 
 From:  "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] Filtering Bridge blocking traffic for clients with multiple IP/subnets
 Date:  Wed, 14 Dec 2005 14:45:45 +0100
It doesn't matter if LAN is connected to a managing subnet (with which I started, subnet in a different range) or if it is not connected at all.
 
 Here is what I have already tried, ending up with always the 
 same results:
 
 1. attempt:
 
WAN 192.168.1.100/24 GW 192.168.1.254 (gateway to other locations, so I can configure it from there remotely via WebGUI at WAN address)
 
LAN 192.168.99.1/24 (only for Management, not connected; doesn't make difference if connected or not)
 
 OPT1 bridged to WAN
 
result: other subnets pass the bridge just fine, only clients with 2 IPs and the same MAC for both are blocked and only the IP that's not in the range of the m0n0's IP.
 
 
 2. attempt:
 
WAN (tried DHCP, PPPoE with invalid user account to keep this interface down and have no IP there; tried static with a completely different range as well)
 
LAN 192.168.1.100/24 (if I set that one to 10.1.1.100/24 the 192.168.1.x/24 subnet is blocked)
 
 OPT1 bridged to LAN
 
same result: other subnets pass the bridge just fine, only clients with 2 IPs and the same MAC for both are blocked and only the IP that's not in the range of the m0n0's IP.
 
 
...and yes, if I replace the bridge with a cable everything is working fine like I said before. I'm really lost here.
 
 Holger
 
 
 

> > From: Bostjan Hojkar [mailto:bostjan dot hojkar at fov dot uni dash mb dot si]
> > Sent: Wednesday, 14 December 2005 14:30
> > To: Holger Bauer
> > Subject: Re: [m0n0wall] Filtering Bridge blocking traffic for clients with multiple IP/subnets
> > 
> > 
> > If you disconnect bridge and connect networks directly - is it working? It should work..
> > Where is your LAN connected? Only for managing directly (to laptop?) or to some network in this scheme?
> > 
> > Regards, Bostjan
> > 
> > ----- Original Message ----- 
> > From: "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
> > To: "Bostjan Hojkar" <bostjan dot hojkar at fov dot uni dash mb dot si>; <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Wednesday, December 14, 2005 2:24 PM
> > Subject: AW: [m0n0wall] Filtering Bridge blocking traffic for clients with multiple IP/subnets
> > 
> > 
> > I know that bridge != routing and that it should work. If you don't believe me just see for yourself. If it's working please send me the config. I'm not sure if it has something to do with the fact that the ARP for both IPs the client has show the same MAC address. Without testing this I would have said "sure, should work just fine" but it really doesn't seem to work. I have made extensive tests and I'm using filtering bridges in other scenarios with multisubnets that cross the bridge fine.
> > 
> > Holger
> > 

> > > From: Bostjan Hojkar [mailto:bostjan dot hojkar at fov dot uni dash mb dot si]
> > > Sent: Wednesday, 14 December 2005 14:22
> > > To: m0n0wall at lists dot m0n0 dot ch
> > > Subject: Re: [m0n0wall] Filtering Bridge blocking traffic for clients with multiple IP/subnets
> > >
> > >
> > > Filtering bridge is not router, so it's not really important what subnets and how many are on each end of bridge.
> > >
> > > Use recommended (and documented) transparent bridge configurations with WAN-OPT1 bridging and get things working. Be careful with predefined rules (block private networks), not to interfere with your setup.
> > >
> > > Mono's IP on WAN can be of any subnets you connect to (or IP-less if you want), but mono's IP on LAN shouldn't be in those subnets, if you want to keep things simple.
> > >
> > > Maybe your LAN is connected to the wrong "place". I didn't find anything to imply where goes your m0n0's LAN connection.
> > >
> > > Regards, Bostjan
> > >
> > >
> > > ----- Original Message ----- 
> > > From: "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
> > > To: <m0n0wall at lists dot m0n0 dot ch>
> > > Sent: Wednesday, December 14, 2005 12:12 PM
> > > Subject: [m0n0wall] Filtering Bridge blocking traffic for clients with multiple IP/subnets
> > >
> > >
> > > I want to setup a transparent filtering bridge. This device only should provide traffic shaping and nothing else. I have set up this in the past with success and I'm running multiple locations with that kind of setup. However I now have to install filtering bridges at a location where Clients have multiple IP addresses (at the same physical NIC) from different subnets:
> > >
> > > Example:
> > >
> > > ClientA--------bridged m0n0--------ClientB
> > >
> > >
> > > ClientA IPs:
> > > 192.168.1.1/24
> > > 10.1.1.1/24
> > >
> > > ClientB IPs:
> > > 192.168.1.2/24
> > > 10.1.1.2/24
> > >
> > > I tried bridging WAN to OPT1 and later LAN to OPT1. Rules at all interfaces are any protocol, any source, any destination, allow fragmented packets. Filtering bridge is enabled at advanced settings.
> > >
> > > If the m0n0's IP at the interface the other one is bridged to is in the range of 192.168.1.x/24 all 10.1.1.x/24 traffic is blocked. If the IP of the m0n0 is something like 10.1.1.x/24 all 192.168.1.x/24 traffic is blocked (entries in the firewall logs). It appears that all non m0n0-range IPs are always blocked.
> > >
> > > Replacing the m0n0-bridge with a cable makes the connection happy again. Any thoughts?
> > >
> > > Thanks for any suggestions,
> > > Holger
> > >
> > > ____________
> > > Virus checked by G DATA AntiVirusKit
> > >
> > >
> > > 
> > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > >
> > >
> > >
> > 
> > 
> > 
> > 
> 

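The symptom Holger narrows down across the thread is specific: only hosts that answer for two IPs with one MAC lose traffic, and only for the address that lies outside the subnet of the m0n0wall interface the bridge is attached to. The script below is an added example for reproducing and triaging that condition; it is not code from the thread or from the m0n0wall project. It parses FreeBSD-style `arp -an` output (m0n0wall is FreeBSD-based; the sample lines, MAC addresses and interface names xl0/xl1 are constructed for the example), finds MACs that map to more than one IP, and for each such host splits its addresses into "inside" and "outside" the bridge interface's subnet, the "outside" group being what the thread reports as blocked and therefore the flows to test and watch in the firewall log first.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of FreeBSD-style `arp -an` output (m0n0wall is FreeBSD-based).
# The lines are made up for this example and mirror the thread's topology: two
# clients, each holding one address in 192.168.1.0/24 and one in 10.1.1.0/24 on
# the same NIC, so both addresses resolve to the same MAC.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:0c:29:aa:bb:01 on xl0 expires in 1146 seconds [ethernet]
? (10.1.1.1) at 00:0c:29:aa:bb:01 on xl0 expires in 1139 seconds [ethernet]
? (192.168.1.2) at 00:0c:29:aa:bb:02 on xl1 expires in 1001 seconds [ethernet]
? (10.1.1.2) at 00:0c:29:aa:bb:02 on xl1 expires in 998 seconds [ethernet]
? (192.168.1.254) at 00:0c:29:aa:bb:fe on xl0 expires in 1200 seconds [ethernet]
"""

# Matches the "(ip) at mac on ifname" core of an arp -an line; anything after
# the interface name (expiry, link type) is ignored.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return a list of (ip, mac, ifname) tuples; ip is an IPv4Address."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((ipaddress.ip_address(m["ip"]), m["mac"].lower(), m["ifname"]))
    return entries


def multihomed_hosts(entries):
    """Group addresses by MAC and keep only MACs that answer for more than one
    IP, i.e. the clients the thread describes (two IPs on one NIC)."""
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def triage(text, bridge_iface_cidr):
    """For every multi-homed host, split its addresses into those inside the
    subnet of the m0n0wall interface the bridge is attached to and those
    outside it. The thread reports the 'outside' addresses as the ones the
    filtering bridge blocked, so they are the flows to test and log first."""
    net = ipaddress.ip_interface(bridge_iface_cidr).network
    result = {}
    for mac, ips in multihomed_hosts(parse_arp(text)).items():
        result[mac] = {
            "inside": [str(ip) for ip in ips if ip in net],
            "outside": [str(ip) for ip in ips if ip not in net],
        }
    return result


if __name__ == "__main__":
    # Attempt 1 from the thread: bridge attached to WAN at 192.168.1.100/24.
    for mac, split in sorted(triage(SAMPLE_ARP, "192.168.1.100/24").items()):
        print(f"{mac}: inside={split['inside']} outside(expect blocked)={split['outside']}")
```

Running it against the second attempt (`triage(SAMPLE_ARP, "10.1.1.100/24")`) flips the groups, which matches Holger's observation that moving the m0n0wall's address to 10.1.1.x/24 blocks the 192.168.1.x/24 side instead. Hosts with a single ARP entry (the gateway in the sample) are left out, since the thread reports those passing the bridge normally.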