Multi Bridge Instances

August 25, 2010 at 08:30:44
Specs: Windows 7, E6420 @ 3.2GHz / 4GB RAM
First of all I may be barking up the wrong tree on this one so I'm open to alternative configurations or solutions folks.

I'm a bit green when it comes to the iso/osi model but here goes anyways.

At the moment I have a router in bridge mode and a linux UTM distro handling PPPoE for me and everything is going swell. My issue is I wish to use the same solution in a different environment.

I have a Thomson TG585 v7 router which seems to have some great functionality from its CLI interface, one of these features is Multi Bridge Instances.

A new environment: Same set up, however, I have to provide wireless connections for people who are not part of the network behind the linux UTM box. This would be achieved by dangling a netgear wireless router off of one of the bridges and physically assigned ethports.

I created two bridges no problem by telnetting into the TG585 but when trying to allocate them the same ATM entry/address (0.38 here in the UK) it throws an error assigning this ATM to bridge two, rightly it says this ATM/addr is effectively already in use.

Is this a dead end I'm banging my head against? Does anybody know if I can configure VLANs to use the same external IP?

If I use the linux UTM distro to initiate my connection (PPPoE) could another bridged port use the broadband connection without authenticating - seeing as the Linux distro has already done this?

It's one of these problems that would probably take all year to solve just reading up.

There are some good examples of practice in Thomson's own case studies but these use different ATM addr's; one for data and one for multicast video... I want two data ones... if that's even a design possibility.

Many many questions but I hope at least there will be some nuggets of info to be had.

Thanks in advance.

#1
August 25, 2010 at 08:43:04
Why does the wireless have to be behind the UTM box? Normally, if just open access, it would be in front of it.

Why does your config require bridging? Normally you just use NAT.

#2
August 25, 2010 at 09:18:58
Sorry, did I say my wireless was behind the UTM? No I would like the wireless in front of the UTM, completely separate from the wired network behind the UTM.

#3
August 27, 2010 at 04:52:50
Bump?
:-(

#4
August 27, 2010 at 05:24:36
At the moment I have a router in bridge mode and a linux UTM distro handling PPPoE for me and everything is going swell. My issue is I wish to use the same solution in a different environment.

Why is your router in bridge mode? What make/model of router are we speaking about?

I created two bridges no problem by telnetting into the TG585 but when trying to allocate them the same ATM entry/address (0.38 here in the UK) it throws an error assigning this ATM to bridge two, rightly it says this ATM/addr is effectively already in use.

Bridges again... two of them... why? Configured on what?

What is error 0.38? From what I see, I'd guess it's a duplicate IP error. You are aware that the same IP twice in the same subnet won't work aren't you?

Is this a dead end I'm banging my head against? Does anybody know if I can configure VLANs to use the same external IP?

If the providers in the UK are anything like they are in Canada/US you can't. I don't know about where you live, but here they don't support VLAN tagging on external links... at least, not your private internal VLAN tagging. Why do you think VLAN tagging will help you... what led you to believe that might be a resolution?

Truth be told, I have no idea what it is you're even trying to do. I don't understand why you're trying to "bridge" everything.

From the sounds of it, it almost seems to me like you're trying to make a point-to-point connection between two locations... but I'm not sure. How about you explain what it is you're trying to accomplish and then perhaps we may be able to actually help you.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***

#5
August 27, 2010 at 06:06:59
Why is your router in bridge mode? What make/model of router are we speaking about?

My router is a Thomson TG585v7. My router is in bridge mode as I want my Untangle (Linux UTM distro) box to handle Firewall and Threat Management activities.

Bridges again................two of them...........why? Configured on what?

Well, the Thomson router has to be bridged to project the external IP to the external NIC of the Untangle box. The Untangle box is in 'Router Mode'. I could put the Untangle box in Transparent bridge mode and have the Thomson router doing its router thing but I don't want to do this. This would also make the set-up a lot simpler for the Netgear wireless router I would like to have existing in front of the Untangle box as I outlined in my first post.

Two bridges... well, I have to have the Thomson router in bridge mode for the Untangle box hence why I was looking at a solution which included two bridges... The 'Multi Bridge Instances' the Thomson router provides seemed intriguing. Are you familiar with 'Multi Bridge Instances' within the same router/modem?

What is error 0.38? From what I see, I'd guess it's a duplicate IP error. You are aware that the same IP twice in the same subnet won't work aren't you?

There is no 'error 0.38'. However, "when trying to allocate them the same ATM entry/address (0.38 here in the UK)" the router tells me it can't continue because that address is already in use. 0.38 is not an IP address it's an ATM address on the connection to my ISP... is it not?

If the providers in the UK are anything like they are in Canada/US you can't. I don't know about where you live, but here they don't support VLAN tagging on external links... at least, not your private internal VLAN tagging. Why do you think VLAN tagging will help you... what led you to believe that might be a resolution?

