ebtables mysteries, no ebtables traversed for LAN traffic?

Jochem

Occasional Visitor
Using a wifi guest network without intranet/LAN access. But it would be nice if the guest network users could use a wired printer etc. So, after working hard I found a cure. Just add the following rules to ebtables to enable ARP requests & replies to/from your printer (use your local printer IP address instead of 10.0.0.2 please):
  • ebtables -t filter -A FORWARD -p ARP --arp-opcode 1 --arp-ip-dst 10.0.0.2
  • ebtables -t filter -A FORWARD -p ARP --arp-opcode 2 --arp-ip-src 10.0.0.2
Now the funny thing: I was expecting to need a rule for the IP traffic as well. But this is not needed. I could not find the ebtables/chains which are traversed by this IP traffic (made log files for all tables/chains).

So, it seems that guest network IP traffic is not traversing any ebtable. But this is nonsense, is it not? In fact, no local 10.0.0.0/24 traffic is logged using rules like this for all tables/chains:

  • ebtables -t filter -A INPUT -p IPv4 --ip-src 10.0.0.2 -j CONTINUE --log-prefix "filter input"
Clearly, I must be doing something wrong. How can I catch the IP traffic? I can access my printer, so I know the traffic is present somewhere.

[disable CTF doesn't help]
[fresh latest Merlin install on N66, factory reset]
 
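As an added illustration (not code from the thread), a small Python script that decodes constructed ARP and IPv4 frames and applies the match logic of the two ARP rules quoted above, so one can see exactly which frames those rules touch and why a `-p ARP` rule never sees the IPv4 traffic to the printer. The MAC addresses and the 10.0.0.x hosts other than the printer are made-up sample values.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
ETH_P_IPV4 = 0x0800
PRINTER_IP = "10.0.0.2"  # address from the post; substitute your own printer


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for ARP, the fields ebtables can match on."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == ETH_P_ARP and len(frame) >= 42:
        # ARP body: htype, ptype, hlen, plen, opcode, sha(6), spa(4), tha(6), tpa(4)
        info["arp_opcode"] = struct.unpack("!H", frame[20:22])[0]
        info["arp_ip_src"] = str(ipaddress.IPv4Address(frame[28:32]))  # --arp-ip-src
        info["arp_ip_dst"] = str(ipaddress.IPv4Address(frame[38:42]))  # --arp-ip-dst
    return info


def matches_printer_arp_rules(frame: bytes, printer_ip: str = PRINTER_IP) -> bool:
    """True if one of the two rules from the post would match this frame:
    -p ARP --arp-opcode 1 --arp-ip-dst <printer>   (request asking who has the printer)
    -p ARP --arp-opcode 2 --arp-ip-src <printer>   (reply sent by the printer)
    """
    info = parse_frame(frame)
    if info["ethertype"] != ETH_P_ARP:
        return False  # -p ARP never matches IPv4 frames, whatever their addresses
    if info.get("arp_opcode") == 1 and info.get("arp_ip_dst") == printer_ip:
        return True
    return info.get("arp_opcode") == 2 and info.get("arp_ip_src") == printer_ip


def build_arp(opcode: int, sender_mac: bytes, sender_ip: str,
              target_mac: bytes, target_ip: str) -> bytes:
    """Build a constructed ARP frame (sample data, not captured traffic)."""
    eth_dst = b"\xff" * 6 if opcode == 1 else target_mac  # requests are broadcast
    eth = eth_dst + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IPV4, 6, 4, opcode)
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += target_mac + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def build_ipv4_stub(src_mac: bytes, dst_mac: bytes) -> bytes:
    """Ethernet header of an IPv4 frame with a dummy payload (constructed sample)."""
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IPV4) + b"\x45" + b"\x00" * 19
```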
[...] How can I catch the IP traffic? I can access my printer, so I know the traffic is present somewhere.

I'm not quite sure what exactly you're asking, since the headline suggests that you're looking for "LAN traffic" (which sounds a bit like you're potentially also interested in the traffic between the LAN ports) but then, you're saying that you're interested in the IP traffic of the guest WLAN network (which more matches your use case).

The differentiation is important on technical detail level because the traffic between the LAN ports is definitely handled in a hardware accelerated way (unless you switch it off) and usually there's no software bridge configured between LAN ports (although one can create bridged groups there I think) so ebtables will never get involved by definition there (it's a switch, not a bridge). Opposed to that, a software bridge is active between LAN and any WLAN by default, so ebtables always come into play there. I'm not 100 % sure about HW accel in this case -- I wouldn't exclude the possibility regarding one important aspect of it; see below.

Now regarding the hardware acceleration: My impression is that in general it may be applied even where there's a bridge, but only after a connection has been established; e.g. the first packet of a TCP connection will undergo bridging and / or routing decisions and the following packets may not. At least that's what I seem to have observed. (I'm very interested in any insight you may have because I'm not yet finished with a fully flavoured guest WLAN isolation approach.)

Having said that, it helps to visualise how ebtables work. If you take a look at the following image which originates from http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html:

[image: bridge2a.png]

Obviously, there's something going on in <Processing> which may result in |Bridging| not being applied.

Let's look at the details:

[image: bridge2b.png]

Even worse, the FORWARD chain which you use does not always come into play. You may want to read the linked article to understand which rules belong where.

Conclusion: The first packet of a TCP connection may have to undergo <Routing> (aka iptables) and the following packets may even bypass the ebtables / iptables decisions due to HW accel.

No offense but all ebtables related posts which I found here so far were either not helpful for my case (guest network isolation) or BS (meaning not exactly wrong, but at the same time not right or lacking in-depth insights -- more located at the "it somehow works" level) so my personal advice would be to stick more to manuals, reference examples etc while keeping ASUS specialties (HW accel) on one's mind. Of course, that all depends on how professional your setup needs to be.

And please share your insights and results. I believe you'll get a lot of attention and this powerful topic does not seem to be understood very well so far.