Bridge example needed

FreeBSD-13.0

I have a host with three i/fs: em3 (192.168.0.0/16, private LAN), em4 (123.123.123.0/25, public LAN), em5 (public WAN).

What I wish to do is to configure a bridge so that addresses on em3 can reach addresses on em4 and vice versa, and have traffic from both em3 and em4 reach the WAN.

I tried this:
Code:
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em3 stp addm em4 stp"
ifconfig_em3="up"
ifconfig_em4="up"
ifconfig_bridge0="inet 192.168.0.1/16"
ifconfig_bridge0_alias123="inet 123.123.123.1/25"
ifconfig_em5="inet 134.134.134.234/25"
defaultrouter="134.134.134.233"
gateway_enable="YES"

However, this does not work as I had hoped. Traffic from 123.123.123.71 still cannot reach 192.168.216.53 as an example. What else is required?
 
I don’t think you need a bridge for this since your network ranges don’t overlap, just set gateway_enable="yes" in rc.conf(5). (And make sure you aren’t blocking the traffic with pf or ipfw.)
 
I don’t think you need a bridge for this since your network ranges don’t overlap, just set gateway_enable="yes" in rc.conf(5). (And make sure you aren’t blocking the traffic with pf or ipfw.)
That is what I thought. But even without any firewall running, addresses on em3 cannot ping addresses on em4. So I inferred that a bridge is required to move traffic between them. However, with the setup I used above I cannot even reach 192.168.0.1.
 
(1) Do you have pf or something else running to provide the NAT to the public wan?

(2) You've restarted (or restarted routing) after setting the option in rc.conf?

(3) The devices you're trying to ping between have the appropriate netmask and gateway information?
 
A1. I use PF to NAT. It evidently works as I am typing this.
A2. I reboot the router after changes.
A3. The netmasks have been checked, 255.255.0.0 for 192 and 255.255.255.128 for 123.
 
Can you ping from the router to both endpoints successfully? Can you ping the router from both endpoints successfully?

Check the value of net.inet.ip.forwarding?
 
I still have a problem. This is the gateway (GW) setup:

Code:
                                  em4[LAN 192.168.0.0/16]
em5 [wan 76.x.y.x]   
                                  em3[LAN 216.x.x.0/25]

GATEWAY="YES" is specified in GW /etc/rc.conf. The forwarding flag is set: net.inet.ip.forwarding: 1. The contents of rc.conf are:
Code:
### i/f em3
#ifconfig_em3_descr="HLL LAN 192.168.0.0/16 gateway"
ifconfig_em3="inet 192.168.0.1/16"

### i/f em4
ifconfig_em4_descr="HLL LAN 216.x.y1.0/25 gateway"
ifconfig_em4="inet 216.x.y.1/25"

### i/f em5
### WAN Gateway - Hamilton - HARTLYN001
ifconfig_em5="inet 72.a.b.234/29"         # HLL side WAN connection


static_routes="lan192 lan216"
route_lan192="-net 192.168.0.0/16 192.168.0.1"
route_lan216="-net 216.x.y.0/25 216.x.y.1"

defaultrouter="72.a.b.233"                        # ISP side WAN connection

I have checked, and rechecked, that all connected devices belong to only one of 192 or 216. However, devices on 192 cannot reach devices on 216 and vice versa. This behaviour is independent of whether or not the PF firewall is started. I was working on the belief that the router would automatically route traffic from 192 to 216 and from 216 to 192. Evidently I am mistaken. However, defining static routes does not seem to have any effect either. In fact I can see no route for either

Code:
netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            72.a.b.233         UGS         em5
72.a.b.232/29      link#6             U           em5
72.a.b.234         link#6             UHS         lo0
72.a.b.236         link#6             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.0.0/16     link#4             U           em3
192.168.0.1        link#4             UHS         lo0
216.x.y.0/25       link#5             U           em4
216.x.y.1          link#5             UHS         lo0
216.x.y.2          link#5             UHS         lo0
216.x.y.4          link#5             UHS         lo0

What else do I have to do to get traffic from em3 to pass to em4 and reverse?
 
Both are present in the cache:
Code:
?  (192.168.216.164) at 70:85:c2:80:f6:65 on em3 expires in 1200 seconds [ethernet]
? (216.185.71.41) at 70:85:c2:da:88:4f on em4 expires in 379 seconds [ethernet]
 
I have this configuration and it won't work for me either. There is little in the manual. I also tried setting up without giving addresses for wlan0 and igb0. I can't connect to the network when on the bridge. The cards disappear and are attached to the bridge.

Code:
wlans_rtwn0="wlan0"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 10.1.2.1 netmask 255.255.255.0"
hostapd_enable="YES"

ifconfig_igb0="inet 10.1.1.1 netmask 255.255.255.0"
#dhcpd_enable="YES"
gateway_enable="YES"

cloned_interfaces="bridge0"
ifconfig_bridge0="addm igb0 addm wlan0 up"
ifconfig_igb0="up"
ifconfig_wlan0="up"
ifconfig_bridge0="inet 10.1.3.1/24"

Do I need to specify the inet for the bridge as either wlan0 or igb0? And give the other as an alias?

Here it is and here it works.
View: https://www.youtube.com/watch?v=bz45r_4BREw
 
I have a similar setup (two private subnets, both connected to the router, PF providing NAT for either to the outside world). I have GATEWAY_ENABLE=yes. I don't create any static routes explicitly, or any fancy configuration of IPs beyond address and mask. I do have vnets complicating things, but we can ignore those for this discussion, I believe.
Here's what my routing table looks like:

Code:
Internet:
Destination        Gateway            Flags     Netif Expire
default            123.x.x.1          UGS       cable
10.0.1.0/24        link#7             U         bridge0
10.0.1.1           link#7             UHS       lo0
10.0.128.0/24      link#9             U         guest
10.0.128.1         link#9             UHS       lo0
127.0.0.1          link#5             UH        lo0
123.x.x.0/26       link#1             U         cable
123.x.x.26         link#1             UHS       lo0

I do have a bridge, but it is used to combine multiple Ethernet interfaces on the box that are on the same 10.0.1.0/24 subnet.

So, some comments:

I can ping through the box above from one subnet to the other if I allow it via PF. Make sure you don’t have PF blocking the traffic.

If you are trying to ping host2 from host1, can host1 ping the router successfully? Can host2?

Do you see the packets come in (via tcpdump) when pinging h1 to h2? Or h1 to router, etc?

You seem to have some extra IPs assigned on the subnets to your router. What are those doing? 216.x.y.2, for example.

You describe one interface as a local LAN; machines on that subnet are configured to only access the WAN through this machine, is that right?
 
Code:
ifconfig_bridge0="addm igb0 addm wlan0 up" 
{..}
ifconfig_bridge0="inet 10.1.3.1/24"
Code:
ifconfig_wlan0="inet 10.1.2.1 netmask 255.255.255.0"
{..}
ifconfig_wlan0="up"
Code:
ifconfig_igb0="inet 10.1.1.1 netmask 255.255.255.0"
{..}
ifconfig_igb0="up"
Variables are overruling each other. Remember that rc.conf is just a shell script with a bunch of variables.

Code:
#!/bin/sh

foo="bar"
foo="not bar"

echo $foo
 
Code:
ifconfig_em3="inet 192.168.0.1/16"
{...}
route_lan192="-net 192.168.0.0/16 192.168.0.1"
The ifconfig_em3 already adds an implicit route because 192.168.0.0/16 is a directly connected network. That static route should be removed.

Same for this one:
Code:
ifconfig_em4="inet 216.x.y.1/25"
{...}
route_lan216="-net 216.x.y.0/25 216.x.y.1"
The route for 216.x.y.0/25 is already implicitly set, no need for the static here too.
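As an added example (not posted by anyone in this thread), a small POSIX sh linter that flags both mistakes pointed out in the last two replies: rc.conf variables assigned more than once (only the last assignment survives), and route_* static routes for networks that an ifconfig_* "inet A.B.C.D/N" line already makes directly connected. The rc.conf fragment inside it is constructed with made-up addresses, and only CIDR notation is parsed, not the "netmask" form.

```shell
#!/bin/sh
# Added example, not from the thread: lint rc.conf text read on stdin for the
# two mistakes pointed out in the replies above. All addresses are made up.

# Constructed rc.conf fragment in the shape of the posts above.
RC_SAMPLE='cloned_interfaces="bridge0"
ifconfig_bridge0="addm em3 stp addm em4 stp"
ifconfig_em3="up"
ifconfig_em4="inet 172.16.5.1/25"
ifconfig_bridge0="inet 192.168.0.1/16"
static_routes="lan192 lan216"
route_lan192="-net 192.168.0.0/16 192.168.0.1"
route_lan216="-net 172.16.5.0/25 172.16.5.1"
gateway_enable="YES"'

# Variables assigned more than once. rc.conf is sourced by sh, so only the last
# assignment survives; an earlier "addm ..." line is silently lost.
rc_dup_vars() {
    awk -F= '/^[A-Za-z_][A-Za-z0-9_]*=/ { n[$1]++ }
             END { for (v in n) if (n[v] > 1) print v }' | sort
}

# route_<name>="-net A.B.C.D/N gw" entries whose network is already directly
# connected through some ifconfig_<if>="inet A.B.C.D/N" (CIDR form only, the
# "netmask" form is not parsed). The kernel installs connected routes itself.
rc_redundant_routes() {
    awk '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # key is "<address shifted right by host bits>/<prefix>", so 192.168.0.1/16 and 192.168.0.0/16 match
    function netkey(cidr,  p) { split(cidr, p, "/"); return int(ip2int(p[1]) / 2^(32 - p[2])) "/" p[2] }
    /^ifconfig_[A-Za-z0-9_]*="inet [0-9.]*\/[0-9]*/ {
        gsub(/"/, ""); split($0, kv, "="); split(kv[2], f, " "); conn[netkey(f[2])] = kv[1]
    }
    /^route_[A-Za-z0-9_]*="-net [0-9.]*\/[0-9]*/ {
        gsub(/"/, ""); split($0, kv, "="); split(kv[2], f, " "); routes[kv[1]] = f[2]
    }
    END {
        for (r in routes) {
            k = netkey(routes[r])
            if (k in conn) printf "%s: %s is already directly connected via %s\n", r, routes[r], conn[k]
        }
    }' | sort
}

printf '%s\n' "$RC_SAMPLE" | rc_dup_vars
printf '%s\n' "$RC_SAMPLE" | rc_redundant_routes
```

Run it against a real file with `rc_dup_vars < /etc/rc.conf` and `rc_redundant_routes < /etc/rc.conf`.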
 