(SOLVED) How do I install ebtables or kmod-ebtable on LEDE 17.01.4


Preconditions: Netgear R6100, flashed by *.img file through Web interface, successfully.
Firmware version: LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685)

Objective: create portable transparent packet-modifying L3-Switch of all physical interfaces (1 per Eth0, 4 per Eth1, 2 per WiFi).
ShortWhy: portability, ability to share/inject at existing network, zero-conf.

Physical Testing Environment:

  • Having existing Main Router connected through eth0 of Netgear.
  • Having PC connected to eth1 of Netgear.

Diagnostic setup I:

  • eth0 as DHCP client, eth1 as DHCP server with different subnet.
  • packet-modifying WORKS.

Diagnostic setup II (as continuation of setup I):

  • bridge between eth0, eth1, wifi.
  • packet-modifying STOPS WORKING.

iptables are configured accepting any proto any ip, but filtered by destination (lan IPs are ignored).
The only reason I see for them to stop working is that packets stop visiting iptables.
I have some kind of proof: I download 5GB videos in Setup II but none of that is displayed on iptables at mangle/nat/filter at any predefined chain. (In Diagnostic setup I it DOES.)

Going further: as soon as you turn the bridge on, the traffic seems to bypass iptables altogether.
I did a lot of googling and I found that net.bridge.bridge-nf-call-iptables=1 should be set.
But that didn't work, and after googling more I found that this won't work unless you have ebtables installed.
This topic: (SOLVED) Firewall on the same Network
refers to the package as kmod-ebtable.
I tried a lot more while googling, but none of it would install on LEDE 17.01.4.
Message is the same for every package request:

Unknown package '$ebtables$'.
Collected errors:

  • opkg_install_cmd: Cannot install package $ebtables$.

Main question: How do I install ebtables or kmod-ebtable or something else to trigger iptables for packets inside bridge? That one I didn't find an answer for. Like it's already installed in every router but mine.

If there is any way to solve this issue via mangling only one physical interface output - it also fits. It's just vital to me that device should act like L3-Switch not knowing anything about network it is connected with.

If you can't install any package then there seems to be a problem with the opkg configuration or package database. Is the database up-to-date using opkg update? Both kmod-ebtables and ebtables seem to be available for your device anyway, when I checked available packages in http://downloads.openwrt.org/releases/17.01.4/.

You are right. I edited /etc/opkg/customfeeds.conf several times to get what I want. It seems like when I had original config I didn't use the correct package name. But then I changed opkg conf and never would get the desired package.
Original config successfully installs kmod-ebtables. Thanks.

I didn't check if I get any benefit from it yet (like triggering iptables), but the question may be closed. I'm not the first one who configures L3-switch here, so if I find something interesting about config I'll post it here under "Solved".

I do get benefits.
net.bridge.bridge-nf-call-iptables=1 and kmod-ebtables are the minimum config to get it done.

Next step in my journey: avoiding routing decision after mangling :)
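
The check this thread relied on (counters that stay flat while traffic crosses the bridge), written out as an added example that is not from any poster. The function names, the optional ROOT argument and the table/chain chosen in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the ROOT argument
# are hypothetical; ROOT only exists so the check can be pointed at a copy.

# bridge_nf_state [ROOT] -> missing | bypass | filtered
# Reads the sysctl named in the thread through /proc. "missing" means the
# kernel exposes no bridge-netfilter knob, so there is nothing to set yet.
bridge_nf_state() {
    f="${1:-}/proc/sys/net/bridge/bridge-nf-call-iptables"
    [ -r "$f" ] || { echo missing; return 0; }
    if [ "$(cat "$f")" = "1" ]; then echo filtered; else echo bypass; fi
}

# chain_hits TABLE CHAIN   (reads `iptables-save -c` output on stdin)
# Sums the policy counter and every rule counter of one chain. A packet that
# matches several rules is counted more than once, so use the number only to
# compare two snapshots: no growth under load means the chain is not visited.
chain_hits() {
    awk -v t="*$1" -v c="$2" '
        function pkts(s,   a) { gsub(/\[|\]/, "", s); split(s, a, ":"); return a[1] + 0 }
        /^\*/ { cur = $1; next }          # "*mangle", "*filter", ...
        cur != t { next }                 # skip other tables
        $1 == (":" c) { n += pkts($3) }   # ":FORWARD ACCEPT [pkts:bytes]"
        $2 == "-A" && $3 == c { n += pkts($1) }   # "[pkts:bytes] -A FORWARD ..."
        END { print n + 0 }'
}

# visited BEFORE AFTER -> exit status 0 when the counter sum grew
visited() { [ "$2" -gt "$1" ]; }

# On the router, while a transfer runs across the bridge:
#   bridge_nf_state
#   a=$(iptables-save -c | chain_hits mangle FORWARD); sleep 30
#   b=$(iptables-save -c | chain_hits mangle FORWARD)
#   visited "$a" "$b" && echo "bridged traffic reaches mangle/FORWARD"
```

A result of `filtered` together with counters that grow confirms that firewall rules apply to bridged frames; `bypass` or `missing` means traffic between bridge ports is not inspected by iptables at all.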