Configure a bridge connection as a hub with netplan





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







0















My current problem hits the limits of my basic networking skills.



In short : I "tapped" a server with multiple network interfaces on a network cable linking my router and my media center. I try to make this happen in a transparent way.



The network topology was :



Other machine (192.168.0.2) -- Router (192.168.0.1) -- Media center (192.168.0.3)


Now it's :



Other machine (192.168.0.2) -- Router (192.168.0.1) -- New server (192.168.0.4) -- Media center (192.168.0.3)


I set up a bridge connection on the server like so on netplan:



network:

  version: 2

  ethernets:

    eno1:

      dhcp4: no

    eno2:

      dhcp4: no

  bridges:

    br0:

      interfaces: [eno1, eno2]

      addresses: [192.168.0.4/24]

      gateway4: 192.168.0.1

      nameservers:

        search: 

        addresses: [192.168.0.2]


The new server (192.168.0.4) can ping and ssh to the media center (192.168.0.3) and the router or the rest of the network (e.g. 192.168.0.2).



The media center (192.168.0.3) can ping and ssh the new server(192.168.0.4) but not the router nor the rest of the network. Conversely, the router and the rest of the network can not talk to the media center (192.168.0.3).



Can I achieve what I'm trying to do by defining routes in the netplan config (but I'm a bit out of my depth here, so help is welcome on how), or is it just not possible with this topology because I would have to somehow define the new server as a gateway to the media center in the routes of every machine of the network ?



Additional details :



me@newserver:~$ ip -br link

lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 

eno1             UP             00:22:19:cc:db:0c <BROADCAST,MULTICAST,UP,LOWER_UP> 

eno2             UP             00:22:19:cc:db:0e <BROADCAST,MULTICAST,UP,LOWER_UP> 

eno3             DOWN           00:22:19:cc:db:10 <BROADCAST,MULTICAST> 

eno4             DOWN           00:22:19:cc:db:12 <BROADCAST,MULTICAST> 

br0              UP             76:1b:8c:b8:3a:15 <BROADCAST,MULTICAST,UP,LOWER_UP> 

docker0          DOWN           02:42:17:43:24:12 <NO-CARRIER,BROADCAST,MULTICAST,UP> 

me@newserver:~$ ip -br a

lo               UNKNOWN        127.0.0.1/8 ::1/128 

eno1             UP             

eno2             UP             

eno3             DOWN           

eno4             DOWN           

br0              UP             192.168.0.4/24 fe80::741b:8cff:feb8:3a15/64 

docker0          DOWN           172.17.0.1/16 fe80::42:17ff:fe43:2412/64 

me@newserver:~$ cat /proc/net/arp 

IP address       HW type     Flags       HW address            Mask     Device

192.168.0.21     0x1         0x2         44:8a:5b:f1:d5:fb     *        br0

192.168.0.3      0x1         0x2         b8:27:eb:da:cb:20     *        br0

192.168.0.1      0x1         0x2         a0:1b:29:7d:d9:73     *        br0

192.168.0.2      0x1         0x2         d4:9a:20:c2:c8:c8     *        br0

me@newserver:~$ bridge link

2: eno1 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 

3: eno2 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 

me@newserver:~$ sudo iptables-save -c

# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019

*nat

:PREROUTING ACCEPT [213193:40208006]

:INPUT ACCEPT [3463:1018938]

:OUTPUT ACCEPT [766:58537]

:POSTROUTING ACCEPT [766:58537]

:DOCKER - [0:0]

[45:2724] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

[1:60] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

[0:0] -A DOCKER -i docker0 -j RETURN

COMMIT

# Completed on Sun Jan 27 10:52:29 2019

# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019

*filter

:INPUT ACCEPT [44978969:67464645682]

:FORWARD DROP [130478:14923761]

:OUTPUT ACCEPT [23637250:1293021280]

:DOCKER - [0:0]

