Score:1

Server

How can I MASQUERADE between vlan bridges

Sheik

3/27/23, 1:30 PM

I have created two VLAN bridges in openwrt based system which has single physical interface.

*) eth0->lan->br-lan
*) br-lan->br-lan.2(VLAN INTF)->br-vlan2(BRIDGE INTF)
*) br-lan->br-lan.20(VLAN INTF)->br-vlan20(BRIDGE INTF)

I am running an DHCP server in by ubuntu machine.

I am trying to route between the vlan to open up the intervlan communication. But i couldn't succeed.

what i did is

 iptables -t nat -I POSTROUTING -o br-vlan2 -j MASQUERADE

 iptables -A FORWARD -i br-vlan2 -o br-vlan20 -mstate --state RELATED,ESTABLISHED -j ACCEPT

 iptables -A FORWARD -i br-vlan20 -o br-vlan2 -j
 ACCEPT

 echo 1 > /proc/sys/net/ipv4/ip_forward

And I have tried updating /etc/config/firewall with forwarding rules

config zone
        option name 'vlan2'
        list network 'br-lan.2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'vlan20'
        list network 'br-lan.20'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'br-lan.2'
        option dest 'br-lan.20'

config forwarding
        option src 'br-lan.20'
        option dest 'br-lan.2'

What is wrong here? And am beginner to router concepts.

Edit:

This is how my setup looks like

             IP:  192.168.2.10     192.168.20.10
             GW:  192.168.2.1      192.168.20.1
                   |client 1|       |client 2|
                         ^              ^
                     ____|______________|________
                    |  br-vlan2   |   br-vlan20  |    
 _____________      |192.168.2.2  | 192.168.20.2 |   
|             |     |_____________|______________|
| 192.168.1.1 |     |    |br-lan  IP: 192.168.1.2|
|   router    |---->|eth0|   GW: 192.168.1.1     |
|_____________|     |____|_______________________|          
                    |    x86 machine as AP       |
                    |____________________________|

409

0 + 0

router

iptables

vlan

openwrt

Nikita Kipriyanov

3/27/23, 3:17 PM

What is the actual hardware running OpenWRT and where its eth0 is connected? Better remove br-lan and make VLAN subinterfaces out of eth0 directly (OpenWRT is almost always configured this way). Also, why so many bridges, what else do you plan to put inside them? Wouldn't it be simpler to just assign IP directly to those VLAN subinterfaces and put them into firewall zones?

Score:0

Server

Nikita Kipriyanov

3/27/23, 3:54 PM

The ordinary OpenWRT router usually has a single Ethernet interface in the CPU which is internally connected to a "smart switch" chip. Other ports of the switch are made available outside as jacks, one usually labeled as "WAN" and others are "LAN". The switch is configured in the following way: the CPU-switch link is trunk (all VLANs are tagged), one port ("WAN") is made one VLAN untagged and the rest ports ("LAN") made other VLAN untagged. This is essentially standard "router-on-a-stick" setup, where switch works as simple port extender for a low-port-count router.

The rest looks exactly like your case, the Linux computer which has a single Ethernet interface. To complement switch setup, it is split into VLAN subinterfaces. Then, those subinterfaces are configured according to their function: the LAN is put into a bridge with WLAN interface(s), while WAN is configured without bridges.

This setup looks like the following (eth0 is the only interface of the router):

eth0 has two VLAN subinterfaces, .1 and .2
eth0.1 and wlan0 and wlan1 are combined into br-lan which has IP address assigned and put into LAN zone
eth0.2 has address assigned too.

In case you really need bridges, this is the way to go:

config interface 'vlan20'
        option ifname 'eth0.20'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.20.1'

config interface 'vlan2'
        option ifname 'eth0.2'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'

This would be translated into: Two VLAN subinterfaces will be created out of eth0, and two bridges created, br-vlan20 and br-vlan2. Each VLAN subinterface will participate in its own bridge. Bridges then have IPs assigned.

If you don't need a bridge (e.g. you aren't planning to add other interfaces), just remove option type 'bridge' line from the definition.

Beware, the device on the other side of the eth0 link in this case must be prepared to deal with tagged frames!

The firewall setup for this case might look like this:

config zone
        option name 'zone20'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vlan20'

config zone
        option name 'zone2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option network 'vlan2'

config forwarding
        option src 'zone20'
        option dest 'zone2'

config forwarding
        option src 'zone2'
        option dest 'zone20'

Notice how the zone's network options in the firewall correspond to interface's names in the network configuration file. Linux interface names only appear once in the network configuration file and nowhere else. forwarding's src and dst options, however, correspond to zone's name options.

0 + 0

Sheik

3/29/23, 10:15 AM

Thanks @Nikita I just configured my x86 machine as a wireless Access Point. My machine has an ethernet card and two wireless cards and there is no any internal switch. I just tried as you suggested creating vlans from eth interface and forwarding with zone names. That worked fine. But my requirement is to route between vlan bridges. I need to create vlan from br-lan and then enable intervlan routing in my AP. I am just trying to implement client based intervlan routing as part of one of my AP features.

Sheik

3/30/23, 2:34 AM

Hi @Nikita Kipriyanov I just added my setup along with the question. Earlier I said my case is not working and your case is working. Actually both the cases are working when I keep my clients gateway as VLAN bridges ip, But my AP acts in bridge mode obviously the clients gets the router as gateway. so the packet leaves out before getting forwarding. Hope you understood my scenario. I need to route between the bridges in the AP. This is what i required.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How can I MASQUERADE between vlan bridges

TH: ฉันจะสวมหน้ากากระหว่างสะพาน vlan.js ได้อย่างไร

RO: Cum să mă MASCĂREZ între poduri vlan

RU: Как я могу МАСКАРИРОВАТЬСЯ между мостами vlan

VI: Làm cách nào tôi có thể MASQUERADE giữa các cầu nối vlan

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.