[CentOS] A bridge problem

Mon Jun 13 22:30:02 UTC 2011
Ljubomir Ljubojevic <office at plnet.rs>

m.roth at 5-cent.us wrote:
> Les Mikesell wrote:
>> On 6/13/2011 1:02 PM, m.roth at 5-cent.us wrote:
>>> We just went to replace the bridge/firewall services on one server with
>>> the same on another. It's pretty simple, and I literally cloned (w/
>>> rsync) a third server that does this onto the one that will be the new
>>> one. Then copied the /etc/sysconfig/iptables from the one being replaced,
>>> and brought it up this morning.
>>>
>>> Nope. We had to put everything back the way it was.
>>>
>>> The new one sees the two or three servers behind the firewall, and we
>>> can ping them, from the new box. On one, we see IPP broadcasts; in fact,
>>> we see lots of broadcast packets using tcpdump. From outside, though, you
>>> can't see the servers. Trying to ping them, they see nothing. It seems
>>> to be the case that tcp and icmp packets are blocked, and we can't figure
>>> out why.
> <snip>
>> Are the HWADDR= entries fixed up to match the actual hardware after the
>> copy?  And does ifconfig show that your config actually set up what you
>> expected?  CentOS isn't very predictable in terms of which NIC gets
>> which interface name.
> 
> Yes. And I made sure of that, before we started this exercise. (And my
> manager asked the same question - he's one of us, you see, *not* a PHB)
> 
>         mark

Without knowing more about your current server there is not much we can 
help you with. I am fluent in networking; I have been a WISP for 7 years 
and a network/wireless consultant for 4-5 years.

Are you using that new unit (router/gateway is what they are called, not 
servers; you will just confuse things) as a pass-through bridge with 
added IP firewalling (only 2 interfaces)? Or are you supposed to route 
(one outgoing interface eth2, and br3 as the local LAN)?

Why do you have BOOTPROTO=dhcp on eth0?
Is NETMASK=255.255.254.0 supposed to be .254.0, or is it a typo?

Have you removed the ARP entries from the ARP caches of the neighboring 
units (servers, upstream routers, etc.)?

Have you enabled ip_forwarding?

If you have a pass-through bridge with only two interfaces, have you 
considered that maybe you should reverse/switch the LAN cables plugged 
into eth0 and eth1? The firewall script is probably set up for one 
direction only, and if you reverse the flow the firewall might block 
everything. Test with the firewall disabled/stopped.

Using a combination of bridge and firewall is not wise at all; I would say 
it's quite a mess. It is always best to use routing.

Ljubomir
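The checklist in the reply above (HWADDR matching the real NIC, BOOTPROTO=dhcp on a bridge port, the netmask, ip_forward, and whether the firewall sees bridged traffic at all) can be checked offline against the cloned box's files. The script below is an added example, not code from the thread or from CentOS: it parses ifcfg-style files and a `sysctl -a`-style listing, both constructed inline as samples that mimic the situation described. The MAC passed to `check_ifcfg` stands in for what `ip link` or `ifconfig` actually reports on the new hardware. One caveat that the thread circles around without naming: on a Linux bridge with `net.bridge.bridge-nf-call-iptables=1` (the default when the bridge module is loaded), bridged frames traverse the iptables FORWARD chain, so a rule set written for one direction can silently drop TCP and ICMP across the bridge while tcpdump, which taps the interface before netfilter, still shows the incoming broadcasts.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for a cloned
# bridge/firewall box. All input files are constructed samples.

# Dotted-quad netmask -> prefix length, or "bad" when the ones are not
# contiguous (e.g. 255.254.255.0, the kind of typo asked about above).
mask_to_prefix() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || { echo bad; return; }
  m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  inv=$(( ~m & 0xFFFFFFFF ))
  # contiguous mask <=> (inverted mask + 1) is a power of two
  if [ $(( (inv + 1) & inv )) -ne 0 ]; then echo bad; return; fi
  n=0
  while [ $m -ne 0 ]; do m=$(( (m << 1) & 0xFFFFFFFF )); n=$(( n + 1 )); done
  echo $n
}

# Check one ifcfg-* file. $1 = path, $2 = MAC the kernel really shows for
# that interface. Prints space-separated findings.
check_ifcfg() {
  f=$1; real=$(printf %s "$2" | tr 'A-F' 'a-f')
  hw=$(sed -n 's/^HWADDR=//p' "$f" | tr -d '"' | tr 'A-F' 'a-f')
  bp=$(sed -n 's/^BOOTPROTO=//p' "$f")
  nm=$(sed -n 's/^NETMASK=//p' "$f")
  br=$(sed -n 's/^BRIDGE=//p' "$f")
  out=""
  # an rsync clone carries the old box's HWADDR; the new NIC will not match
  if [ -n "$hw" ] && [ "$hw" != "$real" ]; then out="$out hwaddr-mismatch"; fi
  # a bridge member port should not run DHCP; the address belongs on brN
  if [ -n "$br" ] && [ "$bp" = dhcp ]; then out="$out dhcp-on-bridge-port"; fi
  if [ -n "$nm" ]; then
    p=$(mask_to_prefix "$nm")
    if [ "$p" = bad ]; then out="$out netmask-noncontiguous"
    else out="$out netmask-/$p"; fi
  fi
  echo "${out# }"
}

# Check a "key = value" sysctl listing. $1 = bridge|route, $2 = path.
check_sysctl() {
  mode=$1; f=$2; out=""
  fwd=$(sed -n 's/^net\.ipv4\.ip_forward *= *//p' "$f")
  bnf=$(sed -n 's/^net\.bridge\.bridge-nf-call-iptables *= *//p' "$f")
  # a router needs ip_forward=1; a pure L2 bridge forwards without it
  if [ "$mode" = route ] && [ "$fwd" != 1 ]; then out="$out ip_forward-off"; fi
  # with bridge-nf-call-iptables=1 bridged frames pass the iptables FORWARD
  # chain, so a one-direction rule set can drop all TCP/ICMP across the bridge
  if [ "$mode" = bridge ] && [ "$bnf" = 1 ]; then out="$out bridge-frames-hit-iptables"; fi
  echo "${out# }"
}

# Constructed samples standing in for the cloned box's files.
make_samples() {
  d=$1
  cat >"$d/ifcfg-eth0" <<'EOF'
DEVICE=eth0
HWADDR=00:11:22:33:44:55
BOOTPROTO=dhcp
BRIDGE=br0
ONBOOT=yes
EOF
  cat >"$d/ifcfg-br0" <<'EOF'
DEVICE=br0
TYPE=Bridge
BOOTPROTO=static
IPADDR=192.0.2.10
NETMASK=255.255.254.0
EOF
  cat >"$d/sysctl.txt" <<'EOF'
net.ipv4.ip_forward = 0
net.bridge.bridge-nf-call-iptables = 1
EOF
}

# Demo: 00:11:22:33:44:66 plays the real MAC of the new box's eth0.
tmpd=$(mktemp -d)
make_samples "$tmpd"
echo "eth0:   $(check_ifcfg "$tmpd/ifcfg-eth0" 00:11:22:33:44:66)"
echo "br0:    $(check_ifcfg "$tmpd/ifcfg-br0" 00:11:22:33:44:66)"
echo "bridge: $(check_sysctl bridge "$tmpd/sysctl.txt")"
echo "route:  $(check_sysctl route "$tmpd/sysctl.txt")"
rm -rf "$tmpd"
```

On a real CentOS box the same functions would be fed `/etc/sysconfig/network-scripts/ifcfg-*`, the MAC from `ip link show eth0`, and the output of `sysctl -a`; the mode argument is the choice Ljubomir asks about, pass-through bridge versus router.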