root@endian:~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 0 0 0 br1
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
XX.22.XX.0 * 255.255.240.0 U 0 0 0 eth1
default XX-22-XX-1.acc 0.0.0.0 UG 0 0 0 eth1
Eth0 (192.168.1.250) is connected to the br0
Eth2 (192.168.2.1) is connected to the br1
Eth1 is the WAN-interface
Why can't my Nagios-server reach the ClarkConnect-server ??
The default gateway is set correctly (192.168.2.1 = Endian). So when the DNS-server resides on network 192.168.1, then it should go through Endian, right ??
Last edited by jonaskellens; 11-13-2009 at 04:32 AM.
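To make the routing question above concrete, here is an added Python example (my own, not code from the thread or from Endian) that parses `route`-style output like the table the poster showed, performs the kernel's longest-prefix lookup, and then follows next hops from the Nagios host through the Endian box. The WAN octets the poster masked are replaced with the RFC 5737 documentation range (203.0.112.0/20, gateway 203.0.113.1), and the Nagios host's own table (address 192.168.2.10, default via 192.168.2.1) is constructed, since it was not posted. Using `route -n` avoids the hostname in the Gateway column.

```python
import ipaddress

# Constructed sample input: the Endian box's table from the post, as "route -n"
# would print it (numeric, no DNS lookups). The masked WAN octets are replaced
# with the RFC 5737 documentation range, so 203.0.112.0/20 and 203.0.113.1 are
# placeholders, not the poster's real addresses.
ENDIAN_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.112.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
"""

# Constructed: a single-homed Nagios host in ORANGE (assumed address 192.168.2.10)
# whose only non-local route is the default via Endian's ORANGE address.
NAGIOS_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
"""

# Which host owns which address, so a next hop can be followed (assumed layout).
OWNER_OF = {"192.168.2.1": "endian", "192.168.1.250": "endian", "192.168.2.10": "nagios"}


def parse_route_table(text):
    """Turn 'route' / 'route -n' output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue                       # title and column-header lines
        dest, gw, mask, flags, iface = f[0], f[1], f[2], f[3], f[7]
        if dest == "default":              # 'route' without -n prints the default this way
            dest = "0.0.0.0"
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = None if gw in ("*", "0.0.0.0") else gw   # on-link route: no gateway
        routes.append({"network": network, "gateway": gateway,
                       "iface": iface, "flags": flags})
    return routes


def lookup(routes, dst):
    """Longest-prefix match, which is what the kernel's FIB lookup does."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r["network"] and (best is None or
                                     r["network"].prefixlen > best["network"].prefixlen):
            best = r
    return best


TABLES = {"endian": parse_route_table(ENDIAN_ROUTES),
          "nagios": parse_route_table(NAGIOS_ROUTES)}


def trace(src_host, dst, max_hops=8):
    """Follow the route decision host by host, the way a packet would be forwarded.
    Returns the list of hops; the last entry's 'result' says how it ended."""
    hops, host = [], src_host
    while host is not None and len(hops) < max_hops:
        r = lookup(TABLES[host], dst)
        if r is None:
            hops.append({"host": host, "iface": None, "next_hop": None, "result": "no route"})
            return hops
        if r["gateway"] is None:           # destination is on a directly attached network
            hops.append({"host": host, "iface": r["iface"], "next_hop": dst, "result": "on-link"})
            return hops
        hops.append({"host": host, "iface": r["iface"], "next_hop": r["gateway"],
                     "result": "forwarded"})
        host = OWNER_OF.get(r["gateway"])  # None => next hop is outside the modelled network
    if hops:
        hops[-1]["result"] = "left the model" if host is None else "hop limit"
    return hops


if __name__ == "__main__":
    for hop in trace("nagios", "192.168.1.5"):
        print(hop)
```

For a LAN address the trace ends with Endian delivering on br0 ("on-link"), so the two connected routes on the Endian box are enough for ORANGE-to-GREEN traffic at the routing layer; what the trace cannot see is whether the forwarding chain (iptables) lets the packet through, which is the next thing to check.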
What is the reason for the bridges in the Endian firewall? A bridge joins network segments. You have a LAN network and a DMZ on different network subnets, not segments. Joining different networks is what routing does.
Suppose you wanted to bridge together a wireless and a wired device to join your wired LAN and wireless networks. (This example is taken from the Network Administrator's Guide 3rd Edition. You can get the 2nd edition on the www.tldp.org website)
# remove the ip addresses from the NICs that will be bridged
ifconfig eth0 0.0.0.0 down
ifconfig wlan0 0.0.0.0 down
# create the bridge device, then add the interfaces to be bridged
brctl addbr br0
brctl addif br0 wlan0
brctl addif br0 eth0
Bridging is done at layer two, which uses the mac addresses. Adding an IP address to the bridge allows you to remotely manage the gateway host.
# the address goes on the bridge, not on the member NICs
ifconfig br0 192.168.1.1 up
ifconfig wlan0 up
ifconfig eth0 up
Now if you had a third interface eth1, for the Internet connection, a common mistake would be to set up the routes before building the bridge. I suspect that may be your problem, but you shouldn't have bridges in the first place.
What is the reason for the bridges in the Endian firewall?
It is the default configuration of Endian and the way Endian Firewall works.
It immediately creates a bridge for the GREEN & ORANGE network. Suppose you want to add a VLAN, a second GREEN lan, it's as easy (for Endian) as adding the VLAN to the bridge.
I cannot control this bridge-creation, but I am not opposed to it.
In my opinion, it is not these bridges that create the problem.
If there were a bridge between the interfaces, you would have an IP address for the bridge and not the interfaces. This address would be for configuring the firewall and not for routing. You could have a bridge with no IP address on the bridge device or NIC devices. If this sounds like a switch, that's because a switch is a bridge which joins network segments.
Quote:
Eth0 (192.168.1.250) is connected to the br0
Eth2 (192.168.2.1) is connected to the br1
Eth1 is the WAN-interface
Also show how the bridges are set up. I looked at their website. They seem to use different subnets/network addresses between zones. This sounds like a router, as I would expect, and not a bridge config. I don't see any advantage to having a bridge device as an alias for an ethernet device, which is what you seem to be describing.
A bridge that doesn't bridge anything sounds odd IMHO. How many ports does it have? If there are several ports that you can use to connect to a single zone, then you would bridge those NICs together. Perhaps they configure a bridge device for each zone so that you can add or remove particular interfaces on one zone or another. Then the routing and firewall rules would use bridge device names and not NIC names. Which zone a port is on would depend on which bridge that device is attached to, and the rules wouldn't need to be updated when ports are added or reassigned.
Run "brctl show" to show how the bridges are set up. Let's double check that the bridge is made up of the interfaces we think they are.
Run "ifconfig" to show the configurations of the interfaces and bridges.
Run "route" again to show the routing rules.
Also, why is the nagios server in the DMZ? Doesn't it monitor the condition of hosts on the LAN? I don't believe that the interfaces between the DMZ and LAN are bridged together. Whether you have connectivity between the nagios server and the LAN may be due to either the routing between the two bridges which seems OK from what you posted, or the firewall rules.
Quote:
Originally Posted by jschiwal
Perhaps they configure a bridge device for each zone so that you can add or remove particular interfaces on one zone or another. Then the routing and firewall rules would use bridge device names and not NIC names. Which zone a port is on would depend on which bridge that device is attached to, and the rules wouldn't need to be updated when ports are added or reassigned.
As I said in short: even with 1 GREEN interface, Endian already creates a bridge to be able to attach multiple NICs together. You explain it in the long version...
Quote:
Originally Posted by jschiwal
Also, why is the nagios server in the DMZ? Doesn't it monitor the condition of hosts on the LAN?
My Nagios monitors public servers on the internet which are widespread. I therefore think it belongs in the ORANGE zone.
Quote:
Originally Posted by jschiwal
I don't believe that the interfaces between the DMZ and LAN are bridged together.
They aren't.
Quote:
Originally Posted by jschiwal
Whether you have connectivity between the nagios server and the LAN may be due to either the routing between the two bridges which seems OK from what you posted, or the firewall rules.
If you say the routing seems OK, then I need to dig into the firewall of Endian to know why there is no traffic between ORANGE & GREEN.
Last edited by jonaskellens; 11-16-2009 at 02:47 AM.
192.168.2.0 * 255.255.255.0 U 0 0 0 br1
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
These are the routes between the LAN and DMZ. You could double check whether IP forwarding (ip_forward) is enabled. It probably is. Also check the kernel modules that are loaded. I had a similar problem with forwarding not working. It worked after I enabled the nf_conntrack_ipv4 kernel module. (This module was named something else back then.) I don't think this will be the case, as other traffic is forwarded.
Again the Nagios server only has one interface, and the default gateway is set properly.
Other than that, check the firewall settings of the Endian firewall. Be sure to check Endian's logs. If you need to enable logging, do so and try reaching a host on the LAN from the Nagios server. Check the Nagios server's firewall settings as well. Maybe pings are being dropped but other traffic is forwarded. Determine a port that is open on a LAN host, and try using the telnet client: e.g. telnet 192.168.1.5 22. Try ports that the Nagios server will be using, e.g. for DNS. Connect your laptop to the DMZ port, configure its interface & route appropriately and see if it can reach hosts on the LAN.
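The port tests suggested above are worth scripting, because how a TCP connect fails tells you which layer is at fault. The following is an added Python example (mine, not from the thread) that probes a set of ports the way a hand-run telnet would and classifies each result: "open" or "closed" both mean the packets were routed end to end (a "closed" port answered with a RST), "filtered" means silence, which is the signature of an iptables DROP or a black-holed route, and "unreachable" means the local stack had no route or received an ICMP unreachable (what an iptables REJECT sends). It also reads the ip_forward sysctl mentioned earlier. The LAN address 192.168.1.5 and the port list in the `__main__` block are placeholders to adjust.

```python
import socket


def tcp_probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt the way you would read a hand-run
    'telnet host port'. The state tells you which layer is failing."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # SYN/ACK came back: routed end to end and the firewall passes it
    except socket.timeout:
        return "filtered"        # silence: typical of an iptables DROP, or a black-holed route
    except ConnectionRefusedError:
        return "closed"          # RST came back: packets reach the host, nothing listens there
    except OSError:
        return "unreachable"     # ENETUNREACH/EHOSTUNREACH: no route, or ICMP unreachable (REJECT)
    finally:
        s.close()


def probe_ports(host, ports, timeout=3.0):
    """Probe several ports on one host; returns {port: state}."""
    return {p: tcp_probe(host, p, timeout) for p in ports}


def diagnose(results):
    """Summarise a probe_ports() result into the next thing to check."""
    states = set(results.values())
    if states & {"open", "closed"}:
        return "routing works: any 'filtered' ports are being dropped by a firewall rule"
    if states == {"filtered"}:
        return "no replies at all: check the forwarding box's firewall rules and ip_forward"
    if states == {"unreachable"}:
        return "no route or ICMP unreachable: check the routing tables on both ends"
    return "mixed results: compare the firewall logs per port"


def ip_forwarding_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """True/False on Linux; None when the sysctl is not readable (not Linux, container)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def local_listener():
    """Self-test helper: a listening socket on an ephemeral loopback port,
    so the classifier can be exercised without any real network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Placeholder target: a GREEN host and the ports Nagios actually needs
    # (22 for SSH, 53 for DNS over TCP, 80 for HTTP checks).
    results = probe_ports("192.168.1.5", [22, 53, 80])
    print(results, "->", diagnose(results))
    print("ip_forward:", ip_forwarding_enabled())
```

Run it from the Nagios host (or the laptop plugged into the ORANGE port) against a GREEN host. Note that a firewall set to DROP makes the probe wait for the full timeout, so keep the port list short; and DNS is normally UDP, so a "closed" on TCP 53 only proves the path, not that the resolver answers.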