Re: [Ntop-misc] ntopng bridge on nat gateway with vlans

2017-05-31 Thread Simone Mainardi
Dear Thomas,



On Tue, May 30, 2017 at 3:22 PM, <thomasmeier1...@gmx.de> wrote:

> Hi Marco,
>
> thank you for the answer.
>
> Let's try to make an easy testcase. How about this:
> eth0 wan (external ip)
> eth1 lan (192.168.x.x)
>
> lan gets NATed to wan.
>

We support bridging in routing mode. A tap will do the trick. Assuming you
want the box to NAT eth1 clients on eth0, you can do the following:

* tap setup:
tunctl -t tap0
ifconfig tap0 <tap0 ip address> netmask <netmask>
ifconfig tap0 up

* nat setup:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface tap0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

* ntopng startup (interface order matters here):
ntopng -i bridge:tap0,eth1

Also see the readme:
https://github.com/ntop/ntopng/blob/dev/doc/README.inline


> So I cannot build a bridge between eth0 and eth1.
> So where should I attach the bridge?
>
> Maybe:
> eth0 remove external ip
> create br0 without attached interfaces
> br0 add external ip
> Start ntop to use bridge br0 and parameter to attach eth0
> ntopng -i bridge:br0,eth0
> Then rewrite the firewall to NAT out over br0 instead of eth0
>
> Can this work? Or do I need at least one attached interface at the
> existing bridge and then let ntopng attach a second interface?
>
> regards, Thomas
>
___
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
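The procedure in Simone's reply (tap, NAT rules, forwarding, then ntopng in bridge mode) as one script, added here as an example; it is not ntop's code and not part of the original message. It keeps the interface names from the thread (eth0 WAN, eth1 LAN, tap0), while the tap address 10.99.0.1/24 and the APPLY switch are assumptions of this example. The point it adds is the check step: it parses an iptables-save dump and the ip_forward sysctl before ntopng takes over the path, so a missing rule is caught while the box is still a plain NAT gateway rather than after the LAN has lost its default route.

```shell
#!/bin/sh
# Added example (not ntop's code): the tap + NAT + ntopng inline setup from the
# reply above, wrapped in functions with checks before ntopng takes over the
# path. Assumed values: WAN on eth0, LAN on eth1, tap0 addressed 10.99.0.1/24
# (a hypothetical address; use one that does not overlap your LAN).
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
TAP_IF=${TAP_IF:-tap0}
TAP_ADDR=${TAP_ADDR:-10.99.0.1}        # assumed, adjust
TAP_MASK=${TAP_MASK:-255.255.255.0}    # assumed, adjust

# ntopng interface spec for bridge mode. Order matters: the first interface is
# the tap that sits on the routed/NAT side, the second is the LAN port.
bridge_spec() {
    printf 'bridge:%s,%s' "$1" "$2"
}

# Read an iptables-save dump on stdin and confirm the two rules the reply
# relies on: MASQUERADE out of the WAN port and ACCEPT forwarding in from the
# tap. Returns 0 when both are present, 1 otherwise (missing rule on stderr).
check_nat_rules() {
    wan=$1; tap=$2
    dump=$(cat)
    rc=0
    if ! printf '%s\n' "$dump" | grep -Eq "^-A POSTROUTING .*-o ${wan} .*-j MASQUERADE"; then
        echo "missing: -t nat -A POSTROUTING -o ${wan} -j MASQUERADE" >&2
        rc=1
    fi
    if ! printf '%s\n' "$dump" | grep -Eq "^-A FORWARD .*-i ${tap} .*-j ACCEPT"; then
        echo "missing: -A FORWARD -i ${tap} -j ACCEPT" >&2
        rc=1
    fi
    return "$rc"
}

# The sysctl file must read 1; the path is a parameter so the check can be
# exercised against a copy without root.
check_ip_forward() {
    [ "$(cat "$1")" = 1 ]
}

apply_inline_bridge() {
    # 1. tap device (tunctl, as in the reply above)
    tunctl -t "$TAP_IF"
    ifconfig "$TAP_IF" "$TAP_ADDR" netmask "$TAP_MASK"
    ifconfig "$TAP_IF" up
    # 2. NAT and forwarding
    iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    iptables -A FORWARD -i "$TAP_IF" -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # 3. verify before ntopng becomes the only path between LAN and tap
    iptables-save | check_nat_rules "$WAN_IF" "$TAP_IF"
    check_ip_forward /proc/sys/net/ipv4/ip_forward
    # 4. ntopng in bridge mode, tap side first, LAN side second
    ntopng -i "$(bridge_spec "$TAP_IF" "$LAN_IF")"
}

# Only touch the system when explicitly asked (needs root): APPLY=1 ./inline.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_inline_bridge
fi
```

Two caveats a practitioner will want. The FORWARD rule in the reply only accepts traffic entering from tap0; if your FORWARD chain policy is DROP rather than the default ACCEPT, return traffic from eth0 needs its own rule (the usual `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`), otherwise the check above passes but nothing comes back. And since ntopng itself moves the packets between tap0 and eth1 in this mode (Marco's "bridging with PF_RING in userspace"), stopping or crashing ntopng cuts the LAN off from the gateway; plan the restart/watchdog accordingly.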

Re: [Ntop-misc] ntopng bridge on nat gateway with vlans

2017-05-30 Thread thomasmeier1976
Hi,

Yes, I would like to do the ntopng inline policing, and I don't know where to insert the bridge because the LAN is NATed to the WAN.

VLANs can come later. In my first test case I can simulate it without VLANs because eth0 has no VLAN. It would be nice to hear from someone who managed it on one machine. I would like to avoid attaching a second physical machine into the line.

regards, Thomas

Re: [Ntop-misc] ntopng bridge on nat gateway with vlans

2017-05-30 Thread Marco Teixeira
Thomas,
Sorry, I misunderstood your question. I thought you wanted to do policing
with Linux and just use NTOP as usual.
Reading more carefully, I see you meant to use NTOPNG inline policing, right? If so,
I will let our good friends from NTOP chime in, as this involves bridging
with PF_RING in userspace... I don't know how this will work with VLANs...

=Marco



Re: [Ntop-misc] ntopng bridge on nat gateway with vlans

2017-05-30 Thread thomasmeier1976
Hi Marco,

thank you for the answer.

Let's try to make an easy test case. How about this:

eth0 wan (external ip)
eth1 lan (192.168.x.x)

The LAN gets NATed to the WAN. So I cannot build a bridge between eth0 and eth1.
So where should I attach the bridge?

Maybe:

eth0 remove external ip
create br0 without attached interfaces
br0 add external ip
Start ntop to use bridge br0 and a parameter to attach eth0
ntopng -i bridge:br0,eth0
Then rewrite the firewall to NAT out over br0 instead of eth0

Can this work? Or do I need at least one attached interface on the existing bridge and then let ntopng attach a second interface?

regards, Thomas


Re: [Ntop-misc] ntopng bridge on nat gateway with vlans

2017-05-30 Thread Marco Teixeira
Hi Thomas,
To the best of my knowledge, packets still have to pass on eth0, so attach
it there.
I don't use NTOP with a setup like yours, but you might have to account for
the VLAN tagging in NTOP config... maybe.

=Marco


[Ntop-misc] ntopng bridge on nat gateway with vlans

2017-05-30 Thread thomasmeier1976
Dear community,

I have a NAT gateway with iptables that is acting as the main gateway for all workstations.
ntopng is working fine, but now I would like to use inline traffic policing. Therefore I need a bridge.

Currently I have eth0 (WAN, untagged), eth1.1 (workstations), eth1.2 (phones), eth1.3 (servers).

Now I would like to change the eth1 devices to br0 devices for each VLAN. This is working in another setup.
Then I would have br0.1, br0.2, br0.3.

But how do I attach ntopng then for bridge mode? Is it possible? Or do I have to provide a separate machine?

kind regards,
Thomas
