  1. #1
    Just Joined!
    Join Date
    Sep 2012
    Posts
    4

    Question Keep IP connectivity on a bridge


    I'm working on a transparent bridge to AV-scan HTTP traffic without having to configure any proxies.
    It's not fully configured yet, but it will be positioned between the firewall and the actual internet line.
    The problem here will be connectivity: under no circumstances do I want that machine to have a public IP, so I thought up a few options that are or might be possible:
    - I can just add an extra NIC as a 'management interface' (that'll obviously work :P)
    - Add an IP to the eth0 interface that is still in the bridge and a 2nd IP to the WAN interface of the firewall.
    - Add a VLAN interface on the 'inside' interface so that tagged traffic goes there and everything else gets bridged.
    - Something I have not thought of ...

    Does anyone have experience with bridging and know more about what's possible and what isn't when it comes to keeping connectivity to the machine?

  2. #2
    Just Joined!
    Join Date
    Sep 2012
    Location
    Russia
    Posts
    5

    Smile

    Hello, Consequator.

    A bridge is basically a device which passes traffic in the same VLAN between the physical interfaces. So you can't assign an IP address to the bridged interface (eth0), but you can assign an IP address to the bridge VLAN interface br0 (this is oversimplified, but true). So the first solution for your problem is to do that (and add a secondary address to the firewall's interface).

    On the other hand, you can bridge traffic in the untagged VLAN and manage your switch using tagged traffic. To do so you should add an interface for the needed VLAN (like eth0.2) and assign an IP address to this interface.

    Both options provide the same security against real-life attacks.
    PS. Of course you should assign private IP addresses.

  3. #3
    Just Joined!
    Join Date
    Sep 2012
    Posts
    4
    You mean that if eth0 and eth1 are linked to br0, I can still have an eth0.xx as a VLAN interface?
    Or do you mean a br0.xx as a VLAN interface on the bridge interface?

    It's sitting in my workplace, so I can't try till Monday.

  5. #4
    Just Joined!
    Join Date
    Sep 2012
    Location
    Russia
    Posts
    5
    You should probably get familiar with the OSI model, which is the basis for every networking analysis.
    The first answer is yes, you can.
    The second answer is no; the number of the br interface doesn't depend on the number of the eth subinterface. Basically it is just a logical interface, and you can access that interface from bridged VLANs.

    You can check the configuration on one of my servers. There are no bridged interfaces, but there are some interfaces with assigned IPs which work with tagged traffic.


    # Untagged traffic on eth0: address from DHCP, plus a default route
    # with metric 10 so it loses to any lower-metric default route
    auto eth0
    iface eth0 inet dhcp
    up ip route add 0.0.0.0/0 via x.x.x.x metric 10

    # Tagged VLAN 100 sub-interface of eth0 with a static address
    auto eth0.100
    iface eth0.100 inet static
    address x.x.x.x
    netmask 255.255.255.0

    # Tagged VLAN 200 sub-interface of eth0; two extra static routes
    # for networks reachable only through this VLAN
    auto eth0.200
    iface eth0.200 inet static
    address x.x.x.x
    netmask 255.255.255.0
    up ip route add x.x.x.x/29 via x.x.x.x
    up ip route add x.x.x.x/32 via x.x.x.x
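
    As an added worked example (not code from the thread or from either poster), here is what the two options discussed in posts #2 and #4 look like with the iproute2 tools on the two-port bridge the original poster described: untagged traffic is bridged between eth0 and eth1, the bridge and its ports carry no IP address at all, and the box is reachable only over a tagged management VLAN. The interface names, VLAN id 100, the address 10.0.100.2/24 and the gateway 10.0.100.1 are assumptions for illustration. Without RUN=1 the script only prints the commands it would run, so it can be reviewed before being applied to the live line; the final function is a post-deployment check that none of the layer-2-only devices picked up an address.

```shell
#!/bin/sh
# Added example, not from the thread: two-port transparent bridge with
# management reachable only over a tagged VLAN. Interface names, VLAN id,
# address and gateway below are assumptions for illustration.
# RUN=1 executes the commands (as root); otherwise they are only printed.

set -eu

BR=br0
WAN_PORT=eth0        # faces the internet line
LAN_PORT=eth1        # faces the firewall's WAN interface
MGMT_VLAN=100
MGMT_ADDR=10.0.100.2/24
MGMT_GW=10.0.100.1   # assumed tagged VLAN 100 address on the firewall

run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Option from post #2: management on a VLAN sub-interface of the bridge
# itself (br0.100). Bridge VLAN filtering is enabled so that VLAN 100 is
# accepted only on the firewall-facing port and the bridge device, and is
# never forwarded out of the public-facing port.
bridge_mgmt_on_vlan() {
    run ip link add name "$BR" type bridge vlan_filtering 1
    # Keep br0 a pure layer-2 device: no IPv4, and no IPv6 link-local either.
    run sysctl -w "net.ipv6.conf.$BR.disable_ipv6=1"
    run ip link set "$WAN_PORT" master "$BR"
    run ip link set "$LAN_PORT" master "$BR"
    # Ports keep the default PVID 1 untagged, so ordinary traffic is bridged
    # unchanged. VLAN 100 tagged is allowed on the LAN port and on the bridge
    # device ("self"), but deliberately not on the WAN port.
    run bridge vlan add dev "$LAN_PORT" vid "$MGMT_VLAN"
    run bridge vlan add dev "$BR" vid "$MGMT_VLAN" self
    run ip link set "$WAN_PORT" up
    run ip link set "$LAN_PORT" up
    run ip link set "$BR" up
    # The only addressed interface on the box: the tagged management leg.
    run ip link add link "$BR" name "$BR.$MGMT_VLAN" type vlan id "$MGMT_VLAN"
    run ip addr add "$MGMT_ADDR" dev "$BR.$MGMT_VLAN"
    run ip link set "$BR.$MGMT_VLAN" up
    run ip route add default via "$MGMT_GW" dev "$BR.$MGMT_VLAN"
}

# Option from post #4: the VLAN sub-interface sits on the enslaved port
# (eth1.100) rather than on the bridge. Tagged frames are handed to
# eth1.100 before the bridge receive handler sees them, so they are not
# forwarded to eth0; br0 itself still carries no address.
bridge_mgmt_on_port_vlan() {
    run ip link add name "$BR" type bridge
    run sysctl -w "net.ipv6.conf.$BR.disable_ipv6=1"
    run ip link set "$WAN_PORT" master "$BR"
    run ip link set "$LAN_PORT" master "$BR"
    run ip link set "$WAN_PORT" up
    run ip link set "$LAN_PORT" up
    run ip link set "$BR" up
    run ip link add link "$LAN_PORT" name "$LAN_PORT.$MGMT_VLAN" type vlan id "$MGMT_VLAN"
    run ip addr add "$MGMT_ADDR" dev "$LAN_PORT.$MGMT_VLAN"
    run ip link set "$LAN_PORT.$MGMT_VLAN" up
    run ip route add default via "$MGMT_GW" dev "$LAN_PORT.$MGMT_VLAN"
}

# Post-deployment check: none of the layer-2-only devices may carry an IPv4
# address. Pipe in the output of `ip -o -4 addr show`; offending lines are
# printed and the exit status is 1 if any were found, 0 otherwise.
addr_leak_check() {
    awk -v bad="^($BR|$LAN_PORT|$WAN_PORT)\$" \
        '$2 ~ bad { print; found = 1 } END { exit found ? 1 : 0 }'
}

if [ "${RUN:-0}" = 1 ]; then
    bridge_mgmt_on_vlan
    ip -o -4 addr show | addr_leak_check
else
    bridge_mgmt_on_vlan
fi
```

    The firewall side of this needs a matching tagged VLAN 100 sub-interface on its WAN port carrying the gateway address, which is the "secondary address on the firewall's interface" from post #2. With VLAN filtering on, frames tagged 100 that arrive on the public-facing port are dropped because that port has no entry for the VID, so the management address is unreachable from the internet side even though the box sits in the path; if the uplink legitimately carries other tagged VLANs that must pass through, add those VIDs to both ports with `bridge vlan add`. The eth1.100 variant gives the same reachability without VLAN filtering, but tagged-100 frames arriving on eth0 are still bridged out of eth1 in that case, so prefer the filtered br0.100 form when the link is untrusted.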

  6. #5
    Just Joined!
    Join Date
    Sep 2012
    Posts
    4
    I got distracted by other problems and forgot to check here and say thanks (which is important!).
    I'll tinker a bit; I've not had to work with 2-port bridges before, so this is new ground for me. I've always had a 3rd Ethernet port that had IP connectivity, but in this case that's not possible.

    -
    Conz


  7. #6
    Just Joined!
    Join Date
    Sep 2012
    Location
    Russia
    Posts
    5
    You are welcome.
