Bridge redirect vlan

Hi,

I'm having trouble with this infrastructure and hope someone can help me.

I'm being given two VLANs on one cable: 8 and 9.
vlan 8 : 192.168.32.0/24 - gateway .254
vlan 9 : 172.16.0.0/16 - gateway .254

I need to meet two requirements :

  • The clients need to be connected on vlan 9.
  • Packets from the above clients that are destined to port 500 need to be redirected to vlan 8. Those packets also need to be sent out on vlan 8 with the same source IP (192.168.32.1)

So far, I have an openwrt device in between the cable and my clients.
I have a brctl bridge set up with two virtual interfaces, eth0.50 and eth0.9.

I have the clients connected on eth0.50 so they are on vlan 9 through the bridge. It was necessary to add this interface in order to apply iptables rules since I have an OpenWrt router with only one physical interface.

At this point I have the following rules:
ebtables -I FORWARD -j ACCEPT
iptables -I FORWARD -j ACCEPT
All other chains are also set to ACCEPT
net.bridge.bridge-nf-call-iptables = 1
ip addr add 192.168.32.1/24 dev br-users
ip route add 192.168.32.0/24 dev br-users
ip addr add 172.16.0.1/16 dev br-users
ip route add 172.16.0.0/16 dev br-users

Now I'm not sure how to redirect the port 500 dest packets to vlan 8.

I tried two different setups:

The first one:
I added eth0.8 on the same bridge and applied snat
iptables -t nat -I POSTROUTING -p tcp --dport 500 -s 172.16.0.0/16 -j MASQUERADE
iptables -t nat -I POSTROUTING -p icmp -s 172.16.0.0/16 -j MASQUERADE (for testing purpose)

It is actually working to some extent (FORWARD chain LOG):
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.8 SRC=172.16.0.45 DST=192.168.32.200
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.8 SRC=172.16.0.45 DST=192.168.32.200
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.9 SRC=172.16.0.45 DST=192.168.32.200
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.8 SRC=172.16.0.45 DST=192.168.32.200
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.9 SRC=172.16.0.45 DST=192.168.32.200

From 192.168.32.254 icmp_seq=167 Destination Port Unreachable
64 bytes from 192.168.32.200: icmp_seq=168 ttl=64 time=46.6 ms
64 bytes from 192.168.32.200: icmp_seq=169 ttl=64 time=71.5 ms
From 192.168.32.254 icmp_seq=170 Destination Port Unreachable
From 192.168.32.254 icmp_seq=171 Destination Port Unreachable
64 bytes from 192.168.32.200: icmp_seq=172 ttl=64 time=46.5 ms
64 bytes from 192.168.32.200: icmp_seq=173 ttl=64 time=46.6 ms
From 192.168.32.254 icmp_seq=174 Destination Port Unreachable
From 192.168.32.254 icmp_seq=175 Destination Port Unreachable

As you can see, it juggles between eth0.8 and eth0.9. How can I constantly send those packets to eth0.8?

The second one did not get me too far:
I simply have eth0.8 on another separate bridge but I did not find the solution to redirect those packets to this new bridge.

I appreciate any help.

Edit 1: I can't ping 192.168.32.1 from vlan 50. I don't understand why.
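To quantify the "juggling" seen in the FORWARD-chain LOG output above, here is a small added parser (not code from the thread or from OpenWrt) that reads netfilter LOG lines, groups them per SRC/DST flow and reports any flow that left the bridge through more than one PHYSOUT port. The sample lines are the ones quoted in the post, embedded as constructed input; on a router you would feed it the output of logread instead.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the FORWARD-chain LOG lines quoted in the post.
SAMPLE_LOG = """\
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.8 SRC=172.16.0.45 DST=192.168.32.200
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.8 SRC=172.16.0.45 DST=192.168.32.200
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.9 SRC=172.16.0.45 DST=192.168.32.200
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.8 SRC=172.16.0.45 DST=192.168.32.200
IN=br-users OUT=br-users PHYSIN=eth0.50 PHYSOUT=eth0.9 SRC=172.16.0.45 DST=192.168.32.200
"""

# netfilter LOG lines are a flat sequence of KEY=VALUE tokens.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_nf_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict."""
    return dict(KV_RE.findall(line))


def egress_ports_per_flow(log_text):
    """Count, for each SRC->DST flow, which bridge port (PHYSOUT) it left on."""
    flows = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_nf_log_line(line)
        if "SRC" not in fields or "DST" not in fields:
            continue  # not a packet record (e.g. a log prefix line)
        # Locally delivered packets carry no PHYSOUT; label them explicitly.
        flows[(fields["SRC"], fields["DST"])][fields.get("PHYSOUT", "local")] += 1
    return flows


def flapping_flows(log_text):
    """Flows forwarded out of more than one bridge port: the 'juggling' symptom."""
    return {
        flow: dict(ports)
        for flow, ports in egress_ports_per_flow(log_text).items()
        if len(ports) > 1
    }


if __name__ == "__main__":
    for (src, dst), ports in flapping_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst} egressed via several ports: {ports}")
```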

Try to avoid bridging when possible, especially when you need to apply different firewall policies; it makes firewall configuration much easier to manage.
You should use only custom chains for your rules, otherwise it may result in a conflict with dynamic firewall configuration.
Also, do not manage addresses and routes manually as there is netifd to do the job.


It would be indeed much easier to manage it without bridging. Unfortunately, in this case, I don't know how it would be achievable without using a bridge. This is a very restricted environment and client devices on vlan 9 are already configured with static IPs.

As for the IPs and routes, they are not added manually; I put it this way so you can better understand the state of the openwrt router.

Did you consider this option?
You should be able to create a bunch of zones for different IPs/subnets on the same interface.
