I'm converting my network from "one interface per segment" to "single connection with VLANs"; well, some hardware I have requires using different VLAN IDs. Suffice it to say I need bridges to connect a few different VLANs that should all be one but can't be because of firmware constraints. So my first step is to get Shorewall to know about bridges. I convert my existing config to a bunch of bridges: lan0 becomes a member of br-lan0, lan1 becomes a member of br-lan1, and Shorewall gets edited. In interfaces and routestopped I prefix lan0 and lan1 with br-, and I restart Shorewall (sudo shorewall safe-restart). This is an Ubuntu system, and as far as I can tell everything is right. I'm using Shorewall 4.4 so I add routeback to the interface options (I've tried with and without bridge in them as well), and nothing works. Every packet into or out of the firewall on the LAN side drops dead. As far as I can tell, the bridges are set up right and working, and the interfaces are set up right and working, but Shorewall is somehow TKOing everything (I think) :(. Did I miss a crucial config somewhere?
Is there more I need to do to handle a bridge device in Ubuntu? My /etc/network/interfaces looks like this:

auto lo
iface lo inet loopback

auto wan0
iface wan0 inet dhcp

auto lan0
iface lan0 inet static
    address 10.0.0.254
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255

auto lan1
iface lan1 inet static
    address 10.0.1.254
    netmask 255.255.255.0
    network 10.0.1.0
    broadcast 10.0.1.255

#auto br-lan0
#iface br-lan0 inet static
#    address 10.0.0.254
#    netmask 255.255.255.0
#    network 10.0.0.0
#    broadcast 10.0.0.255
#    bridge_ports lan0

#auto br-lan1
#iface br-lan1 inet static
#    address 10.0.1.254
#    netmask 255.255.255.0
#    network 10.0.1.0
#    broadcast 10.0.1.255
#    bridge_ports lan1

and my Shorewall interfaces file looks like this:

wan    wan0    detect    dhcp,tcpflags,nosmurfs,routefilter
users  lan0    detect    dhcp,tcpflags,routefilter
games  lan1    detect    dhcp,tcpflags,routefilter

and looked like this when not working:

wan    wan0       detect    dhcp,tcpflags,nosmurfs,routefilter
users  br-lan0    detect    dhcp,tcpflags,routefilter,routeback
games  br-lan1    detect    dhcp,tcpflags,routefilter,routeback

I had to revert changes because I couldn't finish the update in the hour I had allotted, so it'll be a few hours before I can gather more detailed information if needed, but I suspect that the problem was actually some minor oversight.

------------------------------------------------------------------------------
Oracle to DB2 Conversion Guide: Learn learn about native support for PL/SQL, new data types, scalar functions, improved concurrency, built-in packages, OCI, SQL*Plus, data movement tools, best practices and more.
http://p.sf.net/sfu/oracle-sfdev2dev
Christ Schlacta wrote:
> ... far as I can tell, the bridges are set up right and working,

Does traffic flow if you clear Shorewall (ie do "shorewall clear")? If not then you need to fix that before trying to get Shorewall working.

> Is there more I need to do to handle a bridge device in Ubuntu? My
> interfaces looks like this:
>
> auto lo
> iface lo inet loopback
>
> auto wan0
> iface wan0 inet dhcp
>
> auto lan0
> iface lan0 inet static
>     address 10.0.0.254
>     netmask 255.255.255.0
>     network 10.0.0.0
>     broadcast 10.0.0.255
>
> auto lan1
> iface lan1 inet static
>     address 10.0.1.254
>     netmask 255.255.255.0
>     network 10.0.1.0
>     broadcast 10.0.1.255
>
> #auto br-lan0
> #iface br-lan0 inet static
> #    address 10.0.0.254
> #    netmask 255.255.255.0
> #    network 10.0.0.0
> #    broadcast 10.0.0.255
> #    bridge_ports lan0
>
> #auto br-lan1
> #iface br-lan1 inet static
> #    address 10.0.1.254
> #    netmask 255.255.255.0
> #    network 10.0.1.0
> #    broadcast 10.0.1.255
> #    bridge_ports lan1

Going entirely from memory (so there are probably loads of syntax errors), and it's a while since I last set one up, on Debian systems I do something like this:

auto br0
iface br0 inet static
    address ...
    ...
    pre-up brctl addbr br0
    pre-up ip link set up dev eth0
    pre-up brctl addif br0 eth0
    pre-up ip link set up dev ethn
    pre-up brctl addif br0 ethn
    ...

There's probably a more elegant way to do it, and it really needs a script that can check if the bridge already exists and so on - otherwise any error in the pre-up commands causes the system to abort bringing up the interface.

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
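Simon's point about the pre-up lines is the practical one: ifupdown runs each pre-up command in order and aborts the interface on the first non-zero exit, and brctl addbr fails if the bridge already exists, so a second ifup (or a half-finished first one) leaves the bridge in whatever state it was in. The following is an added example, not code from this thread, of a small POSIX sh script that checks sysfs before creating or enslaving anything: /sys/class/net/<br>/bridge exists only for bridge devices and /sys/class/net/<br>/brif/<port> only once <port> is attached. SYSFS_NET and DRY_RUN are assumed knobs added so the logic can be exercised without root; they are not brctl or ifupdown features. Only the forwarding delay is set to 0 (matching the bridge_fd 0 in the final config posted later); a hello time of 0 is rejected by the kernel, so it is left alone.

```shell
#!/bin/sh
# ensure-bridge: idempotent bridge bring-up for a pre-up line in
# /etc/network/interfaces. Safe to run repeatedly; fails fast on a missing
# port so ifup stops instead of continuing with a half-built bridge.
# SYSFS_NET and DRY_RUN are assumed test hooks, not ifupdown features.

SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# run CMD...: execute CMD, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_exists NAME: true if NAME is a bridge (sysfs exposes a 'bridge'
# subdirectory only for bridge interfaces).
bridge_exists() {
    [ -d "$SYSFS_NET/$1/bridge" ]
}

# port_enslaved BR PORT: true if PORT is already a member of BR.
port_enslaved() {
    [ -d "$SYSFS_NET/$1/brif/$2" ]
}

# ensure_bridge BR PORT...: create BR if missing, then bring each PORT up
# and attach it unless it is already attached. Returns 1 on the first
# failure (including a PORT that does not exist at all).
ensure_bridge() {
    br=$1; shift
    if ! bridge_exists "$br"; then
        run brctl addbr "$br" || return 1
        # no forwarding delay: STP is off by default, so the kernel allows 0
        run brctl setfd "$br" 0 || return 1
    fi
    for port in "$@"; do
        if [ ! -d "$SYSFS_NET/$port" ]; then
            echo "ensure-bridge: no such interface: $port" >&2
            return 1
        fi
        if ! port_enslaved "$br" "$port"; then
            run ip link set up dev "$port" || return 1
            run brctl addif "$br" "$port" || return 1
        fi
    done
    run ip link set up dev "$br"
}

# Installed as /usr/local/sbin/ensure-bridge with a final line of
#     ensure_bridge "$@"
# it is used from /etc/network/interfaces as:
#   iface br-lan0 inet static
#       address 10.0.0.254
#       netmask 255.255.255.0
#       pre-up /usr/local/sbin/ensure-bridge br-lan0 lan0
```

Running it a second time against an already-built bridge only re-issues the harmless `ip link set up dev br-lan0`, and a typo in a port name produces a clear error on stderr instead of an unexplained ifup failure. On Ubuntu 10.10 the bridge_ports stanza from the bridge-utils package does the same bring-up, which is what Christ ends up using; the script is for the hand-rolled pre-up approach Simon describes.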
On 12/12/2010 2:39 PM, Simon Hobson wrote:
> Christ Schlacta wrote:
>> ... far as I can tell, the bridges are set up right and working,
> Does traffic flow if you clear Shorewall (ie do "shorewall clear")?
> If not then you need to fix that before trying to get Shorewall
> working.
>
>> Is there more I need to do to handle a bridge device in Ubuntu? My
>> interfaces looks like this:
>>
>> auto lo
>> iface lo inet loopback
>>
>> auto wan0
>> iface wan0 inet dhcp
>>
>> auto lan0
>> iface lan0 inet static
>>     address 10.0.0.254
>>     netmask 255.255.255.0
>>     network 10.0.0.0
>>     broadcast 10.0.0.255
>>
>> auto lan1
>> iface lan1 inet static
>>     address 10.0.1.254
>>     netmask 255.255.255.0
>>     network 10.0.1.0
>>     broadcast 10.0.1.255
>>
>> #auto br-lan0
>> #iface br-lan0 inet static
>> #    address 10.0.0.254
>> #    netmask 255.255.255.0
>> #    network 10.0.0.0
>> #    broadcast 10.0.0.255
>> #    bridge_ports lan0
>>
>> #auto br-lan1
>> #iface br-lan1 inet static
>> #    address 10.0.1.254
>> #    netmask 255.255.255.0
>> #    network 10.0.1.0
>> #    broadcast 10.0.1.255
>> #    bridge_ports lan1
> Going entirely from memory (so there are probably loads of syntax
> errors), and it's a while since I last set one up, on Debian systems
> I do something like this:
>
> auto br0
> iface br0 inet static
>     address ...
>     ...
>     pre-up brctl addbr br0
>     pre-up ip link set up dev eth0
>     pre-up brctl addif br0 eth0
>     pre-up ip link set up dev ethn
>     pre-up brctl addif br0 ethn
>     ...
>
> There's probably a more elegant way to do it, and it really needs a
> script that can check if the bridge already exists and so on -
> otherwise any error in the pre-up commands causes the system to abort
> bringing up the interface.

I found the problem, I think. Ubuntu 10.10 has a new feature (not sure when it was introduced), but "iface lan0 inet manual" is the key. It does the "ip link set up" that you mentioned, but handles it the Ubuntoid way.
Shorewall was indeed handling everything right; thank you for helping me figure this out :)

On another note: Tom, you might consider adding a recommendation to the howtos and guides that even a multiple-interface router be configured to use bridges. I've found that swapping interfaces, enabling or disabling VLANs, and other simple updates are greatly simplified by using bridges. The working final config is below:

auto lo
iface lo inet loopback

auto wan0
iface wan0 inet manual

auto br-wan0
iface br-wan0 inet dhcp
    bridge_ports wan0
    bridge_fd 0
    bridge_hello 0

auto lan0
iface lan0 inet manual

auto br-lan0
iface br-lan0 inet static
    address 10.0.0.254
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255
    bridge_ports lan0
    bridge_fd 0
    bridge_hello 0

auto lan1
iface lan1 inet manual

auto br-lan1
iface br-lan1 inet static
    address 10.0.1.254
    netmask 255.255.255.0
    network 10.0.1.0
    broadcast 10.0.1.255
    bridge_ports lan1
    bridge_fd 0
    bridge_hello 0
Christ Schlacta wrote:
> On another note: Tom, you might consider adding a recommendation to
> the howtos and guides that even a multiple-interface router be
> configured to use bridges. I've found that swapping interfaces,
> enabling or disabling VLANs, and other simple updates are greatly
> simplified by using bridges.

How so? Bridges introduce a new layer of complication, and importantly, prevent some configurations - specifically you CANNOT filter outbound traffic originating on the firewall machine and exiting via a bridge interface. Most of my systems have a default policy of FW->ALL REJECT and stopping outbound traffic filtering would be a significant backwards step.

You should take a look at udev persistent rules - specifically /dev/udev/rules.d/xx-persistent-net-rules IIRC on Debian derived systems. This allows you to name interfaces and greatly improves things - for example you can name your outside and inside devices ethext and ethint which makes keeping track of what's what a lot easier. I guess this won't help for VLANs though.

The biggest help is that should you have to change a NIC, or migrate the system to different hardware, you can just change the MAC addresses in the persistent rules and carry on with the same config - none of this "oh bother*, eth0 is now eth3" stuff!

* Insert own choice of expletive here :)

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/
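An added example, not part of Simon's message, of producing the persistent-net rules he describes. On Debian and Ubuntu systems of this era the file is /etc/udev/rules.d/70-persistent-net.rules, and each line pins a NAME to the NIC's MAC via ATTR{address}; the MACs below are constructed placeholders and the ethext/ethint names are the ones Simon suggests. The script validates each MAC (udev compares the lower-case colon form, so an upper-case or mistyped address yields a rule that silently never matches) and refuses duplicate MACs or names, since two rules claiming one name leave a NIC with its kernel-assigned name.

```shell
#!/bin/sh
# Generate udev persistent-net rules that pin interface names to MACs,
# for /etc/udev/rules.d/70-persistent-net.rules on Debian/Ubuntu of the
# ifupdown era. Added example; every MAC used here is a placeholder.

# valid_mac ADDR: accept only a lower-case, colon-separated 48-bit address,
# the form udev exposes in ATTR{address}. Fail early rather than write a
# rule that never matches at boot.
valid_mac() {
    case $1 in
        ??:??:??:??:??:??) ;;
        *) return 1 ;;
    esac
    # strip the colons and every valid hex digit; anything left is invalid
    leftover=$(printf '%s' "$1" | tr -d ':0123456789abcdef')
    [ -z "$leftover" ]
}

# persistent_net_rule MAC NAME: print one rule line, or fail on a bad MAC.
# ATTR{type}=="1" limits the match to Ethernet and KERNEL=="eth*" to the
# kernel-assigned eth<n> names that udev is about to rename.
persistent_net_rule() {
    valid_mac "$1" || { echo "bad MAC address: $1" >&2; return 1; }
    printf 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="%s", ATTR{type}=="1", KERNEL=="eth*", NAME="%s"\n' "$1" "$2"
}

# persistent_net_rules: read "MAC NAME" pairs on stdin (blank lines and
# lines starting with # are skipped) and print the whole rules file.
# Duplicate MACs or names are refused instead of producing a file whose
# later rule quietly loses to the earlier one.
persistent_net_rules() {
    seen_macs=" "; seen_names=" "
    while read -r mac name; do
        [ -z "$mac" ] && continue
        case $mac in "#"*) continue ;; esac
        [ -n "$name" ] || { echo "missing name for $mac" >&2; return 1; }
        case $seen_macs in *" $mac "*) echo "duplicate MAC: $mac" >&2; return 1 ;; esac
        case $seen_names in *" $name "*) echo "duplicate name: $name" >&2; return 1 ;; esac
        seen_macs="$seen_macs$mac "; seen_names="$seen_names$name "
        persistent_net_rule "$mac" "$name" || return 1
    done
}

# Usage (placeholder MACs); reload rules or reboot afterwards:
#   printf '00:11:22:33:44:55 ethext\n00:11:22:33:44:66 ethint\n' \
#       | persistent_net_rules > /etc/udev/rules.d/70-persistent-net.rules
#   udevadm control --reload-rules
```

Choosing names like ethext and ethint rather than re-ordering eth0/eth1 also sidesteps a well-known udev pitfall: renaming a NIC to a name the kernel may already have handed to another NIC in the same boot can fail, whereas a name outside the kernel's eth<n> namespace never collides. This addresses Simon's NIC-swap case; as he notes, it does nothing for VLAN sub-interfaces, which take their name from the parent device and VLAN ID.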