
Free firewall software distributed under GNU General Public License

Example 4: Bypass DNS client bug on users' inexpensive routers

This example was given by Mike Ireton.

ebtables just saved our cookies big time. Here's how it did it:

We're a wireless isp and our wireless subscribers all have inexpensive soho routers with fixed ip addresses. We recently had to change out the hardware at one of our main towers (software upgrades, faster cpu, etc etc) and as a result of doing this, we discovered that numerous subscribers all of a sudden could not resolve dns. Everyone continued to have ping and tcp connectivity, but dns wasn't resolving for them. Rebooting their routers would solve the problem, but there's a lot of subscribers who depend on this site and we couldn't possibly call them all. After looking over packet dumps, it appears that most of these cheap soho routers have a very subtle bug which was responsible for the problem - their dns requests were still bearing the old mac address of the router, while test pings to them bore the new! (In effect, the embedded dns client in the router was not re-arping for the gateway and instead using an outdated cache). This is across several brands of routers too. So the solution was to install ebtables mac address nat'ing so that received frames destined for the old mac addresses would be changed to the new address, thus solving the problem site wide.
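The rule set that description implies, written out as an added example (this is not Mike Ireton's configuration nor code from the ebtables project): a destination-MAC NAT rule in the nat table's PREROUTING chain that rewrites frames still addressed to the replaced hardware's MAC so they carry the new one, plus the listing command used to confirm the rule is matching. The interface name `eth0` and both MAC addresses are constructed placeholders; the script defaults to printing the commands (`DRY_RUN=1`) and only runs `ebtables` when `DRY_RUN=0`, which needs root and the ebtables nat table available in the kernel.

```shell
#!/bin/sh
# Added example: build and optionally apply the ebtables MAC NAT rule described
# in the post. Interface and MAC values are constructed placeholders.

: "${DRY_RUN:=1}"   # default to printing commands; set DRY_RUN=0 to apply

# Normalize a MAC to lowercase colon-separated form. Prints nothing and
# returns 1 unless the input is exactly six hex octets.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Print the ebtables command that rewrites frames arriving on IFACE with
# destination OLD_MAC so that they carry NEW_MAC. PREROUTING in the nat table
# sees each frame before the bridge decides where to deliver it, so frames a
# stale ARP cache aims at the old MAC end up at the new hardware.
mac_dnat_rule() {
    old=$(normalize_mac "$1") || return 1
    new=$(normalize_mac "$2") || return 1
    iface=$3
    printf 'ebtables -t nat -A PREROUTING -i %s -d %s -j dnat --to-destination %s --dnat-target ACCEPT\n' \
        "$iface" "$old" "$new"
}

# Print the listing command that shows the chain with per-rule frame counters
# (--Lc) and full-width MACs (--Lmac2); a rising counter on the dnat rule is
# the evidence that stale-MAC frames are really being rewritten.
mac_dnat_check() {
    printf 'ebtables -t nat -L PREROUTING --Lc --Lmac2\n'
}

# Build the rule for one old/new MAC pair and either print it (DRY_RUN=1) or
# execute it. Rejects malformed MACs before anything reaches ebtables.
apply_mac_dnat() {
    cmd=$(mac_dnat_rule "$1" "$2" "$3") || { echo "bad MAC address" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# Constructed sample: subscriber-facing interface, MAC of the replaced tower
# hardware, MAC of the replacement.
apply_mac_dnat 00:11:22:33:44:55 66:77:88:99:AA:BB eth0
mac_dnat_check
```

Run once per old MAC that subscribers may still hold in their ARP caches. The rule is a workaround for the routers' stale caches rather than a fix for them, so it can be removed once the affected routers have rebooted; until then, persist it across reboots of the gateway (for example with `ebtables-save`) or the symptom returns.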

Last modified: Thursday, 22-Sep-2005 05:42:43 PDT.
