Difference between revisions of "Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Bridge"

From bering-uClibc
Jump to: navigation, search
(Created from http://leaf.sourceforge.net/doc/bubridge.html using "html2wiki --dialect=MediaWiki")
 
(Corrected Navigation Links for new Prev page)
 
(2 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
! colspan="3" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Bridge|Advanced Topics - Setting Up a Bridge]]
 
! colspan="3" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Bridge|Advanced Topics - Setting Up a Bridge]]
 
|-
 
|-
| width="20%" align="left"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a File Server|Prev]]
+
| width="20%" align="left"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a RADIUS Server|Prev]]
 
! width="60%" align="center" | [[Bering-uClibc 4.x - User Guide]]
 
! width="60%" align="center" | [[Bering-uClibc 4.x - User Guide]]
 
| width="20%" align="right"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Network Emulator|Next]]
 
| width="20%" align="right"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Network Emulator|Next]]
Line 10: Line 10:
  
 
==Objectives==
 
==Objectives==
We assume here that you have a network running with connectivity to the Internet. What follows describes the use of Bering as a bandwidth manager without having to reconfigure the network. The first step is therefore to setup a bridge and is described here. The second step is described in another chapter of the user's guide ([http://leaf.sf.net/devel/jnilo/buhtb-qos.html Managing QoS with Bering]).
+
We assume here that you want to implement a [[Bering-uClibc 4.x]] machine as an Ethernet "Bridge" which connects together two Ethernet network segments at Layer 2 of the OSI model.
 +
This can be desirable for a number of reasons:
 +
* To overcome the physical limitations of Ethernet installations (such as maximum cable lengths).
 +
* In order to implement some sort of processing or filtering of traffic passing through the bridge:
 +
** Emulation of WAN characteristics on a LAN link.
 +
** Quality of Service or Bandwidth Management.
  
Your external interface (to the internet) will be eth0, your internal interface (to your internal network) is supposed to be done through an ethernet network card (eth1).
+
'''Note: ''' This procedure configures [[Bering-uClibc 4.x]] as a Bridge rather than a Router and hence firewalling cannot be done with Shorewall.
 
+
Bridge supports only filtering on the FORWARD Chain. Shorewall defines rules on input, output, forward and its own tables. If the custom built tables get packets redirected from the FORWARD table, filtering would work. If Shorewall based firewalling is also needed, then the bridge should be replaced by a ARP Proxy set-up for which a quick and dirty setup document is available from Rick Onanian. This setup is, however, simpler to configure and manage.
What follows has been tested with Bering v1.0-stable on a VIA 533 machine with 3 LAN interfaces onboard. (Openbrick box).
+
 
+
The [http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/index.html ADSL Bandwidth Management Howto] is a useful reference for this section.
+
 
+
'''Note: ''' This procedure configures Bering as a bridge and hence firewalling cannot be done with shorewall. Bridge supports only filtering on the FORWARD Chain. Shorewall defines rules on input, output, forward and its own tables. If the custom built tables get packets redirected from the FORWARD table, filtering would work. If shorewall based firewalling is also needed, then the bridge should be replaced by a ARP Proxy set-up for which a quick and dirty setup document is available from Rick Onanian. This setup is, however, simpler to configure and manage.
+
  
 
Importance of such a configuration: If we were to plug a LEAF box in as a bandwidth manager or a firewall and can do so in a transparent fashion - meaning none of the computers need to be reconfigured in any form for IP gateways or subnets. This makes it easy to plug this in and out of a production network without users realizing except for maybe throttling of bandwidth. This also improves the capability to provide greater uptimes.
 
Importance of such a configuration: If we were to plug a LEAF box in as a bandwidth manager or a firewall and can do so in a transparent fashion - meaning none of the computers need to be reconfigured in any form for IP gateways or subnets. This makes it easy to plug this in and out of a production network without users realizing except for maybe throttling of bandwidth. This also improves the capability to provide greater uptimes.
  
==Step 1: declare the bridge package==
+
==Step 1: Declare the <code class="filename">bridge.lrp</code> Package==
Boot a Bering floppy image. Once the LEAF menu appears get access to the linux shell by (q)uitting the menu. Edit the <code class="filename">syslinux.cfg</code> file and declare bridge in the LRP= list of packages to be loaded at boot. Check the Bering [http://leaf.sourceforge.net/devel/jnilo/biaddrm.html installation guide] to learn how to do that.
+
The <code class="filename">bridge.lrp</code> Package implements the '''brctl''' command and also <tt>if-up</tt> and <tt>if-down</tt> hooks.
  
Your <code class="filename">syslinux.cfg</code> file could look like (adjust to your tastes):
+
Add the <tt>bridge</tt> Package to the <tt>LRP</tt> list in <code class="filename">leaf.cfg</code> as described in the [[Bering-uClibc 4.x - User Guide - Basic Configuration - LEAF Packages|LEAF Packages]] Chapter.
  
display syslinux.dpy
+
==Step 2: Install the kernel Modules==
timeout 0
+
In order to have the bridge working, you need to have bridging support enabled through the appropriate kernel Modules.
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/fd0u1680:msdos
+
PKGPATH=/dev/fd0u1680 LRP=root,etc,local,modules,ppp,keyboard,bridge,dnscache,weblet
+
  
The last two lines ("default linux ... dnscache,weblet") must be typed as a single one in <code class="filename">syslinux.cfg</code>
+
You also need to load the driver Module of the network cards assigned to your "External" and "Internal" network links.
 +
With [[Bering-uClibc 4.x]] this is most easily accomplished by using the automatic hardware detection facility described in the [[Bering-uClibc 4.x - User Guide - Basic Configuration - Basic System Configuration|Basic System Configuration]] Chapter.
  
==Step 2: declare the bridge module:==
+
The extra kernel Modules which implement the bridging functionality need to be installed into directory <code class="filename">/lib/modules/</code>.
In order to have the bridge working, you need to have bridging support enabled through the appropriate kernel modules. You also need to declare the driver module of the network card assigned to your internal network. In the following example, this card is supposed to be a Realtek 8139 fast Ethernet module onboard.
+
Once present in this directory they will be loaded automatically when required.
 +
Note that this is rather different from the behaviour with [[Bering-uClibc 3.x]] where the Modules also had to be explicitly declared in file <code class="filename">/etc/modules</code>.
  
To configure your modules, go to the LEAF Packages configuration menu and choose modules. Enter 1) to edit the <code class="filename">/etc/modules</code> file and enter the following information:
+
Extract the following Module files from <code class="filename">modules.tgz</code> and copy them to directory <code class="filename">/lib/modules/</code>. Take care to ''remove'' the directory structure levels - the <code class="filename">.ko</code> files need to be located directly in <code class="filename">/lib/modules/</code> and not in a sub-directory of that.
<nowiki>(...)
+
* <code class="filename">kernel/net/bridge/bridge.ko</code>
# Those realtek based NICs need mii module
+
* <code class="filename">kernel/net/llc/llc.ko</code>
mii
+
* <code class="filename">kernel/net/802/stp.ko</code>
#8139cp
+
8139too
+
# Bridge support
+
bridge
+
(...)
+
</nowiki>
+
 
+
bridge.lrp is shipped as part of the standard Bering floppy. The bridge.lrp contains only the utilities and not the kernel module. The kernel modules for the network interface module and bridging can be downloaded from [http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/ Bering module directory]
+
 
+
Copy the modules to <code class="filename">/lib/modules</code> directory.
+
 
+
Check if they work by giving the commands as follows in the same order (important):
+
<nowiki>Bering -root-
+
# insmod mii
+
 
+
Bering -root-
+
# insmod 8139too
+
 
+
Bering -root-
+
# insmod bridge
+
</nowiki>
+
  
These should load properly as they do not have any other dependencies.
+
Once these files have been copied to directory <code class="filename">/lib/modules/</code> they need to be registered with the module loading system.
 +
This can be done manually by running the following command:
 +
depmod
 +
Note that this is done automatically at boot time.
  
