Bridging Networks Without NAT – How It’s Done


I have quite limited networking experience, so I'm probably asking about very simple things. I'm reading about Linux bridge interfaces, and the documentation states that there is no NAT by default and the bridge interface just passes packets over as-is from one network to another. That confuses me: I'm imagining a LAN-behind-WiFi setup where my machine (let's name it access-point) can be connected to a WiFi access point and share the internet connection by bridging wireless0 to eth0. The LAN itself would have its own address range (say, 192.168.0.0/24) and, if I understand it correctly, the connection would be processed in the following way:

  • lan-device-1: sends a frame with MAC 00::01, with an encapsulated DNS query, source address 192.168.0.1 and target address 8.8.8.8, to eth0
  • access-point: just pushes the frame from eth0 to wireless0
  • 8.8.8.8: extracts the DNS query, prepares the answer, but sees source address 192.168.0.1
  • some wild magic appears and forces the response to go out to the access-point IP address rather than to the lan-device-1 address
  • access-point: receives the answer from 8.8.8.8, wild magic reappears and tells access-point that this response belongs to lan-device-1 rather than to access-point, so the response is flushed down to eth0 with the correct MAC address

Of course we live in a world with no magic, so those assumptions are wrong. But how then are packets routed to the correct destinations? It would be simple if NAT were in place, but it isn't, and I can't understand A) how the remote machine knows where to send the response and B) how the intermediary (access-point in the example) differentiates its own traffic from bridged traffic.

Best Answer

You seem to be confusing layer-2 and layer-3. Bridging is not routing. Bridging has nothing to do with layer-3 addresses, and routing removes the layer-2 addresses. Routers route packets, and bridges switch frames.

Routing happens at layer-3 with layer-3, e.g. IP, addresses. Routing routes layer-3 packets between networks.

Bridging happens with layer-2, e.g. MAC, addresses. Bridging delivers layer-2 frames directly from host-to-host on the same network.

If a packet is destined for a different network, the host will address the layer-3 packet to the destination host and the layer-2 frame used to encapsulate the layer-3 packet to the layer-2 address of its configured gateway (normally a router). A router will strip off the layer-2 frame, losing the layer-2 frame and addresses, inspect the destination layer-3 address on the packet, and forward the packet to the next interface, building a new frame for the next network.

Bridges that have all interfaces using the same layer-2 protocol, e.g. ethernet switches, are called transparent bridges, and they simply inspect the frame for the layer-2 address, switching it to an interface found in its MAC address table, or flooding it to all other interfaces if the destination MAC address is not in its MAC address table.

If a bridge connects two different layer-2 protocols, e.g. a WAP connecting ethernet and Wi-Fi, it must translate the frames between the different layer-2 protocols, and they are called translating bridges. They still use a MAC address table to determine the interface to which they will switch frames. Both ethernet and Wi-Fi use compatible 48-bit MAC addresses, so the addressing can remain the same, although the frames are different.


Bridging networks without NAT: how it's done?

NAT really has nothing to do with routing or bridging. NAT is simply translating either the source, destination, or both layer-3 addresses in layer-3 packets, which are never seen by a layer-2 bridge.

Remember, bridging is on the same network, routing is between networks, and NAT is translating addresses to other addresses.


You cannot use RFC 1918 (or some other) addresses on the public internet, e.g. to 8.8.8.8. Non-global addresses must be translated to public addresses before they are sent on the public Internet. Not all networks use private addressing, but any that do must use some form of NAT to translate private addresses to public addresses before sending packets to the public Internet.

Your WAP (access point) is simply a bridge, and the NAT happens somewhere else before the packets from your 192.168.0.0/24 network are sent to the public Internet.
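To make the answer's forwarding rules concrete, here is an added simulation of a transparent learning bridge (not code from the answer or from Linux); it models the question's two-port setup, the learn/switch/flood decisions, the bridge's own MAC as a locally delivered address, and shows that the IP fields in the frame are never touched. Port names, MAC addresses and the `own_mac` field are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    """A layer-2 frame. The IP fields are opaque payload to the bridge:
    it forwards them untouched, which is why a bridge never does NAT."""
    src_mac: str
    dst_mac: str
    ip_src: str
    ip_dst: str

@dataclass
class LearningBridge:
    """Transparent (learning) bridge. own_mac models the bridge interface's own
    address (like br0 on Linux): frames for it go to the host, not to a port."""
    ports: tuple
    own_mac: str
    mac_table: dict = field(default_factory=dict)

    def receive(self, ingress, frame):
        """Return (decision, frame): a port name, a list of flooded ports,
        "local" for the bridge's own traffic, or None when filtered."""
        # Learn: the source MAC is reachable via the ingress port.
        self.mac_table[frame.src_mac] = ingress
        # The "own traffic" case from the question: destination is the bridge itself.
        if frame.dst_mac == self.own_mac:
            return ("local", frame)
        out = self.mac_table.get(frame.dst_mac)
        if out == ingress:            # destination already on the ingress segment
            return (None, frame)
        if out is not None:           # known MAC: switch to exactly one port
            return (out, frame)
        # Unknown destination: flood to every other port. Frame is unchanged.
        return ([p for p in self.ports if p != ingress], frame)

def dns_round_trip():
    """Constructed scenario from the question: lan-device-1 on eth0 queries 8.8.8.8
    through the upstream gateway behind wireless0. NAT (if any) happens at that
    gateway, so the bridge sees 192.168.0.1 on both legs and never rewrites it."""
    br = LearningBridge(ports=("eth0", "wireless0"), own_mac="00:00:00:00:00:bb")
    lan, gw = "00:00:00:00:00:01", "00:00:00:00:00:aa"
    query = Frame(lan, gw, "192.168.0.1", "8.8.8.8")
    out1 = br.receive("eth0", query)        # gw MAC unknown yet -> flooded to wireless0
    reply = Frame(gw, lan, "8.8.8.8", "192.168.0.1")
    out2 = br.receive("wireless0", reply)   # lan MAC learned on eth0 -> switched there
    return out1, out2, br.mac_table
```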