:DOCKER-ISOLATION-STAGE-1 - [0:0]

:DOCKER-ISOLATION-STAGE-2 - [0:0]

:DOCKER-USER - [0:0]

[130478:14923761] -A FORWARD -j DOCKER-USER

[130478:14923761] -A FORWARD -j DOCKER-ISOLATION-STAGE-1

[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

[0:0] -A FORWARD -o docker0 -j DOCKER

[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT

[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT

[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2

[130478:14923761] -A DOCKER-ISOLATION-STAGE-1 -j RETURN

[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP

[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN

[130478:14923761] -A DOCKER-USER -j RETURN

COMMIT

# Completed on Sun Jan 27 10:52:29 2019

me@newserver:~$ sudo bridge monitor

a0:1b:29:7d:d9:74 dev eno1 master br0 

a0:1b:29:7d:d9:72 dev eno1 master br0 

Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale

Deleted 78:67:d7:21:56:34 dev eno1 master br0 stale

78:67:d7:21:56:34 dev eno1 master br0 

a0:1b:29:7d:d9:74 dev eno1 master br0 

dev br0 port eno1 grp ff02::fb temp 

Deleted a0:1b:29:7d:d9:72 dev eno1 master br0 stale

Deleted 30:07:4d:3e:2f:bb dev eno1 master br0 stale

98:b6:e9:cd:fb:4a dev eno1 master br0 

Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale

Deleted dev br0 port eno1 grp ff02::fb temp 

Deleted dev br0 port br0 grp ff02::fb temp


bridge-netfilter is not installed and there is no filtering that I know of (it's basically a fresh install + docker)






networking bridge netplan







share|improve this question

























  • you should provide low level results from your settings, like ip -br link, ip -br a, bridge link , ebtables-save, iptables-save -c (in case bridge-netfilter is activated). If any filtering is activated, deactivate it. run tcpdump on each interface, bridge monitor to see what's going on etc

    – A.B
    Jan 26 at 22:45













  • ok sorry i can't help any more, but those informations might perhaps give a clue to somebody else.

    – A.B
    Jan 27 at 12:30











  • no problem and thanks, it was indeed a good clue !

    – user981733
    Jan 29 at 13:40


















0















My current problem hits the limits of my basic networking skills.



In short : I "tapped" a server with multiple network interfaces on a network cable linking my router and my media center. I try to make this happen in a transparent way.



The network topology was :



Other machine (192.168.0.2) -- Router (192.168.0.1) -- Media center (192.168.0.3)


Now it's :



Other machine (192.168.0.2) -- Router (192.168.0.1) -- New server (192.168.0.4) -- Media center (192.168.0.3)


I set up a bridge connection on the server like so on netplan:



network:

  version: 2

  ethernets:

    eno1:

      dhcp4: no

    eno2:

      dhcp4: no

  bridges:

    br0:

      interfaces: [eno1, eno2]

      addresses: [192.168.0.4/24]

      gateway4: 192.168.0.1

      nameservers:

        search: 

        addresses: [192.168.0.2]


The new server (192.168.0.4) can ping and ssh to the media center (192.168.0.3) and the router or the rest of the network (e.g. 192.168.0.2).



The media center (192.168.0.3) can ping and ssh the new server(192.168.0.4) but not the router nor the rest of the network. Conversely, the router and the rest of the network can not talk to the media center (192.168.0.3).



Can I achieve what I'm trying to do by defining routes in the netplan config (but I'm a bit out of my depth here, so help is welcome on how), or is it just not possible with this topology because I would have to somehow define the new server as a gateway to the media center in the routes of every machine of the network ?



