Jorge Pereira
2013-Aug-23 02:21 UTC
[Bridge] challenge of year: connect to LAN using wireless-ap over bridge + unmanaged l2tpv3 tunnel + bridge? it's possible?
hi everyone,

so, first it seemed a trivial question to me, but since I could not find anybody either able to answer this question or to give a short config example, after a few sleepless nights and exhausting all the reading and research, here I am sharing my problem with all of you, in the hope of some possible solution/suggestion. or is it that this is impossible??

below my scheme/layout.

+---------------------------------------------------------+
| MAIN SERVER - 10.60.61.1 (DHCP SERVER)                  |
+---------------------------------------------------------+
                            |
              +---------------------------+
              | NETWORK vlan601           |
              | net 10.251.0.0/16         |
              | gw:10.251.0.1             |
              +---------------------------+
                            |
+------------------------------------------------------------------+
| SERVER B (BRIDGE / unmanaged L2TPv3) - BAHIA                     |
+------------------------------------------------------------------+

root@bahia:~# ip -d addr show eth0   # WAN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:a7:13:49 brd ff:ff:ff:ff:ff:ff
    inet 200.243.1.5/24 brd 200.243.1.255 scope global eth0
    inet6 fe80::250:56ff:fea7:1349/64 scope link
       valid_lft forever preferred_lft forever
root@bahia:~# ip -d addr show eth1   # LAN (VLAN/TRUNK)
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:a7:13:4a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:56ff:fea7:134a/64 scope link
       valid_lft forever preferred_lft forever
root@bahia:~# ip link add link eth1 name eth1.601 mtu 1500 type vlan id 601
root@bahia:~# ip link set dev eth1.601 up promisc on
root@bahia:~# ip -d addr show eth1.601
9: eth1.601@eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:50:56:a7:13:4a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:56ff:fea7:134a/64 scope link
       valid_lft forever preferred_lft forever
root@bahia:~# ip route show
default via 200.243.1.254 dev eth0
200.243.1.0/24 dev eth0 proto kernel scope link src 200.243.1.5
root@bahia:~#

and.... we've the interface l2tpeth0 (L2TPv3) established with the other node over the internet via eth0 (WAN), plugged into vlan601 (eth1.601) by a bridge called "br-red"

root@bahia:~# brctl show
bridge name     bridge id               STP enabled     interfaces
root@bahia:~# brctl addbr br-red
root@bahia:~# brctl addif br-red eth1.601
root@bahia:~# ip l2tp add tunnel tunnel_id 45 peer_tunnel_id 42 udp_sport 5001 udp_dport 5000 encap udp local 200.243.1.5 remote 200.199.10.12
root@bahia:~# ip l2tp add session tunnel_id 45 session_id 5196755 peer_session_id 128
root@bahia:~# ip link set l2tpeth0 up promisc on master br-red
root@bahia:~# ip link set br-red up
root@bahia:~# brctl show br-red
bridge name     bridge id               STP enabled     interfaces
br-red          8000.005056a7134a       no              eth1.601
                                                        l2tpeth0
root@bahia:~# brctl showstp br-red
br-red
 bridge id              8000.005056a7134a
 designated root        8000.005056a7134a
 root port                 0                    path cost                  0
 max age                  20.00                 bridge max age            20.00
 hello time                2.00                 bridge hello time          2.00
 forward delay            15.00                 bridge forward delay      15.00
 ageing time             300.01
 hello timer               1.06                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   5.08
 flags

eth1.601 (1)
 port id                8001                    state                forwarding
 designated root        8000.005056a7134a       path cost                  4
 designated bridge      8000.005056a7134a       message age timer          0.00
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.06
 flags

l2tpeth0 (2)
 port id                8002                    state                forwarding
 designated root        8000.005056a7134a       path cost                100
 designated bridge      8000.005056a7134a       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.05
 flags
root@bahia:~#

it's ok, my bridge "br-red" listens to all traffic over my LAN (vlan 601) and my L2TPv3 over the internet (wan).

root@bahia:~# tcpdump -nve -i br-red "host 10.251.0.1"
tcpdump: WARNING: br-red: no IPv4 address assigned
tcpdump: listening on br-red, link-type EN10MB (Ethernet), capture size 65535 bytes
20:58:17.860060 d4:ae:52:84:37:ae > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.90.157 tell 10.251.0.1, length 46
20:58:17.980065 d4:ae:52:84:37:ae > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.153.31 tell 10.251.0.1, length 46
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel
root@bahia:~#

+-----------------------------------------------------------------------------------------+
| SERVER B (BRIDGE/L2TPv3 + WIRELESS ACCESS POINT) - RECIFE                               |
+-----------------------------------------------------------------------------------------+

root@recife:~# ip addr show eth1   # (WAN)
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether a0:f3:c1:a3:c4:11 brd ff:ff:ff:ff:ff:ff
    inet 200.199.10.12/21 brd 200.199.10.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a2f3:c1ff:fea3:c411/64 scope link
       valid_lft forever preferred_lft forever
root@recife:~# ip route show
default via 200.199.10.254 dev eth1 proto static
200.199.10.0/21 dev eth1 proto kernel scope link src 200.199.10.12
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
root@recife:~# ip l2tp add tunnel tunnel_id 42 peer_tunnel_id 45 udp_sport 5000 udp_dport 5001 encap udp local 200.199.10.12 remote 200.243.1.5
root@recife:~# ip l2tp add session tunnel_id 42 session_id 128 peer_session_id 5196755
root@recife:~# ip link set dev l2tpeth0 up promisc on master br-red
root@recife:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.a0f3c1a3c40f       no              eth0
root@recife:~# brctl addbr br-red
root@recife:~# brctl addif br-red l2tpeth0
root@recife:~# brctl addif br-red wlan0
root@recife:~# ifconfig br-red up
root@recife:~# ip link set br-red up
root@recife:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.a0f3c1a3c40f       no              eth0
br-red          8000.1ae0f4a30221       no              l2tpeth0
                                                        wlan0
root@recife:~#

....::: RESUME :::...

1) sorry for the long email....
2) when I'm at the "recife hotspot"... I can join the wireless "Recife Wireless" from my device, but I can't receive an ip from dhcp (10.60.61.1).
3) from "server A [bahia]" (bridge with the vlan601 network) and "server B [recife]", I can "see/listen" the broadcast request from my device mac "5c:95:ae:22:d6:6e" like below.

root@bahia:~# tcpdump -nve -i br-red "ether host 5c:95:ae:22:d6:6e"
00:08:52.653667 5c:95:ae:22:d6:6e > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 255, id 37839, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 5c:95:ae:22:d6:6e, length 300, xid 0xe6f1d0a5, Flags [none]
	  Client-Ethernet-Address 5c:95:ae:22:d6:6e
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Parameter-Request Option 55, length 6:
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      Option 119, Option 252
	    MSZ Option 57, length 2: 1500
	    Client-ID Option 61, length 7: ether 5c:95:ae:22:d6:6e
	    Lease-Time Option 51, length 4: 7776000
	    Hostname Option 12, length 14: "Straces-iPhone"
^C
1 packets captured
1 packets received by filter
root@bahia:~#

same result on the "bridge a" (root@recife:~#) side...

4) the strangest thing of all is that, from bridge-b (recife), I can get an ip from dhcp via a broadcast request over L2TPv3... but without the option "broadcast" I can't receive an ip from dhcp (10.61.60.1)

root@recife:~# udhcpc -B -i br-red
udhcpc (v1.19.4) started
Sending discover...
Sending select for 10.251.157.22...
Lease of 10.251.157.22 obtained, lease time 300
udhcpc: ifconfig br-red 10.251.157.22 netmask 255.255.0.0 broadcast +
udhcpc: setting default routers: 10.251.0.1
root@recife:~# ip route add 200.243.1.5 via 200.199.10.254 dev eth1
root@recife:~# ip route show
default via 10.251.0.1 dev br-red
10.251.0.0/16 dev br-red proto kernel scope link src 10.251.157.22
200.199.10.0/21 dev eth1 proto kernel scope link src 200.199.10.12
200.243.1.5 via 200.199.10.254 dev eth1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
root@recife:~# ping -c2 10.251.0.1
PING 10.251.0.1 (10.251.0.1): 56 data bytes

--- 10.251.0.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@recife:~#

5) output of tcpdump listening on the bridge "br-red" for the request from bridge-a-natal: http://pastebin.com/t8wn3zRK
6) output of tcpdump listening on the bridge "br-red" for the request from bridge-b-recife: http://pastebin.com/njTQfd5k
7) after a lot of research I found kernel options to set like "arp_filter", "bridge-nf-*",... but I have no idea which option should be enabled / disabled. tried some combinations but without success....
8) the DHCP-OFFER isn't forwarded by "bridge-a"... problems with unicast? multicast? arp_proxy? ....
9) we need to join the network by wireless and access the server 10.251.0.1 over bridge/l2tpv3 (unmanaged)
10) in our case, we can use only L2TPv3. (may not be OpenVPN, ...)
11) all is Linux, without any iptables rules.
12) who will win a beer?! =]

Best regards,
Jorge Pereira
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bridge/attachments/20130822/8dd62dc2/attachment-0001.html>
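Points 4 and 8 come down to whether the unicast DHCP OFFER crosses the bridge/tunnel pair while broadcast frames do. The Python below is an added example, not code from the thread: it correlates `tcpdump -nve -v` captures of br-red taken on both hosts by DHCP xid and reports the first stage that one host saw and the other did not, noting whether that frame was unicast or broadcast. The captures are constructed in the thread's output format (the MACs are the ones quoted above; xid 0x3c4d5e6f and the udhcpc exchange are made up), and it assumes that udhcpc -B sets the DHCP broadcast flag so the server replies by broadcast.

```python
import re
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
STAGES = ("Discover", "Offer", "Request", "ACK")  # order of a normal DHCP exchange
# -e puts the L2 addresses on a packet's first line; -v puts xid and Option 53 below it
PKT_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}),")
XID_RE = re.compile(r"\bxid (0x[0-9a-f]+)")
MSG_RE = re.compile(r"DHCP-Message Option 53, length 1: (\w+)")

def parse_dhcp(capture):
    """(xid, message type, src MAC, dst MAC) per DHCP packet; other packets are skipped."""
    packets, cur = [], None
    for line in capture.splitlines():
        if m := PKT_RE.match(line):
            cur = {"src": m["src"], "dst": m["dst"], "xid": None}
        if cur is None:
            continue
        if m := XID_RE.search(line):
            cur["xid"] = m.group(1)
        if (m := MSG_RE.search(line)) and cur["xid"]:
            packets.append((cur["xid"], m.group(1), cur["src"], cur["dst"]))
            cur = None
    return packets

def find_break(captures):
    """captures = {host: tcpdump -nve -v text from br-red}.  Per xid, report the first
    stage one host saw and the other did not, and whether that frame was unicast."""
    seen, findings = defaultdict(lambda: defaultdict(dict)), []  # xid -> stage -> host -> dst
    for host, text in captures.items():
        for xid, kind, _src, dst in parse_dhcp(text):
            seen[xid][kind][host] = dst
    for xid, stages in sorted(seen.items()):
        for stage in STAGES:
            hosts = stages.get(stage, {})
            if not hosts:
                break  # exchange ended here on every host, so nothing to blame on forwarding
            if missing := [h for h in captures if h not in hosts]:
                dst = next(iter(hosts.values()))
                how = "broadcast" if dst == BROADCAST else f"unicast to {dst}"
                findings.append(f"{xid}: {stage} ({how}) seen on {', '.join(hosts)} "
                                f"but not on {', '.join(missing)}")
                break
    return findings

def frame(xid, src, dst, kind):
    """Constructed tcpdump -nve -v text for one DHCP frame (only the fields used above)."""
    return (f"00:08:52.653667 {src} > {dst}, ethertype IPv4 (0x0800), length 342:\n"
            f"    BOOTP/DHCP, length 300, xid {xid}, Flags [none]\n"
            f"\t  DHCP-Message Option 53, length 1: {kind}\n")

CLIENT, GW, BR_RECIFE = "5c:95:ae:22:d6:6e", "d4:ae:52:84:37:ae", "1a:e0:f4:a3:02:21"
# Constructed captures modelled on the thread: the iPhone's broadcast Discover crosses the tunnel
# but its unicast Offer shows up only on bahia; the udhcpc -B exchange (broadcast replies) completes
IPHONE = [("0xe6f1d0a5", CLIENT, BROADCAST, "Discover"), ("0xe6f1d0a5", GW, CLIENT, "Offer")]
UDHCPC = [("0x3c4d5e6f", BR_RECIFE, BROADCAST, "Discover"), ("0x3c4d5e6f", GW, BROADCAST, "Offer"),
          ("0x3c4d5e6f", BR_RECIFE, BROADCAST, "Request"), ("0x3c4d5e6f", GW, BROADCAST, "ACK")]
CAPTURES = {"bahia": "".join(frame(*f) for f in IPHONE + UDHCPC),
            "recife": "".join(frame(*f) for f in IPHONE[:1] + UDHCPC)}
```

Run on real captures, an Offer reported as "unicast ... seen on bahia but not on recife" points at the unicast forwarding path between the two br-red bridges, not at the DHCP server.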
Joel Wirāmu Pauling
2013-Aug-23 05:22 UTC
[Bridge] challenge of year: connect to LAN using wireless-ap over bridge + unmanaged l2tpv3 tunnel + bridge? it's possible?
You can't bridge 802.11 segments with normal ethernet segments. Wifi APs that do this use magic, or hidden pseudo-bridges to do the same. You will need to use something like relayd to form a pseudo-bridge between your wired and wireless segments, or use routing.

-Joel

On 23 August 2013 14:21, Jorge Pereira <jpereiran at gmail.com> wrote:
> [original message quoted in full; see above]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bridge/attachments/20130823/851e596c/attachment-0001.html>