EBTables control bridges, switches, but not ports?

DD-WRT Forum Index -> Advanced Networking
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

Posted: Thu Jun 16, 2022 11:11    Post subject: EBTables control bridges, switches, but not ports?
Let's say there is a router with the following interfaces:
eth0 - LAN port
eth1 - WAN port
br0 - bridge
switch0 - switch

The brctl command shows "br0" is the interface name for the "switch0" interface. That is very confusing... I think the correct description is that switch0 is enslaved to br0.

EBTables can independently filter not only bridge interface layer 2 frames and layer 3 packets, but also switch interface packets for switches enslaved to bridges. For example, the following rule drops all broadcast packets from switch0:
Code:
ebtables -I INPUT -i switch0 --pkttype-type broadcast -j DROP

I am not sure if EBTables can independently filter layer 2 frames for switches enslaved to bridges.

If EBTables filter rules can specify and separately control switch interfaces (switch0) enslaved to bridges (br0), then why can't EBTables filter and separately control ethernet ports (eth0 and/or eth1)? For example, if:
Code:
ebtables -I INPUT -i eth0 --pkttype-type broadcast -j DROP

is the only EBTables rule, then eth0 broadcast packets are not filtered.

Here's what I notice:
IPTables can filter layer 3 packets for ethernet ports and bridges, but they can't filter packets for switches
EBTables can filter layer 2 and layer 3 packets for bridges and layer 3 packets for switches, but they can't filter packets for bridges and switches.

A packet from a client travels from the PC port and arrives at the router port, gets filtered by IPTables, then the packet travels from the router port and arrives at the switch, gets filtered by EBTables, and then the same packet travels from the switch to the bridge and gets filtered by EBTables again?

The flow chart below divides the information flow by network layer, but it doesn't divide the filtering process by bridges, switches, and ethernet ports.
http://inai.de/images/nf-packet-flow.png

Is there a better chart that explains how layer 2 filtering can happen for bridges and switches?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Jun 16, 2022 12:19
https://linux.die.net/man/8/ebtables

I am not an expert in these matters, but I think when the ethernet frame enters the switch the switch fabric takes over.

You can use vlan tagging; that is something the switch fabric understands.

Although you can use ebtables to filter layer 3 (as the information is in the ethernet frame), it is not something you want, as ebtables is very resource intensive.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Thu Jun 16, 2022 12:33
egc wrote:
https://linux.die.net/man/8/ebtables

I am not an expert in these matters, but I think when the ethernet frame enters the switch the switch fabric takes over.

You can use vlan tagging; that is something the switch fabric understands.

Although you can use ebtables to filter layer 3 (as the information is in the ethernet frame), it is not something you want, as ebtables is very resource intensive.


in addition to egc's post from above...not knowing your router model and the current firmware on it...some routers don't have support for ebtables and some need to insmod those...
add those lines in the firewall script...

insmod ebtables
insmod ebtable_filter
insmod ebt_pkttype

but bear in mind, those tend to be very resource demanding..
also there are some routers with a dumb switch..not capable of extra stuff...ebtables or vlan's

if you want to filter stuff using switch ebtables between switch clients and bridges there is a lot to process...and it's better to use another approach..
to be honest the only use of ebtables i have is to filter multicast on wifi

ebtables -A FORWARD -o wlan0 --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o wlan0 --pkttype-type multicast -j DROP

in general bridges (br) are virtual interfaces where you link physical interfaces...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Thu Jun 16, 2022 17:41
Managed switches FTW, no consumer router has those.
_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Jun 16, 2022 17:51
I can only speak to this issue from the perspective of an actual router I'm using, the ASUS RT-AC68U. So things may vary a bit for different routers. Even for the same router, it may differ from firmware to firmware.

Using DD-WRT, there is no switch0 network interface. Nor is a port defined by a single network interface such as eth0.

Specifically, I have VLAN1 which includes all the LAN ports. I also have an eth0, but it's mapped to VLAN2 (the WAN). I also have two radios, eth1 (2.4GHz) and eth2 (5GHz). That represents all the *physical* network interfaces.

I also have a bridge called br0 that has vlan1, eth1, and eth2 assigned to it, so that all are treated as a single entity, at least from the perspective of TCP/IP (layer 3). By definition, I can NOT address the individually assigned network interfaces in any way using layer 3. That's the whole point of assigning them to a common bridge. I can only address the bridge itself for the purpose of routing, firewall rules, etc.

ebtables (layer 2) is a different story. It is possible to address the individual network interfaces of a bridge w/ ebtables since it is NOT bound by the rules of layer 3.

In fact, using ASUS/Merlin, guest networks are defined within the *private* network of br0! Yet, that firmware is able to isolate guest users (which are defined as virtual network interfaces of either eth1 or eth2 (e.g., wl0.1, wl1.1, wl0.2, wl1.2, etc.)) from devices that are NOT guests, despite sharing the same layer 3 bridge. And that's because it uses ebtables to deny access from those virtual network interfaces to the IP network defined on br0. That's only possible if ebtables *can* filter traffic at layer 2 of br0. And we know it can; the ASUS/Merlin firmware does this all the time.

In fact, *any* firmware that supports its guest network(s) on the same private network as NON guests is forced to use ebtables for the purposes of isolation. It's one of the reasons many ppl don't like the idea of this approach (myself included), and much prefer keeping guests on their own separate network interfaces (and by extension, own separate IP networks), whether that be a raw VAP (e.g., wl0.1), or new bridge (e.g., br1) w/ the VAP assigned to it. Isolation management then becomes a layer 3 function exclusively (note: AP isolation plays a role as well, regardless of layer 2 or layer 3 isolation, but it's irrelevant to the point I'm addressing at the moment).

The following is a dump of ebtables w/ ASUS/Merlin, where guest #2 on 2.4GHz (wl0.2) has been isolated from other devices on the br0 network (192.168.1.0/24).

Code:
admin@lab-merlin1:/tmp/home/root# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 5, policy: ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP


No, it is NOT a complete and total isolation. I don't even know if that's actually possible. Broadcast packets are still available to guests for devices that those guests are ultimately denied access to at the IP level (layer 3). That's another one of the disadvantages of maintaining guests on the same network interface (br0, 192.168.1.0/24) as NON guests. It's why I detest how ASUS/Merlin implements guest networks. It leads to various issues that could be easily avoided by keeping them isolated on their own network interfaces @ layer 3. But manufacturers, for whatever reason, sometimes choose to do otherwise.

To be clear, I'm NOT an ebtables expert. I know enough to use it on occasion for specific purposes (e.g., blocking DHCP across the OpenVPN tunnel on a bridged (TAP) configuration) (yet another example of how it's possible to filter the tunnel's layer 2 network interface (e.g., tun0) despite it typically being assigned to the default bridge (br0)). And I know enough about it to appreciate the weaknesses in the ASUS/Merlin (and other manufacturers that use the same approach) guest networks implementation. But just how far you can push in terms of things like controlling broadcast messages in general (we know you can block DHCP broadcast messages specifically), I don't know. I've just never had the need, esp. since I always (like DD-WRT) maintain separation at layer 3, NOT layer 2.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)


Last edited by eibgrad on Thu Jun 16, 2022 19:31; edited 1 time in total
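As an added illustration (not code from eibgrad's post or from the ASUS/Merlin firmware), the small audit below parses an `ebtables -t broute -L` listing like the one above and reports, per guest interface, which IP protocols are diverted to layer 3 and which are still bridged straight into the subnet. It relies on the broute table's special target semantics (DROP means "route this frame", ACCEPT means "bridge it"); the sample dump is reconstructed from the post, and the duplicate-rule check and the "udp" gap it surfaces are this example's own additions.

```python
import re
from collections import Counter

# Constructed from the dump in the post above: same interface, subnet and rules.
SAMPLE_DUMP = """\
Bridge table: broute

Bridge chain: BROUTING, entries: 5, policy: ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
"""

# IP protocols a guest should not be able to bridge straight into the LAN.
CHECKED_PROTOS = {"icmp", "tcp", "udp"}

RULE_RE = re.compile(r"-i (\S+) --ip-dst (\S+)(?: --ip-proto (\S+))? -j (\S+)")


def parse_brouting(dump):
    """Return (chain policy, list of (in_if, dst, proto, target)) from the listing."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith("Bridge chain:"):
            policy = line.rsplit("policy:", 1)[1].strip()
        m = RULE_RE.search(line)
        if m:
            rules.append(m.groups())
    return policy, rules


def audit(dump, subnet):
    """Per guest interface: protocols diverted to layer 3 vs. still bridged.

    In the broute table -j DROP means "route the frame" (iptables then sees it)
    and ACCEPT means "bridge it", so with an ACCEPT policy every protocol
    without a DROP rule reaches `subnet` at layer 2 unseen by iptables.
    """
    policy, rules = parse_brouting(dump)
    report = {"policy": policy,
              "duplicates": [r for r, n in Counter(rules).items() if n > 1],
              "interfaces": {}}
    for in_if in sorted({r[0] for r in rules}):
        diverted = {r[2] or "any" for r in rules
                    if r[0] == in_if and r[1] == subnet and r[3] == "DROP"}
        bridged = (set() if "any" in diverted or policy != "ACCEPT"
                   else CHECKED_PROTOS - diverted)
        report["interfaces"][in_if] = {"diverted": diverted, "still_bridged": bridged}
    return report
```

Run against the sample it reports two duplicated rules and that UDP from wl0.2 to 192.168.1.0/24 is still bridged, which is one concrete face of the "not complete isolation" the post describes.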
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Thu Jun 16, 2022 18:55
cof cof cof... gasp, /me drinks water.

ebtables deals with Ethernet protocol which is simpler than the IP protocol which is what iptables deals with.

I don't think the router's unmanaged switch will ever be good enough to do this properly; you can control LAN traffic via a managed switch at port level and specific device level MAC. but stranger things have happened, where there is a will, there is always a way. No matter if you end up with spaghetti on the other side.

eibgrad is on top of it anyway.

What I will say is this: while you have aggregated interfaces under the same bridge br0 by default, isolating bridged interfaces on the same bridge is always gonna be a pita, but creating other bridges for specific interfaces may leave you in a switch loop situation depending on where you zig instead of doing a zag.

Me, I have a managed switch; it's boxed up but it worked well when I used it last for my full network.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Thu Jun 16, 2022 22:55
+1 for managed switch...VLAN capable...
that's what I have to achieve IoT, smart device isolation..
and a router VLAN on its own subnet on one of its switch ports..

OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

Posted: Thu Jun 23, 2022 17:15
Thank you for the input!

Any idea why EBTables is such a performance hog? Having a ton of IPTables rules has negligible impact on performance in modern routers, but EBTables reduces bandwidth drastically.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Thu Jun 23, 2022 18:33
OpenSource Ghost wrote:
Thank you for the input!

Any idea why EBTables is such a performance hog? Having a ton of IPTables rules has negligible impact on performance in modern routers, but EBTables reduces bandwidth drastically.


i guess, if i'm correct...switch frames are processed by the switch CPU, not by the general router CPU..and there it goes...all the translation takes resources...

If your router supports those, for best filtering results use IPset rules ...
Actually if your work relies on any filtering rules, it's worth every penny to get a router that does support those...by default...as IPset rules are executed ultra fast..
But...for some things, if you are not using vlans, you may still need a managed switch...
