Mac-Passthrough feature

[steven@…]

It would be great to have the mac-passthrough feature. This would enable me to use a Fonera between my Digital TV decoder and my adsl/cablemodem. Now I have to use a powerplug between my Cable modem & Decoder and a switch between my Cable modem and my Fonera

At the moment other brands & firmwares allow allready mac-passthrough to avoid extra hardware & costs... Even the new wireless cablemodems come with this feature now ... only the foneras do not allow this yet.

The Decoders request an ip not on the Fonera Dhcp but the WANside of the router...and get another ip range thus....

[matthijs]

I don't completely understand the setup yet. Initially I thought you meant to make the Fonera use a different MAC address on its WAN side to fool your ISP's DHCP server, but I don't think this is it.

Are you suggesting that some clients (your decoder) are bridged into the WAN network (e.g., takes its DHCP address from your ISP) based on its MAC address?

[steven@…]

Yes, decoders have a unique mac adress which will get another kind of ipadress and are thus in a "digital tv" vlan so to speak. Someone who tries to explain it as well :  https://forum.openwrt.org/viewtopic.php?id=20372

untill recently the only solution would have been "vlan"...eg you could use dd-wrt and choose to put the 1 lan port or one of the 4 lan ports of a fonera into a 2nd WAN port..whatever is branched to this one...is as if it's branched directly to the wan of your fonera and thus get's their own ipadress (10.160.0.0/24 in this case)

but now i'm seeing solutions like "mac passthrough" where you can choose to have certain devices think they are connected to a dump switch and thus get traffic from the wan and such...

I believe one part of the solution is a "dnsmasq" parameter like this: --dhcp-host=00:20:e0:3b:13:*,ignore the next part of the solution would be an iptables rule that would do a 1-1 nat based on mac adres?

This would allow one to use the same cable upto their respective decoder in the house and not need to have a 2nd cable upto the 2nd wan connection or switch next to the cablemodem or adsl modem offering an "iptv" out

[matthijs]

Right, I think I understand what happens. It's slightly funny that the ISP uses two different IP subnets on a single ethernet subnet, but well :-) I don't think I've seen a mac-passthrough feature on any other router so far, but I haven't been buying any new routers recently...

As for implementing this on the Fonera. The easiest way to do this on 2.0n would be to mark one LAN port as a WAN port, and put just that port into "bridge mode". This does need a dedicated cable from the Fonera to the decoder, you can't have a single cable from the Fonera to a switch somewhere and have both your decoder and normal PC's on that switch. To allow that, one could use tagged VLANs, but you'd need a professional switch on the other end for that to work. This VLAN / dedicated port thing also doesn't work over wireless, but I'm not sure if that would work anyway (bandwith-wise).

The solution you propose is to do either bridging or routing based on the MAC address. I'm not exactly sure how to configure this in Linux. Making dnsmasq ignore the mac address is a first step, but there also needs to be some DHCP forwarding for this mac address (normally, DHCP requests from LAN don't reach WAN). As for the iptables part, 1-1 nat isn't gonna work, since the Fonera doesn't have the Decoder IP address configured.

There are some non-trivial routing issues here. If the decoder gets a DHCP lease from the ISP, it will also have a default gateway configured. However, to make sure the Decoder can find its gateway, the Fonera should then do some kind of ARP proxying. The reverse is also true. I'm not convinced a proxy-based solution will work here.

A quick google shows that the Linux vlan tools have some support for mac-based VLANs. However, I'm not entirely sure how it is supposed to work. The  old-style tools mention MAC-VLAN support as early as 2003, but these tools might only use with 2.4 kernels with custom patches (though I'm not completely sure about this). The Fonera doesn't have these tools right now (it has vconfig because busybox implements it, but it doesn't have the mac_vconfig that the old tools ship, or used to ship since the Debian version doesn't have it (anymore)).

The "new" way of configuring vlans seems to be to use the ip command. However, the ip manpage doesn't document this (the ip link add command), so I'm uncertain what the options are. Also, the ip version on the 2.0n doesn't support the command either.

There is a macvlan module in the official kernel source, but a quick glance of the source suggests that it only supports destination-mac-based vlans (e.g., to have multiple virtual interfaces on a single physical interface, each with a different MAC address). Also, according to  this page, the macvlan module was not addded until 2.6.23 (while the 2.0n runs 2.6.21).

I had hoped that this was easy to configure, but this stuff is so undocumented that I'm unsure if it's even possible at all...

[steven@…]

Most tutorials I can find about using "vlan" to allow one of the 4 lan ports of eg a fonera 2.0n bridge to the wan part...(eg turn that 1 port into a switch...in thesame vlan as the wan)... is done in dd-wrt... which still uses "nvram" ... I have also not yet seen this for a "fonera"

I haven't tried yet the "bridging" that currently exists because then the entire "dhcp" is turned off... the ISP's ask 5 euro/month per pc extra just to provide an ip or go to the more expensive subscriptions of 40-50euro/month for 2-4 pc's

the "mac passthrough" is a very recent solution offered by this same isp... so they don't have to give a switch/powerplugs anymore... they even offer 4 ports on their cablemodem now...and not like with vdsl 2 lan/2iptv... it's a very nice solution ...people can extend with switches... but at thesame time people can't turn off dhcp anymore... or switch to "bridged" mode... they will have to learn to cope with double nat...double routers... and a 1,2,4 or 20 dhcpclient licenses depending if you pay 20/40/70-99euro a month :(

[steven.leeman@…]

I believe this is the RFC :  http://www.faqs.org/rfcs/rfc4562.html "MAC-Forced Forwarding"

[matthijs]

I don't think that RFC is related, it concerns how cable providers set up their network to prevent customers from accessing each other's machines (which was a problem in the early days of cable internet).

Bridge mode won't help you, since you need NAT. I was just thinking that bridge mode with the DHCP server enabled might be enough, but the Fonera cannot assign addresses from your ISP's address block. These might be in use by other customers of the ISP and might be blocked at the cable modem anyway. So you really need (selective) NAT.

The usecase is clear to me, but we will need to investigate how this works in Linux and what the requirements are. Don't count on this being implemented anytime soon...

[steven@…]

in the meanwhile this feature exists in alternative firmwares and also the new FAI modems are now becoming routers with this feature built in incl wifi. Most people that requested this feature have installed dd-wrt on their fonera to have it