Isolating bridge interfaces from interfaces not connected to them
I am trying to build an emulation platform for emulating an LTE connection using ns-3 and tap interfaces inside a single real host. Since I am a complete beginner at Linux networking and routing I have found this very complicated. I want to be able to create a client and a server using specific IoT application layer protocols and use the common libraries created for them (like the RabbitMQ Java Client for AMQP), and I want it to work as if I was using a real network to connect them.
One issue that I have encountered is routing traffic between the client and server program through the emulation instead of directly to each other. My first thought was to isolate the client and server programs by putting them in separate Docker containers which are connected to separate Docker bridge networks, but after trying this I had difficulties getting the traffic to route through the correct tap interfaces.
I have enslaved the corresponding tap interfaces to the bridges for the respective Docker containers, but I have not been able to get things to work the way I want. I want the client Docker container to use its corresponding tap interface as a gateway for all traffic (or at least the traffic aimed at the server), but the only interfaces or IP addresses the container knows about are the Docker bridge network that it is connected to, not the tap interfaces connected to that bridge, so I can't set the gateway using the `route` command. I can ping that same tap interface, however, no matter if it is connected to the bridge or not. At first I could also ping Internet hosts from the container, but I managed to disable this in `iptables`.
My second hope was to set the tap interface as a gateway for all traffic inside the bridge that is addressed to interfaces or hosts which are not connected to it, but I don't know how to do that.
How should I proceed in order to achieve the isolation that I am after?
EDIT:
This is the topology I had in mind:
```
+------------------------------------------------------------------+
| Linux Host                                                       |
|  +---------------------+            +---------------------+      |
|  | Isolated network 1  |            | Isolated network 2  |      |
|  |      +--------+     |            |      +--------+     |      |
|  |      | Client |     |            |      | Server |     |      |
|  |      |        |     |            |      |        |     |      |
|  |      +--------+     |            |      +--------+     |      |
|  |          ^          |            |          ^          |      |
|  |          |          |            |          |          |      |
|  |     +----ˇ-----+    |            |     +----ˇ-----+    |      |
|  |     | Bridge 1 |    |            |     | Bridge 2 |    |      |
|  |     +----------+    |            |     +----------+    |      |
|  |          ^          |            |          ^          |      |
|  +----------|----------+            +----------|----------+      |
|             |                                  |                 |
|         +---ˇ---+                          +---ˇ---+             |
|  +------| Tap 1 |--------------------------| Tap 2 |-----+       |
|  |      +-------+ NS-3 Emulated LTE Network+-------+     |       |
|  |                                                       |       |
|  +-------------------------------------------------------+       |
|                                                                  |
+------------------------------------------------------------------+
```
ubuntu iptables routing bridge
1
Instead of using Docker containers, just try to put the programs into separate network namespaces. Docker containers also use network namespaces, but they configure them in a certain way to allow for Docker swarms etc., so you want to do your own configuration. You also likely won't need the other features of a docker container. `ip netns`, and google "linux network namespace".
– dirkt
Mar 14 at 13:58
@dirkt Thank you for your comment! You are absolutely right that I do not need other features of docker containers. I have thought about using namespaces but I am not sure where I would put the tap interface that is connected to the emulator. If I put it inside the namespace, would I then have to run the emulator inside that namespace? If so, what would I do with the tap interface that is meant for communication with the server program?
– Daniel Proos
Mar 14 at 14:25
1
I don't completely understand your setup and what exactly you are trying to achieve, but in general: Yes, if you need to isolate applications that have a tap interface, you would put those applications (including the tap interface) in different namespaces. You can connect up namespaces with veth-pairs ("virtual LAN cables"), and route or bridge however you want. You can also put several applications with a tap interface into one single namespace, and bridge them if so desired. You can build arbitrarily complex networks this way.
– dirkt
Mar 15 at 7:24
@dirkt I updated the question to contain an ASCII-art drawing of the topology I had in mind. The part I couldn't figure out was how to properly isolate the two networks belonging to the client and server while at the same time allowing them both to connect to the LTE emulation through their respective taps. Can tap 1 be moved into isolated network 1 and still be connected to the emulation if the emulation is not moved to this namespace? If the emulation also has to be moved to isolated network 1, how is the server supposed to connect to tap 2?
– Daniel Proos
Mar 15 at 15:44
You could move the tap interfaces directly to each other net ns after ns-3 connected to/created them with file descriptors (and leave ns-3 on the host/init net namespace), but for better compatibility with the net namespace-unaware application, better use additional bridges on ns-3's net ns to plug the tap on, and veth pairs to bring traffic to other net ns. This avoids confusing the "ns-3" application when it wouldn't find the tap interfaces anymore (e.g. to bring them up). You can also do both: first move/isolate ns-3 to its own netns, then still add bridge+veth layers to avoid confusing the app.
– A.B
Mar 15 at 21:26
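The namespace-based layout the comments describe (each program in its own network namespace, ns-3 and its taps left in the root namespace, one bridge plus one veth pair per isolated network), as an added example that is neither the asker's nor a commenter's code. It assumes the taps tap1 and tap2 already exist and that the ns-3 side behind them answers as 10.1.1.1 and 10.1.2.1; the namespace, bridge and veth names are made up.

```shell
#!/bin/sh
# Added example (not from the question or the comments): the topology from the
# question built with network namespaces instead of Docker, the way the comments
# suggest. ns-3 and its taps stay in the root (init) netns; each tap is enslaved
# to its own bridge there, and a veth pair carries traffic from that bridge into
# an isolated namespace that runs one application.
# Assumptions (hypothetical, not on the page): tap1 and tap2 already exist, and
# the ns-3 side behind them answers as 10.1.1.1 and 10.1.2.1 respectively.
set -eu

# DRY_RUN=1 prints every command instead of running it (no root required).
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# attach_ns NAME BRIDGE TAP VETH_HOST VETH_NS ADDR/PREFIX GATEWAY
# Creates namespace NAME and, in the root netns, BRIDGE holding TAP plus the
# host end of a veth pair. The other end goes into NAME with ADDR and a
# default route via GATEWAY, which is reachable only through TAP, so all
# traffic leaving NAME has to cross the emulated network.
attach_ns() {
    ns="$1" br="$2" tap="$3" vh="$4" vn="$5" addr="$6" gw="$7"
    run ip netns add "$ns"
    run ip link add "$br" type bridge
    # Deliberately no IP address on the bridge: the host must not become a
    # router between the two isolated networks and short-circuit the taps.
    run ip link set "$br" up
    run ip link set "$tap" master "$br"
    run ip link set "$tap" up
    run ip link add "$vh" type veth peer name "$vn"
    run ip link set "$vh" master "$br"
    run ip link set "$vh" up
    run ip link set "$vn" netns "$ns"
    run ip -n "$ns" link set lo up
    run ip -n "$ns" addr add "$addr" dev "$vn"
    run ip -n "$ns" link set "$vn" up
    run ip -n "$ns" route add default via "$gw" dev "$vn"
}

# Isolated network 1 (client) and 2 (server) from the drawing in the question.
build_topology() {
    attach_ns client br1 tap1 veth1-host veth1-ns 10.1.1.2/24 10.1.1.1
    attach_ns server br2 tap2 veth2-host veth2-ns 10.1.2.2/24 10.1.2.1
}

# Verifies the two properties that give the isolation: no bridge carries an
# IPv4 address in the root netns, and each namespace has exactly one
# non-loopback interface (its veth end). Returns 1 on the first violation.
check_isolation() {
    for br in br1 br2; do
        if ip -4 addr show dev "$br" | grep -q 'inet '; then
            echo "$br has an IPv4 address; the host could route around the emulation" >&2
            return 1
        fi
    done
    for ns in client server; do
        n=$(ip -n "$ns" -o link show | grep -c -v ': lo:' || true)
        if [ "$n" -ne 1 ]; then
            echo "$ns has $n non-loopback interfaces, expected 1" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sh isolate.sh plan  (print the commands)  or  sudo sh isolate.sh apply
# Afterwards start each program inside its namespace, for example
#   ip netns exec client <client command>   and   ip netns exec server <server command>
case "${1:-}" in
    plan)  DRY_RUN=1 build_topology ;;
    apply) build_topology && check_isolation ;;
esac
```

Because both bridges carry no address and each namespace has only its veth end, the client's only route to the server is default via tap1 through the emulation, which is the isolation the question asks for.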
asked Mar 14 at 12:58 by Daniel Proos, edited Mar 15 at 15:36