4

Given the following setup on a router that performs NAT between two networks A and B:

  • eth0 - physical interface - no ip address
    • eth0.1 - VLAN interface for network A - no ip address
    • eth0.2 - VLAN interface for network B - ip address for network B
  • br0 - bridge - ip address for network A
    • combines eth0.1 with other (irrelevant) interfaces

Question

A packet arrives from network A, so it is tagged with VLAN ID 1. Physically, it is received by eth0. Logically by eth0.1 but also by br0.

If the destination IP is in network B then it will additionally be forwarded logically to eth0.2 but has to leave physically through eth0 again.

In what order are such packets processed by ingress/egress qdiscs and PRE/POSTROUTING iptables?

What about the other direction, from network B to A through the same interfaces?

See netfiler packet flow diagram for reference: netfiler packet flow diagra

Improve this question

1 Answer 1

Reset to default
2

After some experiments with tcpdump and iptables I've observed the following:

If a packet sent from network A to network B then tcpdump shows :

  1. eth0: VLAN ID 1 tagged frame (4 bytes larger).
  2. eth0.1: un-tagged frame
  3. br0: same frame
  4. eth0.2: NATed frame

Iptables:

  1. br0 in
  2. NAT
  3. eth0.2 out

I assume qdiscs are processed in an order like this:

  1. eth0 ingress
  2. eth0.1 ingress
  3. br0 ingress
  4. br0 egress
  5. eth0.1 egress
  6. eth0 egress
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.