Trouble with bridging?
I get to the point where the br0 interface has my Linode IP, and eth0 and tap0 are both up, but have no addresses (I believe this is the normal state). My routing table looks okay too. Oh, and "brctl show" shows tap0 and eth0 indeed bridged on br0.
However once I'm here, I don't have any connectivity – can't ping my gateway, or anything. I can only use the AJAX terminal (by the way…cool feature!!…)
Any ideas?
9 Replies
[root@orion ~]$ brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.00ff6b4b8097       no              eth0
                                                        tap0
[root@orion ~]$ ifconfig | more
br0       Link encap:Ethernet  HWaddr 00:FF:6B:4B:80:97
          inet addr:207.192.70.105  Bcast:207.192.70.255  Mask:255.255.255.0
          inet6 addr: fe80::2ff:6bff:fe4b:8097/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:661 (661.0 b)  TX bytes:1350 (1.3 Kb)

eth0      Link encap:Ethernet  HWaddr FE:FD:CF:C0:46:69
          inet6 addr: fe80::fcfd:cfff:fec0:4669/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2713 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1673 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:586429 (572.6 Kb)  TX bytes:262755 (256.5 Kb)
          Interrupt:16

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:68 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7895 (7.7 Kb)  TX bytes:7895 (7.7 Kb)

tap0      Link encap:Ethernet  HWaddr 00:FF:6B:4B:80:97
          inet6 addr: fe80::2ff:6bff:fe4b:8097/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:20 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@orion ~]$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
207.192.70.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         207.192.70.1    0.0.0.0         UG    0      0        0 br0
My client machine connects over OpenVPN to my Linode with bridging. Then I configure the client's tap0 as my second Linode IP.
If I try to connect to my Linode IP externally, I see an arp who-has (public IP), which gets forwarded over the OpenVPN tunnel to the client. The client then responds with its tap0 MAC address (which I guess is just generated randomly).
However, at this point, it seems like the Linode routers just discard the response (maybe because they don't like the MAC address?)
What seems to work, although I don't know how to persist this setting, is if I use my first Linode/first IP to do proxy ARP for the second IP. That is, I temporarily bring up the second IP on my Linode, ping it (thus caching the MAC <==> IP relationship in Linode's routers, I suppose), and then bring it back down, and then bring back up the tunnel.
So then, if I enable IP forwarding on my Linode, my machine answers with "itself" for the ARP request (for the second IP), and then forwards the packets down the tunnel, and everything is working. However, this doesn't stay because eventually the ARP entry expires out of the Linode routers, and everything dies.
After looking around for a long time, it doesn't seem possible any more to add a manual published ARP entry (either with 'ip neigh add proxy' or 'arp -s ….. pub') -- this seems to have been replaced with "auto" proxy ARP, where Linux will proxy for you automatically if you set the flag in /proc to 1 and it detects an attempt to cross two divergent subnets (but this doesn't help when the IPs are adjacent to each other!).
So two questions:
1) Is there a way I can report back a MAC address in response to the ARP from the Linode routers that will be "accepted"?, or
2) Is it possible (in any way) to set manual proxy ARP entries in Linux 2.6, such that I can use IP forwarding from my first IP?
> However, at this point, it seems like the Linode routers just discard the response (maybe because they don't like the MAC address?)
I did a quick experiment – I bumped my MAC address by one (for eth0) and then tried to send out some traffic -- no luck. So I guess traffic is filtered by MAC address also. Would it be possible to get a second MAC address assigned to my Linode? Given that I have a second IP and I'm using bridging?
@Ophidian14:
> However, at this point, it seems like the Linode routers just discard the response (maybe because they don't like the MAC address?)
> I did a quick experiment – I bumped my MAC address by one (for eth0) and then tried to send out some traffic -- no luck. So I guess traffic is filtered by MAC address also. Would it be possible to get a second MAC address assigned to my Linode? Given that I have a second IP and I'm using bridging?
Try:
ifconfig ethx hw ether 00:E0:29:6E:04:78
ie make up a mac address or use one of your local ones.
I'm sorry. I read your message again. This is probably not what you want.
Fred B.
> ifconfig ethx hw ether 00:E0:29:6E:04:78
> ie make up a mac address or use one of your local ones.
> I'm sorry. I read your message again. This is probably not what you want.
Right. Unless I use the MAC address that was already assigned to my eth0 interface on my Linode, I can't send out any traffic.
@Ophidian14:
> 2) Is it possible (in any way) to set manual proxy ARP entries in Linux 2.6, such that I can use IP forwarding from my first IP?
Well, I'm fairly certain I've figured out a way. It's sort of a hack, but it seems to work.
Basically, I wrote a small daemon that uses libpcap to watch for incoming ARP requests. If it sees one for my second IP, it answers automatically with my own Linode MAC address.
From there, I get packets for both IP addresses on my Linode, but IP forwarding in the Linux kernel sends (another) ARP request down my tap0 tunnel to my home machine (which is actually really configured with my second address) which answers with its MAC address. The Linode then forwards the traffic right along.
One little snag is that this is all a little confusing to the kernel and it's sending out ICMP redirects to anyone who contacts the second address, because it thinks there's a shorter route through the Linode gateway (when there really isn't). I'm going to hunt through /proc to see if I can turn that off, and if not, I'll just firewall it out. (Update: this is easily disabled via /proc/sys/net/ipv4/conf/br0/send_redirects.)
Anyway, if anyone wants the code for my little daemon gizmo, just let me know.
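Ophidian14 never posted the daemon, so the following is an added illustration of the decision logic such a responder needs, not his code. His daemon used libpcap to capture and inject frames; this example leaves capture and injection out and works on raw Ethernet/ARP bytes so it runs offline. It parses a "who-has" request, answers only when the target IP is in an explicit set of addresses this host is willing to proxy for, and builds the reply with the bridge's own MAC (00:FF:6B:4B:80:97 from the ifconfig output above). The second Linode IP is not shown in the thread, so 192.0.2.10 stands in for it, and the gateway's MAC is a made-up value; both are labelled as constructed in the code.

```python
import struct
import ipaddress

# The bridge MAC comes from the thread's ifconfig output. The proxied second IP
# is a constructed placeholder (the thread never shows the real second address).
OWN_MAC = bytes.fromhex("00ff6b4b8097")
PROXIED_IPS = {ipaddress.IPv4Address("192.0.2.10")}   # constructed second IP

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def parse_arp(frame: bytes):
    """Decode an Ethernet/ARP frame into a dict; None unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": dst, "eth_src": src, "op": op,
        "sha": sha, "spa": ipaddress.IPv4Address(spa),
        "tha": tha, "tpa": ipaddress.IPv4Address(tpa),
    }


def build_arp(op, eth_dst, sha, spa, tha, tpa):
    """Assemble a 42-byte Ethernet/ARP frame; the Ethernet source is always the sender MAC."""
    eth = ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa.packed, tha, tpa.packed)
    return eth + arp


def proxy_arp_reply(frame, own_mac=OWN_MAC, proxied_ips=PROXIED_IPS):
    """Return the reply to send for this frame, or None if it must not be answered.

    Only ARP requests whose target IP is in the explicit proxied set get a reply,
    and the reply always carries our own MAC, which is what the thread describes.
    Replies and requests for any other address are ignored.
    """
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_REQUEST:
        return None
    if arp["tpa"] not in proxied_ips:
        return None
    return build_arp(ARP_REPLY, eth_dst=arp["sha"], sha=own_mac, spa=arp["tpa"],
                     tha=arp["sha"], tpa=arp["spa"])


def sample_request(target_ip):
    """Constructed 'who-has' from the gateway 207.192.70.1; the router MAC is made up."""
    router_mac = bytes.fromhex("020000000001")   # constructed placeholder
    return build_arp(ARP_REQUEST, eth_dst=BROADCAST, sha=router_mac,
                     spa=ipaddress.IPv4Address("207.192.70.1"),
                     tha=b"\x00" * 6, tpa=ipaddress.IPv4Address(target_ip))


if __name__ == "__main__":
    print(parse_arp(proxy_arp_reply(sample_request("192.0.2.10"))))
    print(proxy_arp_reply(sample_request("192.0.2.99")))   # not ours: None
```

Keeping the proxied set explicit is the important design choice: the responder answers for exactly the addresses the host is configured to forward for and nothing else, so it cannot drift into answering for neighbours on the same /24. In a real deployment the frame would come from a libpcap capture on br0 and the reply would be injected on the same interface; with forwarding enabled, the kernel then resolves the real owner over tap0 as the post describes.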
I am trying to set up a bridged OpenVPN server on my VM. The only difference between my configuration and yours seems to be that I'm bridging eth0:0 and not eth0. However, when I bring up the br0 interface, my Linode loses connectivity after a short while, which might (or might not) be related to the MAC address filtering happening at Linode's side.
Would you be able to share your ARP daemon?
Cheers,
osierra