
On a router running OLSR there are four ports/interfaces where connected devices talk OLSR to each other. Now I don't like to use an IP address for each interface but instead bridge them all and set just one IP address on the bridge.

The problem now is, those devices should NOT see each other on layer2, else olsr routing changes the wrong way (because of the bridge). Those devices should be routed on layer3 by OLSR only. Ok, so there is an option to use ebtables...

I've already read this post, but it's not exactly what I'm looking for. So I'm trying to figure out how to allow each connected device to talk OLSR to the router while denying all connected devices the ability to see each other on layer 2.

# deny talking to each other
ebtables -P FORWARD DROP
ebtables -F FORWARD

works well, but then the router itself does not see any connected device, so I guess I need to allow the interfaces to talk to the router itself.

# allow port eth1 (append rules with -A; -F would flush the chain instead)
ebtables -A FORWARD -i eth1 -j ACCEPT
ebtables -A FORWARD -o eth1 -j ACCEPT

but this allows too much; the effect is the same as setting the policy back to ACCEPT.

How should I set the ebtables rules to make this work the right way?

Christoph Lösch
  • Bridging is layer-2. Routing operates at layer-3. Bridging extends the layer-2 domain. Routing extends the layer-3 domain and divides and connects layer-2 domains. You are trying to mix two different things, picking and choosing what you want from each. – Ron Maupin Sep 16 '15 at 22:52
  • Well, I admit I'm not completely understanding how ebtables works. In the end I want connected devices to talk on layer 2 to the router only, not to each other. Because of having the bridge on the router, I guess this should be done with ebtables, to allow traffic from each port to the router itself and deny traffic to other ports? – Christoph Lösch Sep 16 '15 at 23:07
  • The idea of a router is that it is designed to connect different networks and route traffic between different networks. Devices on the same network need to be able to contact each other on layer-2 to be able to talk on layer-3. You should really assign different networks to each of the four interfaces. You can do so much more with the traffic like allow/deny, route based on policies, different QoS marking and queuing, etc. With different networks and routing, you can easily allow the traffic you wish to allow, while denying the traffic you wish to block. – Ron Maupin Sep 16 '15 at 23:18
  • Yes, sure, I could set VLANs for each port, but then again I need one IP per interface, so I could also stick with the ports/interfaces themselves without the bridge. But in a mesh network, using OLSR with public IPs, this is suboptimal and a waste of IPs. (Please don't start discussing why public IPs are used - this network is designed this way :) ) – Christoph Lösch Sep 16 '15 at 23:33
  • If you block layer-2 frames from traversing the interfaces while keeping the same network on each interface, devices on the same network but on different interfaces will not be able to contact each other. Devices on the same network talk to each other in layer-2 frames. That's just how it works. – Ron Maupin Sep 16 '15 at 23:39
  • You could subnet the public addresses into smaller subnets and put a different one on each interface. That should work. – Ron Maupin Sep 16 '15 at 23:41

2 Answers

When one device wants to talk to another device, the sending device looks at the layer-3 destination address. Then:

  • If the destination layer-3 address is in the same network as the sending device, the device will look in the ARP cache (sending an ARP which is a layer-2 broadcast if it isn't in the cache) to determine the layer-2 (MAC) address of the destination device so that the layer-3 packet can be encapsulated into the layer-2 frame. The layer-2 frame is then sent out the interface.
  • If the destination layer-3 address is in a different network, the sending device will use the layer-2 (MAC) address of the gateway as the destination layer-2 address. The gateway (router) discards the layer-2 frame from the layer-3 packet, routes it to a different interface, and repeats the process to get a new layer-2 address and encapsulates the layer-3 packet in a new layer-2 frame before sending it out the interface.

Based on your requirement to block layer-2 between the interfaces, a device on one interface in the same network as a device on another interface will never be able to contact the other device because it can't contact it via layer-2.

If you need to use the public address range that you were given, you can subnet that range into four /31 subnets. That gives each link two IP addresses, and each link is in a different network. A layer-3 boundary (router) will block layer-2 between its interfaces. Routing will take care of the rest.

You really need to understand this; it's very basic networking. Don't take this the wrong way, but it would seem that you should probably hire someone with the proper skill set for an hour or a day to set up your network.

Ron Maupin

It's as simple as putting all ports into a bridge br0 and then:

ebtables -P FORWARD DROP
ip link set br0 promisc on

(Works as expected on a Ubnt EdgeRouter, but was also tested on a Linux box before, so it should work there too.)

Christoph Lösch
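The setup from the second answer, written out as an added example (not code from the question or either answer): it builds the bridge, applies the FORWARD DROP policy, and audits `ebtables -L FORWARD` output so that a re-opening rule like the `-i eth1 -j ACCEPT` attempt in the question is caught. Bridge name br0 and ports eth1..eth4 are assumed; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the question or answers. Assumed names: bridge br0,
# member ports eth1..eth4. DRY_RUN=1 (default) prints the commands instead of
# running them; run as root with DRY_RUN=0 to apply.
set -e
DRY_RUN="${DRY_RUN:-1}"
if [ "$DRY_RUN" = 1 ]; then EBTABLES=echo; IP=echo; else EBTABLES=ebtables; IP=ip; fi

# Put the ports into one bridge and forbid port-to-port forwarding. Frames a
# neighbour sends to the router's own MAC take the bridge's INPUT path, not
# FORWARD, so OLSR traffic to the router still arrives; only frames that would
# be switched to another member port hit the DROP policy.
isolate_bridge() {
    br="$1"; shift
    "$IP" link add name "$br" type bridge
    for port in "$@"; do
        "$IP" link set "$port" master "$br"
        "$IP" link set "$port" up
    done
    "$IP" link set "$br" up
    "$IP" link set "$br" promisc on
    "$EBTABLES" -F FORWARD
    "$EBTABLES" -P FORWARD DROP
}

# Audit the text of `ebtables -L FORWARD` (read on stdin). Passes only when the
# policy is DROP and no ACCEPT rule re-opens a port-to-port path, so the
# `-i eth1 -j ACCEPT` / `-o eth1 -j ACCEPT` attempt from the question fails.
check_forward_isolation() {
    listing=$(cat)
    policy=$(printf '%s\n' "$listing" |
        sed -n 's/^Bridge chain: FORWARD,.*policy: \([A-Z]*\).*$/\1/p')
    [ "$policy" = "DROP" ] || return 1
    if printf '%s\n' "$listing" | grep -q -- '-j ACCEPT'; then return 1; fi
    return 0
}

# Constructed listings in the layout ebtables -L prints (not captured from a device).
ISOLATED_LISTING='Bridge table: filter

Bridge chain: FORWARD, entries: 0, policy: DROP'
LEAKY_LISTING='Bridge chain: FORWARD, entries: 2, policy: DROP
-i eth1 -j ACCEPT
-o eth1 -j ACCEPT'

isolate_bridge br0 eth1 eth2 eth3 eth4
```

With DRY_RUN=0, follow the apply step with `ebtables -L FORWARD | check_forward_isolation` to confirm nothing has re-opened forwarding between ports.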