 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Bridged interface bug?
 Date:  Mon, 14 Dec 2009 20:45:29 +0000
A bit of background to this problem first...  I've been running 1.234
for a long time and not had a problem!  I have a Compaq EN small form
factor with an on-board NIC (fxp) and two 3com 3c905b NICs (xl).

They were configured as:

xl0	WAN
xl1	Internet DMZ
fxp0	VLAN trunk with LAN and other VLANs

These three NICs were connected to the same 3com 3300 switch, albeit in
separate VLANs.  I originally planned on a single interface with VLAN
tagging but then discovered that it wasn't possible to usably bridge
virtual interfaces!

Everything was working fine until I decided to change my switch for a
Linksys SRW224G4P...  I trunked a connection between the switches and
slowly moved the various connections across.  Everything was fine until
I got to the WAN connection of the firewall - the link would come up but
nothing would appear in the forwarding database on the switch!

I assumed that this was some interaction between the switch and NICs so
dug out my spare Compaq EN SFF along with two 3c905c NICs.  I took the
opportunity to upgrade to 1.3 at the same time, too!

I then discovered that 1.3 with polling enabled on this setup caused the
fxp0 interface to be unresponsive!  Disabling polling resolved this issue.

Everything then started working...  that's when I discovered that
my mail and DNS server in the Internet DMZ couldn't initiate outbound
connections.  The packets were being dropped on the WAN interface!

Migrating the rules for the server to the WAN interface resolved the
issue (even though it was physically on the DMZ!).

Last night I had to reboot the switch (as the admin interface wasn't
responding...  it wasn't even pinging but that's another story).

Once the switch was back, I then discovered that the server on the DMZ
couldn't initiate outbound connections!  So I migrated all of the rules
back to the Internet DMZ interface and everything burst into life.

Later this morning I checked my e-mails and once again outbound
connections were failing!  I migrated the rules back to the WAN
interface and once again everything was working!

So there seems to be a bit of a problem with the rules and how they
apply to the interfaces in a bridge and it even seems to change whilst
the firewall is up and running!

Any advice would be appreciated as I fear I might have to revert to
1.235 or at least apply the rules to both interfaces just in case!

Many thanks in advance,