How to connect 2 virtual bridges so traffic goes from one to the other?

linux debian networking bridge
6,926

There is no provision for specifically handling virtual dual interfaces type veth. So a bit of tinkering is in order mainly by using the pre-up option. I kept veth0 and veth1 here, but you should really consider choosing any other names (eg veth-br0 and veth-lanbr0), because those are the default names chosen if not supplied (eg: ip link add type veth), and they might clash.

For the veth interfaces:

iface veth0 inet manual
        pre-up ip link add veth0 type veth peer name veth1 || :
        hwaddress 02:00:00:01:00:00

iface veth1 inet manual
        pre-up ip link add veth1 type veth peer name veth0 || :
        hwaddress 02:00:00:01:00:01

This enables both interface when bringing up any of them. The || : is here to not fail because the peer interface was already set up by the "other" interface. Please note that for ifup's internal state's sake, both should be brought up in the end even if bringing up one will make the other appear. For the intended usage, the hwaddress is probably optional and can anyway be set to any other correct value. The bridge takes the MAC address of the first enslaved interface.

Now use them in the bridges. I won't put all your setup (because you didn't really give it), just the veth related parts. You will have to adapt what I couldn't guess and where I left some XXXX or ... (eg, is inet XXXX inet manual inet static or inet dhcp?)

auto br0
iface br0 inet XXXX
    pre-up ifup veth0
    bridge_ports eth0 veth0        
    ...

auto lanbr0
iface lanbr0 inet XXXX
    pre-up ifup veth1
    bridge_ports veth1 eth1
    address xx.xx.xx.xx
    netmask 255.255.255.0
    ...

Note I prepended an ifup vethX command inside, because else it will complain the interface didn't exist, will bring up the bridge without this interface and consider it done. I didn't have to use || : here because bringing up an already logically (meaning ifupdown's state) up interface isn't an error.

After completing the missing parts, put these in separate (or not) configuration files in /etc/network/interfaces.d (or even /etc/network/interfaces) and that should be working.

If it didn't work at first, try bringing logically down all interfaces (by logically I mean using ifdown) and try again: that would be because of a wrong logical state preventing some interfaces to be (re)configured correctly.

Also note that there might be interactions with other network managers, like... NetworkManager. There are probably options to have them ignore some interfaces, but that's out of the scope of this answer.

Share:
6,926

Related videos on Youtube

WU7
Author by

WU7

Updated on September 18, 2022

Comments

  • WU7
    WU7 almost 2 years

    Debian system, current situation, configured via etc/network/interfaces

    bridge "br0" has 2 physical ethernet interfaces eth0 (WAN side, connected to ISP modem/router) eth1 (LAN side going to a physical switch)

    Traffic between eth0 and eth1 is passing through the IPtables firewall and Suricata as an IPS. This setup is currently working ok.

    Now I want to add "pi-hole" to this setup via a Linux container. The linux container needs a virtual bridge to add its virtual ethernet interface.

    So I want to achieve the following:

    Virtual Bridge "br0" - with eth0 (WAN)

    <-->

    connected to virtual bridge "lanbr0" - with eth1 (LAN) - with veth0 (virtual ethernet interface for LXC)

    This way I can add more interfaces to the "lanbr0" bridge if needed in the future.

    edit I was able to do this via the following commands ip link add veth0 type veth peer name veth1

    then adding veth0 to br0 and veth1 to lanbr0 + moving eth1 from br0 to lanbr0 after bringing all interfaces up

    However, how do I do this via /etc/network/interfaces (so it loads during startup like this?

  • WU7
    WU7 almost 6 years
    Thank you very much for your time to reply with this answer. It worked perfectly.
  • WU7
    WU7 almost 6 years
    next challenge is to adjust my iptables and suricata... but that's a matter of setting some variables normally.
  • WU7
    WU7 almost 6 years
    Also thx for adding the explanation with it.. I’ll rename the veth interfaces so I still know what was done months after.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Packets not moving through linux ethernet bridge
tc on bridge port
Reverse DNS lookups slowing down network operations on LAN
How to find status of wlan0?
Connecting to a wireless network (open and protected) from terminal
How to set a routing table that prefers wlan dhcp interface as default route?
How do I set up several interfaces all bridged onto eth0?
opening port 7 (echo port) on Linux/Debian
Wifi adapter not working Kali linux
Why I cannot ping the ip after I bridged them?