Re: [Ntop-misc] ntopng bridge on nat gateway with vlans
Dear Thomas,

On Tue, May 30, 2017 at 3:22 PM, wrote:
> Hi Marco,
>
> thank you for the answer.
>
> Let's try to make an easy testcase. How about this:
> eth0 wan (external ip)
> eth1 lan (192.168.x.x)
>
> lan gets NATed to wan.

We support bridging in routing mode. A tap will do the trick. Assuming you want the box to NAT eth1 clients on eth0, you can do the following:

* tap setup:
  tunctl -t tap0
  ifconfig tap0 <ip> netmask <netmask>
  ifconfig tap0 up

* nat setup:
  iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
  iptables --append FORWARD --in-interface tap0 -j ACCEPT
  echo 1 > /proc/sys/net/ipv4/ip_forward

* ntopng startup (interface order matters here):
  ntopng -i bridge:tap0,eth1

Also see the readme: https://github.com/ntop/ntopng/blob/dev/doc/README.inline

> So i cannot build a bridge between eth0 and eth1.
> So where to attach the bridge?
>
> Maybe:
> eth0 remove external ip
> create br0 without attached interfaces
> br0 add external ip
> Start ntop to use bridge br0 and parameter to attach eth0
> ntopng -i bridge:br0,eth0
> Then rewrite the firewall to NAT out over br0 instead of eth0
>
> Can this work? Or do I need at least one attached interface at the
> existing bridge and then let ntopng attach a second interface?
>
> regards, Thomas

___
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
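The tap + NAT + ntopng layout from the reply above, scripted end to end as an added example (this is not code from the ntop project or from anyone in this thread). Interface names, the sample tap address 192.168.1.1/24, the DRY_RUN switch and the up/down entry points are assumptions; the FORWARD rules are narrowed to tap-to-uplink plus established return traffic, which goes slightly beyond the reply's single ACCEPT rule so that the setup also works when the FORWARD policy is DROP:

```shell
#!/bin/sh
# Added example, not code from the ntop project or from this thread's authors.
# Scripts the tap + NAT + ntopng inline-bridge layout described in the reply.
# Interface names, the sample tap address and the DRY_RUN switch are assumptions.
# DRY_RUN=1 prints each command instead of executing it, so the plan can be
# reviewed without root; otherwise run as root:  ./inline-bridge.sh up | down

WAN_IF="${WAN_IF:-eth0}"                # uplink that gets masqueraded
LAN_IF="${LAN_IF:-eth1}"                # physical LAN port that ntopng bridges
TAP_IF="${TAP_IF:-tap0}"                # tap that takes over the LAN gateway role
TAP_ADDR="${TAP_ADDR:-192.168.1.1}"     # constructed sample gateway address
TAP_MASK="${TAP_MASK:-255.255.255.0}"   # constructed sample netmask
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_rule TABLE CHAIN RULESPEC...: append only when an identical rule is absent,
# so re-running the script never stacks duplicate rules
# (iptables -C exits 0 when the rule already exists)
add_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables -t %s -A %s %s\n' "$table" "$chain" "$*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
}

# bridge_spec: the -i argument for ntopng; the tap is listed first because the
# reply notes that interface order matters
bridge_spec() {
    printf 'bridge:%s,%s' "$TAP_IF" "$LAN_IF"
}

# setup_tap: create the tap and give it the address LAN clients use as gateway
setup_tap() {
    run tunctl -t "$TAP_IF"
    run ifconfig "$TAP_IF" "$TAP_ADDR" netmask "$TAP_MASK"
    run ifconfig "$TAP_IF" up
}

# setup_nat: masquerade on the uplink and forward what arrives through the tap.
# The reply accepts everything from the tap; this version limits forwarding to
# tap->uplink plus established return traffic, so it also works with a DROP policy.
setup_nat() {
    add_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
    add_rule filter FORWARD -i "$TAP_IF" -o "$WAN_IF" -j ACCEPT
    add_rule filter FORWARD -i "$WAN_IF" -o "$TAP_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

# preflight: fail early when a required tool is missing (skipped in dry run)
preflight() {
    [ "$DRY_RUN" = "1" ] && return 0
    for tool in tunctl ifconfig iptables sysctl ntopng; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
    return 0
}

# teardown: reverse the setup so the box falls back to plain routing
teardown() {
    run iptables -t filter -D FORWARD -i "$WAN_IF" -o "$TAP_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -D FORWARD -i "$TAP_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -D POSTROUTING -o "$WAN_IF" -j MASQUERADE
    run ifconfig "$TAP_IF" down
    run tunctl -d "$TAP_IF"
}

# entry points; with no argument the functions are only defined, nothing runs
case "${1:-}" in
    up)   preflight && setup_tap && setup_nat && run ntopng -i "$(bridge_spec)" ;;
    down) teardown ;;
esac
```

Run `DRY_RUN=1 ./inline-bridge.sh up` first and read the printed commands; they should match the three blocks in the reply, with the tap listed before the physical LAN port in the ntopng argument. Once ntopng is started this way it sits in the forwarding path: if the ntopng process stops, nothing moves frames between tap0 and eth1 and the LAN loses its gateway, so `down` (or a supervisor that restarts ntopng) is part of the operational plan, not an afterthought.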
Re: [Ntop-misc] ntopng bridge on nat gateway with vlans
Hi,

yes, I would like to do the NTOPNG inline policing. And I don't know where to insert the bridge because LAN is NATed to WAN. VLANs can come later. In my first testcase I can simulate it without VLANs because eth0 has no VLAN.

Would be nice to hear from someone who managed it on one machine. I would like to avoid attaching a second physical machine into the line.

regards, Thomas
Re: [Ntop-misc] ntopng bridge on nat gateway with vlans
Thomas,

Sorry, I misunderstood your question. I thought you wanted to do policing with Linux, and just use NTOP as usual. Reading better, I see you meant to use NTOPNG inline policing, right?

If so, I will let our good friends from NTOP chime in, as this involves bridging with PFRING in userspace... don't know how this will work with VLANs...

=Marco

2017-05-30 14:22 GMT+01:00 :
Re: [Ntop-misc] ntopng bridge on nat gateway with vlans
Hi Marco,

thank you for the answer.

Let's try to make an easy testcase. How about this:
eth0 wan (external ip)
eth1 lan (192.168.x.x)

lan gets NATed to wan. So I cannot build a bridge between eth0 and eth1. So where to attach the bridge?

Maybe:
eth0 remove external ip
create br0 without attached interfaces
br0 add external ip
Start ntop to use bridge br0 and parameter to attach eth0
ntopng -i bridge:br0,eth0
Then rewrite the firewall to NAT out over br0 instead of eth0

Can this work? Or do I need at least one attached interface at the existing bridge and then let ntopng attach a second interface?

regards, Thomas

Sent: Tuesday, 30 May 2017 at 10:24
From: "Marco Teixeira"
To: ntop-misc@listgateway.unipi.it
Subject: Re: [Ntop-misc] ntopng bridge on nat gateway with vlans

2017-05-30 8:45 GMT+01:00 <thomasmeier1...@gmx.de>:
Re: [Ntop-misc] ntopng bridge on nat gateway with vlans
Hi Thomas,

To the best of my knowledge, packets still have to pass on eth0, so attach it there.
I don't use NTOP with a setup like yours, but you might have to account for the VLAN tagging in NTOP config... maybe.

=Marco

2017-05-30 8:45 GMT+01:00 :
[Ntop-misc] ntopng bridge on nat gateway with vlans
Dear community,

I have a NAT gateway with iptables that is acting as main gateway for all workstations. Ntopng is working fine, but now I would like to use inline traffic policing. Therefore I need a bridge.

Currently I have eth0 (WAN untagged), eth1.1 (workstations), eth1.2 (phones), eth1.3 (servers).

Now I would like to change the eth1 devices to br0 devices for each VLAN. This is working in another setup. Then I would have br0.1, br0.2, br0.3.

But how to attach ntopng then for the bridge mode? Is it possible? Or do I have to provide a separate machine?

kind regards,
Thomas