Re: [gentoo-user] Re: Internet bridge
On Tue, 14 Aug 2007 14:56:13 +0200 Etaoin Shrdlu [EMAIL PROTECTED] wrote:

> What interfaces was the win2003 server using previously for bridging and connecting to the Internet?

I'm not entirely sure Windows 'bridging' is equivalent to Linux Ethernet bridging. Specifically, wouldn't Linux Ethernet bridging require external IP addresses for all the computers behind the bridge? The ISP's router isn't going to know how to route packets back to you on a private address, is it?

Furthermore, don't you want a firewall between your LAN and the Internet? Even if your ISP will hand out DHCP leases to your internal hosts (I _think_ those will pass through an Ethernet bridge), it would mean that all those hosts are gonna be sitting on the Internet. Probably not an especially good idea.

Of course, you could run a firewall on the bridge (transparent bridging firewall) but I don't think that's wise. For one thing, all the problems you suffer from currently are probably going to surface again. For another, transparent firewalls are allegedly difficult to configure and very tricky to troubleshoot.

At any rate, I bet the iptables module does something. My guess is that if you can figure out how to properly configure it, it will work for you. Although there's no guarantee, this is certainly something to work on.

Another option is adding another network device to the server. Plug one into the ISP and two into the internal switch. Bridge the external and one internal. Firewall the other internal. Route phone traffic to the bridge, the rest through the firewall. I don't know if that's just a harebrained scheme or would actually work, but I am interested in your responses.

Best of luck, and thanks for replacing Windows ; ) it makes me happy.

-- 
[EMAIL PROTECTED] mailing list
[gentoo-user] Re: Internet bridge
Mateus Interciso p.zarnick at gmail.com writes:

> But for the SIP stuff, I have just one client, built the firewall using fwbuilder (sometimes it is easier), and for instance here's the SIP part on the nat table:
>
>     0     0 DNAT       udp  --  any    any     anywhere             200.*.*.*            udp dpt:5060 to:10.0.0.112

Is your VoIP service Vonage? If so, there are nuances with their VoIP devices.

James
[gentoo-user] Re: Internet bridge
On Tue, 14 Aug 2007 08:11:13 +0200, Abraham Marín Pérez wrote:

> Mateus Interciso wrote:
>
>> Hi, basically, I want to share the internet using a Bridge on a PC with two NICs, one for internet, the other for the internal network.
>> Now, I know an easier approach would be to use NAT, which is how I'm doing it now, but since I really need Level 2 Routing, I can't afford doing this with NAT.
>
> What do you exactly mean with Level 2 Routing? And why do you think you need it? If you just want to share an Internet connection NAT is just enough (proved on my box); if you need/want something else you'll have to explain it better if you'd like us to be able to help you.
>
> Abraham.

I need level 2 routing because of the damn IP phone we have at the office. Here's the deal: first we had a win2003 server doing the bridge, and all worked. Then we decided to put a linux box as a firewall and DHCP server; for this I've made a NAT and some port forwarding. All worked except the IP phone, so I tried the ip_conntrack_sip kernel module, same thing; then I tried siproxd, same old problem. Then I thought: heck, first we had a bridge and it worked, so if I switch from NAT to bridging again, it must work, right? Then all hell broke loose, because I really can't get the internet to work on any client machine. They can ping the local machines, but no internet. So, basically, this is my problem.
Re: [gentoo-user] Re: Internet bridge
On Tuesday 14 August 2007, Mateus Interciso wrote:

> I need level 2 routing because of the damn IP phone we have at the office. Here's the deal: first we had a win2003 server doing the bridge, and all worked. Then we decided to put a linux box as a firewall and DHCP server; for this I've made a NAT and some port forwarding. All worked except the IP phone, so I tried the ip_conntrack_sip kernel module, same thing; then I tried siproxd, same old problem. Then I thought: heck, first we had a bridge and it worked, so if I switch from NAT to bridging again, it must work, right? Then all hell broke loose, because I really can't get the internet to work on any client machine. They can ping the local machines, but no internet. So, basically, this is my problem.

From what you wrote previously, it seems that you're not using the right commands to configure the bridge. After adding interfaces eth0 and eth1 to the bridge, you must stop referencing them. All the operations must be done on the br0 interface, including the request for a DHCP address (e.g. dhclient/dhcpcd/whatever br0).

Moreover, now the linux box cannot act as Internet gateway anymore (unless it has some other connection to the Internet that you did not mention). You must use your ISP's upstream router as default gateway (on all the internal LAN boxes too).

What interfaces was the win2003 server using previously for bridging and connecting to the Internet?
[gentoo-user] Re: Internet bridge
On Tue, 14 Aug 2007 15:44:37 +0200, Hans-Werner Hilse wrote:

> Hi,
>
> On Mon, 13 Aug 2007 19:38:18 +0000 (UTC) Mateus Interciso [EMAIL PROTECTED] wrote:
>
>> Hi, basically, I want to share the internet using a Bridge on a PC with two NICs, one for internet, the other for the internal network.
>
> Uhm, yeah, I'd like a bridge to the internet, too. Too bad the internet is a routed infrastructure and that's technically impossible. But you mixed up a lot of concepts and terms, so I'd suggest reading a book about how it all fits together some day.
>
>> Now, I know an easier approach would be to use NAT, which is how I'm doing it now, but since I really need Level 2 Routing, I can't afford doing this with NAT.
>> [...]
>> Now comes the tricky part, since the internet I receive is via DHCP, and on eth1; if I run dhcpcd eth1, it times out, but if I use dhclient eth1, it works, almost: I can get an IP at least, so I've stuck with this.
>
> Hm. And what's the bridge supposed to do then? I would agree that using the bridge, other computers should be able to get IPs assigned using DHCP (as long as your ISP is issuing IPs for those computers). But that has nothing to do with the bridge and whether the bridging computer is able to get an IP assigned. Somehow I have the feeling that your ISP wouldn't ever issue more than one IP, but since you're that sure...
>
>> 11) dhclient eth1
>
> is unnecessary, except if the bridging PC should have connectivity, too.
>
>> 12) ifconfig eth0 10.0.0.1 netmask 255.255.255.0
>
> is unnecessary, except for internal LAN connectivity.
>
>> Now, you would have to excuse me, because I really don't remember if that worked, but I think it didn't. What I did (that at least didn't put the whole network down) was all of this, but from step 10 onward:
>>
>> 10) ifconfig br0 10.0.0.1 netmask 255.255.255.0 up
>
> Hm, that would for sure collide with the step 12 mentioned above.
>
>> And by this, I can actually browse the internal network, but not the internet, on none of the machines, nor on the bridge, with or without an iptables firewall enabled.
>
> You have to use DHCP on all the machines that should have Internet connectivity. Remember that you have just bridged your ISP link to your LAN, and so now have level-2 access up to your ISP on all the LAN's computers.
>
>> Can anyone please help me?
>
> In fact, I don't think answering your questions helps a lot since I really doubt your approach makes sense. In order to find that out, please just tell a bit about your Internet connection. What you are trying to achieve only makes sense under the following circumstances:
>
> - your ISP only provides one physical link,
> - but the possibility to get more than one IP issued (either fixed, or DHCP; from what you told, the latter),
> - which basically means that there is _no_ point-to-point link involved,
> - for whatever reason you don't want to use a switch (which I would understand for firewalling issues, to keep the ISP from getting your internal traffic running through their machines).
>
> All of that is perfectly fine, I use such a setup for my virtual servers, for example (although there that internal LAN is just a software emulation). So please describe your internet connection and we can tell if your plan is flawed from the beginning. I'd somehow bet a beer on that.
>
> -hwh

Ok, so my ISP gives me just one IP, as you have already guessed, and yes, probably I did mix up a lot of stuff, and I'm terribly sorry for this.

I really don't need a bridge, as long as I can find a way to fix the VoIP. I thought of the bridge because the win2k3 had it enabled for routing the packets: it picked up on one side the internet connection with a valid IP 200.*.*.* and on another NIC it had the internal network (at that time 192.168.0.1/28), and it built a bridge (if I remember right, using the 192.168.0.1 IP) and we connected to the bridge, and the bridge was routing the packets from internal to external. Of course I could be wrong, since I wasn't the guy who made this, and since we needed a firewall better than the w2k3, we put in the gentoo box, and I NATed the connection. So, basically, this is it.
Re: [gentoo-user] Re: Internet bridge
Hi,

On Tue, 14 Aug 2007 13:53:51 +0000 (UTC) Mateus Interciso [EMAIL PROTECTED] wrote:

> Ok, so my ISP gives me just one IP, as you have already guessed, and yes, probably I did mix up a lot of stuff, and I'm terribly sorry for this.

Oh, that's just fine for me, it's probably yourself you've caused some troubles and headaches.

> I really don't need a bridge, as long as I can find a way to fix the VoIP. I thought of the bridge because the win2k3 had it enabled for routing the packets: it picked up on one side the internet connection with a valid IP 200.*.*.* and on another NIC it had the internal network (at that time 192.168.0.1/28), and it built a bridge (if I remember right, using the 192.168.0.1 IP) and we connected to the bridge, and the bridge was routing the packets from internal to external.

Hm, I'd really wonder if that's what's called a bridge in Windows. That sounds like simple routing, easy to set up in Windows using the Internet Sharing options (which basically adds forwarding to the Internet interface -- you could do that with a registry hack, too) and adding a simple DHCP server on the LAN side. Windows also has regular bridges and under certain circumstances sets up those automatically. But that's enough OT talk, this is Gentoo :-)

> Of course I could be wrong, since I wasn't the guy who made this, and since we needed a firewall better than the w2k3, we put in the gentoo box, and I NATed the connection. So, basically, this is it.

You'll have to continue using NAT. Drop all bridge-related configuration (i.e. keep away from brctl), configure the external interface to forward connections. Then you have to care for incoming connections. For a good SIP setup with more than one SIP client, I'd highly suggest looking at SIP proxies like siproxd. For one SIP client in the internal LAN you basically need to map incoming connections on the relevant port (5060, I think) on the Router/Firewall PC to that internal client. If extensions or other protocols come into play, you should absolutely look for proxies for those protocols.

Since there's only one IP, you have no bridging options and all your computers in the LAN have to look like one machine to the outside. You _have_ to use port forwarding or proxying.

Feel free to ask further specific questions!

-hwh
[gentoo-user] Re: Internet bridge
On Tue, 14 Aug 2007 16:32:20 +0200, Hans-Werner Hilse wrote:

> Hi,
>
> On Tue, 14 Aug 2007 13:53:51 +0000 (UTC) Mateus Interciso [EMAIL PROTECTED] wrote:
>
>> Ok, so my ISP gives me just one IP, as you have already guessed, and yes, probably I did mix up a lot of stuff, and I'm terribly sorry for this.
>
> Oh, that's just fine for me, it's probably yourself you've caused some troubles and headaches.
>
>> I really don't need a bridge, as long as I can find a way to fix the VoIP. I thought of the bridge because the win2k3 had it enabled for routing the packets: it picked up on one side the internet connection with a valid IP 200.*.*.* and on another NIC it had the internal network (at that time 192.168.0.1/28), and it built a bridge (if I remember right, using the 192.168.0.1 IP) and we connected to the bridge, and the bridge was routing the packets from internal to external.
>
> Hm, I'd really wonder if that's what's called a bridge in Windows. That sounds like simple routing, easy to set up in Windows using the Internet Sharing options (which basically adds forwarding to the Internet interface -- you could do that with a registry hack, too) and adding a simple DHCP server on the LAN side. Windows also has regular bridges and under certain circumstances sets up those automatically. But that's enough OT talk, this is Gentoo :-)
>
>> Of course I could be wrong, since I wasn't the guy who made this, and since we needed a firewall better than the w2k3, we put in the gentoo box, and I NATed the connection. So, basically, this is it.
>
> You'll have to continue using NAT. Drop all bridge-related configuration (i.e. keep away from brctl), configure the external interface to forward connections. Then you have to care for incoming connections. For a good SIP setup with more than one SIP client, I'd highly suggest looking at SIP proxies like siproxd. For one SIP client in the internal LAN you basically need to map incoming connections on the relevant port (5060, I think) on the Router/Firewall PC to that internal client. If extensions or other protocols come into play, you should absolutely look for proxies for those protocols.
>
> Since there's only one IP, you have no bridging options and all your computers in the LAN have to look like one machine to the outside. You _have_ to use port forwarding or proxying.
>
> Feel free to ask further specific questions!
>
> -hwh

Ok, thanks a lot, this for sure cleared a lot of troubles I was having in my head. But for the SIP stuff, I have just one client, built the firewall using fwbuilder (sometimes it is easier), and for instance here's the SIP part on the nat table:

    0     0 DNAT       udp  --  any    any     anywhere             200.*.*.*            udp dpt:5060 to:10.0.0.112

Is this wrong? Because the strange thing is that it works for some places, but not for others, and we really didn't have these issues with the w2k3 routing stuff.
Re: [gentoo-user] Re: Internet bridge
Hi,

On Tue, 14 Aug 2007 14:48:30 +0000 (UTC) Mateus Interciso [EMAIL PROTECTED] wrote:

> Ok, thanks a lot, this for sure cleared a lot of troubles I was having in my head.

:-) The thing is, the deeper you look into things, the more you get aware that they are more simple than you thought.

> But for the SIP stuff, I have just one client, built the firewall using fwbuilder (sometimes it is easier), and for instance here's the SIP part on the nat table:
>
>     0     0 DNAT       udp  --  any    any     anywhere             200.*.*.*            udp dpt:5060 to:10.0.0.112
>
> Is this wrong?

Looks right... (actually, I'm unsure about that 200.*.*.*) but... see below...

> Because the strange thing is that it works for some places, but not for others, and we really didn't have these issues with the w2k3 routing stuff.

Yeah, not having done a lot with SIP, I had another look into that matter. SIP seems to have the IP addresses of the clients that come into play inside the SIP messages. I.e., if your SIP phone or SIP client isn't aware of your _external_ IP, it will inform the other end about a private IP on your end, since that's all the SIP phone/client has. There is an information protocol that can make the SIP phone/client aware of the real address (obviously, the gateway must support this, and the SIP phone/client too).

I would start to try the netfilter modules, which claim (I didn't check) that they mangle SIP packets accordingly. A short introduction is here:

http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html

If that doesn't work and if your phone supports specifying a proxy, I would go that road instead.

-hwh
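The in-band address problem hwh describes, shown as an added example that is not part of this thread: the phone, its addresses and the INVITE below are constructed, 203.0.113.7 stands in for the gateway's public address, and the functions imitate what the netfilter SIP helper does for the gateway rather than being its code.

```python
"""Why the DNAT rule on udp/5060 alone leaves SIP half-working behind NAT.

SIP carries the caller's own address inside the message (Via, Contact,
and the SDP 'o=' and 'c=' lines), so a phone at 10.0.0.112 tells the far
end to reach it at an unroutable address; the RTP port it announces in
'm=' is chosen per call, so no fixed port-forward covers the media.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: an INVITE as the phone at 10.0.0.112 would emit it.
SAMPLE_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.112\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.112\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.112:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.112:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n" + SAMPLE_BODY
)


def private_addresses(message: str) -> list[str]:
    """RFC 1918 addresses the message advertises to the far end."""
    found = []
    for ip in IPV4_RE.findall(message):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # a version string shaped like an address
            continue
        if any(addr in net for net in RFC1918) and ip not in found:
            found.append(ip)
    return found


def media_ports(message: str) -> list[int]:
    """UDP ports announced in SDP m= lines; RTP arrives there, not on 5060,
    so a static DNAT for 5060 never sees it (the SIP helper adds the expectation)."""
    return [int(m.group(1))
            for m in re.finditer(r"(?m)^m=\S+ (\d+) ", message)]


def rewrite_for_nat(message: str, internal_ip: str, public_ip: str) -> str:
    """Substitute the gateway's public address for internal_ip in headers
    and SDP, then recompute Content-Length so the body stays framed."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("not a complete SIP message")
    pattern = re.compile(rf"\b{re.escape(internal_ip)}\b")
    head, body = pattern.sub(public_ip, head), pattern.sub(public_ip, body)
    head = re.sub(r"(?im)^Content-Length:[ \t]*\d+",
                  f"Content-Length: {len(body.encode())}", head)
    return head + sep + body
```

Run private_addresses() over a capture of your own phone's INVITE: if it still lists a 10.x address after the packet has left the gateway, the helper is not rewriting, and media_ports() shows which extra UDP ports the far end will try to reach.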
[gentoo-user] Re: Internet bridge
On Mon, 13 Aug 2007 20:55:29 +0100, Neil Walker wrote:

> Mateus Interciso wrote:
>
>> Can anyone please help me? Thanks a lot.
>
> Errm... why don't you just buy a router? They are so cheap these days it doesn't make any sense not to.
>
> Be lucky,
>
> Neil
>
> -- 
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

Can't, sorry, low on budget. :(
[gentoo-user] Re: Internet bridge
On Mon, 13 Aug 2007 20:58:40 +0100, Uwe Thiem wrote:

> On 13 August 2007, Mateus Interciso wrote:
>
>> Hi, basically, I want to share the internet using a Bridge on a PC with two NICs, one for internet, the other for the internal network. Now, I know an easier approach would be to use NAT, which is how I'm doing it now,
>
> Actually, masquerading would be the easiest way, but that's besides the point.
>
>> but since I really need Level 2 Routing, I can't afford doing this with NAT.
>
> I beg your pardon? NATting and masquerading takes place on layer 2 (IP). Oh, do you mean you need *incoming* routing? Won't work.
>
>> A simple network layout would be like this:
>>
>> Internet[eth1]Gentoo[eth0]LAN
>>
>> So, what I've done was this:
>>
>> 1) Installed net-misc/bridge-utils
>> 2) Enabled the bridge module in the kernel
>> 3) Loaded it
>> 4) ifconfig eth0 0.0.0.0
>> 5) ifconfig eth1 0.0.0.0
>> 6) brctl addbr br0
>> 7) brctl setfd br0 0
>> 8) brctl addif br0 eth0
>> 9) brctl addif br0 eth1
>> 10) ifconfig br0 up
>>
>> Now comes the tricky part, since the internet I receive is via DHCP, and on eth1; if I run dhcpcd eth1, it times out, but if I use dhclient eth1, it works, almost: I can get an IP at least, so I've stuck with this.
>>
>> 11) dhclient eth1
>> 12) ifconfig eth0 10.0.0.1 netmask 255.255.255.0
>>
>> Now, you would have to excuse me, because I really don't remember if that worked, but I think it didn't. What I did (that at least didn't put the whole network down) was all of this, but from step 10 onward:
>>
>> 10) ifconfig br0 10.0.0.1 netmask 255.255.255.0 up
>> 11) dhclient eth1
>>
>> And by this, I can actually browse the internal network, but not the internet, on none of the machines, nor on the bridge, with or without an iptables firewall enabled.
>
> AFAIK, this will never work. If you really need incoming connections on certain ports you can use port forwarding with NAT on your firewall. Bridging is not for this kind of thing.
>
> Uwe
>
> -- 
> Jack Nicholson: My mother never saw the irony in calling me a son of a bitch.

Actually, I need a fully transparent bridge, for, for instance, correctly using a SIP phone, which even with siproxd doesn't work, so NAT and Masquerade won't help me. I'm pretty sure I can transform the gentoo box into a transparent bridge router, I just don't know how.
Re: [gentoo-user] Re: Internet bridge
On Monday 13 August 2007 21:41:31 Mateus Interciso wrote:

> Actually, I need a fully transparent bridge, for, for instance, correctly using a SIP phone, which even with siproxd doesn't work, so NAT and Masquerade won't help me. I'm pretty sure I can transform the gentoo box into a transparent bridge router, I just don't know how.

ip_conntrack_sip

SIP can be NATted. Simply NAT the packets as normal with the module loaded.

If you still want to go the bridge route, I believe you need to give the IP addresses to the bridge, not the underlying ethernet interfaces.

-- 
Mike Williams
[gentoo-user] Re: Internet bridge
On Mon, 13 Aug 2007 22:17:03 +0100, Mike Williams wrote:

> On Monday 13 August 2007 21:41:31 Mateus Interciso wrote:
>
>> Actually, I need a fully transparent bridge, for, for instance, correctly using a SIP phone, which even with siproxd doesn't work, so NAT and Masquerade won't help me. I'm pretty sure I can transform the gentoo box into a transparent bridge router, I just don't know how.
>
> ip_conntrack_sip
>
> SIP can be NATted. Simply NAT the packets as normal with the module loaded.
>
> If you still want to go the bridge route, I believe you need to give the IP addresses to the bridge, not the underlying ethernet interfaces.
>
> -- 
> Mike Williams

I did use the ip_conntrack_sip module, and it didn't work. Do you know how to give the IP addresses to the bridge, instead of the iface?
Re: [gentoo-user] Re: Internet bridge
Mateus Interciso wrote:

> I did use the ip_conntrack_sip module, and it didn't work. Do you know how to give the IP addresses to the bridge, instead of the iface?

Take a look at /etc/conf.d/net.example. It's in there. ;)

Be lucky,

Neil