DNS-problem from orange zone to green zone
 

I have an Endian firewall that connects a RED zone (internet), a GREEN zone (LAN) and a ORANGE zone (DMZ).

Interzone traffic is allowed, so GREEN can talk to ORANGE and visa versa.

I have a ClarkConnect-server that serves as DNS & DHCP-server on the GREEN zone : 192.168.1.5

I have a Nagios-server with fixed IP-address in the ORANGE zone: 192.168.2.20.

My laptop is a client on the GREEN network that receives an IP-address from the DHCP-server, ClarkConnect, namely 192.168.1.11.

On my laptop-client :
On the Nagios-server :
On Endian, the gateway/firewall :
Eth0 (192.168.1.250) is connected to the br0
Eth2 (192.168.2.1) is connected to the br1
Eth1 is the WAN-interface


Why can't my Nagios-server reach the ClarkConnect-server ??
The default gateway is set correctly (192.168.2.1 = Endian). So when the DNS-server resides on network 192.168.1, then it should go through Endian, right ??

What is the reason for the bridges in the Edian firewall? A bridge joins network segments. You have a LAN network and a DMZ on different network subnets, not segments. Joining different networks is what routing does.

Suppose you wanted to bridge together a wireless and a wired device to join your wired LAN and wireless networks. (This example is taken from the Network Administrator's Guide 3rd Edition. You can get the 2nd edition on the www.tldp.org website)

# remove the ip addresses
ifcfg eth01 0.0.0.0 down
ifcfg wlan0 0.0.0.0 down

# add interfaces to be bridged
brctl addif br0 wlan0
brctl addif br0 eth1

Bridging is done at layer two, which uses the mac addresses. Adding an IP address to the bridge allows you to remotely manage the gateway host.

ifconfig br0 192.168.1.1 up
ifconfig wlan0 up
ifconfig eth0 up

Now if you had a third interface eth1, for the Internet connection, a common mistake would be to set up the routes before building the bridge. I suspect that may be your problem, but you shouldn't have bridges in the first place.

Is the default configuration of Endian and the way Endian Firewall works.

It immediately creates a bridge for the GREEN & ORANGE network. Suppose you want to add a VLAN, a second GREEN lan, it's as easy (for Endian) as adding the VLAN to the bridge.

I cannot control this bridge-creation, but I am not opposed to it.

In my opinion, it is not these bridges that creates the problem.

If there were a bridge between the interfaces, you would have an IP address for the bridge and not the interfaces. This address would be for configuring the firewall and not for routing. You could have a bridge with no IP address on the bridge device or NIC devices. If this sounds like a switch, that's because a switch is a bridge which joins network segments.

Also show how the bridges are setup. I looked in their website. They seem to use different subnets/network addresses between zones. This sounds like a router as I would expect and not bridge config. in see any advantage to having a bridge device as an alias for an ethernet device, which is what you seem to be describing.

A bridge that doesn't bridge anything sounds odd IMHO. How many ports does it have. It there are several ports that you can use to connect to a single zone, then you would bridge those NICs together. Perhaps they configure a bridge device for each zone so that you can add or remove particular interfaces on one zone or another. Then the routing and firewall rules would use bridge device names and not NIC names. Which zone a port is on would depend on which which bridge that device is attached to and the rules wouldn't need to be updated when ports are added or reassigned.

Run "brctl show" to show how the bridges are set up. Let's double check that the bridge is made up of the interfaces we think they are.
Run "ifconfig" to show the configurations of the interfaces and bridges.
Run "route" again to show the routing rules.

Also, why is the nagios server in the DMZ? Doesn't it monitor the condition of hosts on the LAN? I don't believe that the interfaces between the DMZ and LAN are bridged together. Whether you have connectivity between the nagios server and the LAN may be due to either the routing between the two bridges which seems OK from what you posted, or the firewall rules.

As I said it in short : even with 1 GREEN interface, Endian already creates a bridge to be able to attach multiple NIC's together. You explain it in long version...

My Nagios monitors public servers on the internet which are widespread. I think therefore it belongs in the ORANGE zone.

They aren't.

If you say the routing seems OK, then I need to dig into the firewall of Endian to know why there is no traffic between ORANGE & GREEN.

From a previous post:
These are the routes between the LAN and DMZ. You could double check whether ip_forward forwarding is enabled. It probably is. Also check the kernel modules that are loaded. I had a similar problem with forwarding not working. It worked after I enabled the nf_conntrack_ipv4 kernel module. ( This module was named something else back then. ) I don't think this will be the case as other traffic is forwarded.

Again the Nagios server only has one interface, and the default gateway is set properly.

Other than that, check the firewall settings of the Endian firewall. Be sure to check the Endians logs. If you need to enable logging, do so and try reaching a host on the lan from the Nagios server. Check the Nagios Server's firewall setting as well. Maybe pings are being dropped but other traffic is forwarded. Determine a port that is open on a LAN host, and try using the telnet client: e.g. telnet 192.168.1.5 22. Try ports that the Nagios server will be using, e.g. for dns. Connect your laptop to the DNS port, configure it's interface & route appropriately and see if it can reach hosts on the LAN.