 
==Step 3: Configure the bridge system==
 
==Step 3: Configure the bridge system==
Invoke lrcfg and choose 1) Network configuration and then 1) Network Interfaces. In the interface file, comment all lines except those for the bridge.
+
Invoke '''lrcfg''' and choose <tt>1) Network configuration</tt> and then <tt>1) Network Interfaces</tt>. In the interface file, comment out all lines except those for the bridge (also leave the "loopback" lines un-commented):
 
  <nowiki>(...)
 
  <nowiki>(...)
 
  #Step 4 (optional): configure a bridge
 
  #Step 4 (optional): configure a bridge
Line 72: Line 54:
 
  iface br0 inet static
 
  iface br0 inet static
 
         address 192.168.1.254
 
         address 192.168.1.254
         masklen 24
+
         netmask 255.255.255.0
 
         broadcast 192.168.1.255
 
         broadcast 192.168.1.255
 
         bridge_ports all
 
         bridge_ports all
 
  </nowiki>
 
  </nowiki>
  
The address is not mandatory for the system to work as a bridge but will be necessary if you want to log into the system and manage /configure /monitor the system.
+
The address is not mandatory for the system to work as a bridge but will be necessary if you want to log into the system and manage / configure / monitor the system over the network.
  
Note: Please remember that all other auto configuration and address configurations for all other interfaces should be commented as they become slaves to the bridge and do not have an individual identity.
+
'''Note:''' Please remember that all other auto configuration and address configurations for all other interfaces should be commented out as they become slaves to the bridge and do not have an individual identity.
  
 
==Step 4: Check if the bridge is working properly==
 
==Step 4: Check if the bridge is working properly==
Save the configuration to the boot floppy (through the LEAF backup menu entry) and reboot. Connect the bridge into the network between the gateway and the LAN. During reboot, the system should show a message similar to:
+
Save the configuration (through the LEAF backup menu entry - remember to save the Modules as well as the Configuration).
 +
Physically connect the bridge machine into the network.
  
Bridge firewalling enabled
+
Reboot, the system should show a message similar to:
Eth2 (port 3) entering promiscuous mode.
+
  Configuring network interfaces: Waiting for br0 to get ready (MAXWAIT is 30 seconds).
Eth1 (port 2) entering promiscuous mode.
+
  Eth0 (port 1) entering promiscuous mode.
+
  
  Eth2 (port 3) entering listening mode.
+
In logfile <code class="filename">/var/log/messages</code> you should see messages similar to the following:
  Eth1 (port 2) entering listening mode.
+
  Bridge firewalling registered
  Eth0 (port 1) entering listening mode.
+
NET: Registered protocol family 10
  Bridge (MAXWAIT 32 Seconds)
+
device eth0 entered promiscuous mode
  Eth2 (port 3) entering listening mode.
+
e100 0000:00:0a.0: eth0: NIC Link is Up 100 Mbps Full Duplex
  Eth1 (port 2) entering listening mode.
+
  ADDRCONF(NETDEV_UP): eth0: link is not ready
  Eth0 (port 1) entering listening mode.
+
  ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
  Topology change detected.
+
device eth1 entered promiscuous mode
  Topology change propogated.
+
eth1: DSPCFG accepted after 0 usec.
 +
  eth1: link up.
 +
  eth1: Setting full-duplex based on negotiated link capability.
 +
br0: port 2(eth1) entering learning state
 +
  br0: port 2(eth1) entering learning state
 +
  br0: port 1(eth0) entering learning state
 +
br0: port 1(eth0) entering learning state
 +
  br0: port 2(eth1) entering forwarding state
 +
  br0: port 1(eth0) entering forwarding state
  
Try to ping the gateway from any system. If the ping goes thro' well, the bridge is working properly. If not, check the cables and the type of cable used. If a straight cable is used between the Bering box and the router, switch it for a crossed cable and try the ping.
+
Try to ping the gateway from any system. If the ping goes through well, the bridge is working properly. If not, check the cables and the type of cable used. If a straight cable is used between the Bering box and the router, switch it for a crossed cable and re-try the ping.
  
Try the command <span class="emphasis">''ip li sh''</span> and a device called br0 should show up with the ip configured.
+
Try the following command:
 +
ip addr show dev br0
 +
A device called <tt>br0</tt> should show up with the IP address details configured.
  
'''Note:''' The bridge to router cable would need to be a straight cat5 cable as switch to router would normally be a crossed cable. It would do good to have a straight and a crossed cable handy so that both can be tried out.
+
'''Note:''' The bridge to router cable would need to be a straight CAT5 cable as switch to router would normally be a crossed cable. It would do good to have a straight and a crossed cable handy so that both can be tried out.
  
==Step 5: Using the utilities:==
+
==Step 5: Using the utilities==
bridge.lrp, when installed, provides if-up and if-down files for the bridge to enable custom scripts to run - one good example maybe sending mails out to indicate up and down status of the interface.
+
<code class="filename">bridge.lrp</code>, when installed, provides <code class="filename">if-up</code> and <code class="filename">if-down</code> files for the bridge to enable custom scripts to run - one good example may be sending mails out to indicate up and down status of the interface.
  
 
<span class="emphasis">''brctl''</span> is the bridge control utility. <span class="emphasis">''brctl show''</span> shows all bridges with enslaved interfaces. Since this is most likely the only bridge, you can switch the Spanning Tree Protocol off by giving:
 
<span class="emphasis">''brctl''</span> is the bridge control utility. <span class="emphasis">''brctl show''</span> shows all bridges with enslaved interfaces. Since this is most likely the only bridge, you can switch the Spanning Tree Protocol off by giving:
Line 114: Line 105:
 
----
 
----
 
{| summary="Navigation footer" width="100%"
 
{| summary="Navigation footer" width="100%"
| width="40%" align="left"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a File Server|Prev]]
+
| width="40%" align="left"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a RADIUS Server|Prev]]
 
| width="20%" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics|Up]]
 
| width="20%" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics|Up]]
 
| width="40%" align="right"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Network Emulator|Next]]
 
| width="40%" align="right"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Network Emulator|Next]]

Latest revision as of 13:23, 9 April 2011

Advanced Topics - Setting Up a Bridge
Prev Bering-uClibc 4.x - User Guide Next


Objectives

We assume here that you want to implement a Bering-uClibc 4.x machine as an Ethernet "Bridge" which connects together two Ethernet network segments at Layer 2 of the OSI model. This can be desirable for a number of reasons:

  • To overcome the physical limitations of Ethernet installations (such as maximum cable lengths).
  • In order to implement some sort of processing or filtering of traffic passing through the bridge:
    • Emulation of WAN characteristics on a LAN link.
    • Quality of Service or Bandwidth Management.

Note: This procedure configures Bering-uClibc 4.x as a Bridge rather than a Router and hence firewalling cannot be done with Shorewall. Bridge supports only filtering on the FORWARD Chain. Shorewall defines rules on input, output, forward and its own tables. If the custom built tables get packets redirected from the FORWARD table, filtering would work. If Shorewall based firewalling is also needed, then the bridge should be replaced by a ARP Proxy set-up for which a quick and dirty setup document is available from Rick Onanian. This setup is, however, simpler to configure and manage.

Importance of such a configuration: If we were to plug a LEAF box in as a bandwidth manager or a firewall and can do so in a transparent fashion - meaning none of the computers need to be reconfigured in any form for IP gateways or subnets. This makes it easy to plug this in and out of a production network without users realizing except for maybe throttling of bandwidth. This also improves the capability to provide greater uptimes.

Step 1: Declare the bridge.lrp Package

The bridge.lrp Package implements the brctl command and also if-up and if-down hooks.

Add the bridge Package to the LRP list in leaf.cfg as described in the LEAF Packages Chapter.

Step 2: Install the kernel Modules

In order to have the bridge working, you need to have bridging support enabled through the appropriate kernel Modules.

You also need to load the driver Module of the network cards assigned to your "External" and "Internal" network links. With Bering-uClibc 4.x this is most easily accomplished by using the automatic hardware detection facility described in the Basic System Configuration Chapter.

The extra kernel Modules which implement the bridging functionality need to be installed into directory /lib/modules/. Once present in this directory they will be loaded automatically when required. Note that this is rather different from the behaviour with Bering-uClibc 3.x where the Modules also had to be explicitly declared in file /etc/modules.

Extract the following Module files from modules.tgz and copy them to directory /lib/modules/. Take care to remove the directory structure levels - the .ko files need to be located directly in /lib/modules/ and not in a sub-directory of that.

  • kernel/net/bridge/bridge.ko
  • kernel/net/llc/llc.ko
  • kernel/net/802/stp.ko

Once these files have been copied to directory /lib/modules/ they need to be registered with the module loading system. This can be done manually by running the following command: 

depmod

Note that this is done automatically at boot time.

Step 3: Configure the bridge system

Invoke lrcfg and choose 1) Network configuration and then 1) Network Interfaces. In the interface file, comment out all lines except those for the bridge (also leave the "loopback" lines un-commented): 

(...)
 #Step 4 (optional): configure a bridge
 auto br0
 iface br0 inet static
        address 192.168.1.254
        netmask 255.255.255.0
        broadcast 192.168.1.255
        bridge_ports all

The address is not mandatory for the system to work as a bridge but will be necessary if you want to log into the system and manage / configure / monitor the system over the network.

Note: Please remember that all other auto configuration and address configurations for all other interfaces should be commented out as they become slaves to the bridge and do not have an individual identity.

Step 4: Check if the bridge is working properly

Save the configuration (through the LEAF backup menu entry - remember to save the Modules as well as the Configuration). Physically connect the bridge machine into the network.

Reboot, the system should show a message similar to: 

Configuring network interfaces: Waiting for br0 to get ready (MAXWAIT is 30 seconds).

In logfile /var/log/messages you should see messages similar to the following: 

Bridge firewalling registered
NET: Registered protocol family 10
device eth0 entered promiscuous mode
e100 0000:00:0a.0: eth0: NIC Link is Up 100 Mbps Full Duplex
ADDRCONF(NETDEV_UP): eth0: link is not ready
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
device eth1 entered promiscuous mode
eth1: DSPCFG accepted after 0 usec.
eth1: link up.
eth1: Setting full-duplex based on negotiated link capability.
br0: port 2(eth1) entering learning state
br0: port 2(eth1) entering learning state
br0: port 1(eth0) entering learning state
br0: port 1(eth0) entering learning state
br0: port 2(eth1) entering forwarding state
br0: port 1(eth0) entering forwarding state

Try to ping the gateway from any system. If the ping goes through well, the bridge is working properly. If not, check the cables and the type of cable used. If a straight cable is used between the Bering box and the router, switch it for a crossed cable and re-try the ping.

Try the following command: 

ip addr show dev br0

A device called br0 should show up with the IP address details configured.

Note: The bridge to router cable would need to be a straight CAT5 cable as switch to router would normally be a crossed cable. It would do good to have a straight and a crossed cable handy so that both can be tried out.

Step 5: Using the utilities

bridge.lrp, when installed, provides if-up and if-down files for the bridge to enable custom scripts to run - one good example may be sending mails out to indicate up and down status of the interface.

brctl is the bridge control utility. brctl show shows all bridges with enslaved interfaces. Since this is most likely the only bridge, you can switch the Spanning Tree Protocol off by giving: 

brctl br0 stp off


Prev Up Next
Retrieved from "http://bering-uclibc.zetam.org/index.php?title=Bering-uClibc_4.x_-_User_Guide_-_Advanced_Topics_-_Setting_Up_a_Bridge&oldid=642"