Linode Forum
Linode Community Forums
 Post subject: Trouble with bridging?
Posted: Sat Jun 07, 2008 11:01 pm
Senior Newbie

Joined: Thu Jun 05, 2008 10:43 pm
Posts: 11
My Linode is the Slackware 10.0 image with the latest version of bridge-utils. I'm trying to create a bridge ("br0") between eth0 and tap0. This is using the sample "bridge-start" script that comes with OpenVPN that I've used successfully before.

I get to the point where the br0 interface has my Linode IP, and eth0 and tap0 are both up, but have no addresses (I believe this is the normal state). My routing table looks okay too. Oh, and "brctl show" shows tap0 and eth0 indeed bridged on br0.

However once I'm here, I don't have any connectivity -- can't ping my gateway, or anything. I can only use the AJAX terminal (by the way...cool feature!!...)

Any ideas?


Posted: Sat Jun 07, 2008 11:29 pm
Linode Staff

Joined: Tue Apr 15, 2003 6:24 pm
Posts: 3090
Website: http://www.linode.com/
Location: Galloway, NJ
How about the output of:

brctl show
ifconfig
route -n

-Chris


Posted: Sun Jun 08, 2008 8:14 am
Senior Newbie

Joined: Thu Jun 05, 2008 10:43 pm
Posts: 11
Here you go:

Code:
[root@orion ~]$ brctl show                                                                          
bridge name     bridge id               STP enabled     interfaces                                 
br0             8000.00ff6b4b8097       no              eth0                                       
                                                        tap0                                       
[root@orion ~]$ ifconfig | more                                                                     
br0       Link encap:Ethernet  HWaddr 00:FF:6B:4B:80:97                                             
          inet addr:207.192.70.105  Bcast:207.192.70.255  Mask:255.255.255.0                       
          inet6 addr: fe80::2ff:6bff:fe4b:8097/64 Scope:Link                                       
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1                                       
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0                                       
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0                                     
          collisions:0 txqueuelen:0                                                                 
          RX bytes:661 (661.0 b)  TX bytes:1350 (1.3 Kb)                                           
                                                                                                   
eth0      Link encap:Ethernet  HWaddr FE:FD:CF:C0:46:69                                             
          inet6 addr: fe80::fcfd:cfff:fec0:4669/64 Scope:Link                                       
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1                               
          RX packets:2713 errors:0 dropped:0 overruns:0 frame:0                                     
          TX packets:1673 errors:0 dropped:0 overruns:0 carrier:0                                   
          collisions:0 txqueuelen:1000                                                             
          RX bytes:586429 (572.6 Kb)  TX bytes:262755 (256.5 Kb)                                   
          Interrupt:16                                                                             
                                                                                                   
lo        Link encap:Local Loopback                                                                 
          inet addr:127.0.0.1  Mask:255.0.0.0                                                       
          inet6 addr: ::1/128 Scope:Host                                                           
          UP LOOPBACK RUNNING  MTU:16436  Metric:1                                                 
          RX packets:68 errors:0 dropped:0 overruns:0 frame:0                                       
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0                                     
          collisions:0 txqueuelen:0                                                                 
          RX bytes:7895 (7.7 Kb)  TX bytes:7895 (7.7 Kb)                                           
                                                                                                   
tap0      Link encap:Ethernet  HWaddr 00:FF:6B:4B:80:97                                             
          inet6 addr: fe80::2ff:6bff:fe4b:8097/64 Scope:Link                                       
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1                               
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0                                       
          TX packets:0 errors:0 dropped:20 overruns:0 carrier:0                                     
          collisions:0 txqueuelen:0                                                                 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)                                                   

[root@orion ~]$ route -n                                                                           
Kernel IP routing table                                                                             
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface                       
207.192.70.0    0.0.0.0         255.255.255.0   U     0      0        0 br0                         
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo                         
0.0.0.0         207.192.70.1    0.0.0.0         UG    0      0        0 br0


Posted: Sun Jun 08, 2008 9:50 am
Senior Newbie

Joined: Thu Jun 05, 2008 10:43 pm
Posts: 11
Ahh! I think I figured it out. The hardware/MAC address for br0 needed to be the same as eth0's hardware/MAC address. I changed it manually with "ifconfig", and it appears to be working now. If I find out anything else, I will follow up...


Posted: Sun Jun 08, 2008 6:11 pm
Senior Newbie

Joined: Thu Jun 05, 2008 10:43 pm
Posts: 11
Okay, I've gotten this somewhat working, but I've still hit another snag.

My client machine connects over OpenVPN to my Linode with bridging. Then I configure the client's tap0 as my second Linode IP.

If I try to connect to my Linode IP externally, I see an arp who-has (public IP), which gets forwarded over the OpenVPN tunnel to the client. The client then responds with its tap0 MAC address (which I guess is just generated randomly).

However, at this point, it seems like the Linode routers just discard the response (maybe because they don't like the MAC address?)

What seems to work, although I don't know how to persist this setting, is if I use my first Linode/first IP to do proxy ARP for the second IP. That is, I temporarily bring up the second IP on my Linode, ping it (thus caching the MAC <==> IP relationship in Linode's routers, I suppose), and then bring it back down, and then bring back up the tunnel.

So then, if I enable IP forwarding on my Linode, my machine answers with "itself" for the ARP request (for the second IP), and then forwards the packets down the tunnel, and everything is working. However, this doesn't stay because eventually the ARP entry expires out of the Linode routers, and everything dies.

After looking around for a long time, it doesn't seem possible any more to add a manual published ARP entry (either with 'ip neigh add proxy' or 'arp -s ..... pub') -- this seems to have been replaced with "auto" proxy ARP, where Linux will proxy for you automatically if you set the flag in /proc to 1 and it detects an attempt to cross two divergent subnets (but this doesn't help when the IPs are adjacent to each other!).

So two questions:

1) Is there a way I can report back a MAC address in response to the ARP from the Linode routers that will be "accepted"?, or

2) Is it possible (in any way) to set manual proxy ARP entries in Linux 2.6, such that I can use IP forwarding from my first IP?


Posted: Sun Jun 08, 2008 7:43 pm
Senior Newbie

Joined: Thu Jun 05, 2008 10:43 pm
Posts: 11
Quote:
However, at this point, it seems like the Linode routers just discard the response (maybe because they don't like the MAC address?)

I did a quick experiment -- I bumped my MAC address by one (for eth0) and then tried to send out some traffic -- no luck. So I guess traffic is filtered by MAC address also. Would it be possible to get a second MAC address assigned to my Linode? Given that I have a second IP and I'm using bridging?


Post subject: re second mac address
Posted: Mon Jun 09, 2008 10:30 am
Junior Member

Joined: Thu Nov 08, 2007 12:40 am
Posts: 34
Ophidian14 wrote:
Quote:
However, at this point, it seems like the Linode routers just discard the response (maybe because they don't like the MAC address?)

I did a quick experiment -- I bumped my MAC address by one (for eth0) and then tried to send out some traffic -- no luck. So I guess traffic is filtered by MAC address also. Would it be possible to get a second MAC address assigned to my Linode? Given that I have a second IP and I'm using bridging?


Try:
ifconfig ethx hw ether 00:E0:29:6E:04:78

ie make up a mac address or use one of your local ones.

I'm sorry..I read your message again. This is probably not what you want.

Fred B.


Posted: Mon Jun 09, 2008 11:34 am
Senior Newbie

Joined: Thu Jun 05, 2008 10:43 pm
Posts: 11
Quote:
ifconfig ethx hw ether 00:E0:29:6E:04:78

ie make up a mac address or use one of your local ones.

I'm sorry..I read your message again. This is probably not what you want.

Right. Unless I use the MAC address that was already assigned to my eth0 interface on my Linode, I can't send out any traffic.


Posted: Tue Jun 10, 2008 6:27 pm
Senior Newbie

Joined: Thu Jun 05, 2008 10:43 pm
Posts: 11
Ophidian14 wrote:
2) Is it possible (in any way) to set manual proxy ARP entries in Linux 2.6, such that I can use IP forwarding from my first IP?

Well, I'm fairly certain I've figured out a way. It's sort of a hack, but it seems to work.

Basically, I wrote a small daemon that uses libpcap to watch for incoming ARP requests. If it sees one for my second IP, it answers automatically with my own Linode MAC address.

From there, I get packets for both IP addresses on my Linode, but IP forwarding in the Linux kernel sends (another) ARP request down my tap0 tunnel to my home machine (which is actually really configured with my second address) which answers with *its* MAC address. The Linode then forwards the traffic right along.

One little snag is that this is all a little confusing to the kernel and it's sending out ICMP redirects to anyone who contacts the second address, because it thinks there's a shorter route through the Linode gateway (when there really isn't). I'm going to hunt through /proc to see if I can turn that off....and if not, I'll just firewall it out. (update: this is easily disabled via /proc/sys/net/ipv4/conf/br0/send_redirects)

Anyway, if anyone wants the code for my little daemon gizmo, just let me know.
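
The arrangement described in the post above, where one MAC address answers ARP for two IPs, is visible to anyone watching ARP on the segment. As an added example (not the poster's daemon and not code from this thread), the Python below parses ARP replies and flags that pattern against an assumed IP-to-MAC inventory; the function names, addresses and inventory are all constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None  # truncated, or EtherType is not ARP
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 2):
        return None  # not Ethernet/IPv4 ARP, or a request rather than a reply
    return frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

def audit(frames, expected):
    """Flag replies that contradict `expected` (IP -> MAC) or share one MAC across IPs."""
    findings, ips_by_mac = [], defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        ips_by_mac[mac].add(ip)
        finding = ("unexpected-mac", ip, mac)
        if expected.get(ip, mac) != mac and finding not in findings:
            findings.append(finding)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("one-mac-many-ips", mac, sorted(ips)))
    return findings

def make_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply frame (sample input only, never sent)."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return (raw(target_mac) + raw(sender_mac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + raw(sender_mac) + socket.inet_aton(sender_ip)
            + raw(target_mac) + socket.inet_aton(target_ip))

# Constructed sample: documentation-range IPs, locally administered MACs.
HOST, CLIENT, ROUTER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:fe"
EXPECTED = {"192.0.2.10": HOST, "192.0.2.11": CLIENT}  # assumed inventory
SAMPLE = [
    make_reply(HOST, "192.0.2.10", ROUTER, "192.0.2.1"),
    make_reply(HOST, "192.0.2.11", ROUTER, "192.0.2.1"),  # host answers for second IP
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED):
        print(finding)
```

On a live segment the frames would come from a capture of EtherType 0x0806 traffic rather than from `make_reply`.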


Posted: Mon May 11, 2009 8:15 am
Senior Newbie

Joined: Mon Oct 09, 2006 7:05 pm
Posts: 5
Ophidian14,

I am trying to set up a bridged OpenVPN server on my VM. The only difference between my configuration and yours seems to be that I'm bridging eth0:0 and not eth0. However, when I bring up the br0 interface, my Linode loses connectivity after a short while, which might (or might not) be related to the MAC address filtering happening at Linode's side.

Would you be able to share your ARP daemon?

Cheers,
osierra

