# [SOLVED] How to set up transparent bridging using iptables?

## doublehp

I need to set up transparent bridging using iptables, on a computer where some network cards do not support brctl. I know some people can do it, but I can not find any tutorial. Can anyone help me?

----------

## doublehp

Sounds like the problem is mentioned by http://wiki.xensource.com/xenwiki/XenWifi

that points to

http://www.linuxfoundation.org/en/Net:Bridge

http://www.linuxfoundation.org/en/Net:Bridge#It_doesn.27t_work_with_my_Wireless_card.21

I will try this soon.

----------

## doublehp

Applied to my Debian; here is the resulting /etc/network/interfaces:

```
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.203
        netmask 255.255.255.0
        post-up beep
        post-up sleep 1

auto wlan0_rename
iface wlan0_rename inet static
        wireless-mode   managed
        wireless-essid  benoit@demaine.info 40 grand r
        wireless-key    0123-4567-89
        wireless-sens   2
        address 192.168.0.204
        netmask 255.255.255.0
# the wifi link is established first; the bridge is built on top of both cards afterwards
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up sleep 1
        post-up ifconfig eth0 0.0.0.0 up
#       post-up ifconfig eth1 0.0.0.0 up
        post-up ifconfig wlan0_rename 0.0.0.0 up
        post-up brctl addbr br0
        post-up brctl addif br0 eth0
#       post-up brctl addif br0 eth1
        post-up brctl addif br0 wlan0_rename
        post-up ifconfig br0 192.168.0.203
        post-up ifconfig br0:1 192.168.0.204
# rewrite the source MAC of every outgoing frame (and ARP) to the bridge's MAC
        post-up ebtables -t nat -F
        post-up ebtables -t nat -A POSTROUTING -j snat --to-source 00:09:5B:91:56:08 --snat-arp
# also try WITHOUT --snat-arp if needed:
#       post-up ebtables -t nat -A POSTROUTING -j snat --to-source 00:09:5B:91:56:08
# answer every ARP request with the bridge's MAC
        post-up ebtables -t nat -A PREROUTING -p arp -j arpreply --arpreply-mac 00:09:5B:91:56:08
        post-up route add default gw 192.168.0.1
        post-up (echo -e "\t* sleeping 16s ... waiting for bridge to build ..." ; sleep 16 ; beep -f 2000 -l 50 -r 3 ; echo -e "\t* bridge ready !!!" ; ) &
```

This assumes the machine has just booted. If that's not the case, here is a way to clean your rules:

```
echo 1 > /proc/sys/net/ipv4/ip_forward

# reset iptables policies and flush every table
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t filter
iptables -F -t mangle
iptables -F -t raw

# flush every ebtables table
ebtables -t filter -F
ebtables -t nat -F
ebtables -t broute -F
```

Key points:

- establish the wifi link first; it's way harder for the driver to join a node after the bridge is up

- echo 1 > /proc/sys/net/ipv4/ip_forward ; you may need similar things for IPv6; I don't have IPv6 yet.

- ebtables -t nat -A POSTROUTING -j snat --to-source 00:09:5B:91:56:08

- ebtables -t nat -A PREROUTING -p arp -j arpreply --arpreply-mac 00:09:5B:91:56:08

Where the MAC address is the MAC of the bridge. If you try to fix the bug of wifi cards/drivers not supporting spoofing (changing the MAC on the fly), you need to use it as the MAC for the bridge, or here in the ebtables rules. If you use several cards that don't support spoofing, you will have to write more clever rules, likely using -o interface for each specific card.

This is far from even a "good" script: all packets are transmitted on both sides, even when not necessary. Furthermore, I have at the moment a Windows laptop on the wifi side, and it complains it can't get a free IP, and that the attributed IP is already in use. This is because just after the DHCP delivers an IP, Windows tries to ping it to check if it is free; to this ping, the bridge will answer a valid ARP reply, because the queried IP could be a host on its wired side ... that's the aim of the last rule ... and this rule prevents DHCP from working correctly. So, for now, this works fine only with static addressing.

Still, I have unified both sides of my network using software bridging, so the main part of the problem is solved.

References:

- http://lists.shmoo.com/pipermail/hostap/2005-January/009412.html

- http://wiki.xensource.com/xenwiki/XenWifi

- http://www.linuxfoundation.org/en/Net:Bridge#It_doesn.27t_work_with_my_Wireless_card.21

- http://www.atomicmpc.com.au/forums.asp?s=2&c=16&t=4705

- http://ebtables.sourceforge.net/examples.html#real (see examples in the main page, and the links at the bottom)

Commands that can be useful for debugging:

- ip addr show

- tcpdump -veni eth0 icmp

- tcpdump -veni eth1 arp

----------

## doublehp

Works at last.

Question was: I have cheap hardware, and want to build a Wifi access point: I need to do transparent bridging between eth0 and wlan1.

Bad point for me (technical issue) was: after a few tests, as for many other people, my wifi card does not seem to enjoy brctl at all. I have an MA311, that is said to work for other people, but for me, brctl does not work nicely. Maybe it is a firmware issue.

This trick allowed me to get a working network, the "bad" way:

```
ifconfig eth0 192.168.0.205
iwconfig wlan1 mode managed
iwconfig wlan1 essid benoit
iwconfig wlan1 key 0123-4567-89
iwconfig wlan1 sens 2
ifconfig wlan1 192.168.0.206
echo 1 > /proc/sys/net/ipv4/ip_forward
sleep 1

# strip the addresses from both cards, build the bridge and put both addresses on it
ifconfig eth0 0.0.0.0 up
ifconfig wlan1 0.0.0.0 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 wlan1
ifconfig br0 192.168.0.205
ifconfig br0:1 192.168.0.206
sleep 1

# rewrite every outgoing source MAC to the bridge's MAC, and answer all ARP requests with it
ebtables -t nat -F
ebtables -t nat -A POSTROUTING -j snat --to-source 00:09:5b:48:d6:ab --snat-arp
ebtables -t nat -A PREROUTING -p arp -j arpreply --arpreply-mac 00:09:5b:48:d6:ab
route add default gw 192.168.0.1
(echo -e "\t* sleeping 16s ... waiting for bridge to build ..." ; sleep 16 ; beep -f 2000 -l 50 -r 3 ; echo -e "\t* bridge ready !!!" ; ) &
```

Advantage of this: ARP gets answered nicely, and all frames go through as wanted.

Bad point: the router answers all ARP requests, meaning it virtually owns all IPs (even those outside the network), so that when machines like DHCP, Windows and Linux check if an IP is free before using it, the router already uses it, and no IP is ever free.

My actual solution, which works way better:

```
#!/bin/sh
# Proxy-ARP "bridge": each interface gets a /32 address, and parprouted
# learns the hosts on both sides and installs /32 routes for them.
ifconfig eth0 192.168.0.205 netmask 255.255.255.255
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

iwconfig wlan1 mode managed
iwconfig wlan1 essid benoit
iwconfig wlan1 key 0123-4567-89
iwconfig wlan1 sens 2
ifconfig wlan1 192.168.0.206 netmask 255.255.255.255

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/wlan1/proxy_arp
sleep 1

parprouted -d eth0 wlan1 &

# Keep the default route alive: wait until it disappears, then re-add it
# (pinging the gateway first so that its MAC is back in the ARP cache).
while true
do
        echo "Waiting for default route to go away ..."
        while route -n |cut -d " " -f1 |grep "0.0.0.0" >/dev/null
        do
                sleep 1
        done
        echo "Trying to add default route ... until it's here."
        until route -n |cut -d " " -f1 |grep "0.0.0.0" >/dev/null
        do
                /bin/ping -c1 -w1 192.168.0.1 >/dev/null 2>&1
                sleep 1
                /sbin/route add default gw 192.168.0.1
                sleep 1
        done
        /bin/echo "* Added default route"
done
```

Of course, the last part cannot be encoded in the system conf file for the network; it has to be put in an independent script.

It has to be a double loop, in case we lose the default route (I am 99,999% sure there are cases where we can lose it, if we lose its MAC, which could happen if, during a reboot of the gateway, we exceed the timeout of the ARP cache).

This relies on the ability of parprouted to automatically update routes in the kernel (see reference below): use /32 masks, and hope for the best. Just assign any IP to each interface, in any network, and apply the 255.255.255.255 mask.

Minus: discovery takes time: it can take up to 12s from experience. It means that when you try to reach a machine for the first time, you are likely to have losses and errors at the beginning. Having a machine down for longer than the ARP timeout will be a problem. Trying to reach an IP that is not up will flood parprouted queues.

But once we found where an IP is, everything seems stable (because parprouted refreshes ARP before the timeout, so that they never expire).

***

Problems yet to fix:

- add DHCP relay

- check that IPv6 goes through

References:

- http://lists.shmoo.com/pipermail/hostap/2005-January/009412.html => means brctl can work on MA311

- http://www.atomicmpc.com.au/forums.asp?s=2&c=16&t=4705 (MA311 as Master)

- http://ebtables.sourceforge.net/examples.html#real (ebtables examples)

- http://www.linuxfoundation.org/en/Net:Bridge#It_doesn.27t_work_with_my_Wireless_card.21 says that it is common for a wifi card to not work with brctl

- http://wiki.xensource.com/xenwiki/XenWifi (the first guide saying that ebtables can be used to fix this kind of MAC problem)

- http://osdir.com/ml/network.bridge.ebtables.user/2005-03/msg00012.html (ebtables to iptables on a transparent bridge)

- http://freshmeat.net/articles/view/1433/

- http://wiki.openwrt.org/OpenWrtDocs/WhiteRussian/TransparentFirewall (more scripts)

- http://lartc.org/howto/lartc.bridging.proxy-arp.html (proxy ARP)

- http://tldp.org/HOWTO/Wireless-HOWTO-5.html (the page that says parprouted automatically creates routes for any discovered machine, so that, in the end, we can assign to the machine any IP with the mask /32)

- http://www.faqs.org/docs/Linux-mini/Proxy-ARP-Subnet.html

- http://linux.die.net/man/8/parprouted (parprouted man page):


> Unlike standard bridging, proxy ARP bridging allows to bridge Ethernet networks behind wireless nodes. Normal L2 bridging does not work between wireless nodes because wireless does not know about MAC addresses used in the wired Ethernet networks. Also this daemon is useful for making transparent firewalls.
> 
> [...]
> 
> By automatically adding appropriate /32 routes to Linux kernel IP routing table for the hosts learned via ARP , daemon ensures that the Linux kernel will be able to route the packets to the destination host when it receives them without any need routing/subnetting manually.
> ...


- http://www.usenet-forums.com/linux-security/124068-simple-proxy-arp-setup-needed.html (don't forget to add):


> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
> 
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward


----------
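A small health check for the proxy-ARP setup in the last post, added here as an example and not part of the original thread. It assumes the post's interface names eth0/wlan1 and reads the same /proc knobs plus `ip route` / `ip -o -4 addr` output; the helpers take their input on stdin or under a root path so they can be exercised without real interfaces, and `main` runs them against the live machine.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the proxy-ARP
# "bridge" is actually in a relaying state. eth0/wlan1 are the post's
# interface names and are assumptions for your setup.

# has_default_route: succeeds if the `ip route` text on stdin has a default
# route (the post's `route -n | cut | grep "0.0.0.0"` test, made robust).
has_default_route() {
    grep -q '^default '
}

# is_slash32: succeeds if the `ip -o -4 addr show dev IFACE` text on stdin
# carries the /32 mask that the parprouted setup expects.
is_slash32() {
    grep -q 'inet [0-9.]*/32 '
}

# knob_is_one PATH: succeeds if the /proc knob at PATH reads "1".
knob_is_one() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# forwarding_ready ROOT IFACE...: succeeds when ip_forward and each
# interface's proxy_arp are on under ROOT ("/" live, a temp dir in tests).
# Without proxy_arp on both sides, hosts cannot resolve each other and the
# router silently stops relaying.
forwarding_ready() {
    root=$1; shift
    knob_is_one "$root/proc/sys/net/ipv4/ip_forward" || return 1
    for ifc in "$@"; do
        knob_is_one "$root/proc/sys/net/ipv4/conf/$ifc/proxy_arp" || return 1
    done
}

# main: report each check on the live machine; exit status 1 if any fails.
main() {
    rc=0
    forwarding_ready / eth0 wlan1 && echo "forwarding+proxy_arp: ok" \
        || { echo "forwarding+proxy_arp: MISSING"; rc=1; }
    for ifc in eth0 wlan1; do
        ip -o -4 addr show dev "$ifc" | is_slash32 && echo "$ifc: /32 ok" \
            || { echo "$ifc: mask is not /32"; rc=1; }
    done
    ip route | has_default_route && echo "default route: ok" \
        || { echo "default route: absent"; rc=1; }
    pgrep -x parprouted >/dev/null && echo "parprouted: running" \
        || { echo "parprouted: not running"; rc=1; }
    return $rc
}

# Live check only when invoked as: sh proxyarp-check.sh run
case "${1:-}" in run) main ;; esac
```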

