
Premise:

I am using a Raspberry Pi 3 as an AP. I have added a USB to ethernet adapter and this is the configuration I have:

  • built in eth port as eth0 (WAN)
  • built in wifi interface as wlan0 (LAN, wireless)
  • usb to ethernet adapter as eth1 (LAN, wired)

I have successfully bridged wlan0 and eth1 into a bridge, br0.

Then I have set up a NAT to allow the devices on br0 to connect to the internet. All of this works.

Problem:

Now I would like to split the wired LAN, so that there is a virtual network (eth1:0) for trusted devices and another virtual network for less trusted devices (eth1:1).

The idea would be to add to br0 only eth1:0. This seems to work, but when I list the bridges, br0 seems to use directly eth1, instead of the virtual interface eth1:0.

In fact, if I try to create another bridge (br1) and add the other virtual network (eth1:1), I get an error saying that the interface is already in a bridge.

So it seems that a virtual interface cannot be added to a bridge, only its parent.

Is this true? Is there some other way to do it?

This is the test script I am using:

#!/bin/bash
# Interface roles as described above (not set in the posted script; added so it runs)
WAN=eth0        # built-in ethernet port, WAN
WIFI=wlan0      # built-in wifi interface, LAN (wireless)
LAN=eth1        # USB to ethernet adapter, LAN (wired)
BRIDGE=br0

function teardown_firewall() {
    # Not shown in the posted script; flushes the rules configure_firewall adds
    # so that re-running the script does not stack duplicate rules
    echo TEARDOWN FIREWALL START
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT
    iptables -t nat -F POSTROUTING
    echo TEARDOWN FIREWALL END
}

function configure_firewall() {
    echo CONFIGURE FIREWALL START
    ####################### FORWARDING #####################
    # Enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Allow forwarding of traffic LAN -> WAN
    iptables -A FORWARD -i ${BRIDGE} -o ${WAN} -j ACCEPT

    # Allow traffic WAN -> LAN but only as reply to communication initiated from the LAN
    iptables -A FORWARD -i ${WAN} -o ${BRIDGE} -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Drop anything else
    iptables -A FORWARD -j DROP

    ####################### MASQUERADING ########################

    # Do the NAT
    iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

    ###################### INPUT #############################
    # Allow local connections
    iptables -A INPUT -i lo -j ACCEPT

    iptables -A INPUT -i ${BRIDGE} -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -i ${WAN} -j ACCEPT
    iptables -A INPUT -i ${WAN} -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -j DROP

    ###################### OUTPUT #############################
    iptables -A OUTPUT -j ACCEPT
    echo CONFIGURE FIREWALL END
}

function teardown_bridge() {
    echo TEARDOWN BRIDGE START
    ifconfig ${BRIDGE} down
    brctl delif ${BRIDGE} ${LAN}:0
    brctl delif ${BRIDGE} ${WIFI}
    brctl delbr ${BRIDGE}
    echo TEARDOWN BRIDGE END
}

function configure_bridge() {
    echo CONFIGURE BRIDGE START
    brctl addbr ${BRIDGE}
    brctl addif ${BRIDGE} ${LAN}:0
    brctl addif ${BRIDGE} ${WIFI}
    # The broadcast address of 192.168.10.0/24 is .255 (the posted script had .0, the network address)
    ifconfig ${BRIDGE} up 192.168.10.1 netmask 255.255.255.0 broadcast 192.168.10.255
    echo CONFIGURE BRIDGE END
}

function configure_interfaces() {
    echo CONFIGURE INTERFACES START
    # Placeholder addresses, only used to bring the parent and its aliases up
    ifconfig ${LAN} up 0.0.0.1
    ifconfig ${LAN}:0 up 0.0.0.2
    ifconfig ${LAN}:1 up 0.0.0.3
    echo CONFIGURE INTERFACES END
}

function teardown_interfaces() {
    echo TEARDOWN INTERFACES START
    # ifdown only knows interfaces listed in /etc/network/interfaces,
    # so mirror the ifconfig calls used in configure_interfaces
    ifconfig ${LAN}:1 down
    ifconfig ${LAN}:0 down
    ifconfig ${LAN} down
    echo TEARDOWN INTERFACES END
}

function delayed_reset() {
    for i in $(seq 15 -1 0); do
        sleep 1
        echo ${i}
    done
    sync
    reboot
    exit
}

#test_network

#if [ $? -ne 0 ] ; then
    teardown_firewall
    teardown_bridge
    teardown_interfaces
    configure_interfaces
    configure_bridge
    configure_firewall
    #delayed_reset
#fi

After running the script, if I run ifconfig, it looks like the virtual networks exist:

eth1      Link encap:Ethernet  HWaddr 00:13:3b:62:11:f6  
          inet addr:0.0.0.1  Bcast:255.255.255.255  Mask:0.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30712 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5261152 (5.0 MiB)  TX bytes:5355909 (5.1 MiB)

eth1:0    Link encap:Ethernet  HWaddr 00:13:3b:62:11:f6  
          inet addr:0.0.0.2  Bcast:255.255.255.255  Mask:0.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1:1    Link encap:Ethernet  HWaddr 00:13:3b:62:11:f6  
          inet addr:0.0.0.3  Bcast:255.255.255.255  Mask:0.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

But the entire eth1 appears to be in br0:

root@raspberrypi:/home/pi# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.00133b6211f6       no              eth1
                                                        wlan0

And this seems to confirm it:

root@raspberrypi:/home/pi# brctl addbr br1
root@raspberrypi:/home/pi# brctl addif br1 eth1:1
device eth1:1 is already a member of a bridge; can't enslave it to bridge br1.

Note: I did look at Create and bridge virtual network interfaces in Linux but it seems to be obsolete, as it refers to iproute2.

  • Since you show a lot of iptables configuration and no ebtables, yet you're using a bridge, you should probably start reading about it now. Commented Jan 24, 2017 at 4:12
  • @JuliePelletier thank you. I'm doing this as a hobby project, never had much of a chance to work on routing, and somehow ebtables has managed to go under my radar all these years. Is ebtables.netfilter.org/br_fw_ia/br_fw_ia.html a good starting point or would you recommend starting elsewhere? Commented Jan 24, 2017 at 19:58

1 Answer

You can't create br0 and br1 bridges on one interface eth1, because eth1:0 and eth1:1 are the same interface eth1 with two different IP addresses. You can create VLANs if your wired network and switch allow it. If you create two VLANs eth1.10 and eth1.20 you will have two different interfaces, which can be used for bridges br0 and br1.

  • Thank you, now I see my error. I got confused and assumed multiple addresses would qualify as a virtual network; instead I really need a new interface. Commented Jan 24, 2017 at 20:00
  • For the record, this is what got me confused: linuxconfig.org/configuring-virtual-network-interfaces-in-linux If I now understood correctly, the article is misusing the word "virtual" to represent what is actually a multiple-address configuration, as opposed to a full VLAN deployment. Commented Jan 24, 2017 at 21:44
  • Yes. This article at linuxconfig.org is wrong. Read about KVM and Linux networking on the Red Hat documentation site. Commented Jan 25, 2017 at 5:27
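A worked version of the answer's VLAN approach, added here as an example and not part of the answer or the asker's script: one 802.1Q sub-interface per segment (eth1.10 trusted, eth1.20 less trusted; the VLAN ids, bridge names and subnets are assumed), each in its own bridge, with wlan0 kept on the trusted bridge and forwarding rules that let each segment reach the WAN but not each other. It uses iproute2 instead of brctl/ifconfig, prints the commands by default, and when applied needs a switch port that trunks both VLANs.

```shell
#!/bin/sh
# Added example (not from the question or answer): one 802.1Q VLAN per
# segment, each in its own bridge. VLAN ids 10/20, bridge names and
# subnets are assumed. DRY_RUN=1 (default) only prints the commands;
# DRY_RUN=0 as root applies them. The switch must trunk VLANs 10 and 20.
WAN=eth0
LAN=eth1
WIFI=wlan0
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# VLAN sub-interface LAN.vid, a bridge for it, enslave it, address the bridge.
setup_segment() {   # args: vlan_id bridge cidr
    vid=$1; br=$2; cidr=$3; vlan="${LAN}.${vid}"
    run ip link add link "$LAN" name "$vlan" type vlan id "$vid"
    run ip link add name "$br" type bridge
    run ip link set dev "$vlan" master "$br"
    run ip addr add "$cidr" dev "$br"
    run ip link set dev "$vlan" up
    run ip link set dev "$br" up
}

# Each segment reaches the WAN and gets replies back; nothing else is
# accepted, so br0 <-> br1 traffic falls through to the final DROP.
firewall_segment() {   # arg: bridge
    run iptables -A FORWARD -i "$1" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$1" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

main() {
    run ip link set dev "$LAN" up
    setup_segment 10 br0 192.168.10.1/24     # trusted wired devices
    setup_segment 20 br1 192.168.20.1/24     # less trusted wired devices
    run ip link set dev "$WIFI" master br0    # wifi stays on the trusted side
    run sysctl -w net.ipv4.ip_forward=1
    firewall_segment br0
    firewall_segment br1
    # Segment isolation made explicit (the final DROP would catch it anyway)
    run iptables -A FORWARD -i br0 -o br1 -j DROP
    run iptables -A FORWARD -i br1 -o br0 -j DROP
    run iptables -A FORWARD -j DROP
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}
main
```

After applying, `bridge link` (or `brctl show`) lists eth1.10 and wlan0 under br0 and eth1.20 under br1, which is the split the question was after.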
