Hello,
avlee wrote:
>
> Bridge interface br0 made from eth0 and eth1.
> br0 has an address from the local LAN class (192.168.1.100/24).
> The bridge is between the firewall and the local LAN (192.168.1.0/24).
> Everything works fine. The bridge passes traffic; I use 192.168.1.100
> to administer the bridge.
>
> I added an alias for br0 and configured the address 192.168.2.100.
For what purpose?
Mixing IP subnets on the same ethernet network is usually considered a
bad idea, unless you know exactly what you are doing.
> LAN computers send echo requests to 192.168.2.100 through the default gateway
> (firewall), so the traffic is passing through the bridge.
> (I checked using tcpdump -i br0.)
> But the bridge is not accepting these packets; it forwards them like
> all other packets.
> Is it normal? Why?
Yes, it is normal. The bridge acts like a logical ethernet switch and by
default forwards ethernet packets based upon their destination MAC
address, not their embedded destination IP address.
> Are "aliased" addresses on br0 treated in a different way than the main
> address on br0?
No, aliases are treated the same way as "main" addresses by the Linux
kernel routing code. However other OSes may vary.
Your bridge is equivalent to the following situation:

                           bridging box
                         192.168.1.100/24
                         192.168.2.100/24
                                br0
                                 |
                           +-----+-----+
gateway 192.168.1.x/24 ----+eth0   eth1+---- stations 192.168.1.y/24
                           +-----------+
                      bridge = logical switch

When a station needs to send a packet for 192.168.2.100 via the gateway,
it sends it to the destination MAC address of the gateway LAN interface.
So the bridge forwards the packet from eth1 to eth0. Only packets sent
to the bridge interface (br0) MAC address are forwarded to the bridging
box upper layer.
In order for the bridging box to receive packets for 192.168.2.100, you
may either:
- add a direct route to this address (or its subnet range) on the
stations, telling them that it is on the local network;
- create an ebtables rule matching this IP destination address in the
BROUTING chain of the 'broute' table with the target DROP in order to
force routing of the packet instead of bridging;
- create an ebtables rule matching this IP destination address in the
PREROUTING chain of the 'nat' table with the target 'dnat' in order to
replace the destination MAC address with the MAC address of br0.
Note that the solutions based on ebtables won't work if the gateway is
down, because the ARP resolution for its MAC address will fail, so
packets to a foreign address won't even be sent by the station.
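As an added example, not part of the original thread, here are the three options from the reply above written out as shell functions with the exact ebtables and iproute2 syntax. It assumes the setup described in the thread (br0 bridging eth0 on the gateway side and eth1 on the LAN side, alias 192.168.2.100) and a Linux station whose LAN interface is eth0; the br0 MAC address used in the dnat example is a made-up value. DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 applies them and needs root.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, the alias
# address and the sample MAC are assumptions; the rule syntax is stock
# ebtables / ip.
set -eu

ALIAS_IP=${ALIAS_IP:-192.168.2.100}
BRIDGE=${BRIDGE:-br0}
# DRY_RUN=1 prints the commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# MAC address of br0. Read from sysfs on the bridging box; an explicit
# argument overrides it so the command can be composed on another host.
bridge_mac() {
    if [ -n "${1:-}" ]; then
        echo "$1"
        return
    fi
    cat "/sys/class/net/$BRIDGE/address"
}

# Option 2: 'broute' table. In the BROUTING chain the target names are
# inverted compared to the other tables: DROP means "route this frame"
# (hand it to the IP stack of the bridging box), ACCEPT means "bridge it".
# So DROP is what makes frames for the alias reach 192.168.2.100 locally.
# --ip-dst requires -p IPv4.
broute_rule() {
    run ebtables -t broute -A BROUTING -p IPv4 --ip-dst "$1" -j DROP
}

# Option 3: 'nat' table. The station addressed the frame to the gateway's
# MAC; rewrite the destination MAC to br0's own MAC so the normal bridge
# input path delivers the frame locally instead of forwarding it to eth0.
dnat_rule() {
    run ebtables -t nat -A PREROUTING -p IPv4 --ip-dst "$1" \
        -j dnat --to-destination "$2" --dnat-target ACCEPT
}

# Option 1: on each station, a host route saying the alias is on-link.
# The station then ARPs for 192.168.2.100 itself and br0 answers, which
# is the only one of the three options that keeps working when the
# gateway is down.
station_route() {
    run ip route add "$1/32" dev "$2"
}

# Usage: ./bridge-alias.sh broute | dnat [br0-mac] | route [station-if]
if [ $# -gt 0 ]; then
    case "$1" in
        broute) broute_rule "$ALIAS_IP" ;;
        dnat)   dnat_rule "$ALIAS_IP" "$(bridge_mac "${2:-}")" ;;
        route)  station_route "$ALIAS_IP" "${2:-eth0}" ;;
        *)      echo "unknown option: $1" >&2; exit 2 ;;
    esac
fi
```

After applying either ebtables rule on the bridging box, `ebtables -t broute -L` or `ebtables -t nat -L` shows the rule and `tcpdump -i br0 icmp` should now show echo replies leaving from 192.168.2.100. The caveat from the reply still holds for both ebtables options: the station only emits the frame at all if it can resolve the gateway's MAC.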