Posted: Thu Jun 16, 2022 11:11 Post subject: EBTables control bridges, switches, but not ports?
Let's say there is a router with the following interfaces:
eth0 - LAN port
eth1 - WAN port
br0 - bridge
switch0 - switch
The brctl command shows "br0" as the interface name for the "switch0" interface. That is very confusing... I think the correct description is that switch0 is enslaved to br0.
EBTables can independently filter not only bridge interface layer 2 frames and layer 3 packets, but also switch interface packets for switches enslaved to bridges. For example, the following rule drops all broadcast packets from switch0:
Code:
ebtables -I INPUT -i switch0 --pkttype-type broadcast -j DROP
I am not sure if EBTables can independently filter layer 2 frames for switches enslaved to bridges.
If EBTables filter rules can specify and separately control switch interfaces (switch0) enslaved to bridges (br0), then why can't EBTables filter and separately control ethernet ports (eth0 and/or eth1)? For example, if:
Code:
ebtables -I INPUT -i eth0 --pkttype-type broadcast -j DROP
is the only EBTables rule, then eth0 broadcast packets are not filtered.
Here's what I notice:
IPTables can filter layer 3 packets for ethernet ports and bridges, but it can't filter packets for switches.
EBTables can filter layer 2 and layer 3 packets for bridges and layer 3 packets for switches, but it can't filter packets for bridges and switches.
A packet from a client travels from the PC port and arrives at the router port, gets filtered by IPTables, then the packet travels from the router port and arrives at the switch, gets filtered by EBTables, and then the same packet travels from the switch to the bridge and gets filtered by EBTables again?
The flow chart below divides information flow by network layer, but it doesn't divide the filtering process by bridges, switches, and ethernet ports.
http://inai.de/images/nf-packet-flow.png
Is there a better chart that explains how layer 2 filtering can happen for bridges and switches?
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Thu Jun 16, 2022 12:33 Post subject:
egc wrote:
https://linux.die.net/man/8/ebtables
I am not an expert in these matters, but I think when the ethernet frame enters the switch the switch fabric takes over.
You can use vlan tagging that is something the switch fabric understands.
Although you can use ebtables to filter layer 3 (as the information is in the ethernet frame), it is not something you want, as ebtables is very resource intensive.
in addition to egc's post from above...not knowing what your router model and current firmware is...some routers don't have support for ebtables and some need to insmod those...
add those lines in firewall script...
but bear in mind, those tend to be very resource demanding..
also there are some routers with dumb switch..not capable to extra stuff...ebtables or vlan's
if you want to filter stuff using switch ebtables between switch clients and bridges there is a lot to process...and it's better to use another approach..
to be honest the only use of ebtables i have is, to filter multicast on wifi
ebtables -A FORWARD -o wlan0 --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o wlan0 --pkttype-type multicast -j DROP
in general bridges (br) are virtual interfaces where you link physical interfaces...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
I can only speak to this issue from the perspective of an actual router I'm using, the ASUS RT-AC68U. So things may vary a bit for different routers. Even for the same router, it may differ from firmware to firmware.
Using DD-WRT, there is no switch0 network interface. Nor is a port defined by a single network interface such as eth0.
Specifically, I have VLAN1 which includes all the LAN ports. I also have an eth0, but it's mapped to VLAN2 (the WAN). I also have two radios, eth1 (2.4GHz) and eth2 (5GHz). That represents all the *physical* network interfaces.
I also have a bridge called br0 that has vlan1, eth1, and eth2 assigned to it, so that all are treated as a single entity, at least from the perspective of TCP/IP (layer 3). By definition, I can NOT address the individually assigned network interfaces in any way using layer 3. That's the whole point of assigning them to a common bridge. I can only address the bridge itself for the purpose of routing, firewall rules, etc.
ebtables (layer 2) is a different story. It is possible to address the individual network interfaces of a bridge w/ ebtables since it is NOT bound by the rules of layer 3.
In fact, using ASUS/Merlin, guest networks are defined within the *private* network of br0! Yet, that firmware is able to isolate guest users (which are defined as virtual network interfaces of either eth1 or eth2 (e.g., wl0.1, wl1.1, wl0.2, wl1.2, etc.)) from devices that are NOT guests, despite sharing the same layer 3 bridge. And that's because it uses ebtables to deny access from those virtual network interfaces to the IP network defined on br0. That's only possible if ebtables *can* filter traffic at layer 2 of br0. And we know it can; the ASUS/Merlin firmware does this all the time.
In fact, *any* firmware that supports its guest network(s) on the same private network as NON guests is forced to use ebtables for the purposes of isolation. It's one of the reasons many people don't like the idea of this approach (myself included), and much prefer keeping guests on their own separate network interfaces (and by extension, their own separate IP networks), whether that be a raw VAP (e.g., wl0.1) or a new bridge (e.g., br1) w/ the VAP assigned to it. Isolation management then becomes a layer 3 function exclusively (note: AP isolation plays a role as well, regardless of layer 2 or layer 3 isolation, but it's irrelevant to the point I'm addressing at the moment).
The following is a dump of ebtables w/ ASUS/Merlin, where guest #2 on 2.4GHz (wl0.2) has been isolated from other devices on the br0 network (192.168.1.0/24).
No, it is NOT a complete and total isolation. I don't even know if that's actually possible. Broadcast packets are still available to guests for devices that those guests are ultimately denied access to at the IP level (layer 3). That's another one of the disadvantages of maintaining guests on the same network interface (br0, 192.168.1.0/24) as NON guests. It's why I detest how ASUS/Merlin implements guest networks. It leads to various issues that could be easily avoided by keeping them isolated on their own network interfaces @ layer 3. But manufacturers, for whatever reason, sometimes choose to do otherwise.
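The dump the post refers to did not survive on this page. As an added example (written for this thread, not the missing dump and not the ASUS/Merlin firmware's own rules), the script below builds an ebtables ruleset of the kind the post describes: it isolates one guest VAP from the rest of the br0 LAN while still letting guests get DHCP and DNS from the router and reach the WAN through it. The guest VAP name (wl0.2), LAN prefix (192.168.1.0/24) and router address (192.168.1.1) are assumptions taken from the post's example; the `-i`/`-o` matches name the bridge port (the enslaved interface), which is the thread's point that ebtables can address individual members of br0. It also shows one way to close the broadcast leak the post mentions, by dropping broadcasts in both directions in the FORWARD chain, which the post's own setup does not do. IPv4 only; IPv6 guests would need equivalent rules.

```shell
#!/bin/sh
# Added example, not the ebtables dump from the post above and not the
# ASUS/Merlin firmware's own rules. It isolates one guest VAP (assumed wl0.2)
# from the rest of the br0 LAN (assumed 192.168.1.0/24, router at 192.168.1.1)
# while still letting guests get DHCP and DNS from the router and reach the
# WAN through it. IPv4 only. Set EBTABLES_DRY_RUN=1 to print the rules instead
# of applying them.

EBTABLES=${EBTABLES:-ebtables}

# Run (or, in dry-run mode, print) one ebtables command.
ebt() {
    if [ "${EBTABLES_DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$EBTABLES" "$*"
    else
        "$EBTABLES" "$@"
    fi
}

# guest_isolation_rules <guest_vap> <lan_cidr> <router_ip>
# -i/-o name the bridge port (the enslaved interface), not the bridge itself.
guest_isolation_rules() {
    vap=$1; lan=$2; gw=$3

    # INPUT: frames the bridge delivers to the router's own stack.
    # Allow DHCP (the client sends it to 255.255.255.255, so no --ip-dst here)
    # and DNS to the router, then refuse everything else aimed at the router's
    # LAN address (web UI, SSH, ...). Frames for public addresses do not match
    # the DROP and are routed out to the WAN as usual.
    ebt -A INPUT -i "$vap" -p IPv4 --ip-proto udp --ip-dport 67 -j ACCEPT
    ebt -A INPUT -i "$vap" -p IPv4 --ip-dst "$gw" --ip-proto udp --ip-dport 53 -j ACCEPT
    ebt -A INPUT -i "$vap" -p IPv4 --ip-dst "$gw" --ip-proto tcp --ip-dport 53 -j ACCEPT
    ebt -A INPUT -i "$vap" -p IPv4 --ip-dst "$gw" -j DROP

    # FORWARD: frames the bridge would switch to another port.
    # Guest -> LAN: drop IPv4 to the LAN prefix, all ARP (the gateway's ARP is
    # answered via INPUT, so guests only lose their neighbours' MACs), and
    # every broadcast, which is the leak the post above mentions.
    ebt -A FORWARD -i "$vap" -p IPv4 --ip-dst "$lan" -j DROP
    ebt -A FORWARD -i "$vap" -p ARP -j DROP
    ebt -A FORWARD -i "$vap" --pkttype-type broadcast -j DROP
    # LAN -> guest: drop unicast/multicast from LAN addresses and broadcasts.
    # The router's own replies leave via OUTPUT, so they are unaffected.
    ebt -A FORWARD -o "$vap" -p IPv4 --ip-src "$lan" -j DROP
    ebt -A FORWARD -o "$vap" --pkttype-type broadcast -j DROP
}

# Stand-alone use: guest-isolation.sh wl0.2 192.168.1.0/24 192.168.1.1
if [ "$#" -eq 3 ]; then
    guest_isolation_rules "$@"
fi
```

Run it once with EBTABLES_DRY_RUN=1 to review the rule list before applying it on the router; after applying, `ebtables -L --Lc` shows per-rule counters, which is the quickest way to confirm a guest's traffic is hitting the DROP rules rather than slipping through to another bridge port.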
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Jun 16, 2022 18:55 Post subject:
cof cof cof... gasp, /me drinks water.
ebtables deals with Ethernet protocol which is simpler than the IP protocol which is what iptables deals with.
I don't think the router's unmanaged switch will ever be good enough to do this properly. You can control LAN traffic via a managed switch at port level and specific device-level MAC, but stranger things have happened; where there is a will, there is always a way, no matter if you end up with spaghetti on the other side.
eibgrad is on top of it anyway.
What I will say is this: while you have aggregated interfaces under the same bridge br0 by default, isolating bridged interfaces on the same bridge is always gonna be a pita, but creating other bridges for specific interfaces may leave you in a switch loop situation depending on where you zig instead of doing a zag.
Posted: Thu Jun 16, 2022 22:55 Post subject:
+1 for a managed switch...VLAN capable...
that's what I have to achieve IoT, Smart Devices isolation..
and a router VLAN on its own subnet on one of its switch ports..
Any idea why EBTables is such a performance hog? Having a ton of IPTables rules has negligible impact on performance in modern routers, but EBTables reduces bandwidth drastically.
Posted: Thu Jun 23, 2022 18:33 Post subject:
OpenSource Ghost wrote:
Thank you for the input!
Any idea why EBTables is such a performance hog? Having a ton of IPTables rules has negligible impact on performance in modern routers, but EBTables reduces bandwidth drastically.
i guess if I'm correct...switch frames are processed by the switch CPU, not by the general router CPU..and there it goes...all the translation takes resources...
If your router supports those, for best filtering results use IPset rules ...
Actually if your work relies on any filtering rules, it's worth every penny to get a router that does support those...by default...as IPset rules are executed ultra fast..
But...for some things if you are not using vlans you may still need a managed switch...