Setup a linux server between NAT firewall device and rest of network

scheidel21 · 06-03-2009, 04:00 PM

Hi all,

Sorry if this has been asked before, but I am not even sure what to google for an answer so I thought I'd ask all of you.

The company I work for has been having some slow Internet issues, after much investigation ATT our T1 provider told us our line was saturated with traffic. so we started analyzing our internal traffic and according to Wireshark over an hour period we averaged only .391 MBits/s for traffic, but our Internet connection was still very slow during that time frame.

So let me give you an idea of our network

Code:

JuniperSSG140--->switch--->network

I modified this to get my wireshark info and it looks like this

Code:

JuniperSSG140--->Hub--|-->switch----->Network
                      |-->Linux Server running Wireshark

What I would like to do is place the Linux server at this point between the firewall and switched network so it looks like this

Code:

SSG140--->eth1--->eth0--->switch---->network
         (Linux Server)

This way I could run a realtime bandwidth monitor on Network traffic inbound and outbound from our internet connection.

My issue is that I am unsure how to configure it to bridge this way. I know I could use IP tables to NAT, but I want everything on the same subnet. and only want to put the server in-line. Currently eth0 is configured as 192.168.100.11 and eth1 is 192.168.100.6 the DHCP server tells everything the gateway is 192.168.100.1 I would like to not change that either.

Is there any way to bridge this? Would I set up a bridge interface br0 and add eth1 and eth2 to it and would that allow all traffic to pass through it looking for the gateway, do I need to use IPtables to route traffic from eth1-->eth0 and back?

I appreciate all your help thanks.

Alex

billymayday · 06-03-2009, 04:27 PM

I don't see why you need a bridge, you should be able to simply enable forwarding (echo "1" > /proc/sys/net/ipv4/ip_forward) and make sure that your iptables rules are allowing forwarding of packets (see FORWARD chain).

ramram29 · 06-03-2009, 04:41 PM

You should bridge two nic cards. One nic connected directly to the juniper (the outside link) and the other nic connected the swith (the inside link). Then run your wireshark that way.

Also, you may a computer with a bad network card. I would recommend to go through the process of elimination first to narrow down where the problem is. Start by using one computer then one by one, until you can detect where the symptom is coming from.

scheidel21 · 06-03-2009, 07:49 PM

I appreciate the advice, I thought about a bad NC but nothing indicates that so far, and brnging one up at a time is easier said than done without interfering with operations. I also actually found iftop though, it seems to work great in promiscuous mode I probably will do bandwidth monitoring one day and sniff with wireshark once I get it in line hopefully I can sniff out the issue that way.