Rutger (n00b), joined 20 Jul 2002, 32 posts, Leiden, Netherlands
Posted: Tue Dec 19, 2006 7:16 pm. Post subject: Network bridge troubles: can't reach ... (SOLVED)
Hello,
I have a server with 4 network cards installed. One of them, eth0, is connected to the internet. The three others (eth1, eth2, eth3) are bridged together as "br0" by following the Gentoo Bridge Howto. The three bridged cards are connected to PCs using crossover cables. I have set up the server to be a DHCP server and router using the Gentoo Home Router Howto.
Almost everything works perfectly: all three PCs connected to the server automatically obtain an IP address from the server and are able to access the internet.
My problem is now that I am not able to connect to the other PCs on the bridge!!! For example, I cannot ping (or ssh, or anything) from PC1 to PC2 and vice versa, while I AM able to ping both PCs from the server.
My setup:
SERVER
- eth0: WAN IP address.
- eth1, eth2, eth3: bridged together as br0 with IP address 10.0.0.1. The three NICs are connected to PC1, PC2 and PC3 using crossover cables. This server is able to ping PC1, PC2 and PC3.
PC1:
- eth0: obtains 10.0.0.100 from the server and is connected to the internet
PC2:
- eth0: obtains 10.0.0.101 from the server and is connected to the internet
PC3:
- eth0: obtains 10.0.0.102 from the server and is connected to the internet
PROBLEM: not able to ping from PC1, PC2 or PC3 to each other.
My iptables rules on the server (from the Gentoo home-router howto):
Code:
```sh
# Flush filter and nat tables, then set default policies
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# In this setup the "LAN" side is the bridge device, not a single NIC
export LAN=br0
export WAN=eth0
# Everything arriving from the LAN side or loopback is accepted
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# DHCP (bootps) and DNS (domain) on the router are refused from anything but the LAN.
# Note: "-i ! iface" is the old negation syntax; current iptables versions want "! -i iface".
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
# ssh is the only privileged port reachable from the WAN side
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
# Refuse to forward LAN traffic whose destination is the LAN subnet itself (the howto
# assumes one flat subnet where such traffic never needs the router). With LAN=br0 and
# bridge netfilter active, frames passing between the bridged PCs also traverse FORWARD
# and match this rule.
iptables -I FORWARD -i ${LAN} -d 10.0.0.0/255.255.255.0 -j DROP
# Forward LAN traffic only if it carries a LAN source address (anti-spoofing)
iptables -A FORWARD -i ${LAN} -s 10.0.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.0.0.0/255.255.255.0 -j ACCEPT
# NAT everything that leaves via the WAN interface
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# Reverse-path filtering on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
```
But I also tried with empty iptables and only forwarding enabled.
I have searched the web for hours and read everything about iptables, ebtables, etc., but couldn't find a solution. I hope you can help me. I know it would be easier to connect all 3 PCs to 1 NIC on my server by using a switch, but that would mean I have to buy a switch AND a couple of straight cables. Do I really need to buy it, or is there a simple solution to my problem??
Last edited by Rutger on Wed Dec 20, 2006 1:54 am; edited 1 time in total
erik258 (Advocate), joined 12 Apr 2005, 2650 posts, Twin Cities, Minnesota, USA
Posted: Tue Dec 19, 2006 7:29 pm
Can I see your routing tables, i.e. the output of route?
_________________
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!
Rutger (n00b), joined 20 Jul 2002, 32 posts, Leiden, Netherlands
Posted: Tue Dec 19, 2006 7:46 pm
This is the route output:
Code:
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 br0
192.168.1.0     *               255.255.255.0   U     2000   0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         my.router       0.0.0.0         UG    2000   0        0 eth0
```
(The local 192.168.1.0 address is because my server is behind another router.)
erik258 (Advocate), joined 12 Apr 2005, 2650 posts, Twin Cities, Minnesota, USA
Posted: Tue Dec 19, 2006 8:14 pm
I was going to suggest adjusting the table, but your use of bridging would have made that unnecessary, I would think...
Rutger (n00b), joined 20 Jul 2002, 32 posts, Leiden, Netherlands
Posted: Tue Dec 19, 2006 8:25 pm
Erik258, could you maybe explain what you had in mind? I thought this bridged setup was the easiest way, but if you think I can get this to work without bridging and with some iptables/route magic, I would be really happy!
All I want is the server acting as a gateway to the internet, and the three computers connected to it being able to 'talk' to each other. I don't care if the three PCs are on different subnets or such, as long as they can interconnect. The funny thing is that every howto on this subject suggests bridging to make the subnets talk to each other...
I hope you can point me in the right direction!
erik258 (Advocate), joined 12 Apr 2005, 2650 posts, Twin Cities, Minnesota, USA
Posted: Tue Dec 19, 2006 8:55 pm
Yeah, scrap the bridging.
What you want is three separate network segments, all being routed. You need to tell route to route the network traffic for each PC to the interface connecting to the PC. Right now ...
Quote:
10.0.0.0 * 255.255.255.0 U 0 0 0 br0
all traffic for that device seems to be routed properly. However, evidently it's not making it. I don't know what bridging is like, so I don't know what to think there.
So I would want instead:
10.0.0.100 -> pc1's nic
10.0.0.101 -> pc2's nic
10.0.0.102 -> pc3's nic
and then your bridging PC becomes a router. Now bear in mind I've never done this, but I did eventually get routing of this nature working on a subnet behind a router. If the goal is that, I think this will work well. After all, do you really want a firewall between different parts of your internal network?
Rutger (n00b), joined 20 Jul 2002, 32 posts, Leiden, Netherlands
Posted: Tue Dec 19, 2006 9:09 pm
Thank you very much for your replies! I am going to figure out how to get this to work without bridging.
erik258 (Advocate), joined 12 Apr 2005, 2650 posts, Twin Cities, Minnesota, USA
Posted: Tue Dec 19, 2006 9:21 pm
man iptables
Rutger (n00b), joined 20 Jul 2002, 32 posts, Leiden, Netherlands
Posted: Tue Dec 19, 2006 9:23 pm
Rutger (n00b), joined 20 Jul 2002, 32 posts, Leiden, Netherlands
Posted: Wed Dec 20, 2006 1:54 am
IT WORKS!!!
On my server (/etc/conf.d/net):
```sh
# One routed /24 per NIC instead of one bridge; the server is .1 on each
config_eth1=( "10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0" )
config_eth2=( "10.0.1.1 broadcast 10.0.1.255 netmask 255.255.255.0" )
config_eth3=( "10.0.2.1 broadcast 10.0.2.255 netmask 255.255.255.0" )
```
DHCPD gives out IP addresses on the different subnets. I changed my iptables following the Gentoo home-router guide (and paid attention to the end of section 6, where it explains how to add extra networks to your setup).
Now I can ping and ssh from 10.0.0.100 to 10.0.1.100, and all PCs are connected to the internet! I am very happy I don't have to buy a switch! (You know Dutch people are avaricious.)
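For readers arriving at this thread with the same problem, here is the routed three-segment layout erik258 describes (one subnet per NIC, the server acting as router) written out as an iptables script in the style of the home-router rules quoted in the first post. This is an added example, not Rutger's actual script or the Gentoo howto's text: the interface names and subnets (eth0 = WAN, eth1 = 10.0.0.0/24, eth2 = 10.0.1.0/24, eth3 = 10.0.2.0/24) come from the solved post above, while the per-interface anti-spoofing rules, the conntrack state match for WAN replies and the `DRY_RUN` switch are my own choices. The point it shows is why the per-segment FORWARD rules let 10.0.0.100 reach 10.0.1.100 without the bridge: each rule accepts traffic entering on one NIC with a source in that NIC's own subnet, regardless of destination, so inter-subnet traffic is simply routed, and the howto's "drop LAN-to-LAN" rule that bit the bridged setup is not needed.

```sh
#!/bin/sh
# Added example for the routed (non-bridged) home-router layout from this thread.
# Interface/subnet pairs follow the solved post; everything else is an assumption.
# Usage: "sh routed-router.sh apply" applies the rules (needs root);
#        "DRY_RUN=1 sh routed-router.sh apply" prints them instead.

WAN=eth0

# Each LAN NIC and the /24 that lives behind it (server is .1 on each).
lan_pairs() {
    printf '%s\n' "eth1 10.0.0.0/24" "eth2 10.0.1.0/24" "eth3 10.0.2.0/24"
}

# Wrapper so the rule set can be reviewed without touching the live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

sysctl_set() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "sysctl -w $1=$2"
    else
        sysctl -w "$1=$2"
    fi
}

build_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    ipt -A INPUT -i lo -j ACCEPT
    # On the WAN side only ssh is reachable; the router's DHCP and DNS are
    # refused and every other privileged port is dropped.
    ipt -A INPUT -i "$WAN" -p tcp --dport ssh -j ACCEPT
    ipt -A INPUT -i "$WAN" -p udp --dport bootps -j REJECT
    ipt -A INPUT -i "$WAN" -p udp --dport domain -j REJECT
    ipt -A INPUT -i "$WAN" -p tcp --dport 0:1023 -j DROP
    ipt -A INPUT -i "$WAN" -p udp --dport 0:1023 -j DROP

    lan_pairs | while read -r iface net; do
        # The router's own services are open to each LAN segment.
        ipt -A INPUT -i "$iface" -j ACCEPT
        # Anti-spoofing per segment: a packet entering eth1 must carry a
        # 10.0.0.0/24 source. No destination restriction, so 10.0.0.100 ->
        # 10.0.1.100 is accepted here and the reply is accepted by the eth2 rule.
        ipt -A FORWARD -i "$iface" -s "$net" -j ACCEPT
    done

    # From the WAN only replies to connections the LAN opened are forwarded,
    # instead of the howto's blanket "-i WAN -d LAN -j ACCEPT".
    ipt -A FORWARD -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    sysctl_set net.ipv4.ip_forward 1
    # rp_filter is meaningful now: each subnet is bound to exactly one NIC,
    # so a 10.0.1.x source arriving on eth1 is rejected by the kernel itself.
    sysctl_set net.ipv4.conf.all.rp_filter 1
    sysctl_set net.ipv4.conf.default.rp_filter 1
}

if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Running it with `DRY_RUN=1` first and reading the printed rule list is the check worth doing before applying: you should see exactly one `-A FORWARD -i ethN -s <subnet>` line per LAN NIC, one conntrack rule for the WAN, and no rule that drops traffic by LAN destination.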
erik258 (Advocate), joined 12 Apr 2005, 2650 posts, Twin Cities, Minnesota, USA
Posted: Wed Dec 20, 2006 3:53 pm
Awesome! I know the feeling, and it's great, isn't it?
I rather like switches though, mostly because I don't need 2 network cards per additional computer ; ) $30 right now + free shipping for a 16 port here in the States. And as you know we Americans love buying new stuff ... mine's supposed to be coming today ; )
Congratulations.