 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Re: M0n0wall v1.2b3 in Bridge Mode
 Date:  Wed, 09 Feb 2005 01:35:26 -0500
Chris Buechler wrote:

> On Tue, 08 Feb 2005 22:21:46 -0500, Jesse Guardiani <jesse at wingnet dot net>
> wrote:
>> 
>>    Why would you want an IP-less bridge? I couldn't get my bridge to be
>>     completely transparent with an IP on the WAN interface. The bridge
>>     wouldn't pass traffic outside the WAN's subnet. This was a problem
>>     for me because I have multiple subnets attached to the bridge. The
>>     workaround is fairly simple, but I think this deserves some sort of
>>     GUI solution.
>> 
> 
> The bridge should be completely transparent, i.e. will forward
> anything so long as it matches your rule set.  Maybe a firewall rule
> put in by the back end is somehow messing with it?  Did you check
> status.php to see which rule is dropping the traffic (assuming it's
> getting dropped) and find the rule number?

I've created and tested this setup at least 2 times now. Each config
takes between an hour and two hours to set up, debug, and test. Both
previous tests had the same result. I don't have time to do it again
tonight, and my remaining m0n0wall is going into production tomorrow
morning.

If you don't believe me (and you shouldn't!), then please set up and
test the following network:

router ----- WAN (m0n0) OPT1 ----- workstation

router = 192.168.1.1/24
WAN = static 192.168.5.2/24 gateway 192.168.5.1
OPT1 = bridged to WAN
workstation = 192.168.1.3/24 gateway 192.168.1.1

And see if you can get to 'router' from 'workstation'. I couldn't.
Then I changed the WAN's static IP to 192.168.1.2/24 gateway 192.168.1.1
and it suddenly worked. This doesn't fly in an environment where you
have multiple subnets on either end of the m0n0 bridge. It has to be fully
transparent. To make it fully transparent I had to remove the IP from the
WAN interface.

Let me know if anyone can get the above setup working with a 192.168.5.2
static IP and 192.168.5.1 gateway on the WAN. If so, then I'm wrong, and
I must have had other problems. It's possible, but I'll act surprised
anyway. :)


>> 2.) Anti spoofing rules are preventing me from managing my bridged
>>     m0n0wall from outside the LAN interfaces subnet. See this thread
>>     for more info:
>> 
> 
> That's not a bug, it's a design decision.  If your LAN interface
> actually was a LAN interface, that wouldn't be an issue.  m0n0wall
> doesn't allow outbound traffic from networks it doesn't know about.
> If you add a static route on the LAN interface, it changes that rule
> to allow traffic from that network that it has a route for.  There's
> no reason for it to accept traffic it doesn't know how to return.
> 
> The way to resolve this is to figure out why you can't put an IP on
> your WAN, then this becomes a non-issue.

Test the above setup and let me know if it works for you. If so, then
we'll go from there.


>> 3.) WAN interface sometimes steals packets from LAN interface when LAN
>>     is used for management and OPT1 is bridged with WAN. See this post
>>     for details:
>> 
> 
> I'm sure that's a limitation from having the LAN plugged in where it
> shouldn't be.

Yup. I agree.


-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
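As an added illustration (not m0n0wall code or configuration, and not part of the original thread), the following Python models the anti-spoofing decision Chris describes, "accept traffic only from networks the interface has a route back to", and applies it to Jesse's test topology above. The function names and the optional static-route list are assumptions; the addresses are the constructed values from the thread.

```python
# Added example: a model of the "don't accept traffic from networks you
# can't route back to" anti-spoofing rule discussed in the thread.
# This is NOT m0n0wall's own code; it only reproduces the decision logic
# as described, using the constructed addresses from the test topology.
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Iterable, List


def reachable_networks(iface_addr: str, static_routes: Iterable[str] = ()) -> List[IPv4Network]:
    """Networks an interface knows how to return traffic to: its own
    directly connected subnet (derived from the interface address, e.g.
    192.168.5.2/24 -> 192.168.5.0/24) plus any static routes bound to it."""
    connected = ip_network(iface_addr, strict=False)
    return [connected] + [ip_network(r) for r in static_routes]


def antispoof_allows(src_ip: str, iface_addr: str, static_routes: Iterable[str] = ()) -> bool:
    """True if a packet with source src_ip is accepted on the interface,
    i.e. its source lies inside a network the interface can route back to.
    Anything else is what the thread calls a 'network it doesn't know about'."""
    src = ip_address(src_ip)
    return any(src in net for net in reachable_networks(iface_addr, static_routes))


def bridge_test_case(wan_addr: str, static_routes: Iterable[str] = ()) -> bool:
    """The workstation (192.168.1.3) sending through the OPT1<->WAN bridge,
    evaluated against the WAN interface configured as wan_addr."""
    return antispoof_allows("192.168.1.3", wan_addr, static_routes)


if __name__ == "__main__":
    # WAN on 192.168.5.2/24: workstation's 192.168.1.0/24 is unknown -> dropped
    print("WAN 192.168.5.2/24 :", bridge_test_case("192.168.5.2/24"))
    # WAN moved to 192.168.1.2/24: same subnet as the workstation -> allowed
    print("WAN 192.168.1.2/24 :", bridge_test_case("192.168.1.2/24"))
    # WAN on 192.168.5.2/24 plus a static route for 192.168.1.0/24 -> allowed
    print("WAN + static route :", bridge_test_case("192.168.5.2/24", ["192.168.1.0/24"]))
```

Adding a route for each far-side subnet (the "static route" workaround Chris mentions) is what makes the model accept the traffic without moving the WAN address into the workstation's subnet.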