How to make a switch in Linux

1

0

I have this clearfog pro router board with an armbian image. What I want to do is to have 6 Raspberry Pis connected to the internet via the clearfog pro. In the end I want all 7 computers to have an IP address so I can ssh into every one of them. After reading on the internet I saw that I needed to set up a network bridge to make this happen.

I firstly tried these configurations here. But they didn't work for me.

this is the current configuration in my /etc/network/interfaces file

    auto lo br0 eth1 lan1
    iface lo inet loopback

    iface br0 inet dhcp
      bridge_ports eth0 lan1

this is the output from ip link

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
        link/ether fe:cc:39:e2:0e:81 brd ff:ff:ff:ff:ff:ff
    3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP mode DEFAULT group default qlen 532
        link/ether 00:50:43:25:fb:84 brd ff:ff:ff:ff:ff:ff
    4: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 532
        link/ether 00:50:43:84:25:2f brd ff:ff:ff:ff:ff:ff
    5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 532
        link/ether 00:50:43:0d:19:18 brd ff:ff:ff:ff:ff:ff
    6: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
        link/ipip 0.0.0.0 brd 0.0.0.0
    7: lan1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000
        link/ether 00:50:43:84:25:2f brd ff:ff:ff:ff:ff:ff
    13: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
        link/ether 00:50:43:25:fb:84 brd ff:ff:ff:ff:ff:ff

and ip route

    192.168.178.0/24 dev br0  proto kernel  scope link  src 192.168.178.44 

so I tried to ssh into 192.168.178.44 thinking it would lead me to the computer on lan1 but it didn't. I connected to the clearfog again.

I also tried to bridge eth1 and eth0 but it returned can't add eth1 to bridge br0: Invalid argument

so my question is: what is the correct bridge setup?

EDIT: as requested my brctl show

    bridge name     bridge id               STP enabled     interfaces
    br0             8000.00504325fb84       no              eth0
                                                            lan1

ifconfig

    br0       Link encap:Ethernet  HWaddr 00:50:43:25:fb:84
              inet addr:192.168.178.44  Bcast:192.168.178.255  Mask:255.255.255.0
              inet6 addr: fe80::250:43ff:fe25:fb84/64 Scope:Link
              inet6 addr: 2001:984:6433:1:250:43ff:fe25:fb84/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:572 errors:0 dropped:0 overruns:0 frame:0
              TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:147582 (144.1 KiB)  TX bytes:11762 (11.4 KiB)

    eth0      Link encap:Ethernet  HWaddr 00:50:43:25:fb:84
              inet addr:192.168.178.44  Bcast:192.168.178.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1225 errors:0 dropped:0 overruns:0 frame:0
              TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:532
              RX bytes:318910 (311.4 KiB)  TX bytes:15514 (15.1 KiB)
              Interrupt:38

    eth1      Link encap:Ethernet  HWaddr 00:50:43:84:25:2f
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:532
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Interrupt:39

    lan1      Link encap:Ethernet  HWaddr 00:50:43:84:25:2f
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

and ip route show

    default via 192.168.178.1 dev br0
    192.168.178.0/24 dev br0  proto kernel  scope link  src 192.168.178.44
    192.168.178.0/24 dev eth0  proto kernel  scope link  src 192.168.178.44

Maarten de Klerk

Posted 2016-09-03T22:20:40.940

Reputation: 15

Can you please show me the output of the following commands:

ifconfig, brctl show, ip route show – Gregory Wolf – 2016-09-03T23:01:14.280

You don't want to bridge your wan interface to your lan, that's what routing is for. You want them to be separate. A bridge acts very similar to a hardware switch. – Gregory Wolf – 2016-09-03T23:03:11.130

@GregoryWolf Then how should I achieve my goal? Also sorry if I sometimes use the incorrect terms. I am a beginner in networking – Maarten de Klerk – 2016-09-04T09:33:45.600

Answers

1

Just so that I understand correctly, you have 6 RPi's connected to a switch that is also connected to the clearfog. You simply want the RPi's to be able to communicate with each other as well as access the internet through the clearfog. I'll refer to clearfog as CF from now on.

Now let's take a look at your ip links:

    1: lo <- loopback
    2: bond0 <- special interface for traffic aggregation/bonding
    3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> <- Assuming this is your uplink
    4: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> <- Assuming this is physically connected to your switch
    5: eth2: <BROADCAST,MULTICAST>  <- Assuming this is inactive
    6: tunl0@NONE: <NOARP> <- Tunnel interface for vpn
    7: lan1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> <- Lan1 isn't physical, it's a VLAN interface.
    13: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> <- bridge interface you created

What isn't clear to me is if your router will receive a public IP address on the WAN side or if it will remain behind another gateway. In the case that it is behind another gateway, you need to have your RPi's on a separate subnet and instruct CF to route the traffic for you.

So for example:

    *internets*
       ^
    |modem| -> |gateway| -> |    switch    |
                            ^    ^    ^    ^
       192.168.178.0/25     PC1  PC2  PC3  CF           Primary Network
                                           ^
                                      |   switch    |
                                      ^  ^  ^  ^  ^  ^
       192.168.178.128/25             Pi Pi Pi Pi Pi Pi    Pi Network

I've assigned your primary network the subnet 192.168.178.0/25 which will have a usable range .1-.126 ; I have assigned the subnet 192.168.178.128/25 to your Pi network, which will have a usable range .129-.254

I think what you were attempting to do before was bridge the two adapters together. When you have multiple hosts behind two adapters that also have mac addresses then you need to do routing, not bridging.

After all, this is a router isn't it? The question was "how to make a switch", but aren't you using this device to control traffic between the two networks? Otherwise, you could remove CF and throw in a dumb switch, no embedded linux required.

To remove br0:

    brctl show | awk '{if(NR>1)print}' | awk '{print $NF}' | while read line ; do brctl delif br0 $line ; done
    ifconfig br0 down
    brctl delbr br0

Next, let's prep the router to do router things.

Edit /etc/network/interfaces

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
           address 192.168.178.126
           network 192.168.178.0
           netmask 255.255.255.128
           gateway 192.168.178.1
           broadcast 192.168.178.127

    auto eth1
    iface eth1 inet static
           address 192.168.178.129
           network 192.168.178.128
           netmask 255.255.255.128
           broadcast 192.168.178.255

Then edit /etc/sysctl.conf and enable forwarding. You really only need the first line, but this is what I generally use for routers:

    # Enable IPv4 forwarding between interfaces
    net.ipv4.conf.all.forwarding=1
    net.ipv4.conf.default.accept_source_route = 1
    net.ipv4.tcp_synack_retries = 2
    net.ipv4.conf.all.send_redirects = 1
    net.ipv4.conf.default.send_redirects = 1
    net.ipv4.conf.all.accept_source_route = 1
    net.ipv4.conf.all.accept_redirects = 1
    net.ipv4.conf.all.secure_redirects = 1

Then run: sysctl -p

Now we're going to add the routes. I am going to suggest performing an ip route flush all, however you'll want to be at the console when you do this because it will immediately disconnect you from ssh.

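    ip route flush all
    ip rule flush
    # "ip rule flush" also deletes the main/default table lookups; restore them
    ip rule add from all lookup main pref 32766
    ip rule add from all lookup default pref 32767
    # Connected routes first: a gateway can only be used once its subnet is reachable
    ip route add 192.168.178.0/25 dev eth0 src 192.168.178.126
    ip route add 192.168.178.128/25 dev eth1 src 192.168.178.129
    ip route add default via 192.168.178.1 dev eth0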

Now you want to go to your Primary network router and add a static route: 192.168.178.128/25 via 192.168.178.129. This tells your main gateway/router that when a host on the internal network wants to connect to your RPi network, to forward the requests to CF (acting as the gateway) to be routed further.

Back to CF, the last thing I would do is add forwarding rules in iptables:

    # Allow rpi's to connect to the outside world but not initiate new connections to hosts on your primary network
    iptables -I FORWARD -i eth1 -o eth0 -s 192.168.178.128/25 ! -d 192.168.178.0/25  -m conntrack --ctstate NEW -j ACCEPT
    # Allow forwarding for established connections
    iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Allow hosts on your primary network to initiate new connections to pi's
    iptables -I FORWARD -i eth0 -o eth1 -s 192.168.178.0/25 -d 192.168.178.128/25  -m conntrack --ctstate NEW -j ACCEPT

You'll want to save these rules with iptables-save > /etc/iptables/rules.v4

Now you will either need a dhcp server on CF to assign IP's to the Pi's or you will need to assign them static addresses. In either case, you'll want to set their default gateway to CF's IP 192.168.178.129

That should be all you need. If you have any trouble, feel free to comment and I'll assist you as best I can.

Gregory Wolf

Posted 2016-09-03T22:20:40.940

Reputation: 326
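All three FORWARD rules in the answer above are ACCEPT rules, so a packet that matches none of them is decided by the chain policy, which the answer does not set. Added example (not the answerer's code): a first-match model of those three rules evaluated under both policies; the packet addresses and all function names are constructed for illustration.

```python
import ipaddress

PRIMARY = ipaddress.ip_network("192.168.178.0/25")
PI_NET = ipaddress.ip_network("192.168.178.128/25")

# The answer's three ACCEPT rules as match criteria (None = not specified).
# Their order does not matter here because every rule has the same target.
RULES = [
    dict(i="eth1", o="eth0", src=PI_NET, dst=None, not_dst=PRIMARY, states={"NEW"}),
    dict(i=None, o=None, src=None, dst=None, not_dst=None, states={"RELATED", "ESTABLISHED"}),
    dict(i="eth0", o="eth1", src=PRIMARY, dst=PI_NET, not_dst=None, states={"NEW"}),
]

def rule_matches(rule, pkt):
    """True if a forwarded packet satisfies every criterion the rule specifies."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return ((rule["i"] is None or rule["i"] == pkt["i"])
            and (rule["o"] is None or rule["o"] == pkt["o"])
            and (rule["src"] is None or src in rule["src"])
            and (rule["dst"] is None or dst in rule["dst"])
            and (rule["not_dst"] is None or dst not in rule["not_dst"])
            and pkt["state"] in rule["states"])

def forward_verdict(pkt, policy):
    """First matching rule accepts; an unmatched packet gets the chain policy."""
    for rule in RULES:
        if rule_matches(rule, pkt):
            return "ACCEPT"
    return policy

# Constructed packets using addresses from the answer's two subnets.
PACKETS = {
    "pi_to_internet": dict(i="eth1", o="eth0", src="192.168.178.130", dst="203.0.113.10", state="NEW"),
    "pi_to_primary": dict(i="eth1", o="eth0", src="192.168.178.130", dst="192.168.178.20", state="NEW"),
    "primary_to_pi": dict(i="eth0", o="eth1", src="192.168.178.20", dst="192.168.178.130", state="NEW"),
    "pi_reply": dict(i="eth1", o="eth0", src="192.168.178.130", dst="192.168.178.20", state="ESTABLISHED"),
}

def verdicts(policy):
    """Verdict for every sample packet under the given FORWARD policy."""
    return {name: forward_verdict(pkt, policy) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(policy, verdicts(policy))
```

Only `pi_to_primary` changes between the two runs: the Pi-to-primary restriction takes effect when the chain policy is DROP (`iptables -P FORWARD DROP`) or a final DROP/REJECT rule follows the three ACCEPT rules.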

You say that the gateway for the static route on my main router should be 192.168.178.129. But the main router is not part of that subnet right? shouldn't it be 192.168.178.126? – Maarten de Klerk – 2016-09-06T11:41:21.160
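The comment above asks which of CF's addresses the main router can use as a next hop. Added example (not from the answer): it parses the answer's two static stanzas, checks each for internal consistency, and lists which CF address lies inside the main router's own subnet; the function names and the main router's prefix length are assumptions.

```python
import ipaddress

# CF's two static stanzas, copied from the answer.
INTERFACES = """\
auto eth0
iface eth0 inet static
    address 192.168.178.126
    network 192.168.178.0
    netmask 255.255.255.128
    gateway 192.168.178.1
    broadcast 192.168.178.127
auto eth1
iface eth1 inet static
    address 192.168.178.129
    network 192.168.178.128
    netmask 255.255.255.128
    broadcast 192.168.178.255
"""

def parse_stanzas(text):
    """Return {ifname: {option: value}} for each iface stanza."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "iface":
            current = stanzas.setdefault(words[1], {})
        elif words[0] == "auto" or words[0].startswith("allow-"):
            current = None  # these lines end the previous stanza
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas

def check_stanza(opts):
    """Name the options that disagree with the stanza's address/netmask."""
    net = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}").network
    problems = []
    if "network" in opts and ipaddress.ip_address(opts["network"]) != net.network_address:
        problems.append("network")
    if "broadcast" in opts and ipaddress.ip_address(opts["broadcast"]) != net.broadcast_address:
        problems.append("broadcast")
    if "gateway" in opts and ipaddress.ip_address(opts["gateway"]) not in net:
        problems.append("gateway")
    return problems

def on_link_next_hops(router_ip, prefix_len, candidates):
    """Candidate next hops that lie inside the router's own LAN subnet."""
    lan = ipaddress.ip_interface(f"{router_ip}/{prefix_len}").network
    return [c for c in candidates if ipaddress.ip_address(c) in lan]

CF_ADDRESSES = [s["address"] for s in parse_stanzas(INTERFACES).values()]
```

With the main router at 192.168.178.1 and the /25 split from the answer, `on_link_next_hops("192.168.178.1", 25, CF_ADDRESSES)` returns only 192.168.178.126, the address CF holds on eth0.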

0

In your network/interfaces file:

    auto lo br0 eth1 lan1
    iface lo inet loopback

    iface br0 inet dhcp
    bridge_ports eth0 lan1

It helps to separate things out some:

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    auto eth1
    iface eth1 inet manual

    auto br0
    # or: iface br0 inet dhcp
    iface br0 inet static
        address <your address>
        netmask  255.255.255.0
        gateway  <your gateway>
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

Hope this helps

archae0pteryx

Posted 2016-09-03T22:20:40.940

Reputation: 136

I tried to add eth1 to the bridge but it returned this error: can't add eth1 to br0: invalid argument – Maarten de Klerk – 2016-09-04T20:00:40.770

@MaartendeKlerk I fixed it. Sorry – archae0pteryx – 2016-09-04T20:14:47.857

I'm pretty sure lan1 is a vlan tag. – Gregory Wolf – 2016-09-04T23:11:42.373