Additional details :



me@newserver:~$ ip -br link

lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 

eno1             UP             00:22:19:cc:db:0c <BROADCAST,MULTICAST,UP,LOWER_UP> 

eno2             UP             00:22:19:cc:db:0e <BROADCAST,MULTICAST,UP,LOWER_UP> 

eno3             DOWN           00:22:19:cc:db:10 <BROADCAST,MULTICAST> 

eno4             DOWN           00:22:19:cc:db:12 <BROADCAST,MULTICAST> 

br0              UP             76:1b:8c:b8:3a:15 <BROADCAST,MULTICAST,UP,LOWER_UP> 

docker0          DOWN           02:42:17:43:24:12 <NO-CARRIER,BROADCAST,MULTICAST,UP> 

me@newserver:~$ ip -br a

lo               UNKNOWN        127.0.0.1/8 ::1/128 

eno1             UP             

eno2             UP             

eno3             DOWN           

eno4             DOWN           

br0              UP             192.168.0.4/24 fe80::741b:8cff:feb8:3a15/64 

docker0          DOWN           172.17.0.1/16 fe80::42:17ff:fe43:2412/64 

me@newserver:~$ cat /proc/net/arp 

IP address       HW type     Flags       HW address            Mask     Device

192.168.0.21     0x1         0x2         44:8a:5b:f1:d5:fb     *        br0

192.168.0.3      0x1         0x2         b8:27:eb:da:cb:20     *        br0

192.168.0.1      0x1         0x2         a0:1b:29:7d:d9:73     *        br0

192.168.0.2      0x1         0x2         d4:9a:20:c2:c8:c8     *        br0

me@newserver:~$ bridge link

2: eno1 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 

3: eno2 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 

me@newserver:~$ sudo iptables-save -c

# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019

*nat

:PREROUTING ACCEPT [213193:40208006]

:INPUT ACCEPT [3463:1018938]

:OUTPUT ACCEPT [766:58537]

:POSTROUTING ACCEPT [766:58537]

:DOCKER - [0:0]

[45:2724] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

[1:60] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

[0:0] -A DOCKER -i docker0 -j RETURN

COMMIT

# Completed on Sun Jan 27 10:52:29 2019

# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019

*filter

:INPUT ACCEPT [44978969:67464645682]

:FORWARD DROP [130478:14923761]

:OUTPUT ACCEPT [23637250:1293021280]

:DOCKER - [0:0]

:DOCKER-ISOLATION-STAGE-1 - [0:0]

:DOCKER-ISOLATION-STAGE-2 - [0:0]

:DOCKER-USER - [0:0]

[130478:14923761] -A FORWARD -j DOCKER-USER

[130478:14923761] -A FORWARD -j DOCKER-ISOLATION-STAGE-1

[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

[0:0] -A FORWARD -o docker0 -j DOCKER

[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT

[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT

[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2

[130478:14923761] -A DOCKER-ISOLATION-STAGE-1 -j RETURN

[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP

[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN

[130478:14923761] -A DOCKER-USER -j RETURN

COMMIT

# Completed on Sun Jan 27 10:52:29 2019

me@newserver:~$ sudo bridge monitor

a0:1b:29:7d:d9:74 dev eno1 master br0 

a0:1b:29:7d:d9:72 dev eno1 master br0 

Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale

Deleted 78:67:d7:21:56:34 dev eno1 master br0 stale

78:67:d7:21:56:34 dev eno1 master br0 

a0:1b:29:7d:d9:74 dev eno1 master br0 

dev br0 port eno1 grp ff02::fb temp 

Deleted a0:1b:29:7d:d9:72 dev eno1 master br0 stale

Deleted 30:07:4d:3e:2f:bb dev eno1 master br0 stale

98:b6:e9:cd:fb:4a dev eno1 master br0 

Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale

Deleted dev br0 port eno1 grp ff02::fb temp 

Deleted dev br0 port br0 grp ff02::fb temp


bridge-netfilter is not installed and there is no filtering that I know of (it's basically a fresh install + docker)






networking bridge netplan







share|improve this question

























  • you should provide low level results from your settings, like ip -br link, ip -br a, bridge link , ebtables-save, iptables-save -c (in case bridge-netfilter is activated). If any filtering is activated, deactivate it. run tcpdump on each interface, bridge monitor to see what's going on etc

    – A.B
    Jan 26 at 22:45













  • ok sorry i can't help any more, but those informations might perhaps give a clue to somebody else.

    – A.B
    Jan 27 at 12:30











  • no problem and thanks, it was indeed a good clue !

    – user981733
    Jan 29 at 13:40














0












0








0








My current problem hits the limits of my basic networking skills.



In short : I "tapped" a server with multiple network interfaces on a network cable linking my router and my media center. I try to make this happen in a transparent way.



The network topology was :



Other machine (192.168.0.2) -- Router (192.168.0.1) -- Media center (192.168.0.3)


Now it's :



Other machine (192.168.0.2) -- Router (192.168.0.1) -- New server (192.168.0.4) -- Media center (192.168.0.3)


I set up a bridge connection on the server like so on netplan:



network:

  version: 2

  ethernets:

    eno1:

      dhcp4: no

    eno2:

      dhcp4: no

  bridges:

    br0:

      interfaces: [eno1, eno2]

      addresses: [192.168.0.4/24]

      gateway4: 192.168.0.1

      nameservers:

        search: 

        addresses: [192.168.0.2]


The new server (192.168.0.4) can ping and ssh to the media center (192.168.0.3) and the router or the rest of the network (e.g. 192.168.0.2).



The media center (192.168.0.3) can ping and ssh the new server(192.168.0.4) but not the router nor the rest of the network. Conversely, the router and the rest of the network can not talk to the media center (192.168.0.3).



Can I achieve what I'm trying to do by defining routes in the netplan config (but I'm a bit out of my depth here, so help is welcome on how), or is it just not possible with this topology because I would have to somehow define the new server as a gateway to the media center in the routes of every machine of the network ?



Additional details :



me@newserver:~$ ip -br link

lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 

eno1             UP             00:22:19:cc:db:0c <BROADCAST,MULTICAST,UP,LOWER_UP> 

eno2             UP             00:22:19:cc:db:0e <BROADCAST,MULTICAST,UP,LOWER_UP> 

eno3             DOWN           00:22:19:cc:db:10 <BROADCAST,MULTICAST> 

eno4             DOWN           00:22:19:cc:db:12 <BROADCAST,MULTICAST> 

br0              UP             76:1b:8c:b8:3a:15 <BROADCAST,MULTICAST,UP,LOWER_UP> 

docker0          DOWN           02:42:17:43:24:12 <NO-CARRIER,BROADCAST,MULTICAST,UP> 

me@newserver:~$ ip -br a

lo               UNKNOWN        127.0.0.1/8 ::1/128 

eno1             UP             

eno2             UP             

eno3             DOWN           

eno4             DOWN           

br0              UP             192.168.0.4/24 fe80::741b:8cff:feb8:3a15/64 

docker0          DOWN           172.17.0.1/16 fe80::42:17ff:fe43:2412/64 

me@newserver:~$ cat /proc/net/arp 

IP address       HW type     Flags       HW address            Mask     Device

192.168.0.21     0x1         0x2         44:8a:5b:f1:d5:fb     *        br0

192.168.0.3      0x1         0x2         b8:27:eb:da:cb:20     *        br0

192.168.0.1      0x1         0x2         a0:1b:29:7d:d9:73     *        br0

192.168.0.2      0x1         0x2         d4:9a:20:c2:c8:c8     *        br0

me@newserver:~$ bridge link

2: eno1 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 

3: eno2 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 

me@newserver:~$ sudo iptables-save -c

# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019

*nat

:PREROUTING ACCEPT [213193:40208006]

:INPUT ACCEPT [3463:1018938]

:OUTPUT ACCEPT [766:58537]

:POSTROUTING ACCEPT [766:58537]

:DOCKER - [0:0]

