 
 From:  "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
 To:  "Bostjan Hojkar" <bostjan dot hojkar at fov dot uni dash mb dot si>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] Filtering Bridge blocking traffic for clients with multiple IP/subnets
 Date:  Wed, 14 Dec 2005 15:04:38 +0100

> From: Bostjan Hojkar [mailto:bostjan dot hojkar at fov dot uni dash mb dot si]
> Sent: Wednesday, 14 December 2005 15:02
> To: Holger Bauer
> Subject: Re: [m0n0wall] Filtering Bridge blocking traffic for clients
> with multiple IP/subnets
> 
> 
> What do you have under:
> Interfaces -> WAN -> Block Private Networks?
> 
No, block private networks is disabled. This shouldn't even matter for attempt 2, where LAN and OPT
are bridged.


> Under your results - 1. attempt:
> "only clients with 2 IPs and the same MAC for both are blocked and only the
> IP that's not in the range of the m0n0's IP."
> 
> Do I understand this correctly:
> One PC has 2 IP addresses, for different subnets and one NIC. The client's
> IP#1, NOT in m0n0's WAN subnet is blocked, and the client's IP #2, that is
> in m0n0's WAN subnet is working?
> 
Correct. If I change the IP/subnet of the m0n0, the other subnet for that MAC address is not working.

> Regards, Bostjan
> 
> ----- Original Message ----- 
> From: "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
> To: "Bostjan Hojkar" <bostjan dot hojkar at fov dot uni dash mb dot si>
> Cc: <monowall at lists dot m0n0 dot ch>
> Sent: Wednesday, December 14, 2005 2:43 PM
> Subject: AW: [m0n0wall] Filtering Bridge blocking traffic for 
> clients with 
> multiple IP/subnets
> 
> 
> It doesn't matter if LAN is connected to a managing subnet (with which I
> started, subnet in a different range) or if it is not connected at all.
> 
> Here is what I have already tried, ending up with always the same results:
> 
> 1. attempt:
> 
> WAN 192.168.1.100/24 GW 192.168.1.254 (gateway to other locations, so I can
> configure it from there remotely via WebGUI at WAN address)
> 
> LAN 192.168.99.1/24 (only for management, not connected; doesn't make a
> difference if connected or not)
> 
> OPT1 bridged to WAN
> 
> result: other subnets pass the bridge just fine, only clients with 2 IPs and
> the same MAC for both are blocked and only the IP that's not in the range of
> the m0n0's IP.
> 
> 
> 2. attempt:
> 
> WAN (tried DHCP, PPPoE with invalid user account to keep this interface down
> and have no IP there; tried static with a completely different range as well)
> 
> LAN 192.168.1.100/24 (if I set that one to 10.1.1.100/24 the 192.168.1.x/24
> subnet is blocked)
> 
> OPT1 bridged to LAN
> 
> same result: other subnets pass the bridge just fine, only clients with 2
> IPs and the same MAC for both are blocked and only the IP that's not in the
> range of the m0n0's IP.
> 
> 
> ....and yes, if I replace the bridge with a cable everything is working fine
> like I said before. I'm really lost here.
> 
> Holger
> 
> 
> 

> > From: Bostjan Hojkar [mailto:bostjan dot hojkar at fov dot uni dash mb dot si]
> > Sent: Wednesday, 14 December 2005 14:30
> > To: Holger Bauer
> > Subject: Re: [m0n0wall] Filtering Bridge blocking traffic for clients
> > with multiple IP/subnets
> >
> >
> > If you disconnect the bridge and connect the networks directly - is it
> > working? It should work..
> > Where is your LAN connected? Only for managing directly (to a laptop?) or
> > to some network in this scheme?
> >
> > Regards, Bostjan
> >
> > ----- Original Message ----- 
> > From: "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
> > To: "Bostjan Hojkar" <bostjan dot hojkar at fov dot uni dash mb dot si>;
> > <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Wednesday, December 14, 2005 2:24 PM
> > Subject: AW: [m0n0wall] Filtering Bridge blocking traffic for
> > clients with
> > multiple IP/subnets
> >
> >
> > I know that bridge != routing and that it should work. If you don't believe
> > me just see for yourself. If it's working please send me the config. I'm
> > not sure if it has something to do with the fact that the ARP for both IPs
> > the client has shows the same MAC address. Without testing this I would
> > have said "sure, should work just fine" but it really doesn't seem to
> > work. I have made extensive tests and I'm using filtering bridges in other
> > scenarios with multisubnets that cross the bridge fine.
> >
> > Holger
> >

> > > From: Bostjan Hojkar [mailto:bostjan dot hojkar at fov dot uni dash mb dot si]
> > > Sent: Wednesday, 14 December 2005 14:22
> > > To: m0n0wall at lists dot m0n0 dot ch
> > > Subject: Re: [m0n0wall] Filtering Bridge blocking traffic for clients
> > > with multiple IP/subnets
> > >
> > >
> > > A filtering bridge is not a router, so it's not really important what
> > > subnets and how many are on each end of the bridge.
> > >
> > > Use the recommended (and documented) transparent bridge configurations
> > > with WAN-OPT1 bridging and get things working. Be careful with the
> > > predefined rules (block private networks), not to interfere with your
> > > setup.
> > >
> > > Mono's IP on WAN can be in any of the subnets you connect to (or IP-less
> > > if you want), but mono's IP on LAN shouldn't be in those subnets, if you
> > > want to keep things simple.
> > >
> > > Maybe your LAN is connected to the wrong "place". I didn't find anything
> > > to imply where your m0n0's LAN connection goes.
> > >
> > > Regards, Bostjan
> > >
> > >
> > > ----- Original Message ----- 
> > > From: "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
> > > To: <m0n0wall at lists dot m0n0 dot ch>
> > > Sent: Wednesday, December 14, 2005 12:12 PM
> > > Subject: [m0n0wall] Filtering Bridge blocking traffic for
> > > clients with
> > > multiple IP/subnets
> > >
> > >
> > > I want to set up a transparent filtering bridge. This device should only
> > > provide traffic shaping and nothing else. I have set this up in the past
> > > with success and I'm running multiple locations with that kind of setup.
> > > However, I now have to install filtering bridges at a location where
> > > clients have multiple IP addresses (at the same physical NIC) from
> > > different subnets:
> > >
> > > Example:
> > >
> > > ClientA--------bridged m0n0--------ClientB
> > >
> > >
> > > ClientA IPs:
> > > 192.168.1.1/24
> > > 10.1.1.1/24
> > >
> > > ClientB IPs:
> > > 192.168.1.2/24
> > > 10.1.1.2/24
> > >
> > > I tried bridging WAN to OPT1 and later LAN to OPT1. Rules at all
> > > interfaces are: any protocol, any source, any destination, allow
> > > fragmented packets. Filtering bridge is enabled at advanced settings.
> > >
> > > If the m0n0's IP at the interface the other one is bridged to is in the
> > > range of 192.168.1.x/24, all 10.1.1.x/24 traffic is blocked. If the IP
> > > of the m0n0 is something like 10.1.1.x/24, all 192.168.1.x/24 traffic is
> > > blocked (entries in the firewall logs). It appears that all non
> > > m0n0-range IPs are always blocked.
> > >
> > > Replacing the m0n0-bridge with a cable makes the connection happy again.
> > > Any thoughts?
> > >
> > > Thanks for any suggestions,
> > > Holger
> > >
> > > ____________
> > > Virus checked by G DATA AntiVirusKit
> > >
> > >
> > >
> > 
> ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
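The symptom described across this thread (a client with two addresses on one NIC, the address outside the m0n0wall bridge interface's subnet dropped, the other passing) can be reproduced from the bridge's ARP table before touching rules. The following diagnostic is an added example written for this thread, not m0n0wall's own code or anything posted by the participants: it parses FreeBSD-style `arp -an` output (m0n0wall runs on FreeBSD), finds MACs that answer for addresses in more than one subnet, and lists which of those addresses fall outside the bridge interface's subnet, i.e. the ones the thread reports as blocked. The ARP table is a constructed sample mirroring the ClientA/ClientB topology of the original mail; the interface names `em1`/`em2`, the gateway MAC and the assumption that every client subnet is a /24 are mine.

```python
"""Diagnostic for the thread's symptom: a transparently bridged m0n0wall
passes one of a multihomed client's addresses and logs drops for the other.

Added example for this thread, not m0n0wall's own code. SAMPLE_ARP is a
constructed ARP table; interface names and the /24 prefix are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in FreeBSD `arp -an` format. ClientA and ClientB each
# carry one address per subnet on a single NIC, so each MAC appears twice.
# The last line is the WAN gateway from the thread (single-homed).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:01 on em1 expires in 1187 seconds [ethernet]
? (10.1.1.1) at 00:11:22:33:44:01 on em1 expires in 1190 seconds [ethernet]
? (192.168.1.2) at 00:11:22:33:44:02 on em2 expires in 1100 seconds [ethernet]
? (10.1.1.2) at 00:11:22:33:44:02 on em2 expires in 1102 seconds [ethernet]
? (192.168.1.254) at 00:11:22:33:44:fe on em1 permanent [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<iface>\S+)")


def parse_arp(text):
    """Return a list of (ip, mac, iface) tuples from `arp -an` output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((ipaddress.ip_address(m["ip"]), m["mac"].lower(), m["iface"]))
    return entries


def multihomed_macs(entries, prefix=24):
    """Map MAC -> set of subnets it answers for, keeping only MACs that span
    more than one subnet (the pattern the thread singles out). The prefix
    length is an assumption; the thread's subnets are all /24."""
    nets = defaultdict(set)
    for ip, mac, _ in entries:
        nets[mac].add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return {mac: s for mac, s in nets.items() if len(s) > 1}


def classify(entries, bridge_if_addr):
    """Split ARP entries by whether the address shares the subnet of the
    m0n0wall interface the bridge hangs off (e.g. WAN 192.168.1.100/24)."""
    net = ipaddress.ip_interface(bridge_if_addr).network
    in_range, out_of_range = set(), set()
    for ip, _, _ in entries:
        (in_range if ip in net else out_of_range).add(ip)
    return in_range, out_of_range


def expected_drops(entries, bridge_if_addr):
    """Addresses the thread's reported behaviour predicts will be blocked:
    out-of-range addresses that belong to a multihomed MAC. Single-homed
    hosts outside the range (the gateway here) are not flagged, matching
    Holger's note that other subnets cross the bridge fine."""
    suspect = multihomed_macs(entries)
    _, out_of_range = classify(entries, bridge_if_addr)
    return sorted(str(ip) for ip, mac, _ in entries if mac in suspect and ip in out_of_range)


if __name__ == "__main__":
    entries = parse_arp(SAMPLE_ARP)
    # Both interface addresses Holger tried in the thread.
    for addr in ("192.168.1.100/24", "10.1.1.100/24"):
        print(f"bridge interface {addr}: predicted drops {expected_drops(entries, addr)}")
```

Run against the real `arp -an` output of a bridge showing this symptom, the list it prints should line up with the source addresses in the firewall log entries; if it does not, the multihomed-MAC explanation discussed in the thread is not the cause.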