November 10, 2010 at 6:25 pm #42720
I discovered ZeroShell about 2 weeks ago and loved it from the beginning 🙂
I managed to get all services running for our network, but one thing.
ZS is supposed to run as our Bridge, between our house and the university.
At the moment our old bridge is still installed, but I put ZS in front of it, so traffic from the house goes through ZS and after that through our old Bridge which I want to get rid of. Unfortunately I can’t get the bridge to work, so all the traffic is entering and leaving ZS on the same network card and you could just skip ZS by entering the old Bridge as gateway (which isn’t what I want)
Do you have any idea what I could have done wrong? The only thing I did was to add both network devices to a bridge and assign the bridge an IP address and the traffic somehow doesn’t get forwarded to the other network device 🙁
FYI: ZS, the old bridge and the destination after the old bridge (outside our house) are in the same subnet

November 11, 2010 at 7:29 am #51314
Could you send us the output of the following commands?
brctl showmacs BRIDGE00
iptables -L -v

November 11, 2010 at 8:32 am #51315
sure I can 😉
Here are the desired outputs. I shortened the FORWARD table, since we do access control with IP/MAC combinations in the Firewall and the rules are pretty much the same.

November 11, 2010 at 12:53 pm #51316
You have assigned 2 IP addresses in the BRIDGE00 that are in the same subnet. Either remove one or change one to be in another subnet.

November 11, 2010 at 7:25 pm #51317
Unfortunately that didn’t solve the problem 🙁

November 12, 2010 at 7:35 am #51318
It also looks like you are not learning anything in the ARP table from the ETH00 interface. Maybe your university is blocking the MAC address of the ZS, or they are applying some kind of security, such as 802.1x .
Apart from that your configuration looks fine to me. You can try it by connecting two workstations on the two interfaces (in the same subnet) and see if they can ping each other.

November 12, 2010 at 9:25 am #51319
currently the ETH00 interface is connected to the network and the traffic is “bridged” over this network, I tried hooking up my laptop to ETH01… DHCP is giving me the right IP, I can ping ZS, but nothing else and nothing on the other side can ping me 🙁 (in the local network with the same subnet)
So there should be no problem with port security
On the other hand, if I connect a PC to one interface with the old bridge and put ZS as Gateway in the PC and in ZS I put the old Bridge in as Gateway, everything works… the traffic is going through ZS to the old Bridge to the university.

November 12, 2010 at 10:12 am #51320
That proves what I am saying about security. I suppose that the university requires you to acquire an IP address via DHCP. Are you acquiring an IP from their DHCP on your ZS? Maybe if you don’t get an IP from their DHCP no traffic is allowed to your ZS.

November 12, 2010 at 11:47 am #51321
The DHCP I was talking about is running on ZS; the university doesn’t have a DHCP server.

November 12, 2010 at 1:59 pm #51322
Then you had better not run a DHCP server on ZS directly connected to the university network.
Are you sure the old bridge is just bridging the two network interfaces, rather than doing something else? The whole setup is pretty straightforward and the fact that it is not working makes me wonder if you are missing something. If you omit both the old bridge and the ZS and connect the laptop directly to the university network, does it work?

November 19, 2010 at 5:35 pm #51323
I finally figured out what the problem was:
Somehow there were network filters activated on the bridge, like mentioned in this FAQ.
After disabling this, everything worked… but it seems like this also disabled QoS…
Currently I am happy that I found a way to make the Bridge work; I will continue to activate and deactivate some netfilters and watch what triggers the right thing 🙂

November 19, 2010 at 9:56 pm #51324
It looks like I was wrong: QoS seems to work, and iptables was also untouched by the netfilters I disabled… Does anybody know what they are for? Why does it seem like I am the only one having problems with those netfilters?
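The two checks the thread turns on, whether a bridge port is learning any MAC addresses from the far side (the admin's remark about ETH00) and whether bridged frames are being passed through the iptables FORWARD chain at all, can be scripted. The script below is an added example, not code from the thread or from ZeroShell; the `brctl showmacs` output it parses is constructed, and it assumes (this is an assumption, not something the thread states) that the "netfilters" on the bridge correspond to the kernel's `net.bridge.bridge-nf-call-iptables` sysctl, which is the standard Linux switch that makes a bridge subject to the FORWARD rules and so the usual reason a bridge forwards nothing while the bridge host itself stays pingable.

```shell
#!/bin/sh
# Added example: diagnose a Linux bridge from `brctl showmacs` output and
# from the br_netfilter sysctl. Not from the forum thread or ZeroShell.

# learned_macs_on_port PORT  (reads `brctl showmacs` output on stdin)
# Prints the number of non-local MACs the bridge has learned on PORT.
# A port that has learned nothing is either unplugged, or the far side is
# not delivering frames to it (cabling, port security, 802.1x, ...).
learned_macs_on_port() {
    awk -v p="$1" 'NR > 1 && $1 == p && $3 == "no" { n++ } END { print n + 0 }'
}

# ports_not_learning  (reads `brctl showmacs` output on stdin)
# Prints, one per line, every port that knows only its own (local) MAC.
ports_not_learning() {
    awk 'NR > 1 { seen[$1] = 1; if ($3 == "no") learned[$1]++ }
         END { for (p in seen) if (!(p in learned)) print p }' | sort -n
}

# bridge_nf_state [FILE]
# Prints "on", "off" or "absent" depending on whether bridged frames are
# routed through the iptables FORWARD chain. Reads the real sysctl file by
# default; FILE overrides it so the function can be exercised offline.
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# Constructed sample of `brctl showmacs BRIDGE00` output (same column layout
# as the real command): port 1 has only its local MAC, i.e. learns nothing;
# port 2 has learned two stations.
SAMPLE_SHOWMACS='port no	mac addr		is local?	ageing timer
  1	02:00:00:00:00:01	yes		   0.00
  2	02:00:00:00:00:02	yes		   0.00
  2	02:00:00:00:00:a1	no		   5.12
  2	02:00:00:00:00:a2	no		  12.40'

# Demo when run directly: on a live system replace the sample with
#   brctl showmacs BRIDGE00 | ports_not_learning
printf '%s\n' "$SAMPLE_SHOWMACS" | ports_not_learning | while read -r p; do
    echo "port $p has learned no MAC addresses: check the link on that side"
done
echo "bridge-nf-call-iptables: $(bridge_nf_state)"
```

If `bridge_nf_state` prints `on`, every frame crossing the bridge is evaluated by the FORWARD chain, so a restrictive FORWARD policy (the thread's IP/MAC access-control rules) silently drops bridged traffic even though the bridge's own IP answers pings; if it prints `off` (or `absent`, meaning the `br_netfilter` module is not loaded), the bridge forwards at layer 2 regardless of iptables, which matches the thread's observation that disabling the netfilters left the iptables rules untouched but made the bridge work.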