[45:2724] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

[1:60] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

[0:0] -A DOCKER -i docker0 -j RETURN

COMMIT

# Completed on Sun Jan 27 10:52:29 2019

# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019

*filter

:INPUT ACCEPT [44978969:67464645682]

:FORWARD DROP [130478:14923761]

:OUTPUT ACCEPT [23637250:1293021280]

:DOCKER - [0:0]

:DOCKER-ISOLATION-STAGE-1 - [0:0]

:DOCKER-ISOLATION-STAGE-2 - [0:0]

:DOCKER-USER - [0:0]

[130478:14923761] -A FORWARD -j DOCKER-USER

[130478:14923761] -A FORWARD -j DOCKER-ISOLATION-STAGE-1

[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

[0:0] -A FORWARD -o docker0 -j DOCKER

[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT

[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT

[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2

[130478:14923761] -A DOCKER-ISOLATION-STAGE-1 -j RETURN

[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP

[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN

[130478:14923761] -A DOCKER-USER -j RETURN

COMMIT

# Completed on Sun Jan 27 10:52:29 2019

me@newserver:~$ sudo bridge monitor

a0:1b:29:7d:d9:74 dev eno1 master br0 

a0:1b:29:7d:d9:72 dev eno1 master br0 

Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale

Deleted 78:67:d7:21:56:34 dev eno1 master br0 stale

78:67:d7:21:56:34 dev eno1 master br0 

a0:1b:29:7d:d9:74 dev eno1 master br0 

dev br0 port eno1 grp ff02::fb temp 

Deleted a0:1b:29:7d:d9:72 dev eno1 master br0 stale

Deleted 30:07:4d:3e:2f:bb dev eno1 master br0 stale

98:b6:e9:cd:fb:4a dev eno1 master br0 

Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale

Deleted dev br0 port eno1 grp ff02::fb temp 

Deleted dev br0 port br0 grp ff02::fb temp


bridge-netfilter is not installed and there is no filtering that I know of (it's basically a fresh install + docker)






networking bridge netplan







share|improve this question
















My current problem hits the limits of my basic networking skills.



In short : I "tapped" a server with multiple network interfaces on a network cable linking my router and my media center. I try to make this happen in a transparent way.



The network topology was :



Other machine (192.168.0.2) -- Router (192.168.0.1) -- Media center (192.168.0.3)


Now it's :



Other machine (192.168.0.2) -- Router (192.168.0.1) -- New server (192.168.0.4) -- Media center (192.168.0.3)


I set up a bridge connection on the server like so on netplan:



network:

  version: 2

  ethernets:

    eno1:

      dhcp4: no

    eno2:

      dhcp4: no

  bridges:

    br0:

      interfaces: [eno1, eno2]

      addresses: [192.168.0.4/24]

      gateway4: 192.168.0.1

      nameservers:

        search: 

        addresses: [192.168.0.2]


The new server (192.168.0.4) can ping and ssh to the media center (192.168.0.3) and the router or the rest of the network (e.g. 192.168.0.2).



The media center (192.168.0.3) can ping and ssh the new server(192.168.0.4) but not the router nor the rest of the network. Conversely, the router and the rest of the network can not talk to the media center (192.168.0.3).



Can I achieve what I'm trying to do by defining routes in the netplan config (but I'm a bit out of my depth here, so help is welcome on how), or is it just not possible with this topology because I would have to somehow define the new server as a gateway to the media center in the routes of every machine of the network ?



