https issues in bridge mode


This topic contains 5 replies, has 0 voices, and was last updated by  grhv 8 years, 10 months ago.

  • #42335

    grhv
    Member

    Hello all… I’ve been trying for quite a while to go through the forums and docs to find an answer to this – but nothing seems to fit the problem exactly. Rather than banging my head a few more times, I’m hoping someone can provide some guidance.

    No doubt it’s way too simple and I missed it, or I’m overlooking something obvious.

    It’s been a while, but I’m fairly sure I was ok with reaching https sites before I created/activated a bridge. Now it seems that only regular non-secure traffic is working outside. I tried to remove the bridge to test that theory, but I haven’t managed to successfully delete or disable the bridge, and get it back to where it was before. Adding/removing anything in QoS or the firewall didn’t do anything to help.

    So – long and short of it is… No access to internet https at all – internal is fine. Rather than blunder on and make it worse, I’d appreciate any help or pointers anyone can offer.

    Basic stuff…
    — ZS is connected to a router (no firewall blocks that I know of, below 1025 inbound – and none outbound, except for blocking P2P/Torrent stuff)
    — 2 nics – 192.168.0.x internal / 192.168.1.x external
    — eth0/eth1 are bridged and bridge00 is NATed
    — Captive portal is on and working fine
    — HAVP is on and 100% functional
    — DansGuardian is in and working great
    — QoS is enabled (with the Default rule only)
    — standard default route
    — DNS has entries for SOA, PTR, plus A records on any internal machines
    — No DHCP, NIS, VPN, WiFi, or accounting stuff – they’re all disabled/un-ticked

    ‘Show info’ output for the bridge…

    VLAN: none
    7: BRIDGE00: mtu 1500 qdisc noqueue
    inet 192.168.0.250/24 brd 192.168.0.255
    inet 192.168.1.7/24 brd 192.168.1.255
    RX: bytes packets errors dropped overrun mcast
    19968319 84829 0 0 0 19813
    TX: bytes packets errors dropped carrier collsns
    23768031 73848 0 0 0 0
    Throughput: RX 2.92 Kbit/s TX 4.05 Kbit/s

    And iptables output… (includes a Forward rule for e0->e1 for 443, that’s now disabled)

    root@zeroshell root> iptables -L -v
    Chain INPUT (policy ACCEPT 10433 packets, 1455K bytes)
    pkts bytes target prot opt in out source destination
    42081 13M SYS_INPUT all -- any any anywhere anywhere
    0 0 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:http
    3504 409K SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:https
    345 19952 SYS_SSH tcp -- any any anywhere anywhere tcp dpt:ssh

    Chain FORWARD (policy ACCEPT 8 packets, 1103 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- any any anywhere 192.168.0.250 PHYSDEV match --physdev-in ETH00 --physdev-out ETH00 source IP range 192.168.0.1-192.168.0.254 state NEW,RELATED,ESTABLISHED,UNTRACKED tcp dpt:https
    126 6384 ACCEPT tcp -- BRIDGE00 BRIDGE00 anywhere anywhere state INVALID,NEW,RELATED,ESTABLISHED,UNTRACKED tcp dpt:https
    361 36993 CapPort all -- any any anywhere anywhere

    Chain OUTPUT (policy ACCEPT 17029 packets, 7026K bytes)
    pkts bytes target prot opt in out source destination
    43232 14M SYS_OUTPUT all -- any any anywhere anywhere

    Chain CapPort (1 references)
    pkts bytes target prot opt in out source destination
    361 36993 CapPortACL all -- any any anywhere anywhere PHYSDEV match --physdev-in ETH00

    Chain CapPortACL (1 references)
    pkts bytes target prot opt in out source destination
    361 36993 CapPortFS all -- any any anywhere anywhere
    361 36993 CapPortFC all -- any any anywhere anywhere
    361 36993 CapPortWL all -- any any anywhere anywhere
    329 35251 DROP all -- any any anywhere anywhere

    Chain CapPortFC (1 references)
    pkts bytes target prot opt in out source destination

    Chain CapPortFS (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:bootps
    0 0 ACCEPT tcp -- any any anywhere 192.168.0.250 tcp dpt:https
    0 0 ACCEPT tcp -- any any anywhere 192.168.0.3 tcp dpt:http
    0 0 ACCEPT tcp -- any any anywhere 192.168.0.4 tcp dpt:http
    0 0 ACCEPT tcp -- any any anywhere 192.168.0.5 tcp dpt:http
    0 0 ACCEPT tcp -- any any anywhere 192.168.0.252 tcp dpt:http
    0 0 ACCEPT tcp -- any any anywhere 192.168.0.6 tcp dpt:dnp
    0 0 ACCEPT tcp -- any any anywhere 192.168.0.6 tcp dpt:http

    Chain CapPortWL (1 references)
    pkts bytes target prot opt in out source destination
    32 1742 ACCEPT all -- any any 192.168.0.15 anywhere MAC 00:21:70:48:8D:86

    Chain NetBalancer (0 references)
    pkts bytes target prot opt in out source destination

    Chain SYS_HTTPS (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    1632 188K ACCEPT all -- any any anywhere anywhere

    Chain SYS_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    965 369K ACCEPT all -- lo any anywhere anywhere
    9 1155 ACCEPT tcp -- any any anywhere anywhere tcp dpts:12080:12083 PHYSDEV match --physdev-in ETH00
    0 0 DROP tcp -- any any anywhere anywhere tcp dpts:12080:12083
    9 1885 ACCEPT udp -- any any anywhere anywhere udp spt:domain state ESTABLISHED
    490 285K ACCEPT tcp -- any any anywhere anywhere tcp spt:http state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:8245 state ESTABLISHED
    12 912 ACCEPT udp -- any any anywhere anywhere udp spt:ntp state ESTABLISHED
    669 99816 RETURN all -- any any anywhere anywhere

    Chain SYS_OUTPUT (1 references)
    pkts bytes target prot opt in out source destination
    965 369K ACCEPT all -- any lo anywhere anywhere
    9 694 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
    484 76420 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8245
    12 912 ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
    597 307K RETURN all -- any any anywhere anywhere

    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    345 19952 ACCEPT all -- any any 192.168.0.0/24 anywhere
    0 0 DROP all -- any any anywhere anywhere
    =============================================================================================================================

    root@zeroshell root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 3989 packets, 512K bytes)
    pkts bytes target prot opt in out source destination
    901 120K CapPort all -- any any anywhere anywhere
    0 0 DROP tcp -- any any anywhere anywhere tcp dpt:8081
    0 0 DROP tcp -- any any anywhere anywhere tcp dpt:http-alt
    0 0 Proxy tcp -- any any anywhere anywhere tcp dpt:http

    Chain POSTROUTING (policy ACCEPT 4486 packets, 283K bytes)
    pkts bytes target prot opt in out source destination
    4892 308K SNATVS all -- any any anywhere anywhere
    406 25023 MASQUERADE all -- any BRIDGE00 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 3776 packets, 248K bytes)
    pkts bytes target prot opt in out source destination

    Chain CapPort (1 references)
    pkts bytes target prot opt in out source destination
    71 3688 CapPortHTTP tcp -- any any anywhere anywhere PHYSDEV match --physdev-in ETH00 tcp dpt:http
    54 2808 CapPortHTTPS tcp -- any any anywhere anywhere PHYSDEV match --physdev-in ETH00 tcp dpt:https
    0 0 CapPortGW tcp -- any any anywhere anywhere PHYSDEV match --physdev-in ETH00 tcp dpt:12080
    1 52 CapPortGW tcp -- any any anywhere anywhere PHYSDEV match --physdev-in ETH00 tcp dpt:12081

    Chain CapPortGW (2 references)
    pkts bytes target prot opt in out source destination
    1 52 REDIRECT tcp -- any any anywhere anywhere

    Chain CapPortHTTP (1 references)
    pkts bytes target prot opt in out source destination
    69 3588 CapPortProxy all -- any any 192.168.0.15 anywhere MAC 00:21:70:48:8D:86
    0 0 CapPortProxy tcp -- any any anywhere 192.168.0.6 tcp dpt:http
    0 0 CapPortProxy tcp -- any any anywhere 192.168.0.252 tcp dpt:http
    0 0 CapPortProxy tcp -- any any anywhere 192.168.0.5 tcp dpt:http
    0 0 CapPortProxy tcp -- any any anywhere 192.168.0.4 tcp dpt:http
    0 0 CapPortProxy tcp -- any any anywhere 192.168.0.3 tcp dpt:http
    2 100 REDIRECT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 10/min burst 15 mode srcip-dstport redir ports 12080
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
    0 0 REDIRECT tcp -- any any anywhere anywhere redir ports 12080

    Chain CapPortHTTPS (1 references)
    pkts bytes target prot opt in out source destination
    54 2808 ACCEPT all -- any any 192.168.0.15 anywhere MAC 00:21:70:48:8D:86
    0 0 ACCEPT tcp -- any any anywhere 192.168.0.250 tcp dpt:https
    0 0 REDIRECT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 10/min burst 15 mode srcip-dstport redir ports 12081
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
    0 0 REDIRECT tcp -- any any anywhere anywhere redir ports 12081

    Chain CapPortProxy (6 references)
    pkts bytes target prot opt in out source destination
    69 3588 Proxy tcp -- any any anywhere anywhere tcp dpt:http
    0 0 ACCEPT all -- any any anywhere anywhere

    Chain Proxy (2 references)
    pkts bytes target prot opt in out source destination
    1013 52676 REDIRECT tcp -- any any anywhere anywhere PHYSDEV match --physdev-in ETH00 redir ports 8080
    0 0 REDIRECT tcp -- any any anywhere anywhere PHYSDEV match --physdev-in ETH01 redir ports 8080

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    #50068

    ppalias
    Member

    I would like to note here that both bridging and NATing are kind of non-applicable. If you bridge 2 interfaces it means that you put them in the same broadcasting domain. But it seems here that one domain is 192.168.1.0/24 and the other is 192.168.0.0/24, plus you want to NAT traffic egress to the internet, not just everything out of the BRIDGE00. My suggestion is to break the BRIDGE and work with both ETH interfaces instead.

    #50069

    grhv
    Member

    Thanks for the response, ppalias…

    That’s what I thought too, and the reason I tried to undo the bridge – but – reversing it to get a working connection wasn’t getting me anywhere fast. There wasn’t any way I found to remove it unless I used the web interface, but I lost connectivity after trying it.

    As I was going through it, I noticed the logs were showing it as having 1 last link to something, and never let go of it to fully delete it. I went through every screen that referenced the bridge (NAT, QoS, etc.), and unset anything that showed the bridge being used, but it still showed in the network list no matter what. I figured I’d try a reboot, in case it was a background process that wasn’t stopping. That just left me with a brick, and nothing but fail-safe (and a profile restore) would give me anything to connect to again.

    Obviously it’s not as easy – for me, anyway – to delete a bridge, as it was to create one. Is there a certain procedure to follow in removing it without having to start from scratch? Even a set of CLI commands – if the interface won’t be helpful.

    #50070

    ppalias
    Member

    I suppose that you can log in on the ZS with a monitor and a keyboard. Using the command brctl you can do manipulations on the bridge interface.

    root@zeroshell root> brctl --help
    Usage: brctl [commands]
    commands:
    addbr add bridge
    delbr delete bridge
    addif add interface to bridge
    delif delete interface from bridge
    setageing set ageing time
    setbridgeprio set bridge priority
    setfd set bridge forward delay
    sethello set hello time
    setmaxage set max message age
    setpathcost set path cost
    setportprio set port priority
    show show a list of bridges
    showmacs show a list of mac addrs
    showstp show bridge stp info
    stp {on|off} turn stp on/off
    root@zeroshell root> brctl show
    bridge name bridge id STP enabled interfaces
    BRIDGE00 8000.0015e9da3849 no ETH00
    ETH02
    DEFAULTBR 8000.000000000000 no

    First use “show” to see which interfaces are attached to it, then “delif” to remove them and finally remove the bridge itself. When you finish, add an IP address on the ETH interface to be able to access it with the web GUI.
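    The sequence ppalias describes (show, delif for each member, delbr, then an address on the freed interface), as an added example that is not from this thread and not ZeroShell's own tooling: a POSIX sh script that parses the multi-line format of “brctl show”, in which a bridge's second and later members appear on continuation lines carrying only the interface name (as ETH02 does in the listing above), and prints the teardown commands as a dry run so they can be reviewed before being piped to sh. The sample listing, the use of iproute2 “ip” commands, and the choice of 192.168.0.250/24 on ETH00 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of ZeroShell: parse `brctl show`
# and emit the teardown sequence as a dry run (nothing is executed).

# Constructed sample of `brctl show` output, modelled on the thread's
# listing: a bridge's second and later members are printed on their own
# continuation lines that carry only the interface name.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
BRIDGE00        8000.0015e9da3849       no              ETH00
                                                        ETH02
DEFAULTBR       8000.000000000000       no'

# bridge_members BRIDGE  (reads `brctl show` output on stdin)
# Prints one member interface per line for BRIDGE, following continuation
# lines until the next bridge row begins.
bridge_members() {
    awk -v br="$1" '
        NR == 1 { next }                          # header row
        NF >= 3 { cur = $1                        # bridge row: name, id, stp[, first member]
                  if (NF >= 4 && cur == br) print $4
                  next }
        NF == 1 { if (cur == br) print $1 }       # continuation row: member only
    '
}

# teardown_commands BRIDGE IFACE ADDR  (reads `brctl show` output on stdin)
# Prints the commands to detach every member, delete the bridge and put
# ADDR on IFACE, so they can be reviewed before being piped to sh.
# brctl refuses to delete a bridge whose link is still up, hence the
# `ip link set ... down` before delbr.
teardown_commands() {
    br="$1"; iface="$2"; addr="$3"
    for m in $(bridge_members "$br"); do
        echo "brctl delif $br $m"
    done
    echo "ip link set $br down"
    echo "brctl delbr $br"
    echo "ip addr add $addr dev $iface"
    echo "ip link set $iface up"
}

# Dry run on the constructed sample. On a real box, review the output of
#   brctl show | teardown_commands BRIDGE00 ETH00 192.168.0.250/24
# and only then append `| sh` to run it.
printf '%s\n' "$SAMPLE_BRCTL" | teardown_commands BRIDGE00 ETH00 192.168.0.250/24
```

    Running it against the real “brctl show” output from a console session (the web GUI will be unreachable while the bridge address is gone) lets you confirm the member list is complete before anything is deleted; the “ip link set BRIDGE00 down” step matters because brctl reports the bridge as still up and refuses delbr otherwise.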

    #50071

    grhv
    Member

    That seems more straightforward, ppalias… Thanks for your expertise.

    I have a local VM copy on another machine, so I’ll clone a new one for testing and give it another try… I’ll post back with the results.

    #50072

    grhv
    Member

    Well, there’s good and bad news… I used the cloned copy of ZS I made, and using the brctl commands… I did get the 2 nics deleted from the bridge, and then got the bridge to successfully delete itself too – but – both the nics still showed up as members of the bridge in the web interface. After that there’s nothing I could do with either nic to modify them or reassign them to anything else with either CLI or web. I’d get an error saying they were members of the bridge (which didn’t exist), and the command would exit.

    I cloned another one and went back to the web interface to take another run at it that way, and this time I did get the 2 nics removed from the bridge – along with them not being members any more – and also got the bridge removed entirely without error. I went back to all the areas that needed to be ‘un-bridged’, and set things back to their ‘routed’ settings… then rebooted.

    Even though it looked like the setup was in the same state as it was before the bridge was created, there was no internet connection at all. None of the logs showed any errors, and everything showed as being ‘UP’ and running – but there wasn’t any traffic on eth00 either. I couldn’t ping the gateway, or ping back to ZS from the rest of the network that’s on the same 192.169.1.x (eth01) segment. The 192.168.0.x (eth00) segment behind ZS was pingable and working fine. DNS was resolving internally for the eth00 side, HAVP displayed ‘No connection’ screens, Captive portal logins worked, etc.

    I tried going through and disabling everything that might affect the connection in case there was any other issues somewhere else, but no luck.

    So I think my only choice might be to start with a fresh profile and rebuild from scratch – making sure to not create a bridge this time… unless someone sees something I’m missing, or has a quicker fix.

    #50073

    ppalias
    Member

    If you cannot remove the BRIDGE, I would suggest removing the 2 network cards and installing 2 other network cards. Thus the 2 new cards will get their new ETH0X name and you can do whatever you want on them, since they won’t be bridge members.
