036/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:83639 errors:0 dropped:0 overruns:0 frame:0
TX packets:89198 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3799348 (3.6 Mb) TX bytes:7694385 (7.3 Mb)

eth0 Link encap:Ethernet HWaddr 00:08:54:2A:27:D7
inet6 addr: fe80::208:54ff:fe2a:27d7/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:218875 errors:0 dropped:0 overruns:0 frame:0
TX packets:330391 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17169124 (16.3 Mb) TX bytes:59533119 (56.7 Mb)
Interrupt:11 Base address:0x2f00

eth1 Link encap:Ethernet HWaddr 00:08:54:25:45:92
inet addr:172.20.4.15 Bcast:172.20.4.255 Mask:255.255.0.0
inet6 addr: fe80::208:54ff:fe25:4592/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:401864 errors:0 dropped:0 overruns:0 frame:0
TX packets:102143 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69748369 (66.5 Mb) TX bytes:69984960 (66.7 Mb)
Interrupt:10 Base address:0x4e00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6371 errors:0 dropped:0 overruns:0 frame:0
TX packets:6371 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:278328 (271.8 Kb) TX bytes:278328 (271.8 Kb)


wifi0 Link encap:UNSPEC HWaddr 00-02-DD-35-60-36-00-EA-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3146303 errors:0 dropped:0 overruns:0 frame:0
TX packets:183809 errors:0 dropped:490 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:269722611 (257.2 Mb) TX bytes:20390473 (19.4 Mb)
Interrupt:11 Base address:0x100

wlan0 Link encap:Ethernet HWaddr 00:02:DD:35:60:36
inet6 addr: fe80::202:ddff:fe35:6036/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:54980 errors:0 dropped:411908 overruns:0 frame:0
TX packets:184692 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:63099417 (60.1 Mb) TX bytes:16809764 (16.0 Mb)
Interrupt:11 Base address:0x100

wlan0ap Link encap:UNSPEC HWaddr 00-02-DD-35-60-36-00-EA-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:2290 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:4934 (4.8 Kb)
Interrupt:11 Base address:0x100
(i removed the interfaces for tspc and openvpn)

brctl show:

bridge name bridge id STP enabled interfaces
br0 8000.0002dd356036 yes eth0
wlan0

like i said before i dont think i can use iptables as it doesnt support bridges. ANY help here would be very greatly appreciated.

[agentblue]

i did enable forwarding on the bridge everything works find, but the wireless and wired lans cannot talk to eachother unless i disable iptables. but if i do that i lose nat and my firewall! lol

[MEW]

AFAIK, you can use iptables on any interface - as long as it has IP bound to it, iptables doesn't care. You probably have an iptables rule that stops them or something like that. AFAIK, you should have no mention of eth0 or wlan0 in iptables, just br0. And you shouldn't need IP packet forwarding (/proc/sys/net/ipv4/forwarding = 1 or something like that) turned on for the two bridged connections to talk to each other - just to the outside world.

If you can't find the problem in your iptables rules, please post them.

[digitall2000]

agentblue

i am try to do something similar
actually a bridge firewall access point from my lan to my dsl modem box
i do have iptables running on br0 with firestarter
but i had to assign an ip address to br0

i have yet to get ath0 to opperate properly - new to madwif and wep

MEW
just what do you mean by "as long as it has IP bound to it" ?

lance
digitall2000

[agentblue]

Im well aware of how iptables works and do have it configured correctly. And forwarding is enable in /proc/sys/net... i have read every gentoo tutorial due to networking/routing.my rules which worked fine before with only one interface also work fine for the bridge.but you are incorrect, but i have read that there are problems with bridging wireless/wired interfaces. because of putting the wireless driver into promiscuous mode.now im not sure if thats the case here.it very well may be. but it also may be a rule in iptables i incorrectly set.Im not at work right now were the router/firewall is so i will have to post that tomorrow.everything else works dhcp,dns,NAT,filtering,tsp client,openvpn,ntpd its one mean router LOL.Anyways ill post my iptables rules tomorrow. Thanxs for the help.
-Agentblue

[MEW]

MEW
just what do you mean by "as long as it has IP bound to it" ?

As long as the Internet Protocol stack is running on the interface, that's all iptables cares about. It doesn't care what kind of interface it is.

[agentblue]

i fixed the problem it was a bad iptables rule! lol. thanks for all the help i added a DROP rule w00ps!

[thepustule]

Hey there,

Can you add [SOLVED] to your topic now please?

[digitall2000]

hey MEW
im new to some of this
as long as ip is bound to the interface
just how is that accomplished?

>ifconfig ethX up?
or
>binding an ip address to the interface?

thanks lance

[MEW]

You don't have to do anything to bind IP to an interface. If IP is built into the kernel, then it will run on the interface.

[Miwer]

agentblue - glad you got it working. You should have posted your solution too, imho

... but you did give me a clue, so here it is, if anyone is still struggling with this.
The problem is, if you run a strict policy in the FORWARD chain of iptables, like I do:

Code: Select all

Chain FORWARD (policy DROP 114 packets, 11578 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2484 2418K ACCEPT     all  --  eth1   br0     anywhere             anywhere            state RELATED,ESTABLISHED
 2529  642K ACCEPT     all  --  br0    eth1    anywhere             anywhere

So - with some logging I found that it's forwarding the packets even though they are received from and sent to the same logical network - adding a -j LOG on the dropped packets revealed this, notice the PHYSIN and PHYSOUT values

Code: Select all

Aug 27 21:12:26 server IN=br0 OUT=br0 PHYSIN=ath0 PHYSOUT=eth0 SRC=192.168.0.200 DST=192.168.0.13 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=22764 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=20992

Adding this rule seemed to make it work. Does anyone know if this is safe or not?

Code: Select all

iptables -A FORWARD -i br0 -o br0 -j ACCEPT