Additional details :



me@newserver:~$ ip -br link

lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 

eno1             UP             00:22:19:cc:db:0c <BROADCAST,MULTICAST,UP,LOWER_UP> 

eno2             UP             00:22:19:cc:db:0e <BROADCAST,MULTICAST,UP,LOWER_UP> 

eno3             DOWN           00:22:19:cc:db:10 <BROADCAST,MULTICAST> 

eno4             DOWN           00:22:19:cc:db:12 <BROADCAST,MULTICAST> 

br0              UP             76:1b:8c:b8:3a:15 <BROADCAST,MULTICAST,UP,LOWER_UP> 

docker0          DOWN           02:42:17:43:24:12 <NO-CARRIER,BROADCAST,MULTICAST,UP> 

me@newserver:~$ ip -br a

lo               UNKNOWN        127.0.0.1/8 ::1/128 

eno1             UP             

eno2             UP             

eno3             DOWN           

eno4             DOWN           

br0              UP             192.168.0.4/24 fe80::741b:8cff:feb8:3a15/64 

docker0          DOWN           172.17.0.1/16 fe80::42:17ff:fe43:2412/64 

me@newserver:~$ cat /proc/net/arp 

IP address       HW type     Flags       HW address            Mask     Device

192.168.0.21     0x1         0x2         44:8a:5b:f1:d5:fb     *        br0

192.168.0.3      0x1         0x2         b8:27:eb:da:cb:20     *        br0

192.168.0.1      0x1         0x2         a0:1b:29:7d:d9:73     *        br0

192.168.0.2      0x1         0x2         d4:9a:20:c2:c8:c8     *        br0

me@newserver:~$ bridge link

2: eno1 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 

3: eno2 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 

me@newserver:~$ sudo iptables-save -c

# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019

*nat

:PREROUTING ACCEPT [213193:40208006]

:INPUT ACCEPT [3463:1018938]

:OUTPUT ACCEPT [766:58537]

:POSTROUTING ACCEPT [766:58537]

:DOCKER - [0:0]

[45:2724] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

[1:60] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

[0:0] -A DOCKER -i docker0 -j RETURN

COMMIT

# Completed on Sun Jan 27 10:52:29 2019

# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019

*filter

:INPUT ACCEPT [44978969:67464645682]

:FORWARD DROP [130478:14923761]

:OUTPUT ACCEPT [23637250:1293021280]

:DOCKER - [0:0]

:DOCKER-ISOLATION-STAGE-1 - [0:0]

:DOCKER-ISOLATION-STAGE-2 - [0:0]

:DOCKER-USER - [0:0]

[130478:14923761] -A FORWARD -j DOCKER-USER

[130478:14923761] -A FORWARD -j DOCKER-ISOLATION-STAGE-1

[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

[0:0] -A FORWARD -o docker0 -j DOCKER

[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT

[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT

[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2

[130478:14923761] -A DOCKER-ISOLATION-STAGE-1 -j RETURN

[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP

[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN

[130478:14923761] -A DOCKER-USER -j RETURN

COMMIT

# Completed on Sun Jan 27 10:52:29 2019

me@newserver:~$ sudo bridge monitor

a0:1b:29:7d:d9:74 dev eno1 master br0 

a0:1b:29:7d:d9:72 dev eno1 master br0 

Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale

Deleted 78:67:d7:21:56:34 dev eno1 master br0 stale

78:67:d7:21:56:34 dev eno1 master br0 

a0:1b:29:7d:d9:74 dev eno1 master br0 

dev br0 port eno1 grp ff02::fb temp 

Deleted a0:1b:29:7d:d9:72 dev eno1 master br0 stale

Deleted 30:07:4d:3e:2f:bb dev eno1 master br0 stale

98:b6:e9:cd:fb:4a dev eno1 master br0 

Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale

Deleted dev br0 port eno1 grp ff02::fb temp 

Deleted dev br0 port br0 grp ff02::fb temp


bridge-netfilter is not installed and there is no filtering that I know of (it's basically a fresh install + docker)






networking bridge netplan




networking bridge netplan






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 27 at 10:10







user981733

















asked Jan 26 at 21:55









user981733user981733

1113




1113













  • you should provide low level results from your settings, like ip -br link, ip -br a, bridge link , ebtables-save, iptables-save -c (in case bridge-netfilter is activated). If any filtering is activated, deactivate it. run tcpdump on each interface, bridge monitor to see what's going on etc

    – A.B
    Jan 26 at 22:45













  • ok sorry i can't help any more, but those informations might perhaps give a clue to somebody else.

