Hi, wondering if anyone can help. I have two NICs on a Debian sarge based system, currently running as a bridge (br0) which consists of eth0 and eth1. Is it possible to add a virtual interface to the eth1 so I can also do NAT on the box as well? I have tried many times and keep coming up with errors.

Kind Regards
William Bohannan
On 5/28/2007 8:12 AM, William Bohannan wrote:
> Hi, wondering if anyone can help. I have two NICs on a Debian sarge based
> system, currently running as a bridge (br0) which consists of eth0 and
> eth1. Is it possible to add a virtual interface to the eth1 so I can
> also do NAT on the box as well? I have tried many times and keep coming
> up with errors.

Why not add virtual aliased interfaces to the br0 interface? Do your NATing there.

Grant. . . .
Thanks Grant, I am very new to combining NATing and bridging. Please can you possibly give an example on how to add the virtual interface. Current /etc/networking/interfaces looks like this:

---------------------------------------
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask 255.255.255.128
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx

    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 eth1
-----------------------------------------

Kind Regards
William Bohannan

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Grant Taylor
Sent: Monday, May 28, 2007 6:39 PM
To: Mail List - Linux Advanced Routing and Traffic Control
Subject: Re: [LARTC] 2 NICs Bridge + Router

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On 05/31/07 07:22, William Bohannan wrote:
> Thanks Grant, I am very new to combining NATing and bridging. Please
> can you possibly give an example on how to add the virtual interface.

I'll try. I don't recognize the format of the file below, but I'll take a stab at it.

> Current /etc/networking/interfaces looks like this:
> ---------------------------------------
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
>     address xxx.xxx.xxx.xxx
>     netmask 255.255.255.128
>     network xxx.xxx.xxx.xxx
>     broadcast xxx.xxx.xxx.xxx
>     gateway xxx.xxx.xxx.xxx

auto br0:1
iface br0:1 inet static
    address xxx.xxx.xxx.xxx
    netmask 255.255.255.128
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx

>     pre-up /sbin/ip link set eth0 up
>     pre-up /sbin/ip link set eth1 up
>     pre-up /usr/sbin/brctl addbr br0
>     pre-up /usr/sbin/brctl addif br0 eth0
>     pre-up /usr/sbin/brctl addif br0 eth1
> -----------------------------------------

Again this is just a guess and where I would start. You may have better luck seeking support through your distribution.

Grant. . . .
Grant

Didn't work, comes up with "cannot create bridge as already exists" and the current bridge br0 stops working. Currently using Debian. Will try the Debian forums to see if someone can help. Thanks again for the assistance.

# /etc/network/interfaces
auto lo
iface lo inet loopback

# public ip
auto br0
iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask 255.255.255.128
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx

# private ip
auto br0:1
iface br0:1 inet static
    address 10.10.10.254
    netmask 255.255.255.0
    network 10.10.10.0
    broadcast 10.10.10.255

    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 eth1

Kind Regards
William Bohannan
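The error reported above is what ifupdown produces when the bridge hooks end up under the wrong stanza: in interfaces(5), option lines such as pre-up belong to the iface stanza that immediately precedes them, so in the file above they run when br0:1 is brought up, and brctl addbr then finds that br0 already exists. The file below is an added example, not from the thread or from either poster, that keeps Grant's alias idea but leaves the bridge creation under br0 and gives the alias no pre-up and no gateway line (a second gateway would mean a second default route). Addresses are placeholders from the documentation ranges; the order of the two auto lines matters, since ifup -a brings them up in file order.

```text
# /etc/network/interfaces  (added example; placeholder addresses)
auto lo
iface lo inet loopback

# public address: the bridge is created by these hooks before br0 is configured
auto br0
iface br0 inet static
    address 192.0.2.77
    netmask 255.255.255.128
    network 192.0.2.0
    broadcast 192.0.2.127
    gateway 192.0.2.126
    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 eth1

# private alias for the hosts to be NATed: no hooks and no gateway here,
# br0 already exists by the time this stanza is processed
auto br0:1
iface br0:1 inet static
    address 10.10.10.254
    netmask 255.255.255.0
    network 10.10.10.0
    broadcast 10.10.10.255
```

After ifup -a, `brctl show` should list br0 once with both ports, and `ip addr show br0` should show both the public address and the 10.10.10.254 alias on the same device.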
Grant

Works well except I cannot for the life of me get NAT working. I have the following setup:

### Network Interface script
# /etc/init.d/network/interfaces
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 193.xxx.xxx.77
    netmask 255.255.255.128
    network 193.xxx.xxx.0
    broadcast 193.xxx.xxx.127
    gateway 193.xxx.xxx.126

    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 eth1

### Simple script to start at boot
# /etc/init.d/brouter.init
echo "Bringing up NAT"
ip addr add 10.10.1.254/24 dev br0
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
route add -net -n 0.0.0.0 dev br0
#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Please advise.

Kind Regards
William Bohannan
On 06/04/07 11:28, William Bohannan wrote:
> Works well except I cannot for the life of me get NAT working. I have
> the following setup:

Good.

> ### Network Interface script
> # /etc/init.d/network/interfaces
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
>     address 193.xxx.xxx.77
>     netmask 255.255.255.128
>     network 193.xxx.xxx.0
>     broadcast 193.xxx.xxx.127
>     gateway 193.xxx.xxx.126
>
>     pre-up /sbin/ip link set eth0 up
>     pre-up /sbin/ip link set eth1 up
>     pre-up /usr/sbin/brctl addbr br0
>     pre-up /usr/sbin/brctl addif br0 eth0
>     pre-up /usr/sbin/brctl addif br0 eth1

What would happen if you added additional address, netmask, network, broadcast, and gateway lines? Would that allow you to have aliases defined in this manner, or would it simply override the existing settings?

> ### Simple script to start at boot
> # /etc/init.d/brouter.init
> echo "Bringing up NAT"
> ip addr add 10.10.1.254/24 dev br0
> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
> route add -net -n 0.0.0.0 dev br0
> #enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward

Hum, this looks like you will be MASQUERADEing any and all traffic that leaves br0. I'm betting that you are MASQUERADEing some traffic that you do not want to MASQUERADE.

> Please advise.

You need to selectively MASQUERADE traffic that is leaving your br0 interface, i.e. MASQUERADE any traffic that is leaving your network headed to the world. You can accomplish this a couple of different ways (possibly more).

1) MASQUERADE any traffic that is not destined to your internal network. In other words, MASQUERADE any traffic that is leaving your network, i.e.

   iptables -t nat -A POSTROUTING -o br0 -d ! 10.10.1.0/24 -j MASQUERADE

   (If I have that IPTables syntax correct. You get the idea.)

2) MASQUERADE any traffic that is leaving the physical interface that is facing the internet via the physdev IPTables match extension. (Sorry, I have no experience with this option.)

Personally, I would try to do it based on destination IP address rather than physical interface for various reasons that are not really pertinent here.

Grant. . . .
Grant

Thanks for the quick reply. On the test machine (10.10.1.20) I can ping 193.xxx.xxx.77 & 10.10.1.254 (the brouter), however I still cannot ping the internet gateway 193.xxx.xxx.126. Below is my routing table:

[root:~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.128 U     0      0        0 br0
10.10.1.0       *               255.255.255.0   U     0      0        0 br0
default         *               0.0.0.0         U     0      0        0 br0
default         193.xxx.xxx.126 0.0.0.0         UG    0      0        0 br0

## Start up script
#
echo "Bringing up NAT"
ip addr add 10.10.1.254/24 dev br0
iptables -t nat -A POSTROUTING -o br0 -d ! 10.10.1.0/24 -j MASQUERADE
route add -net -n 0.0.0.0 dev br0
#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
route add default gw 193.220.59.126

## Network interfaces file
# /etc/network/interfaces
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 193.xxx.xxx.77
    netmask 255.255.255.128
    network 193.xxx.xxx.0
    broadcast 193.xxx.xxx.127
    gateway 193.xxx.xxx.126

    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 eth1

Thanks again for all the help so far.

Kind Regards
William Bohannan
Thank you so much, I have been wanting to do this for ages and finally got it working (had to remove the gw) :)

### /etc/network/interfaces
#
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 193.xxx.xxx.77
    netmask 255.255.255.128
    network 193.xxx.xxx.0
    broadcast 193.xxx.xxx.127

    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 eth1

### /etc/init.d/brouter.sh
#
echo "Bringing up NAT"
ip addr add 192.168.2.101/24 dev br0
iptables -t nat -A POSTROUTING -o br0 -d ! 192.168.2.0/24 -j MASQUERADE
#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
route add default gw 193.xxx.xxx.126

Kind Regards
William Bohannan
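Two things in this thread deserve a tighter form than the working script above: Grant's point about MASQUERADE matching more than intended, and the two default routes that turned out to be the real blocker. On a box that is both a transparent bridge and a NAT router, frames that are merely bridged between eth0 and eth1 also pass through iptables (the bridge code's netfilter hooks, controlled by net.bridge.bridge-nf-call-iptables, were on by default on kernels of that era), and they do so with br0 as both the input and output device. So `-o br0 -j MASQUERADE` rewrites the public hosts' traffic passing through the bridge, and even `! -d 192.168.2.0/24` still catches it. Restricting the rule by source network as well as destination is the missing check, and `ip route replace default` guarantees exactly one default route whatever ifupdown and the init script each added. The script below is an added example, not from the thread or either poster; the interface name, addresses and networks are assumptions passed in as arguments, and it assumes iproute2, sysctl and an iptables that understands the `! -d` negation and the state match. Without RUN=1 it only prints the commands it would run, so it can be inspected (and tested) without root.

```shell
#!/bin/sh
# Added example (not from the thread): emit the rule set for a bridge that
# carries a public address plus a private alias used for NAT.
# Assumptions: bridge "br0", upstream gateway 192.0.2.126, private alias
# 192.168.2.101/24 on net 192.168.2.0/24 (all passed as arguments);
# iproute2, sysctl and iptables with "! -d" negation and the state match.

# brouter_cmds BRIDGE PUBLIC_GW PRIVATE_ADDR/PREFIX PRIVATE_NET/PREFIX
# Prints one command per line; nothing is executed here.
brouter_cmds() {
    br="$1" pub_gw="$2" priv_addr="$3" priv_net="$4"
    cat <<EOF
ip addr replace $priv_addr dev $br
ip route replace default via $pub_gw dev $br
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $br -s $priv_net ! -d $priv_net -j MASQUERADE
iptables -A FORWARD ! -s $priv_net -d $priv_net -m state --state NEW -j DROP
EOF
}
# Line by line:
#  - "ip addr replace" is idempotent, so re-running the script does not fail.
#  - "ip route replace default" leaves exactly one default route, which is
#    what the thread ended up needing after removing the second gateway.
#  - MASQUERADE is limited to packets FROM the private net AND NOT TO it:
#    bridged transit between public hosts (seen by iptables with br0 as the
#    output device) is left untouched, as is private-to-private traffic.
#  - The FORWARD rule drops new connections aimed at the private net from
#    anywhere else; return traffic for NATed flows is not NEW and passes.

# brouter_apply ARGS...: print the commands, or run them as root when RUN=1.
brouter_apply() {
    brouter_cmds "$@" | while IFS= read -r cmd; do
        if [ "${RUN:-0}" = 1 ]; then
            sh -c "$cmd"                       # needs root and the tools above
        else
            printf 'would run: %s\n' "$cmd"
        fi
    done
}

# Stand-alone use: ./brouter.sh br0 192.0.2.126 192.168.2.101/24 192.168.2.0/24
if [ "$#" -gt 0 ]; then
    brouter_apply "$@"
fi
```

After applying with RUN=1, `ip route` should show a single default entry, and `iptables -t nat -L POSTROUTING -v -n` should show the MASQUERADE counters climbing only when a 192.168.2.0/24 host talks to the outside, not when public hosts on either side of the bridge talk to each other.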
On 06/04/07 13:26, William Bohannan wrote:
> Thank you so much, I have been wanting to do this for ages and finally got it
> working (had to remove the gw) :)

*nod* I was in the middle of reading your last message when you replied stating that you had fixed your problem. I was just staring at the fact that you had two defaults and wondering if that was not the problem.

You are welcome. I'm glad that I was able to help. :)

Grant. . . .