Re: Asymmetrically routing through transparent fw (bridge)

From: prg (rdgentry1_at_cablelynx.com)
Date: 05/11/05


Date: 11 May 2005 10:32:25 -0700


Wolfgang Kohnen wrote:
> Philippe WEILL wrote:
>
> > if you want to do something like this it's doesn't work
> >
> > |------------|
> > ---------| Cisco |
> > |------------|
> > | | | | |
> > |- ---| Workstations
> > | FWB |
> > |-----|
> > could you explain with ascii art what you need
>
>
> It's more like this:
>
> -------
> |cisco|-----> metropolitan area net
> -------
> | ----------------
> | (----------------------------| other switch |
> | | ----------------
> --------- ------ ---------- |||||||| |
> | FWB |------> | FW |------| switch | third network
> --------- ------ ---------- |
> | |||||| |
> | |||||| ------
> | second network | FW |
> | ------
> ----------
> | switch |
> ----------
> ||||||
> ||||||
> first network
>
> The interesting part is on the left column: the cisco router, the
> bridging firewall (FWB) and the connected "first network". What I need
> is, that the first network has a default gateway different to the second
> and third network (which go to a different off-site uplink). But I want
> to route packages between these three networks. Cisco's IP is
> 10.121.64.1 and I would like to give the IP 10.121.64.15 (same logical
> network, hence the bridging firewall) and default gateway 10.121.64.1 to
> the FWB and then give a default gateway of 10.121.64.15 to the clients
> in the first network.

I must be missing something -- not the first time ;)

If FWB is to _bridge_ network-1 to the Cisco router, then the Cisco
would be the default GW. Why would you want FWB to be the default GW
for network-1?

If you need _routing_, what requirements do you have that would make
network-1 part of the same network as the Cisco? Why not just put them
on a separate subnet? Is this not possible/desired? Have you
considered proxy arp?

> Maybe it was misleading, that I wrote:
>
> >> But
> >> packages going the other way round will arrive from the internet (or
> >> other off-site networks) at the cisco router and then they will be sent
> >> from the cisco router directly to the client i.e. transparently through
> >> the bridge.
>
> The FWB is between the first network and the cisco router, of course.

> If I didn't miss something important, the packages will all pass the FWB
> from all directions, from cisco to first network, from first network to
> cisco and to/from second network to the first network.

Bridge "devices" are virtual and you add interfaces (nics) to a single
bridge device to participate in the bridged net segment. So you can
bridge from network-1 to Cisco while routing from network-2,3. If I
understand your layout, you can't bridge to FW because it is _routing_
to network-2 and network-3 (through switches). If it is to bridge to
them, then all segments are on the same subnet.

> But there is still an asymmetry on the FWB: Cisco thinks it sends to the
> network directly and it passes the FWB, and the clients in that network
> think the FWB is a router and the Cisco doesn't exist. My question is
> theoretical "How does this asymmetry appear at the FWB? (routing table/
> INPUT / FORWARD / OUTPUT)" or my question is pragmatical:
>
> >> 2.) How can I handle connections going through this transparent
> >> firewall? Am I able to stateful inspect connections easily here!?
>
> I have no clue. Maybe the Linux can't do this at all, or there is just
> no problem, or... I don't know?

It is not clear what segments/subnets/networks you want to bridge and
which you want to route.

Linux can do just about anything with the bridging code now built into
the 2.6 kernels.

However, I don't know that there is any (useful?) way to have it
_bridge_ in one direction, while _routing_ in another direction. Not
saying it's not possible (or if it would have any relevance for your
design), just can't imagine why you would do it.

Now Linux _can_ treat frames/packets arriving on an interface
differently (routed vs. bridged) in accordance with your configuration.
This is sometimes called brouting (cute, huh?).

Anyway, you might want to look at this and see if it helps:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

Also, your ascii art would be much better if we knew which nics are
bridging and which are routing and which one(s) you would like to
broute. I _think_ I understand what you may be wanting, but not very
confident ;)

hth,
prg
email above disabled
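The layout the thread circles around (FWB as a bridge between the Cisco and network-1, with an IP of its own so network-1 clients can use it as a gateway, and "brouting" for the frames that should be routed rather than bridged), written out as a shell script. This is an added example for illustration, not configuration posted by anyone in the thread. It uses the addresses given above (10.121.64.1 for the Cisco, 10.121.64.15 for the FWB) and assumes interface names eth0 (port towards the Cisco) and eth1 (port towards network-1). With DRY_RUN=1, the default, it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the FWB as a Linux 2.6 bridge
# with its own IP, enables stateful filtering over the asymmetric path and
# adds a broute rule. Interface names eth0/eth1 are assumptions.
# DRY_RUN=1 (default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
CISCO_IP="10.121.64.1"    # from the thread
FWB_IP="10.121.64.15"     # from the thread
LAN="10.121.64.0/24"      # the shared logical network
UPLINK_IF="eth0"          # assumed: bridge port towards the Cisco
LAN_IF="eth1"             # assumed: bridge port towards network-1

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The bridge itself: both NICs become ports of br0, and br0 carries the IP
# that network-1 clients use as their default gateway. The FWB's own
# default route points at the Cisco through the same bridge.
fwb_bridge() {
    run brctl addbr br0
    run brctl addif br0 "$UPLINK_IF"
    run brctl addif br0 "$LAN_IF"
    run ip addr add "$FWB_IP/24" dev br0
    run ip link set br0 up
    run ip route add default via "$CISCO_IP" dev br0
}

# Stateful inspection across the asymmetry: client -> Cisco traffic is
# routed by the FWB (destination MAC is br0's), Cisco -> client traffic is
# bridged straight through. With bridge-nf enabled, bridged frames are
# also passed to iptables, so a single FORWARD policy and a single
# conntrack table see both directions and the usual state rule works.
fwb_filter() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # new connections only from network-1 outwards; physdev-in names the
    # bridge port a frame entered on, whether it is then bridged or routed
    run iptables -A FORWARD -m physdev --physdev-in "$LAN_IF" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# "Brouting": frames from network-1 for destinations outside the local
# subnet are taken out of the bridge path and handed to the IP stack to
# be routed (DROP in the BROUTING chain means "do not bridge this frame"),
# even if the client addressed them to some other MAC. Everything else,
# including Cisco -> client frames, keeps being bridged transparently.
fwb_broute() {
    run ebtables -t broute -A BROUTING -i "$LAN_IF" -p IPv4 \
        --ip-dst ! "$LAN" -j redirect --redirect-target DROP
}

fwb_all() {
    fwb_bridge
    fwb_filter
    fwb_broute
}

fwb_all
```

A client that already uses 10.121.64.15 as its gateway sends frames to br0's own MAC, and those are routed without any broute rule; the BROUTING entry is what covers frames network-1 hosts address to another MAC (a client configured with the Cisco as gateway, for instance), so that they too pass the FORWARD chain. On current kernels the bridge-nf sysctl only exists once the br_netfilter module is loaded, and `ip link add br0 type bridge` replaces `brctl addbr`.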


