
How to manipulate packets within the same subnet?

Discussion in 'Tomato Firmware' started by Bird333, May 1, 2013.

  1. Bird333

    Bird333 Network Guru Member

    I think it is accepted knowledge that packets traveling in the same subnet are handled by the switch. However, my question is: is there some way to control these packets? Possibly through arptables, ebtables, or PREROUTING in iptables (they may never even get there; that's a question also). For instance, how does the switch and/or router know that two machines are even in the same subnet to begin with? There must be a way to distinguish and manipulate this traffic. Can someone answer these questions?
     

  3. jerrm

    jerrm Network Guru Member

    Not quite. Oversimplifying a little here, OSI purists may ream me:

    Packets traveling within one physical network segment are handled by the switch hardware without router software (Linux) intervention. The default four ports are connected via a hardware bridge using dedicated and highly optimized circuitry and are essentially one physical segment, all effectively hard-wired together.

    A physical network can actually host multiple IP subnets, and even multiple network protocols. There was a time it was not uncommon to have TCP/IP, IPX/SPX, and NetBios networks all running on the same physical ethernet.

    When dealing with a default, one IP subnet setup, the router software only gets involved when packets have to travel between physical segments. Linux will never see a packet between two wired clients - they are on the same physical segment. Linux will see traffic crossing from wireless<->wired because the wireless interface and the wired interface are separate physical adapters communicating across a software based bridge where linux moves the packets between adapters as needed. Because Linux moderates the traffic between these physical segments it is possible to control traffic crossing the bridge with ebtables and sometimes iptables.

    We have enough control of the switch to separate the ports from each other, and create separate physical segments for each port when creating "VLANs." I don't think the GUI allows it, but you could define each physical port as a separate "VLAN," then add all the VLAN interfaces to the same software bridge (br0). If you did this, then Linux could moderate the traffic moving between ports as it crosses the bridge, but you would really only want this for special circumstances.

    The downside to doing this is performance. The switch circuitry moves packets from port to port essentially at full wire speed. Imagine the Linux software bridge doing the same thing. Think of the performance complaints we hear from folks with 100Mb WAN connections, then imagine having four 100Mb (or four 1Gb) connections handled by the software. The Linux bridge code operates at a lower level and is more efficient than routing, but there is still a real performance hit and you could overwhelm the router with LAN<->LAN traffic.
     
  4. Bird333

    Bird333 Network Guru Member

    Thanks for the response. It makes sense. However, for example, if one computer is 192.168.1.4 and another is 192.168.1.5, both connected to the switch, how does the switch know where to send a packet from 192.168.1.4 to the other? A switch will not send the packet to all ports, so how does it know where to send it?
     
  5. humba

    humba Network Guru Member

    By a mechanism called ARP.
    Basically, at first your PC yells "who has 192.168.1.5, tell me" and sends it down the wire to the next switch (could be the router, or maybe you have more switches), which consults its ARP table; if it's found, it sends the packet along to the proper port. If not found, it sends a broadcast (so to the whole subnet => all ports that are on the subnet, which unless you're using multiple VLANs is all your ports) to the local subnet, and so on. If you have just the router, the router will know which port "has" 192.168.1.5 if 192.168.1.5 has already communicated with it (if you're doing DHCP, and the machine is up, it has an entry in its ARP table from the DHCP request that 192.168.1.5 made in order to get its IP address).
     
  6. Bird333

    Bird333 Network Guru Member

    I guess that is part of what I am wondering. What software if any is responsible for completing the router's or switch's ARP table?
     
  7. jerrm

    jerrm Network Guru Member

    The switch keeps a table of which MAC addresses are on which ports as it discovers them. It doesn't care about IP addresses.

    When on the same network and machine A broadcasts its message "who has 192.168.1.5," the switch learns that MAC aa.aa.aa.aa.aa.aa is on port 2 and saves the data, and it sends that broadcast out to all ports. The switch does not really know machine A is asking for an address; it just sees a broadcast packet and sends it down all ports.

    When machine B replies back to MAC aa.aa.aa.aa.aa.aa "Hey, that's me!!!," the switch learns that MAC bb.bb.bb.bb.bb.bb is on port 4, remembers it, and sends the response out port 2 to machine A. Now that both A and B have communicated and know each other's MACs, subsequent communication is all done via MAC address. The IP addresses are still part of the packet, but they are not looked at by the switch when routing traffic.

    The Linux bridge essentially uses the same "MAC only" logic. At the bridge level, IP addresses do not normally come into play.

    If machine A needs to talk to an address on another IP subnet, it always sends the packet directly to the router MAC; the router looks up where it should go in its routing table, and sends it to the next hop in the chain.
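    As an added illustration (not code from anyone in this thread, and not Tomato's own code), here is a toy Python model of the learning switch and the ARP exchange jerrm describes above, which also answers the original "how do they know it's the same subnet" question: the host answers that with its netmask, the switch never looks at IP at all. All MAC addresses, IPs and the port layout are constructed for the example.

```python
"""Toy model of a learning switch plus hosts that resolve addresses with ARP.

The switch forwards on MAC addresses only: it learns each frame's source MAC
on the ingress port, floods frames whose destination MAC is broadcast or not
yet learned, and never parses IP. Hosts decide "same subnet or not" with the
netmask: on-link destinations are ARPed directly, off-link ones are sent to
the gateway's MAC. Everything here (MACs, IPs, ports) is constructed.
"""
import ipaddress
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str   # "ARP" or "IP"
    payload: dict


class Switch:
    def __init__(self):
        self.mac_table = {}    # MAC -> port: the switch's only state, no IPs
        self.ports = {}        # port -> attached Host
        self.flood_count = 0   # how often a frame had to go out every port

    def attach(self, port, host):
        self.ports[port] = host
        host.switch, host.port = self, port

    def receive(self, in_port, frame):
        self.mac_table[frame.src_mac] = in_port       # learn on ingress
        out = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or out is None:  # unknown/broadcast: flood
            self.flood_count += 1
            targets = [p for p in self.ports if p != in_port]
        else:                                          # known: one port only
            targets = [out]
        for p in targets:
            self.ports[p].receive(frame)


class Host:
    def __init__(self, name, mac, ip, prefixlen, gateway=None):
        self.name, self.mac = name, mac
        self.iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
        self.gateway = gateway
        self.arp_table = {}    # IP -> MAC: hosts (and the router) keep this
        self.received = []
        self.switch = self.port = None

    def on_link(self, ip):
        # The subnet decision lives here, in the host, not in the switch.
        return ipaddress.ip_address(ip) in self.iface.network

    def _send(self, frame):
        self.switch.receive(self.port, frame)

    def resolve(self, ip):
        if ip not in self.arp_table:   # "who has ip? tell me" as a broadcast
            self._send(Frame(self.mac, BROADCAST, "ARP",
                             {"op": "request", "tip": ip, "sip": str(self.iface.ip)}))
        return self.arp_table.get(ip)  # filled in synchronously by the reply

    def send_ip(self, dst_ip, data):
        next_hop = dst_ip if self.on_link(dst_ip) else self.gateway
        if next_hop is None:
            raise RuntimeError(f"{self.name}: no route to {dst_ip}")
        dst_mac = self.resolve(next_hop)
        if dst_mac is None:
            return False                # nobody answered the ARP request
        self._send(Frame(self.mac, dst_mac, "IP",
                         {"src": str(self.iface.ip), "dst": dst_ip, "data": data}))
        return True

    def receive(self, frame):
        if frame.ethertype == "ARP":
            p = frame.payload
            if p["op"] == "request" and p["tip"] == str(self.iface.ip):
                self.arp_table[p["sip"]] = frame.src_mac   # learn the asker too
                self._send(Frame(self.mac, frame.src_mac, "ARP",
                                 {"op": "reply", "sip": str(self.iface.ip), "tip": p["sip"]}))
            elif p["op"] == "reply" and frame.dst_mac == self.mac:
                self.arp_table[p["sip"]] = frame.src_mac
        elif frame.dst_mac == self.mac:
            self.received.append(frame.payload)


def build_lan():
    """Constructed LAN: router on port 1, three hosts on ports 2-4, one /24."""
    sw = Switch()
    router = Host("router", "aa:bb:cc:00:00:01", "192.168.1.1", 24)
    a = Host("A", "aa:bb:cc:00:00:04", "192.168.1.4", 24, gateway="192.168.1.1")
    b = Host("B", "aa:bb:cc:00:00:05", "192.168.1.5", 24, gateway="192.168.1.1")
    c = Host("C", "aa:bb:cc:00:00:06", "192.168.1.6", 24, gateway="192.168.1.1")
    for port, h in enumerate([router, a, b, c], start=1):
        sw.attach(port, h)
    return sw, router, a, b, c


def demo():
    sw, router, a, b, c = build_lan()
    a.send_ip("192.168.1.5", "hello")     # same subnet: one flooded ARP, then unicast
    floods_after_first = sw.flood_count
    a.send_ip("192.168.1.5", "again")     # MACs known: no flood, switch-only path
    a.send_ip("10.0.0.9", "to internet")  # off-link: A ARPs the gateway, not 10.0.0.9
    return {
        "mac_table": dict(sw.mac_table),
        "a_arp": dict(a.arp_table),
        "b_got": [p["data"] for p in b.received],
        "c_got": [p["data"] for p in c.received],
        "router_got": [p["dst"] for p in router.received],
        "floods": sw.flood_count,
        "floods_after_first": floods_after_first,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing when you run it: host C never transmits, so it never appears in the switch's MAC table (the table is populated only by frames the switch has seen, exactly as jerrm says), and the switch's table contains no IP addresses at all, while the ARP tables with IP-to-MAC pairs live in the hosts and the router.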
     
  8. Bird333

    Bird333 Network Guru Member

    So with ebtables can we manipulate packets in br0 that are connected to the wired ports?
     
  9. jerrm

    jerrm Network Guru Member

    Only if they cross the bridge. You would have to have each port defined as a separate "vlan" port and all assigned to br0.

    EDIT: To clarify a little:

    A normal dual-frequency bridge is set up as follows.
    Code:
    root@Gateway:/# brctl show
    bridge name    bridge id              STP enabled    interfaces
    br0            8000.944452e53c46      no            vlan1
                                                        eth1
                                                        eth2
    
    vlan1 is the "switch" - all four ports
    eth1 is 2.4 GHz wireless
    eth2 is 5 GHz wireless.

    Ebtables can manage traffic moving between vlan1 and/or eth1 and/or eth2. Linux never sees wired-to-wired traffic, because it is all "behind" vlan1.

    If you assign each physical port to a separate "vlan" and then use brctl to move them all into br0, it would look something like:
    Code:
    root@Gateway:/# brctl show
    bridge name    bridge id              STP enabled    interfaces
    br0            8000.944452e53c46      no            vlan1
                                                        eth1
                                                        eth2
                                                        vlan3
                                                        vlan4
                                                        vlan5
    
    vlan1 is port 1 of the switch
    eth1 is 2.4 GHz wireless
    eth2 is 5 GHz wireless.
    vlan3 is port 2 of the switch
    vlan4 is port 3 of the switch
    vlan5 is port 4 of the switch

    At that point all traffic passing port to port is exposed to Linux, but there is a performance and load hit.

    vlan2 is not shown, because it is not part of the bridge - it is the WAN port.
     
  10. Bird333

    Bird333 Network Guru Member

    I gotcha. :) So the answer is no with the stock config. So I guess the switch chip has some memory where it stores the ARP data?
     
  11. bortle

    bortle Reformed Router Member

    edit: The switch doesn't handle ARP, because ARP requires knowledge of IP (layer 3). The switch is just at layer 2. The things that have an ARP table are:
    • the computers (to know about their own MAC and the MAC of the router), and
    • the router itself. It keeps a table of every MAC:IP address pair it knows about on each interface.
    The switch has a table of MAC addresses and which port it's "heard" each MAC on.

    The performance load comes because you're making the CPU process traffic. The switch operation on the frame can be done in faster circuitry. To have the bridge set up this way means that the CPU needs to process each switched frame, which will add load to the CPU and eventually slow things down. Anything further you do to change the frame/packet will slow it down further. This is usually a pretty bad strategy.

    The real question is what you're trying to do. Your packet mangling might be doable in another way, and more simply. My gut says what you want to do is route and have a firewall in between, or you're looking for port mirroring.
     
  12. jerrm

    jerrm Network Guru Member

    As bortle said, the switch doesn't do ARP. ARP is the Address Resolution Protocol for TCP/IP. ARP translates IPs to MACs.

    The switch ONLY cares about MACs; it doesn't understand or care about IPs at all.
     
  13. Bird333

    Bird333 Network Guru Member

    Ok, same question though. Does the switch chip have some memory where MACs are stored?
     
  14. jerrm

    jerrm Network Guru Member

    Yes. It's usually listed on the spec sheet, not in bytes but in the number of MACs supported.
     
  15. bortle

    bortle Reformed Router Member

    You're not going to run out of MAC table space with a four-port switch unless you're doing it wrong.
     
