[ previous ] [ next ] [ threads ]
 
 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] vlan bridging broken?
 Date:  Sat, 8 Apr 2006 11:02:47 +0100
Hi again,

>        I seem to remember a while back that someone posted a similar
>problem but I appear to have recreated it myself!  The full details are:
>
>I'm running 1.22 Generic PC version.
>
>I have the following interfaces configured:
>
>vlan0   LAN
>vlan1   WAN
>vlan2   OPT1
>vlan3   OPT2
>vlan4   OPT3
>
>OPT1 is bridged with WAN.  I have advanced outbound NAT set and am not
>NATing traffic from LAN -> OPT1 so that I can still access the servers
>by their real IP addresses.
>
>I can access OPT1 from LAN no problem at all but OPT1 cannot get
>anything from the WAN!
>
>
>As I have a managed switch, I've setup a spanned port and can see the
>SYN go out from the server on OPT1, I can see it leave the WAN
>interface.  I then see the SYN-ACK return to the WAN interface but I
>don't see it return to OPT1.
>
>I can also see the connection entered into the state table.
>
>I normally have 'Enable filtering bridge' selected but even if I disable
>it, it still doesn't work.
>
>This was all working fine on 1.21 when I had separate NICs but I've now
>moved to one VLAN trunk and it no longer seems to work.
>
>I'm going to try a separate physical NIC for OPT1 to see if that makes a
>difference but I'd rather not have to - the whole point of the exercise
>was to reduce cabling and try to simplify things!

Apologies for following up my own post but I've now tried with a second
interface in my firewall.  I can now confirm:

1) With a real interface as OPT1 the problem still exists.

2) With a real interface as WAN the problem is resolved.


It would appear that if any interface is bridged with a vlan interface
it is destined not to work.

If anyone has any ideas why then I'd love to know as I'd like to resolve
this.  I have WAN patched in to my managed switched so I can still use
the roving analysis port to perform packet captures if necessary but I'd
like to end up with a single interface for the firewall.

Many thanks in advance,


                                Neil.

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk