Question of understanding: Bridges

[haemse]

Hi,

I've got a question: I understand bridges as software links of at least two interfaces belonging to different ethernet networks. Therefore a bridge connects two networks on OSI layer 2, enabling communication by intelligent packet distribution. Please correct me, if my understanding is wrong.

However, do the bridged networks have to have different IP subnets? Or since bridges are on layer 2, may the networks all be eg. in 192.168.1.1 range with DCHP Server in one network?

I really want to understand this.

Thank you,

Jacob

 

[System Error Message]

bridges can have the same IP subnet. You assign the IP to the bridge not the ethernet ports. What a normal consumer wifi router does is bridge wifi to ethernet.

 

[haemse]

Thanks System Error Message!

So lets say we have two interfaces that are bridged. Network is 192.168.1.x. One interface is ethernet network, where the DCHP Server is aktive. What IP adress would be assigned to the bridge?

Since a bridge is OSI2, why do I assign an IP to the bridge. Is the bridge itself a new device with a seperate IP?

Sorry, but this confuses me a little ...

PS: Maybe you can illustrate this with an example?

 

[System Error Message]

the bridge can have any IP address. The only reason to have an IP on a bridge is for managing it.
The bridge is an interface, not a new device just like any wifi or ethernet or sfp interface on a router. Switches for example do not require an IP to function and its the same with bridge. A bridge connects multiple physical networks but in the hardware wiring the ports are connected to a single line (such as a CPU bus) whereas in a switch each port has its own line connected to a central switching circuit.

 

[haemse]

The only reason to have an IP on a bridge is for managing it.

You mean for something like a web gui for managment or SSH ... ?

So is something like the attached network diagram possible?

 

[System Error Message]

the network diagram is correct but the bridge can also replace the switches if it has enough ports and CPU power for the throughput for becoming a central switch. it basically serves the same function as a switch but with more features and throughput limitations by the hardware.

I have a mikrotik CCR1036 acting as both router and bridge as it has no switch chips. It also bridges the VPN server it hosts to LAN. It has wirespeed throughput for both NAT and L2 and it is acting as my central switch.

 

[haemse]

the bridge can also replace the switches

Sure, basically I made it as an example. In real life I need to understand it for my router running dd-wrt - for bridges between virtual wlan adapters and ethernet for iptables/firewall.

What I also find interesting is that you can setup firewall rules and iptables for bridges, since they are osi2 ... however I now understand it as software links at osi2 with "additional" package analizing/routing etc. and firewall capabilities. Hope that understanding is right.

Thanks for sharing your knowledge.

 

[System Error Message]

Sure, basically I made it as an example. In real life I need to understand it for my router running dd-wrt - for bridges between virtual wlan adapters and ethernet for iptables/firewall.

What I also find interesting is that you can setup firewall rules and iptables for bridges, since they are osi2 ... however I now understand it as software links at osi2 with "additional" package analizing/routing etc. and firewall capabilities. Hope that understanding is right.

Thanks for sharing your knowledge.

It is correct in that you can apply more features and that it is software based most of the time as long as it follows the layer 2 protocols so while you can apply QoS on it you can only use priorities but rate limitting would need to be done via the firewall rule whereas on layer 3 and above the QoS is able to work with priorities, rate limitting, ensured bandwidth, change in algorithms and so on.

 

[haemse]

Dear System Error Message,

one more question. Will I be able to set up iptable rules for that bridge (diagram) without NAT enabled for that bridge (since both networks are on the same subnet 192.168.1.x) ???

 

[System Error Message]

No because bridges use MAC addresses. iptables is layer 3. If you use layer 3 routing than you will be able to.

 

[haemse]

So without NAT no iptables/firewall?
Or is there another way to keep the restricted/firewalled network in the same subnet (192.168.1.x)?

 

[System Error Message]

So without NAT no iptables/firewall?
Or is there another way to keep the restricted/firewalled network in the same subnet (192.168.1.x)?

THeres iptables without NAT but using layer 3 routing.
You can use the firewall with bridge but that depends on the router.

 

[coxhaus]

Bridges are not an efficient use for networking. Sometimes you need to use for different media types. It is much better to increase the scope of the network.

 

[haemse]

So for iptable filters between two bridged networks (but no NAT) I would have to configure routing between those bridges? Does anyone know how to do that with dd-wrt (routing between two bridges - but no NAT)?

 

[AdvHomeServer]

So for iptable filters between two bridged networks (but no NAT) I would have to configure routing between those bridges? Does anyone know how to do that with dd-wrt (routing between two bridges - but no NAT)?

Think of a bridge as a dumb switch connected by a wireless tether, instead of a cat6 wire. It's just a wireless device with many of the characteristics of any other wireless device attached to your network. Instead of functioning as a smart device, it's a dumb switch. Devices attached to it configure to the network like any other devices that connect with a switch. DHCP handles the client addressing, just like it would with any switch. Other than the wireless hoo doo, there's nothing special or mystical about a wireless bridge.

In my former network, I used a wireless bridge to get the internet from one place in the house to a media area. The tether was on 5GHz. There is no routing to configure. The bridge works or it doesn't, just like any other wireless device connects or it doesn't.

You don't need iptables or routing or anything else. You just need to configure the 2nd router according to the conversion specs ... assuming it can be configured as a wireless bridge. Not all routers can. You can buy a wireless bridge. Think of it as a switch that connects to the main network wirelessly, because that's all it is regardless of if it's a dedicated wireless bridge or a router conversion.

Everything resides on the same subnet. A dedicated bridge is probably assigned an ip address via DHCP. A conversion is given one by you on the same subnet as everything else on the network. The conversion instructions will tell you how to do it. The main router needs no configuration of any kind. It just sits there and treats the bridge like any other attached device. It doesn't know or care that one or more bridges are attached. The main router just sees it as another attached switch.

 

[coxhaus]

There is no routing in bridging. It is just passing data from one media type to another, in this case wireless to Ethernet.