
My network has a rather complex setup that I unfortunately can't simplify. Currently it's being half-solved by two different devices (which cause a few other problems), and I wish to replace them with one Linux box with nftables.

I made a diagram (below), but in general I see three components in the setup:

  1. The one route that connects "Box 1" with whatever receives untagged (VLANless) data from the Intranet (1) and doesn't modify it in any way, just forwards it directly to the output interface, and vice versa. Marked yellow on the diagram.
  2. One route that takes VLAN 9 traffic, untags it and passes it on to the bridge+NAT. Marked blue on the diagram.
  3. The bridge that routes traffic between Intranet and Intranet 2 (VLAN 9), and the NAT through which devices on the intranets can access the internet. I only have one IPv4 and one IPv6 address; that's why the IPv6 NAT :(.

Ideal solution

I have tried different approaches based on what was available online, but to no avail, and I found nothing that combined so many different things (VLANs, bridges and NAT). Netfilter gurus, please help me; do ask if something is unclear.

Avamander
  • Your question is too complex (for me). Anyway, here are a few pointers: a Linux bridge can be turned VLAN aware (`ip link set bridge0 type bridge vlan_filtering 1`). It must then be configured with the newer `bridge` command (not `brctl`). nftables' bridge support got improved with kernel 5.3 (it can use the new native bridge netfilter conntrack). Also, using netfilter's conntrack *zones* can help when the same traffic is seen multiple times or when different traffic uses the same IP and only one should be tracked. If possible you should avoid using the bridge for routing (i.e. don't put an IP on the bridge). – A.B Dec 07 '19 at 20:36
  • I've managed to set up most of what I've requested with trial and error, but now I have the issue that I can't get my machine to reply on any static IP I assign to any interface (using netplan); DHCP works, and adding manual routes didn't help :(. I plan on writing up an answer but need to figure this out first. – Avamander Dec 08 '19 at 23:32
  • Explanation: when an interface becomes a bridge port, its layer 3 (network layer, routing) gets ignored. That's not a bug; that's how it works. – A.B Dec 08 '19 at 23:37
  • @Avamander Could you post an answer with some details with what you went with in the end? – gxx Jan 15 '22 at 13:30
  • @gxx Basically, the first step is creating an Ethernet VLAN interface; then it takes two bridges (one between all of LAN (including VLAN interfaces), one between all of WAN); then you can create a `masquerade` rule for IPs originating from LAN in your `nat` table. That's it. – Avamander Jan 15 '22 at 16:25
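
The setup Avamander sketches in the last comment (VLAN interface, a LAN bridge, a WAN bridge, a `masquerade` rule in the `nat` table), written out as an added example that is not part of the question or of any comment; the interface names, the gateway addresses and the placement of the public address on br-wan are assumptions, since the diagram is not on the page:

```shell
# Constructed example, not from the question or its comments. Assumed: eth0 =
# untagged Intranet + tagged VLAN 9, eth1 = link to "Box 1", eth2 = uplink.
LAN_IF=${LAN_IF:-eth0}; BOX1_IF=${BOX1_IF:-eth1}; WAN_IF=${WAN_IF:-eth2}
VLAN_ID=${VLAN_ID:-9}
LAN4_GW=${LAN4_GW:-192.0.2.1/24}; LAN6_GW=${LAN6_GW:-2001:db8:9::1/64}  # constructed
# Print each command, or execute it when APPLY=1 (needs root and iproute2).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Blue route + LAN bridge: VLAN 9 is untagged into eth0.9 and bridged with the
# untagged Intranet; br-lan carries the inside gateway address for the NAT.
setup_lan_bridge() {
    run ip link add link "$LAN_IF" name "$LAN_IF.$VLAN_ID" type vlan id "$VLAN_ID"
    run ip link add br-lan type bridge
    run ip link set "$LAN_IF" master br-lan
    run ip link set "$LAN_IF.$VLAN_ID" master br-lan
    run ip addr add "$LAN4_GW" dev br-lan
    run ip addr add "$LAN6_GW" dev br-lan
    for dev in "$LAN_IF" "$LAN_IF.$VLAN_ID" br-lan; do run ip link set "$dev" up; done
}

# Yellow route: Box 1 and the uplink are bridged so untagged frames pass through
# untouched. The public address goes on br-wan, not on eth2: a bridge port's own
# layer 3 is ignored (A.B's point above).
setup_wan_bridge() {
    run ip link add br-wan type bridge
    run ip link set "$BOX1_IF" master br-wan
    run ip link set "$WAN_IF" master br-wan
    for dev in "$BOX1_IF" "$WAN_IF" br-wan; do run ip link set "$dev" up; done
}

# One inet table masquerades IPv4 and IPv6 out of br-wan; forward only admits
# LAN-initiated flows and their replies. Assumes br_netfilter is not loaded,
# otherwise frames bridged inside br-lan or br-wan would hit this chain too.
nft_ruleset() {
    cat <<'EOF'
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "br-wan" masquerade
    }
}
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "br-lan" oifname "br-wan" accept
    }
}
EOF
}
```

Without APPLY=1 the functions only print the iproute2 commands, so the plan can be reviewed before it touches the box. With APPLY=1 as root, run both setup functions, enable net.ipv4.ip_forward and net.ipv6.conf.all.forwarding, and load the rules with `nft_ruleset | nft -f -`.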
