Clear OS - Some useful reminders - Part 4 - Network

Network - Network Bridging



The following howto describes how to bridge two or more network interfaces into a single bridged interface group. This is the IEEE MAC Bridges standard, better known by its working group title, 802.1D.

Install the required software packages.


yum install bridge-utils


Example Configuration


Here is an example of how to create a bridged interface from eth0 and eth1. You can add many network cards to the same bridge. Be aware that all traffic hitting the bridge is propagated to every other port of the bridge, much like a hub. Please consider security when creating bridges.


Network Configuration


First, you need to manually create or edit the configuration files as follows.
You can leave the HWADDR line alone in the ifcfg-eth* files. The line HWADDR="00:00:00:00:00:00" below is a placeholder only; use the MAC address detected by the system.



/etc/sysconfig/network-scripts/ifcfg-eth0:


DEVICE=eth0
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
HWADDR="00:00:00:00:00:00"
BRIDGE=br0


/etc/sysconfig/network-scripts/ifcfg-eth1:


DEVICE=eth1
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
HWADDR="00:00:00:00:00:00"
BRIDGE=br0


/etc/sysconfig/network-scripts/ifcfg-br0:


DEVICE=br0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="dhcp"
PEERDNS="yes"
BRIDGE_STP="yes"


Alternately, you may assign a static address to this interface. This is required if you are using this server as your gateway and the br0 interface carries your gateway address. Please note that br0 is a bridge and an address is NOT required for it to function as one. However, an address is quite useful for management even if you use the system as a transparent inline services platform.


DEVICE=br0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="static"
IPADDR="192.168.1.2"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"


Firewall Configuration


How you use your bridged interfaces determines how you will need to configure your /etc/firewall file. The UI in ClearOS 5.x does not allow these values to be manipulated and may replace them with its 'automatic' values if parts of the UI are edited or updated. Back up any manual configuration you make in case this occurs.


Pseudo-switch or hub


If you want to use the bridge interface as the equivalent of a switch or hub, you can assign the br0 interface a single role. This is useful if you happen to have multiple spare interfaces and don't want to buy a switch, or if you decide you want to bridge a VPN interface onto the same network as the physical network.
The firewall needs to know about your new br0 network interface. In the /etc/firewall configuration file, update the LANIF parameter.

LANIF="br0"

-or-

EXTIF="eth2"
LANIF="br0"

Various software packages need to know about this network change. The easiest way to notify these packages about the change is to run:


service syswatch restart


service firewall restart


Inline transparent services platform


Some people may want to implement a ClearOS server as a transparent UTM or transparent proxy without gateway. By default all packets are propagated across the bridge but ClearOS can manipulate packets with the firewall to drop packets, or redirect packets to a local service like a proxy server or a local mail server for analysis through the anti-malware engine.
The firewall needs to know about your new br0 network interface. In the /etc/firewall configuration file, update the LANIF and EXTIF parameters.

EXTIF="br0"
LANIF="br0"

Various software packages need to know about this network change. The easiest way to notify these packages about the change is to run:

service syswatch restart

service firewall restart
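A consistency check for the bridge and firewall files described in the two sections above, added here as an example; it is not part of the original howto and not ClearOS code. It parses the ifcfg-* fragments and the LANIF/EXTIF lines of /etc/firewall (all constructed inline rather than read from disk) and reports the mistakes that usually leave a bridge silently broken or exposed: a placeholder HWADDR, a bridge port that is not set to come up at boot, STP left off, and a bridge port named directly in /etc/firewall instead of its bridge. The 'switch' and 'transparent' mode names are this example's own.

```python
"""Consistency check for a ClearOS 5.x bridge configuration (example, not ClearOS code)."""

# Constructed sample configuration, mirroring the howto (HWADDR on eth0 left as the placeholder on purpose).
SAMPLE_IFCFG = {
    "eth0": 'DEVICE=eth0\nTYPE="Ethernet"\nONBOOT="yes"\nUSERCTL="no"\nHWADDR="00:00:00:00:00:00"\nBRIDGE=br0\n',
    "eth1": 'DEVICE=eth1\nTYPE="Ethernet"\nONBOOT="yes"\nUSERCTL="no"\nHWADDR="00:11:22:33:44:55"\nBRIDGE=br0\n',
    "br0": 'DEVICE=br0\nTYPE="Bridge"\nONBOOT="yes"\nUSERCTL="no"\nBOOTPROTO="dhcp"\nPEERDNS="yes"\nBRIDGE_STP="yes"\n',
}


def parse_ifcfg(text):
    """Turn KEY=value / KEY="value" lines into a dict; blank lines and comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf


def parse_firewall(text):
    """Extract LANIF and EXTIF from an /etc/firewall fragment as lists of interface names."""
    conf = parse_ifcfg(text)  # /etc/firewall uses the same KEY="value" syntax
    return {k: conf.get(k, "").split() for k in ("LANIF", "EXTIF")}


def check_bridge(ifcfgs, firewall_text, mode):
    """Return a list of findings for the given files; mode is 'switch' or 'transparent'."""
    confs = {name: parse_ifcfg(text) for name, text in ifcfgs.items()}
    findings = []
    bridges = {n for n, c in confs.items() if c.get("TYPE") == "Bridge"}
    ports = {n: c["BRIDGE"] for n, c in confs.items() if "BRIDGE" in c}

    for port, br in ports.items():
        if br not in bridges:
            findings.append(f"{port}: BRIDGE={br} but there is no ifcfg-{br} with TYPE=Bridge")
        if confs[port].get("HWADDR", "") in ("", "00:00:00:00:00:00"):
            findings.append(f"{port}: HWADDR is the placeholder; use the MAC detected by the system")
        if confs[port].get("ONBOOT") != "yes":
            findings.append(f"{port}: ONBOOT is not yes, so the port will not join the bridge at boot")

    for br in sorted(bridges):
        if confs[br].get("BRIDGE_STP") != "yes":
            findings.append(f"{br}: BRIDGE_STP is not yes; a loop between ports would flood the segment")
        if br not in ports.values():
            findings.append(f"{br}: bridge has no ports")

    fw = parse_firewall(firewall_text)
    for role in ("LANIF", "EXTIF"):
        for iface in fw[role]:
            if iface in ports:
                findings.append(f"/etc/firewall {role} names bridge port {iface}; use its bridge {ports[iface]} instead")
    if mode == "transparent" and not (fw["LANIF"] == fw["EXTIF"] and set(fw["LANIF"]) <= bridges):
        findings.append("transparent mode expects EXTIF and LANIF both set to the bridge")
    if mode == "switch" and set(fw["LANIF"]) & set(fw["EXTIF"]):
        findings.append("switch mode: the same interface is listed as both LANIF and EXTIF")
    return findings


if __name__ == "__main__":
    for line in check_bridge(SAMPLE_IFCFG, 'EXTIF="eth2"\nLANIF="br0"\n', "switch"):
        print(line)
```

Run it before `service firewall restart`: an empty list means the three ifcfg files and /etc/firewall agree with each other; the sample above reports only the placeholder HWADDR on eth0.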

Avoid automagic

After you have these configurations set you should avoid using the IP Settings functions of the ClearOS 5.x server, as it does not know how to properly manipulate the br0 interface. This can cause /etc/firewall to be rewritten with settings other than the ones you intended, or it can put a MAC address into the br0 interface configuration.

Booting

Don't be surprised when booting if the br0 interface fails to come up immediately. It may indicate that it needs to delay initialization. This can be normal and if properly configured, should just start working.

Network - Troubleshooting network problems


Another good tool for troubleshooting problems from Windows is nbtstat. This tool allows you to look up and validate the name of your server and the domain as they appear on the network. If your server's address is 192.168.1.1 you could do the following:

nbtstat -A 192.168.1.1

Network - Managing static routes


Static routes on a ClearOS system are associated with a particular network interface. The route is then enabled/disabled when the particular network interface is enabled/disabled. Here is a simple scenario:

  • A ClearOS LAN interface - eth1 - is configured with a 192.168.1.x network.
  • A private building-to-building wireless connection is configured via a wireless router. One side of the wireless router is connected to the ClearOS LAN at 192.168.1.100. The other side of the wireless router is connected to a 192.168.99.x LAN.


In order for the ClearOS gateway to be aware of the remote 192.168.99.x LAN, a static route must be configured. In this example, /etc/sysconfig/network-scripts/route-eth1 is created with the following:

192.168.99.0/24 via 192.168.1.100

After adding this static route, the route can be activated by re-enabling the ClearOS LAN interface:

/sbin/ifup eth1

If you are adding routes to a routing table with existing routes present, you can use the above command to load the new routes. You will get a number of 'route already exists' error messages for those entries whose routes already exist.

If you are changing or deleting a route which has previously been defined, the above command will run, but the new route will not take effect.

In this scenario you need to re-load the routing table:

/sbin/ifdown eth1

/sbin/ifup eth1

This command takes the associated network down, so be aware of which network you are connected from (it is a good idea to do this from the console if possible). If you have no access to the console and wish to do it remotely, try:

/sbin/ifdown eth1 && /sbin/ifup eth1

(Both commands must be entered on the same line; the interface is brought back up immediately after it has been taken down.)

If you are using Multi-WAN, then you also need to restart the firewall:

/sbin/service firewall restart

Additional LAN Networks

If you have other LAN networks connected behind your ClearOS gateway, you need to configure these on the system. You can add extra networks in /etc/system/network file (create the file if it does not exist). The format is similar to:

EXTRALANS="LAN1 LAN2 ... LANx"

For example:

EXTRALANS="192.168.4.0/24 192.168.5.0/24"

You may need to restart services (for example, the web proxy) after making this change.
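The static route and EXTRALANS sections above both hinge on two facts that are easy to get wrong by hand: the next hop in route-ethX must be on the subnet of the interface the file is named after (otherwise ifup cannot install the route), and a remote LAN the gateway routes to should also appear in EXTRALANS so LAN-facing services treat it as internal. The following checker, added here as an example and not part of the original page or of ClearOS, parses both files. The interface address 192.168.1.1/24 and the second, deliberately wrong, route line are constructed for the example.

```python
"""Sanity-check a ClearOS route-ethX file and EXTRALANS (example, not ClearOS code)."""
import ipaddress

# Constructed inputs mirroring the scenario above; the eth1 address is an assumption.
SAMPLE_IFACE = {"name": "eth1", "address": "192.168.1.1/24"}
SAMPLE_ROUTE_FILE = """\
# route-eth1 (constructed example)
192.168.99.0/24 via 192.168.1.100
10.20.0.0/16 via 192.168.50.1
"""
SAMPLE_NETWORK_FILE = 'EXTRALANS="192.168.4.0/24 192.168.5.0/24"\n'


def parse_routes(text):
    """Parse 'DEST via GATEWAY' lines into (network, gateway) tuples; comments are skipped."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] != "via":
            raise ValueError(f"unrecognised route line: {line!r}")
        routes.append((ipaddress.ip_network(parts[0], strict=False),
                       ipaddress.ip_address(parts[2])))
    return routes


def parse_extralans(text):
    """Return the networks listed in EXTRALANS of an /etc/system/network fragment."""
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "EXTRALANS":
            return [ipaddress.ip_network(n, strict=False) for n in value.strip('"').split()]
    return []


def check_routes(iface, route_text, network_text):
    """Return a list of findings; an empty list means the two files are consistent."""
    link = ipaddress.ip_interface(iface["address"]).network
    extralans = parse_extralans(network_text)
    findings = []
    for dest, gw in parse_routes(route_text):
        if gw not in link:
            findings.append(f"{dest} via {gw}: next hop is not on {iface['name']}'s subnet {link}")
        if dest.overlaps(link):
            findings.append(f"{dest}: overlaps {iface['name']}'s own subnet {link}")
        if dest.is_private and dest not in extralans:
            findings.append(f"{dest}: private LAN behind the gateway but missing from EXTRALANS")
    return findings


if __name__ == "__main__":
    for finding in check_routes(SAMPLE_IFACE, SAMPLE_ROUTE_FILE, SAMPLE_NETWORK_FILE):
        print(finding)
```

With the sample input the checker reports the 10.20.0.0/16 route twice (unreachable next hop, missing from EXTRALANS) and 192.168.99.0/24 once (missing from EXTRALANS); adding 192.168.99.0/24 to EXTRALANS and dropping the bad line yields no findings.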

Network - Hot LAN


Hot LAN (or “Hotspot Mode”) allows you to create a separate LAN network for untrusted systems. Typically, a Hot LAN is used for:

  • Servers open to the Internet (web server, mail server)
  • Guest networks
  • Wireless networks

A Hot LAN is able to access the Internet, but is not able to access any systems on a LAN. As an example, a Hot LAN can be configured in an office meeting room used by non-employees. Users in the meeting room could access the Internet and each other, but not the LAN used by company employees.
The firewall port forwarding page in webconfig is used to forward ports to both LANs and Hot LANs.

Network - DMZ


In ClearOS, a DMZ interface is for managing a block of public Internet IP addresses. If you do not have a block of public IP addresses, then use the Hot LAN role of your IP Settings. A typical DMZ setup looks like:

  • WAN: An IP address for connecting to the Internet
  • LAN: A private network on 192.168.x.x
  • DMZ: A block of Internet IPs (e.g. from 216.138.245.17 to 216.138.245.31)


Webconfig has a DMZ firewall configuration page to manage firewall policies on the DMZ network.

Overview

The DMZ solution is used to protect a separate network of public IP addresses. Typically, a third network card is used exclusively for the DMZ network.

  • If you are configuring a few extra public IPs (not a whole network), then go to the 1 to 1 NAT section of the User Guide.
  • If you are configuring a separate private network (192.168.x.x or 10.x.x.x), then investigate Hot LANs in the IP Settings section of the User Guide.


Configuration

Network Configuration

Before you can use the DMZ firewall configuration, you need to configure one of your network cards with the DMZ role. In our example, we used the network settings tool to configure a third network card (eth2) with the following:

  • Role: DMZ
  • IP Address: 216.138.245.17
  • Netmask: 255.255.255.240
  • Network: 216.138.245.16/28


All the systems connected to this third network card can then be configured with an IP address in the 216.138.245.18 to 216.138.245.30 range.

Incoming Connections
By default, all inbound connections from the Internet to systems on the DMZ are blocked (with the exception of the ping protocol). You can permit connections to systems on the DMZ by allowing:
  • all ports and protocols to a single public IP
  • all ports and protocols to the whole network of public IPs
  • a specific port and protocol to a single public IP


Pinhole Connections (DMZ-to-LAN)

In some situations, you may want to allow particular network traffic from your DMZ to your LAN – a pinhole rule. In our example, we have a document management system running on port 2401 on the LAN (at IP address 192.168.2.2). We want to allow a web server in our DMZ to access this document management system, and we create a pinhole rule to do it.

Handy commands for checking a network interface:

  • mii-tool displays link status and speed
  • ethtool eth0 displays link status, speed, and many other stats - not all cards support this tool
  • ifconfig eth0 displays the IP settings of eth0

Network - Multi-Wan



The multi-WAN feature in ClearOS allows you to connect your system to multiple Internet connections. ClearOS multi-WAN not only provides load balancing, but also automatic failover.
The ClearOS multi-WAN has the following features:

  • auto-failover
  • load balanced
  • round-robin based on user-defined weights


To give you an example of how multi-WAN works, imagine two 1 Mbit/s DSL lines with two users on the local network. With every new connection to a server on the Internet, the multi-WAN system alternates WAN interfaces. User A could be downloading a large file through WAN #1, while User B is making a voice-over-IP (VoIP) telephone call on WAN #2.
With some applications, the download speed for the multi-WAN system can use the full 2 Mbit/s available. For example, downloading a large file from a peer-to-peer network will use the bandwidth from both WAN connections simultaneously. This is possible since the peer-to-peer technology uses many different Internet “peers” for downloading. At the other end of the spectrum, consider the case of downloading a large file from a web site. In this case, only a single WAN connection is used – 1 Mbit/s maximum.
Bandwidth aggregation (combining multiple WAN interfaces so they look like a single WAN interface) is not possible without help from your ISP, since both ends of an Internet connection must be configured.

Weights

Multi-WAN weights are used to load balance outbound Internet traffic. By default, all WAN interfaces are given a weight of one. This default configuration means the network traffic will be roughly evenly split amongst the different WAN connections.

In one of the typical multi-WAN configurations, a second broadband connection is used for backup. This second connection is often a low-cost and low-bandwidth connection. In this case, you would want to set the weight on your high-bandwidth connection to 3 or 4, while leaving your low-cost/low-end connection with a weight of 1.

Dynamic DNS

While on the road, you may need to connect back to your ClearOS system. If you have a dynamic IP, you can use the dynamic DNS hostname to make the connection. For this reason, the built-in dynamic DNS system will always report an IP address that has a working connection to the Internet.

If your ClearOS system uses real public IP addresses, you can select the preferred WAN interface to use when all your WAN connections are functioning.

Source Based Routes

In some situations, you may want a system on your local area network (LAN) to always use a particular WAN interface. A source-based route definition makes this possible.

Destination Port Rules

In some situations, you may want to send network traffic for a specific port out a particular WAN interface. For example, you may want to send all DNS traffic out a particular WAN network.

Routing Policies

Some Internet service providers (ISPs) will not allow traffic from source addresses they do not recognize as their own. The following scenarios will give you a good idea of common issues faced in a multi-WAN environment. In the examples, we assume two connections, but the same issues crop up with three or more connections.

DNS Servers

The DNS servers configured on the ClearOS system will be provided by one or both ISPs. In our example, we are going to assume that ISP #1 provides the DNS servers. If a DNS request from your network goes out the ISP #2 connection, it might get blocked by ISP #1. Result: DNS requests will only succeed on ISP #1.

Solution – Use DNS servers that are accessible from any network. If your ISPs do not provide such DNS servers, then we recommend using OpenDNS.

Note: your DHCP/DSL network configuration settings should have the Automatic DNS Servers checkbox unchecked.

DMZ Networks

If you have a range of extra IP addresses provided by ISP #1, you may need to explicitly send traffic from these extra IPs out the ISP #1 connection. ISP #2 may drop the packets.

Solution – Use a Source Based Route for your DMZ network.
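The Weights, Source Based Routes, Destination Port Rules and Routing Policies sections above describe how a new outbound connection is placed: explicit source-based routes first (the DMZ fix), then destination-port rules (the DNS fix), then weighted round-robin over the WAN links that are up, with a failed link skipped automatically. The model below, added as an example and not taken from ClearOS's own multi-WAN implementation, makes that order concrete; the link names, weights, the 216.138.245.16/28 DMZ range and the port-53 rule are constructed for the illustration.

```python
"""Model of multi-WAN connection placement: source routes, port rules, weighted round-robin, failover."""
import ipaddress
from collections import Counter


class MultiWan:
    def __init__(self, weights, source_routes=(), port_rules=()):
        self.weights = dict(weights)                          # e.g. {"wan1": 3, "wan2": 1}
        self.up = set(self.weights)                           # links currently passing traffic
        self.source_routes = [(ipaddress.ip_network(n), w) for n, w in source_routes]
        self.port_rules = dict(port_rules)                    # {(proto, dport): wan}
        self._round = []                                      # remaining slots in the current round

    def set_link(self, wan, is_up):
        """Mark a WAN link up or down; the current round is rebuilt from live links only."""
        (self.up.add if is_up else self.up.discard)(wan)
        self._round = []

    def _next_round_robin(self):
        # Each round contains every live WAN repeated 'weight' times, so a 3:1 weighting
        # sends three new connections out wan1 for every one out wan2.
        if not self._round:
            self._round = [w for w in self.weights if w in self.up for _ in range(self.weights[w])]
            if not self._round:
                raise RuntimeError("no WAN link is up")
        return self._round.pop(0)

    def choose(self, src, proto, dport):
        """Pick the WAN for one new connection, honouring rules only when their WAN is up."""
        src = ipaddress.ip_address(src)
        for net, wan in self.source_routes:             # 1. source-based routes (e.g. DMZ range)
            if src in net and wan in self.up:
                return wan
        wan = self.port_rules.get((proto, dport))       # 2. destination port rules (e.g. DNS)
        if wan in self.up:
            return wan
        return self._next_round_robin()                 # 3. weighted round-robin with failover


def simulate(mw, connections):
    """Count how many of the given (src, proto, dport) connections land on each WAN."""
    return Counter(mw.choose(*c) for c in connections)


if __name__ == "__main__":
    mw = MultiWan({"wan1": 3, "wan2": 1},
                  source_routes=[("216.138.245.16/28", "wan1")],
                  port_rules={("udp", 53): "wan1"})
    print(simulate(mw, [("192.168.1.10", "tcp", 80)] * 8))
    mw.set_link("wan1", False)
    print(mw.choose("216.138.245.20", "tcp", 25))
```

Note the failover choice made here: when the WAN a rule points at is down, the connection falls through to round-robin on the remaining link. For the DMZ case that means traffic sourced from the ISP #1 range will leave via ISP #2 during an outage, which is exactly the traffic the Routing Policies section warns may be dropped; a stricter model would refuse the connection instead.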

Network - 1 To 1 Nat


1-to-1 NAT maps a public Internet IP to an IP on your local area network (LAN).

You can map 1-to-1 NAT IPs in one of two ways:

  • With no firewall at all
  • With selective ports open


1-to-1 NAT - No Firewall

Some protocols can be finicky behind firewalls. In this case you want to configure 1-to-1 NAT with no firewall (make sure you secure the target LAN system some other way!).

1-to-1 NAT - Selective Ports Open

If you only want to map selective ports, for example the TCP 80 web server port, you can configure particular ports in your 1-to-1 NAT mapping.

1-to-1 NAT - With MultiWAN

If you have Multi-WAN enabled, please review the topic on source-based routes. Each 1-to-1 NAT rule must typically be assigned to an external MultiWAN interface as shown by example below: