# Network Bridge (eth0 & tap0) and forwarding (gateway) issues

## JSheridan

I tried bridging my eth0 & tap0 for my VPN.

The bridge works (vpn<->local). The Gentoo box still has access to the internet but doesn't work as a gateway anymore (packets are not forwarded back to the clients; see details later).

Normally the Gentoo box splits the local traffic to several different routers. Sadly the system just has one LAN port.

The routing / forwarding looks like this:

```
Clients <-> Gentoo Box <-> Routers
```

The actual network is 192.168.0.0/16:

```
 =====   <-> Routers
|Switch| <-> Gentoo
 =====   <-> Clients
```

If I could I would have changed the layout and moved all routers to a separate network, but since I can't I have to live with that.

At least this setup worked for quite some time, but after I created a bridge (br0) to bridge between the eth0 and tap0 (vpn) my clients are unable to access the internet. As mentioned before, the packets are not forwarded back to the clients.

For simplicity I reduced it to one additional router, let's say 192.168.0.3, and disabled my firewall:

conf.d/net:

```
config_br0="192.168.0.1 netmask 255.255.0.0 broadcast 192.168.255.255"
routes_br0="default via 192.168.0.3"
bridge_br0="eth0 tap0"
brctl_br0="setfd 0 sethello 0 stp off"
rc_need_br0="net.eth0 net.tap0"
config_eth0="null"
tuntap_tap0="tap"
config_tap0="null"
```

routing:

```
default via 192.168.0.3 dev br0
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.0.0/16 dev br0 proto kernel  scope link  src 192.168.0.1
```

brctl show:

```
bridge name     bridge id               STP enabled     interfaces
br0             8000.0007e914925c       no              eth0
                                                        tap0
```

iptables:

```
# Generated by iptables-save v1.4.12.1 on Tue Jan  3 15:52:04 2012
*nat
:PREROUTING ACCEPT [160:13024]
:INPUT ACCEPT [111:10845]
:OUTPUT ACCEPT [540:41292]
:POSTROUTING ACCEPT [147:10508]
[397:31019] -A POSTROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j MASQUERADE
COMMIT
# Completed on Tue Jan  3 15:52:04 2012
# Generated by iptables-save v1.4.12.1 on Tue Jan  3 15:52:04 2012
*mangle
:PREROUTING ACCEPT [11380:7436841]
:INPUT ACCEPT [4982:4186016]
:FORWARD ACCEPT [6352:3248825]
:OUTPUT ACCEPT [3534:232357]
:POSTROUTING ACCEPT [9887:3481258]
COMMIT
# Completed on Tue Jan  3 15:52:04 2012
# Generated by iptables-save v1.4.12.1 on Tue Jan  3 15:52:04 2012
*filter
:INPUT ACCEPT [4985:4188696]
:FORWARD ACCEPT [6352:3248825]
:OUTPUT ACCEPT [3537:232705]
COMMIT
# Completed on Tue Jan  3 15:52:04 2012
```

`/proc/sys/net/ipv4/ip_forward` is enabled.

Now the strange thing is that packets from the clients correctly go through the box and get masqueraded, but the response is lost on the gentoo box. I noticed this while capturing the packets on the device.

Example: client pings 193.99.144.85

```
 33.195744 192.168.0.21 -> 193.99.144.85 ICMP 74 Echo (ping) request  id=0x0001, seq=9/2304, ttl=128
 33.195764  192.168.0.1 -> 193.99.144.85 ICMP 74 Echo (ping) request  id=0x0001, seq=9/2304, ttl=127
 33.240418 193.99.144.85 -> 192.168.0.1  ICMP 74 Echo (ping) reply    id=0x0001, seq=9/2304, ttl=244
WS=128
```

The client never receives the reply, which definitely arrived at the server.

Everything looks identical to the working setup using eth0 (except changing eth0 to br0).

What could I be missing here?

I'd be glad if someone can help me fix this issue. Hopefully I did not miss too much vital information.

Thanks for any help in advance!
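A check for the symptom described in this post, added here as an example and not part of the original thread: it walks tshark-style ICMP echo lines (a constructed sample modelled on the three quoted above, plus a healthy second echo) and names the NAT stage at which each ping flow breaks, so a missing de-NAT/forward on the box can be told apart from an upstream problem. The gateway address 192.168.0.1 is taken from the posted config_br0.

```python
import re
from collections import defaultdict

# Constructed sample capture: the post's three lines (seq=9) plus a healthy echo (seq=10).
CAPTURE = """\
 33.195744 192.168.0.21 -> 193.99.144.85 ICMP 74 Echo (ping) request  id=0x0001, seq=9/2304, ttl=128
 33.195764  192.168.0.1 -> 193.99.144.85 ICMP 74 Echo (ping) request  id=0x0001, seq=9/2304, ttl=127
 33.240418 193.99.144.85 -> 192.168.0.1  ICMP 74 Echo (ping) reply    id=0x0001, seq=9/2304, ttl=244
 34.195744 192.168.0.21 -> 193.99.144.85 ICMP 74 Echo (ping) request  id=0x0001, seq=10/2560, ttl=128
 34.195764  192.168.0.1 -> 193.99.144.85 ICMP 74 Echo (ping) request  id=0x0001, seq=10/2560, ttl=127
 34.240418 193.99.144.85 -> 192.168.0.1  ICMP 74 Echo (ping) reply    id=0x0001, seq=10/2560, ttl=244
 34.240430 193.99.144.85 -> 192.168.0.21 ICMP 74 Echo (ping) reply    id=0x0001, seq=10/2560, ttl=243
"""

# One tshark ICMP echo summary line: time, src -> dst, request/reply, id and seq.
LINE = re.compile(
    r"^\s*(?P<t>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+ICMP \d+ "
    r"Echo \(ping\) (?P<kind>request|reply)\s+id=(?P<id>0x[0-9a-f]+), seq=(?P<seq>\d+)/\d+"
)

GATEWAY = "192.168.0.1"  # the masquerading box, as in the post's config_br0

def audit_nat_flows(capture, gateway=GATEWAY):
    """Group echo packets by (id, seq) and name the first NAT stage each flow fails at."""
    stages = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore non-echo lines (e.g. stray TCP summaries such as "WS=128")
        key = (m["id"], int(m["seq"]))
        kind, src, dst = m["kind"], m["src"], m["dst"]
        if kind == "request":
            stages[key].add("masqueraded_request" if src == gateway else "client_request")
        else:
            stages[key].add("reply_to_gateway" if dst == gateway else "reply_to_client")
    report = {}
    for key, seen in sorted(stages.items()):
        if "client_request" in seen and "masqueraded_request" not in seen:
            report[key] = "client request seen but never masqueraded (forwarding/NAT not applied)"
        elif "masqueraded_request" in seen and "reply_to_gateway" not in seen:
            report[key] = "no reply from the remote host (problem is upstream of the box)"
        elif "reply_to_gateway" in seen and "reply_to_client" not in seen:
            report[key] = "reply reached the gateway but was never de-NATed and forwarded to the client"
        else:
            report[key] = "ok"
    return report

if __name__ == "__main__":
    for key, verdict in audit_nat_flows(CAPTURE).items():
        print(key, verdict)
```

Feed it the output of a capture on br0 (and on eth0, to see which leg the reply stops at); a flow that reaches the gateway but never the client points at the box's NAT/forwarding path rather than at the upstream router.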