Sorry if I wasn't clearer, I meant using VLANs on the LAN side of things.

Truth be told, I have no idea what it is you're even trying to do. I don't understand why you're trying to "bridge" everything.

Hopefully this exchange is clarifying things for everyone.

From the sounds of it, it almost seems to me like you're trying to make a point-to-point connection between two locations... but I'm not sure. How about you explain what it is you're trying to accomplish and then perhaps we may be able to actually help you.

Once I get an insight into this issue I hope to create an openVPN connection between two Untangle boxes but that's not for the moment, maybe that's why you sensed my desire to create a point-to-point connection.

I suppose a better way of going about this would have been to ask the community something like...

"How do I set up an open access wireless network as well as a wired network using the same shared internet connection. The caveat being that the router connected to the internet is acting as a modem."

I feel like you have the knowledge I seek Curt R.

#6
August 27, 2010 at 07:23:52
My router is a Thomson TG585v7. My router is in bridge mode as I want my Untangle (Linux UTM distro) box to handle Firewall and Threat Management activities.

Ok, to me this makes no sense. If the linux distro is your firewall, it should be between your router and the external connection. One interface on the linux distro would be configured with internal IP and connected to an interface on the router. The other, external and connected to your ISP. I don't see where bridge mode is required on the router since it's inside your LAN.

Perhaps it's because I'm not familiar with a linux "untangle" box or how they work but I don't get it. Is this something that is required by the untangle software? Can you not connect everything without putting the router in bridge mode?

I bring this up because it seems to me it's the bridge mode that's messing you up.

The 'Multi Bridge Instances' the Thomson router provides seemed intriguing. Are you familiar with 'Multi Bridge Instances' within the same router/modem?

Ahhh, now we get to it. The "Multi Bridge Instances" seemed intriguing to you. Fine, but if it's not required, and you're not familiar with it, don't use it. It's that simple.

I have two golden rules I apply in everything computer related.
1) If it ain't broke, don't fix it
and
2) KISS (google that if you're not familiar with the acronym)

You're breaking both rules by overcomplicating what should be a simple setup.

As to my familiarity with multi bridge instances, no I'm not. I'd wager our equipment is all fully capable of that, or something like it that may have a different name in our equipment, but since it's not something we've needed to use (as compared to "looked intriguing so I thought I'd play with it") I haven't found it necessary to research it. However, if it did become necessary (and from what I know of my environment I doubt it ever will) I would fully research it and then lab using it in a separate environment prior to ever trying to bring it into a production environment.

I suggest you first concentrate on getting your setup working without trying to use this multi bridge stuff and then, once you have everything up and running, learn it in-depth and lab it before ever trying to actually use it.

Sorry if I wasn't clearer, I meant using VLANs on the LAN side of things.

If your environment is large enough to warrant using VLANs then I highly recommend you do so. Especially if your network appliances are all VLAN capable.

If you haven't started yet with VLAN'ing, can I offer a suggestion. Keep VLAN 1 as your management VLAN and assign your subnet/VLAN in a logical fashion. By this I mean:

VLAN 1 = 192.168.1.0/24
VLAN 2 = 192.168.2.0/24
and so on

#7
August 27, 2010 at 08:43:06
Ok, to me this makes no sense. If the linux distro is your firewall, it should be between your router and the external connection. One interface on the linux distro would be configured with internal IP and connected to an interface on the router. The other, external and connected to your ISP. I don't see where bridge mode is required on the router since it's inside your LAN.

This would mean having the Linux distro in transparent bridge mode with my Thomson router being, well, a router.

Thomson router must be Modem.
Untangle Linux distro be wired LAN router and shiny protective shield of friendly people at same time... Yes?

'Untangle box has the con' as they say - in Starfleet.

If you take the wireless network out of the equation then everything is spiffy-squeak guvner.

The wireless can't go behind the Untangle box as this would involve it being in amongst my wired network and we don't like... we don't like that one bit.

So, where would you put the wireless network? If it's in front of the Untangle box then how would you go about that?

Also, on the point of VLANing... what has subnetting got to do with VLANing? I thought creating VLANs allowed you to logically order and group devices on the same network. Hmmmm...


Ahhh, now we get to it. The "Multi Bridge Instances" seemed intriguing to you. Fine, but if it's not required, and you're not familiar with it, don't use it. It's that simple.

Some may be slightly offended by the above statement but not I, sir! I feel it's just your way and, well, we all have our ways... don't we?

What do you think Curt R?

#8
August 27, 2010 at 10:54:27
So, where would you put the wireless network? If it's in front of the Untangle box then how would you go about that?

Before I say anything else, I want to reiterate I'm unfamiliar with an "untangle" box. It sounds like a linux based firewall to me. So I don't know if your multi bridge is a requirement of untangle.

