[CentOS] A bridge problem


[CentOS] A bridge problem

m.roth
We just went to replace the bridge/firewall services on one server with
the same on another. It's pretty simple, and I literally cloned (w/ rsync)
a third server that does this onto the one that will be the new one. Then
copied the /etc/sysconfig/iptables from the one being replaced, and
brought it up this morning.

Nope. We had to put everything back the way it was.

The new one sees the two or three servers behind the firewall, and we can
ping them, from the new box. On one, we see IPP broadcasts; in fact, we
see lots of broadcast packets using tcpdump. From outside, though, you
can't see the servers. Trying to ping them, they see nothing. It seems to
be the case that tcp and icmp packets are blocked, and we can't figure out
why.

CentOS 5.6.

ifcfg-eth0

DEVICE=eth0
BRIDGE=br3
BOOTPROTO=dhcp
HWADDR=aa:bb:cc:dd:ee:ff
ONBOOT=yes

ifcfg-eth1

DEVICE=eth1
BRIDGE=br3
HWADDR=aa:bb:cc:dd:ee:gg
ONBOOT=yes

ifcfg-br3

DEVICE=br3
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=static
IPADDR=<our ip>
NETMASK=255.255.254.0
NETWORK=<our nw>
GATEWAY=<our gw>

Any ideas?

          mark

_______________________________________________
CentOS mailing list
[hidden email]
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] EXTERNAL: A bridge problem

Massey, Ricky
I thought all we were going to is remove the IA_REMOTE Banner for the BYG-1 Display applications.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Monday, June 13, 2011 2:02 PM
To: CentOS mailing list
Subject: EXTERNAL: [CentOS] A bridge problem

We just went to replace the bridge/firewall services on one server with
the same on another. It's pretty simple, and I literally cloned (w/ rsync)
a third server that does this onto the one that will be the new one. Then
copied the /etc/sysconfig/iptables from the one being replaced, and
brought it up this morning.

Nope. We had to put everything back the way it was.

The new one sees the two or three servers behind the firewall, and we can
ping them, from the new box. On one, we see IPP broadcasts; in fact, we
see lots of broadcast packets using tcpdump. From outside, though, you
can't see the servers. Trying to ping them, they see nothing. It seems to
be the case that tcp and icmp packets are blocked, and we can't figure out
why.

CentOS 5.6.

ifcfg-eth0

DEVICE=eth0
BRIDGE=br3
BOOTPROTO=dhcp
HWADDR=aa:bb:cc:dd:ee:ff
ONBOOT=yes

ifcfg-eth1

DEVICE=eth1
BRIDGE=br3
HWADDR=aa:bb:cc:dd:ee:gg
ONBOOT=yes

ifcfg-br3

DEVICE=br3
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=static
IPADDR=<our ip>
NETMASK=255.255.254.0
NETWORK=<our nw>
GATEWAY=<our gw>

Any ideas?

          mark


Re: [CentOS] A bridge problem

Robert Spangler
In reply to this post by m.roth
On Monday 13 June 2011 14:02, the following was written:

>  We just went to replace the bridge/firewall services on one server with
>  the same on another. It's pretty simple, and I literally cloned (w/ rsync)
>  a third server that does this onto the one that will be the new one. Then
>  copied the /etc/sysconfig/iptables from the one being replaced, and
>  brought it up this morning.
>
>  Nope. We had to put everything back the way it was.
>
>  The new one sees the two or three servers behind the firewall, and we can
>  ping them, from the new box. On one, we see IPP broadcasts; in fact, we
>  see lots of broadcast packets using tcpdump. From outside, though, you
>  can't see the servers. Trying to ping them, they see nothing. It seems to
>  be the case that tcp and icmp packets are blocked, and we can't figure out
>  why.

Is the firewall IP or port based or a combo of both?
Is the firewall set up on the bridge interface or on each individual server
interface, i.e. eth0, eth1, etc.?

What does ifconfig show you?  Are all the interfaces started? Do the DHCP
interfaces receive a DHCP address?


--

Regards
Robert

Linux
The adventure of a lifetime.

Linux User #296285
Get Counted
http://counter.li.org/

Re: [CentOS] A bridge problem

m.roth
Robert Spangler wrote:

> On Monday 13 June 2011 14:02, the following was written:
>
>>  We just went to replace the bridge/firewall services on one server
>> with the same on another. It's pretty simple, and I literally cloned (w/
>> rsync) a third server that does this onto the one that will be the new
>> one. Then copied the /etc/sysconfig/iptables from the one being
>> replaced, and brought it up this morning.
>>
>>  Nope. We had to put everything back the way it was.
>>
>>  The new one sees the two or three servers behind the firewall, and we
>> can ping them, from the new box. On one, we see IPP broadcasts; in fact,
>> we  see lots of broadcast packets using tcpdump. From outside, though,
>> you  can't see the servers. Trying to ping them, they see nothing. It
>> seems to  be the case that tcp and icmp packets are blocked, and we
>> can't figure out  why.
>
> Is the firewall IP or port based or a combo of both?
> Is the firewall setup on the bridge interface or on each individual server
> interface i.e., eth0, eth1 etc..

Not sure how to answer that. I'd say it's on the external interface.
>
> What does ifconfig show you?  Are all the interfaces started? Do the DHCP
> interfaces receive a DHCP address?

Yep. And route shows *only* br3, and when I restart the network br3 brings
up eth0 and eth1.

        mark


Re: [CentOS] A bridge problem

Les Mikesell
In reply to this post by m.roth
On 6/13/2011 1:02 PM, [hidden email] wrote:

> We just went to replace the bridge/firewall services on one server with
> the same on another. It's pretty simple, and I literally cloned (w/ rsync)
> a third server that does this onto the one that will be the new one. Then
> copied the /etc/sysconfig/iptables from the one being replaced, and
> brought it up this morning.
>
> Nope. We had to put everything back the way it was.
>
> The new one sees the two or three servers behind the firewall, and we can
> ping them, from the new box. On one, we see IPP broadcasts; in fact, we
> see lots of broadcast packets using tcpdump. From outside, though, you
> can't see the servers. Trying to ping them, they see nothing. It seems to
> be the case that tcp and icmp packets are blocked, and we can't figure out
> why.
>
> CentOS 5.6.
>
> ifcfg-eth0
>
> DEVICE=eth0
> BRIDGE=br3
> BOOTPROTO=dhcp
> HWADDR=aa:bb:cc:dd:ee:ff
> ONBOOT=yes
>
> ifcfg-eth1
>
> DEVICE=eth1
> BRIDGE=br3
> HWADDR=aa:bb:cc:dd:ee:gg
> ONBOOT=yes
>
> ifcfg-br3
>
> DEVICE=br3
> ONBOOT=yes
> TYPE=Bridge
> BOOTPROTO=static
> IPADDR=<our ip>
> NETMASK=255.255.254.0
> NETWORK=<our nw>
> GATEWAY=<our gw>
>
> Any ideas?

Are the HWADDR= entries fixed up to match the actual hardware after the
copy?  And does ifconfig show that your config actually set up what you
expected?  CentOS isn't very predictable in terms of which NIC gets
which interface name.

--
   Les Mikesell
    [hidden email]


Re: [CentOS] A bridge problem

m.roth
Les Mikesell wrote:

> On 6/13/2011 1:02 PM, [hidden email] wrote:
>> We just went to replace the bridge/firewall services on one server with
>> the same on another. It's pretty simple, and I literally cloned (w/
>> rsync) a third server that does this onto the one that will be the new
>> one. Then
>> copied the /etc/sysconfig/iptables from the one being replaced, and
>> brought it up this morning.
>>
>> Nope. We had to put everything back the way it was.
>>
>> The new one sees the two or three servers behind the firewall, and we
>> can ping them, from the new box. On one, we see IPP broadcasts; in fact,
>> we
>> see lots of broadcast packets using tcpdump. From outside, though, you
>> can't see the servers. Trying to ping them, they see nothing. It seems
>> to be the case that tcp and icmp packets are blocked, and we can't figure
>> out why.
<snip>
> Are the HWADDR= entries fixed up to match the actual hardware after the
> copy?  And does ifconfig show that your config actually set up what you
> expected?  CentOS isn't very predictable in terms of which NIC gets
> which interface name.

Yes. And I made sure of that, before we started this exercise. (And my
manager asked the same question - he's one of us, you see, *not* a PHB)

        mark


Re: [CentOS] A bridge problem

Ljubomir Ljubojevic
[hidden email] wrote:

> Les Mikesell wrote:
>> On 6/13/2011 1:02 PM, [hidden email] wrote:
>>> We just went to replace the bridge/firewall services on one server with
>>> the same on another. It's pretty simple, and I literally cloned (w/
>>> rsync) a third server that does this onto the one that will be the new
>>> one. Then
>>> copied the /etc/sysconfig/iptables from the one being replaced, and
>>> brought it up this morning.
>>>
>>> Nope. We had to put everything back the way it was.
>>>
>>> The new one sees the two or three servers behind the firewall, and we
>>> can ping them, from the new box. On one, we see IPP broadcasts; in fact,
>>> we
>>> see lots of broadcast packets using tcpdump. From outside, though, you
>>> can't see the servers. Trying to ping them, they see nothing. It seems
>>> to be the case that tcp and icmp packets are blocked, and we can't figure
>>> out why.
> <snip>
>> Are the HWADDR= entries fixed up to match the actual hardware after the
>> copy?  And does ifconfig show that your config actually set up what you
>> expected?  CentOS isn't very predictable in terms of which NIC gets
>> which interface name.
>
> Yes. And I made sure of that, before we started this exercise. (And my
> manager asked the same question - he's one of us, you see, *not* a PHB)
>
>         mark

Without knowing more about your current server there is not much we can
do to help you. I am fluent in networking; I have been a WISP for 7 years
and a network/wireless consultant for 4-5 years.

Are you using that new unit (router/gateway is what they are called, not
servers; you will just confuse things) as a pass-through bridge with
added IP firewalling (only 2 interfaces)? Or are you supposed to route
(one outgoing interface eth2 and br3 as local LAN)?

Why do you have bootproto=dhcp on eth0?
Is NETMASK=255.255.254.0 supposed to be .254.0 or is it a typo?

Have you removed ARP entries from ARP cache of neighboring units
(servers, upstream routers) etc?

Have you enabled ip_forwarding ?

If you have a pass-through bridge with only two interfaces, have you
considered that maybe you should reverse/switch the LAN cables plugged into
eth0 and eth1, since the firewall script is probably set up as one direction
only, and if you reverse the flow the firewall might block everything? Test
with the firewall disabled/stopped.

Using a combination of bridge and firewall is not wise at all; I would say
it's quite a mess. It is always best to use routing.

Ljubomir

Re: [CentOS] A bridge problem

Marcelo Roccasalva
On Mon, Jun 13, 2011 at 19:30, Ljubomir Ljubojevic <[hidden email]> wrote:

>
> [hidden email] wrote:
> > Les Mikesell wrote:
> >> On 6/13/2011 1:02 PM, [hidden email] wrote:
> >>> We just went to replace the bridge/firewall services on one server with
> >>> the same on another. It's pretty simple, and I literally cloned (w/
> >>> rsync) a third server that does this onto the one that will be the new
> >>> one. Then
> >>> copied the /etc/sysconfig/iptables from the one being replaced, and
> >>> brought it up this morning.
> >>>
> >>> Nope. We had to put everything back the way it was.
> >>>
> >>> The new one sees the two or three servers behind the firewall, and we
> >>> can ping them, from the new box. On one, we see IPP broadcasts; in fact,
> >>> we
> >>> see lots of broadcast packets using tcpdump. From outside, though, you
> >>> can't see the servers. Trying to ping them, they see nothing. It seems
> >>> to be the case that tcp and icmp packets are blocked, and we can't figure
> >>> out why.

Maybe some router or switch has your old mac address forced (or kind
of static). Can you reboot them? (or contact your ISP to know for
sure?)

--
Marcelo

"Could it be that this modern life is turning out to have more of 'modern'
in it than 'life'?" (Mafalda)

Re: [CentOS] A bridge problem

Les Mikesell
In reply to this post by m.roth
On 6/13/2011 3:01 PM, [hidden email] wrote:

> Les Mikesell wrote:
>> On 6/13/2011 1:02 PM, [hidden email] wrote:
>>> We just went to replace the bridge/firewall services on one server with
>>> the same on another. It's pretty simple, and I literally cloned (w/
>>> rsync) a third server that does this onto the one that will be the new
>>> one. Then
>>> copied the /etc/sysconfig/iptables from the one being replaced, and
>>> brought it up this morning.
>>>
>>> Nope. We had to put everything back the way it was.
>>>
>>> The new one sees the two or three servers behind the firewall, and we
>>> can ping them, from the new box. On one, we see IPP broadcasts; in fact,
>>> we
>>> see lots of broadcast packets using tcpdump. From outside, though, you
>>> can't see the servers. Trying to ping them, they see nothing. It seems
>>> to be the case that tcp and icmp packets are blocked, and we can't figure
>>> out why.
> <snip>
>> Are the HWADDR= entries fixed up to match the actual hardware after the
>> copy?  And does ifconfig show that your config actually set up what you
>> expected?  CentOS isn't very predictable in terms of which NIC gets
>> which interface name.
>
> Yes. And I made sure of that, before we started this exercise. (And my
> manager asked the same question - he's one of us, you see, *not* a PHB)


I missed that 'from outside' part before.  If that means on the other
side of a router, note that routers generally have a 20 minute arp cache
so when you move the IP to a different MAC address you either have to
wait a long time or log into the router and 'clear arp' before things
will work again.  There's probably a way to make the interface send a
gratuitous arp that the router will catch, but I don't know it off the
top of my head.

--
   Les Mikesell
    [hidden email]

Re: [CentOS] A bridge problem

Gordon Messmer
In reply to this post by m.roth
On 06/13/2011 11:02 AM, [hidden email] wrote:
> We just went to replace the bridge/firewall services on one server with
> the same on another. It's pretty simple, and I literally cloned (w/ rsync)
> a third server that does this onto the one that will be the new one. Then
> copied the /etc/sysconfig/iptables from the one being replaced, and
> brought it up this morning.

Specifically what did you rsync?  If you copied the ifcfg files, you
probably need to adjust the HWADDR in each.  If you didn't get all of
/etc, you might need sysctl.conf.  I'm guessing that's the case, given
the symptoms and the fact that you had to also copy the iptables file.

> ifcfg-eth0
>
> DEVICE=eth0
> BRIDGE=br3
> BOOTPROTO=dhcp
> HWADDR=aa:bb:cc:dd:ee:ff
> ONBOOT=yes

There should not be a BOOTPROTO in this file.

> ifcfg-br3
>
> DEVICE=br3
> ONBOOT=yes
> TYPE=Bridge
> BOOTPROTO=static
> IPADDR=<our ip>
> NETMASK=255.255.254.0
> NETWORK=<our nw>
> GATEWAY=<our gw>

You don't need NETWORK here.

It would also be helpful to see the contents of /etc/sysctl.conf or the
output of:

# cat /proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/bridge/bridge-nf-call-*
# brctl show
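As an added example (not from the thread, and not CentOS's own tooling), a POSIX sh check that covers the points the replies above raise: whether each ifcfg HWADDR= still matches the MAC the kernel reports after the rsync clone, plus the ip_forward and bridge-nf-call-* values Gordon asks for. The ROOT argument and the script name bridge_check.sh are my assumptions so the check can be run against a copied /etc, /proc and /sys tree as well as the live box.

```shell
#!/bin/sh
# Added diagnostic (not from the thread) for the checks the replies ask
# for: HWADDR= in each ifcfg file vs. the MAC the kernel reports, the
# ip_forward sysctl, and the bridge-nf-call-* sysctls. ROOT is an
# assumption for testing: point it at a copied /etc + /proc + /sys tree,
# or pass "" to inspect the live system.

# bridge_check ROOT: print one finding per line; return the warning count.
bridge_check() {
    root="${1:-}"
    warn=0
    for cfg in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -f "$cfg" ] || continue
        dev=$(sed -n 's/^DEVICE=//p' "$cfg")
        want=$(sed -n 's/^HWADDR=//p' "$cfg" | tr 'A-F' 'a-f')
        [ -n "$want" ] || continue         # bridge/loopback: no HWADDR
        sysmac="$root/sys/class/net/$dev/address"
        if [ ! -r "$sysmac" ]; then
            echo "warn: $dev ($cfg) has no interface in the kernel"
            warn=$((warn + 1))
        elif [ "$(tr 'A-F' 'a-f' < "$sysmac")" != "$want" ]; then
            # A stale HWADDR after cloning means the ifcfg file silently
            # does not apply to the NIC you think it does.
            echo "warn: $dev HWADDR=$want but kernel has $(cat "$sysmac")"
            warn=$((warn + 1))
        else
            echo "ok: $dev MAC matches $want"
        fi
    done
    fwd=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null || echo '?')
    echo "info: ip_forward=$fwd"
    # With bridge-nf-call-iptables=1, bridged frames traverse the iptables
    # FORWARD chain, so a copied ruleset affects pass-through traffic too.
    for f in "$root"/proc/sys/net/bridge/bridge-nf-call-*; do
        [ -f "$f" ] || continue
        echo "info: ${f##*/}=$(cat "$f")"
    done
    return "$warn"
}

# Check the live system when executed as bridge_check.sh; when sourced
# under another name only the function is defined.
if [ "${0##*/}" = "bridge_check.sh" ]; then bridge_check ""; fi
```

For the ARP-cache point Les raises, iputils `arping -U -c 3 -I br3 <our ip>` sends unsolicited (gratuitous) ARP so neighbours relearn the new MAC; whether the upstream router honours it is up to that router.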