    – A.B
    Jan 27 at 12:30











  • no problem and thanks, it was indeed a good clue !

    – user981733
    Jan 29 at 13:40



















  • you should provide low level results from your settings, like ip -br link, ip -br a, bridge link , ebtables-save, iptables-save -c (in case bridge-netfilter is activated). If any filtering is activated, deactivate it. run tcpdump on each interface, bridge monitor to see what's going on etc

    – A.B
    Jan 26 at 22:45













  • ok sorry i can't help any more, but those informations might perhaps give a clue to somebody else.

    – A.B
    Jan 27 at 12:30











  • no problem and thanks, it was indeed a good clue !

    – user981733
    Jan 29 at 13:40

















you should provide low level results from your settings, like ip -br link, ip -br a, bridge link , ebtables-save, iptables-save -c (in case bridge-netfilter is activated). If any filtering is activated, deactivate it. run tcpdump on each interface, bridge monitor to see what's going on etc

– A.B
Jan 26 at 22:45







you should provide low level results from your settings, like ip -br link, ip -br a, bridge link , ebtables-save, iptables-save -c (in case bridge-netfilter is activated). If any filtering is activated, deactivate it. run tcpdump on each interface, bridge monitor to see what's going on etc

– A.B
Jan 26 at 22:45















ok sorry i can't help any more, but those informations might perhaps give a clue to somebody else.

– A.B
Jan 27 at 12:30





ok sorry i can't help any more, but those informations might perhaps give a clue to somebody else.

– A.B
Jan 27 at 12:30













no problem and thanks, it was indeed a good clue !

– user981733
Jan 29 at 13:40





no problem and thanks, it was indeed a good clue !

– user981733
Jan 29 at 13:40










1 Answer
1






active

oldest

votes


















1














It is indeed possible to achieve such a network setup, and the netplan configuration is correct. The problem actually came from iptable which dropped packets going over the bridge. More details on the issue here



The fix is simply to accept packets on the bridge :



me@newserver:~$ sudo iptables -A FORWARD -p all -i br0 -j ACCEPT


(and make the change permanent with :



me@newserver:~# iptables-save > /etc/iptables/rules.v4


)






share|improve this answer
























  • fwiw, this looks typically like bridge-netfilter activated: rules meant for layer 3 (ip/routing) having an effect on layer 2 (ethernet/switching).

    – A.B
    Jan 29 at 18:52














Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1398813%2fconfigure-a-bridge-connection-as-a-hub-with-netplan%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














It is indeed possible to achieve such a network setup, and the netplan configuration is correct. The problem actually came from iptable which dropped packets going over the bridge. More details on the issue here



The fix is simply to accept packets on the bridge :



me@newserver:~$ sudo iptables -A FORWARD -p all -i br0 -j ACCEPT


(and make the change permanent with :



me@newserver:~# iptables-save > /etc/iptables/rules.v4


)






share|improve this answer
























  • fwiw, this looks typically like bridge-netfilter activated: rules meant for layer 3 (ip/routing) having an effect on layer 2 (ethernet/switching).

    – A.B
    Jan 29 at 18:52


















1














It is indeed possible to achieve such a network setup, and the netplan configuration is correct. The problem actually came from iptable which dropped packets going over the bridge. More details on the issue here



The fix is simply to accept packets on the bridge :



me@newserver:~$ sudo iptables -A FORWARD -p all -i br0 -j ACCEPT


(and make the change permanent with :



me@newserver:~# iptables-save > /etc/iptables/rules.v4


)






share|improve this answer
























  • fwiw, this looks typically like bridge-netfilter activated: rules meant for layer 3 (ip/routing) having an effect on layer 2 (ethernet/switching).

