 
 From:  "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
 To:  "Bostjan Hojkar" <bostjan dot hojkar at fov dot uni dash mb dot si>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] Filtering Bridge blocking traffic for clients with multiple IP/subnets
 Date:  Wed, 14 Dec 2005 14:24:40 +0100
I know that bridge != routing and that it should work. If you don't believe me, just see
for yourself. If it's working, please send me the config. I'm not sure if it has something to do
with the fact that the ARP for both IPs the client has shows the same MAC address. Without testing
this I would have said "sure, should work just fine", but it really doesn't seem to work. I have
made extensive tests and I'm using filtering bridges in other scenarios with multiple subnets that
cross the bridge fine.

Holger


> From: Bostjan Hojkar [mailto:bostjan dot hojkar at fov dot uni dash mb dot si]
> Sent: Wednesday, 14 December 2005 14:22
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Filtering Bridge blocking traffic for clients with multiple IP/subnets
> 
> 
> A filtering bridge is not a router, so it's not really important what subnets and
> how many are on each end of the bridge.
> 
> Use the recommended (and documented) transparent bridge configurations with
> WAN-OPT1 bridging and get things working. Be careful with predefined rules
> (block private networks), so that they don't interfere with your setup.
> 
> Mono's IP on WAN can be from any of the subnets you connect to (or IP-less if you
> want), but mono's IP on LAN shouldn't be in those subnets, if you want to
> keep things simple.
> 
> Maybe your LAN is connected to the wrong "place". I didn't find anything to
> imply where your m0n0's LAN connection goes.
> 
> Regards, Bostjan
> 
> 
> ----- Original Message ----- 
> From: "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, December 14, 2005 12:12 PM
> Subject: [m0n0wall] Filtering Bridge blocking traffic for clients with multiple IP/subnets
> 
> 
> I want to set up a transparent filtering bridge. This device should only provide
> traffic shaping and nothing else. I have set this up in the past with success and
> I'm running multiple locations with that kind of setup. However, I now have to
> install filtering bridges at a location where clients have multiple IP addresses
> (on the same physical NIC) from different subnets:
> 
> Example:
> 
> ClientA--------bridged m0n0--------ClientB
> 
> 
> ClientA IPs:
> 192.168.1.1/24
> 10.1.1.1/24
> 
> ClientB IPs:
> 192.168.1.2/24
> 10.1.1.2/24
> 
> I tried bridging WAN to OPT1 and later LAN to OPT1. Rules at all interfaces are
> any protocol, any source, any destination, allow fragmented packets. Filtering bridge
> is enabled at advanced settings.
> 
> If the m0n0's IP at the interface the other one is bridged to is in the range of
> 192.168.1.x/24, all 10.1.1.x/24 traffic is blocked. If the IP of the m0n0 is something
> like 10.1.1.x/24, all 192.168.1.x/24 traffic is blocked (entries in the firewall logs).
> It appears that all non-m0n0-range IPs are always blocked.
> 
> Replacing the m0n0-bridge with a cable makes the connection happy again. Any thoughts?
> 
> Thanks for any suggestions,
> Holger
> 