bridge and NAT - ebtables support

**menulis** · 14-06-2004, 10:50

Hi all,

I would like to ask if there are any plans to make the firmware together with ebtables support for the kernel?

I have the following situation: I want all the LAN ports and a WAN port to be in a bridge thus I'm able to communicate with the LAN connected to the WAN port. What is more, I need to NAT 192.168.1.x private addresses to an external IP which then is also routed through the same LAN.

I tried to play with proxy arp on br0 and eth1, but I realized that this way I could not receive any broadcast packets from LAN (that which is connected to WAN port), so IMHO ebtables (a kernel patch actually) would be the only way to do the NAT inside the bridge.

Any thoughts are appreciated

Dziugas

**Oleg** · 14-06-2004, 13:53

You do not need bridging/ebtables if you want to use NAT. You just need to yet another MASQUERADE rule to the iptables or setup routing between to LANs.

**menulis** · 14-06-2004, 14:05

Hi, Oleg,

thanks for the answer. The problem is that if I assign eth1 interface to be in br0 logical bridge, all the interfaces (eth0, eth1, eth2) are in one brigde, and it's obvious that one interface can't belong to more than one brigde. That's why there is no routing between LANs, because basicly there is one LAN and NAT should be done according to the source address (-t nat -I POSTROUTING -s 192.168.1.x -d 0/0 -j DNAT --to 1.2.3.4 or similar).

Because brige operates in the second (data) layer, it's imposible to match the packets with iptables as bridged traffic flows before any iptables rules. That is what ebtables are designed for - to be able to match (say, filter, NAT or whatever) bridged traffic.

Dziugas

**Oleg** · 14-06-2004, 14:36

You do not need bridging at all. Why you're trying to use it?

**menulis** · 14-06-2004, 15:30

I do NEED it, because I want to access the LAN (30+ PCs) which is connected to the router's WAN port and which by default is not assigned to the bridge!

**Oleg** · 14-06-2004, 16:02

But why do you need a NAT in this case?

**Oleg** · 14-06-2004, 16:10

Once again. You need to setup either bridge or NAT. Not both at the same time.

**menulis** · 14-06-2004, 21:16

Oleg,

I know that it's quite uncommon situation, but however, I must have an external IP configured on the router and I want my "house LAN" (192.168.1.x) to be masqueraded to that IP. As I said before, I would also like to reach my "big LAN" which is connected to WAN port and which is using, say, 10.0.0.x addresses. So my "house LAN's" (those PCs which are connected to Asus router) are configured with an IP pair - 1.2.3.x and 192.168.1.x and the Asus router currently has 192.168.1.1 on br0 and an external IP on eth1. Now everything works fine except that I can't reach the "big LAN" directly, that's why I need bridge + NAT. Thus my external IP should obviously move to br0:0 as eth1 would join the bridge.

However, how complicated my situation could sound, I would like to ask once again if there are any plans to release the upcoming firmware together with ebtables-enabled kernel?

Thanks.

Dziugas

**tomilius** · 05-05-2005, 08:28

This thread was created to track the implementation of "ebtables" on the WL-500g.

I'm trying to get this working--everything seems to be going (it's all compiling now). Here's what I did...

I got (from http://sourceforge.net/project/showf...oup_id=39571):
ebtables-2.0.6
ebtables_kernel-2-0-003

I installed the ebtables_kernel-2-0-003 kernel patch with few problems (typical adjustments: had to rename broadcom/src/linux/linux to linux-2.4.20, had to move files put in broadcom/src/linux/linux-2.4.20-patch to linux-2.4.20, had to manually patch broadcom/src/linux/linux-2.4.20/Makefile looking at the diff file, renamed back to linux).

I put ebtables-2.0.6 in gateway, renamed to ebtables, updated Makefile (basically copied the iptables entries but eliminated all CONFIG-related stuff and the extension installation since they are built-in afaik).

Did a kernel config and set ebtables support along with all extensions.

Now we'll see how it works.

**tomilius** · 05-05-2005, 08:37

OK, I accidentally didn't modify the Makefile for ebtables which is apparently a necessity...

**tomilius** · 05-05-2005, 08:57

But there's more!

[admin@AsusRouter root]$ ebtables -L
The kernel doesn't support the ebtables filter table.

*ahem* This has happened before. When I first tried to get support for new iptables extensions to work, they would inexplicably not work, as though even though I THOUGHT the kernel was being recompiled (all signs indicated this), it wasn't. Hmm. Everything appears to be set up correctly, but it's not working.

**tomilius** · 05-05-2005, 10:06

OK, I'm done trying to get it working since I wasted several hours there and nothing doing. Somebody else who feels like it with more experience can try it and post here!

**tomilius** · 06-05-2005, 02:11

No I'm not. It seems to have worked now. I did all of my modifications over with 1.9.2.7-5 and made a resolution to completely recompile stuff when the kernel is changed... One of those, or both, solved it. I'll port more about it later, I'm just saying that it doesn't seem to be complaining about nonexistent tables when I run a "ebtables -L" (shows empty chains).

**tomilius** · 06-05-2005, 02:16

Yeah. A lot of posts I've made, but it works. The instructions in my first post merely need to be followed. Perhaps I could make a simpler patch version later, but I doubt it.

**Oleg** · 06-05-2005, 08:26

tomilius, I will review your patches. Just need to check for the ebtables+netfilter stuff which you're probably touching. Unfortunatly this could break LAN <-> WLAN communication, as firewall does not expect such packets. Have you tried opening windows share, which traverse LAN-WLAN bridge?

Thread: bridge and NAT - ebtables support

Thread Tools

Rate This Thread

Display

bridge and NAT - ebtables support

ebtables

Similar Threads

ethernet bridge

WL-500g to WL-330g bridge or WL-500g to WL-500G bridge?

Tags for this Thread

Posting Permissions