    – A.B
    Jan 29 at 18:52
















1












1








1







It is indeed possible to achieve such a network setup, and the netplan configuration is correct. The problem actually came from iptable which dropped packets going over the bridge. More details on the issue here



The fix is simply to accept packets on the bridge :



me@newserver:~$ sudo iptables -A FORWARD -p all -i br0 -j ACCEPT


(and make the change permanent with :



me@newserver:~# iptables-save > /etc/iptables/rules.v4


)






share|improve this answer













It is indeed possible to achieve such a network setup, and the netplan configuration is correct. The problem actually came from iptable which dropped packets going over the bridge. More details on the issue here



The fix is simply to accept packets on the bridge :



me@newserver:~$ sudo iptables -A FORWARD -p all -i br0 -j ACCEPT


(and make the change permanent with :



me@newserver:~# iptables-save > /etc/iptables/rules.v4


)







share|improve this answer












share|improve this answer



share|improve this answer










answered Jan 29 at 13:39









user981733user981733

1113




1113













  • fwiw, this looks typically like bridge-netfilter activated: rules meant for layer 3 (ip/routing) having an effect on layer 2 (ethernet/switching).

    – A.B
    Jan 29 at 18:52





















  • fwiw, this looks typically like bridge-netfilter activated: rules meant for layer 3 (ip/routing) having an effect on layer 2 (ethernet/switching).

    – A.B
    Jan 29 at 18:52



















fwiw, this looks typically like bridge-netfilter activated: rules meant for layer 3 (ip/routing) having an effect on layer 2 (ethernet/switching).

– A.B
Jan 29 at 18:52







fwiw, this looks typically like bridge-netfilter activated: rules meant for layer 3 (ip/routing) having an effect on layer 2 (ethernet/switching).

– A.B
Jan 29 at 18:52




















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1398813%2fconfigure-a-bridge-connection-as-a-hub-with-netplan%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

If I really need a card on my start hand, how many mulligans make sense? [duplicate]

Image
5 This question already has an answer here: How do you calculate the likelihood of drawing certain cards in your opening hand? 3 answers There is a funny modern deck where you play Treasure Hunt, but you really need to have it on the starting hand. How many mulligans should I take, if my deck contains 60 cards and contains 4 copies of Treasure Hunt? magic-the-gathering probability share | improve this question asked Nov 23 '18 at 12:12 dan dan 152 4
Read more

Alcedinidae

Image
Alcedinidae Martin-pêcheur à dos bleu ( Alcedo azurea ) Classification (COI) Règne Animalia Embranchement Chordata Sous-embr. Vertebrata Classe Aves Ordre Coraciiformes Famille Alcedinidae Rafinesque, 1815 Les Alcédinidés ou Alcedinidae forment une famille d'oiseaux plus connus sous les noms de martins-pêcheurs et martins-chasseurs. Sommaire 1 Description 2 Répartition et habitat 3 Systématique 3.1 Liste alphabétique des genres 3.2 Liste des espèces 4 Chez les Anciens : l'alcyon 4.1 Étymologie (Littré) 4.2 Oiseau « fabuleux » ? 5 Notes 6 Articles connexes 7 Liens externes 7.1 Bibliographie Description | Ce sont des oiseaux compacts de taille petite à moyenne (10 à 46 cm), au bec droit et long, en forme de poignard. Leurs pattes sont courtes, et ils portent un plumage aux couleurs vives. Répartition et habitat | Cosmopolites, ils fréquentent surtout
Read more

Can an atomic nucleus contain both particles and antiparticles? [duplicate]

Image
9 $begingroup$ This question already has an answer here: What happens if we put together a proton and an antineutron? 2 answers Is it theoretically possible to make a "deuterium" atom containing a proton and an antineutron in its nucleus? Would the strong nuclear force cause attraction between a proton and an antineutron? Would such a nucleus be stable, or would the proton somehow annihilate the antineutron when close enough? nuclear-physics antimatter share | cite | improve this question asked yesterday
Read more