I not only would, I have, put our wireless behind our firewalls. We offer an "internet only" guest type wireless LAN presently in our network that resides inside our firewalls.

Thanks to VLANs and routing we can segment it away from internal resources and only allow external (internet) access through that VLAN/Subnet.

Also, on the point of VLANing... what has subnetting got to do with VLANing? I thought creating VLANs allowed you to logically order and group devices on the same network. Hmmmm...

What you say is true, but it isn't all VLANs are good for. We use them extensively to segment our network.

It would make no sense to create say, 10 VLANs within your network, and have the same subnet on all 10 VLANs. Unless you have so small a number of clients and servers that you don't need more than say 200 IP addresses. If you do have few clients, it would provide a simple way to segment.

However, if you have need for more than 254 IP addresses within your network, you have no choice but to subnet. Why not combine subnetting with VLAN tagging?

Multiple subnets means routing. VLAN tagging is faster than routing and using VLAN tags in conjunction with your subnets also helps to relieve some of the routing load off your routers. Remember, when a router gets a packet, it has to open it, read the destination address, make changes, recombine the packet and then send it off. A router looks at the VLAN tag attached to the outside of the packet and tosses the packet in the right direction. This is much faster. So to me it makes sense to use VLANs in conjunction with subnets considering VLAN tagging reduces load on routers and improves overall network performance.

Some may be slightly offended by the above statement but not I, sir! I feel it's just your way and, well, we all have our ways... don't we?

Well I'm glad you didn't get offended. That was not my intention. I tend to be rather direct and to the point and don't waste a lot of time fancying what I'm saying up. I've often been called rude and abrupt because of it. All I can tell you is, my point was, you saw something that was new to you, and struck you as intriguing and you want to try and use it. I have no beef with that... but, as per my two golden rules, I don't believe you need it. There is a world of difference between what we need and what we want.

I'm sure you'll agree it would make more sense to get your setup working and lab the "new" technology out before trying to deploy it. I realize you had it working fine at one location before trying to bring up the second and then deploy the "new" technology to interconnect the two sites. Me, I'd have left that alone, set up an encrypted VPN tunnel, got the two sites communicating and then I'd have hit the lab with a router or two and figured out if this was viable or not. And, if viable, then I would ask myself, "Is it necessary?"

Personally, I hate trying to reinvent the wheel. If I have a setup that's reasonably simple (ie: not complex) that means it's easier to maintain and troubleshoot. The more bells and whistles you put on something, the more things you have that can go wrong and when something does (and something always does go wrong....right....lol) it's that much more to have to wade through to find the problem and resolve it.

#9
August 27, 2010 at 12:03:04
That was a great post and enlightening too, thanks.
I'm still finding my feet with a lot of this stuff but I'm enjoying getting practical experience instead of all the theory.

Yeah, I think you're absolutely right about the simple/complex thing. It all stems from my 'wireless in the LAN' paranoia. I gather from your post that successful management of wireless clients within the LAN is the way forward.

So, what to do? Allow my 2008r2 box to dish out IPs through a WAP? You'll understand this makes me a little queasy... probably because my kung-fu is not the best.

What would you say are the main considerations when allowing wireless on your LAN bearing in mind that clients using wireless devices over the internet connection are completely separate from the organization that operates the LAN.

Once again, thanks for that last post.

BTW, Untangle is essentially like a poor man's Forefront TMG. Firewall, antivirus, filter, etc. It's quite impressive though.

#10
August 27, 2010 at 14:27:48
I gather from your post that successful management of wireless clients within the LAN is the way forward.

Well, we got it working certainly. I can't take all the credit as our security guy who takes care of our firewalls did most of the harder work. Just remember to take your time and lab and test thoroughly before going production.

So, what to do? Allow my 2008r2 box to dish out IPs through a WAP? You'll understand this makes me a little queasy... probably because my kung-fu is not the best.

Well, alternatively you could try something like a SOHO Router which is on a completely separate subnet. Your router sends all requests from that SOHO Router out to the internet without allowing any internal access. I think you could probably most easily achieve segmentation that way.

The route inside the SOHO router would point at your main router and from there, outside. You could then plug a couple of access points into the LAN ports on the router in order to ensure all wireless clients only got DHCP from the separate wireless network. Put it on its own VLAN and the only port assigned that VLAN on the big switch would be the one the SOHO Router plugs into. You would of course have to have that VLAN configured on your main router and uplinks as well.

What would you say are the main considerations when allowing wireless on your LAN bearing in mind that clients using wireless devices over the internet connection are completely separate from the organization that operates the LAN.

To me personally, it's keeping them out of the internal network.

Our present wireless network here where I work is running on SOHO level equipment at present. It was a quick solution to a growing demand for a wireless network. It's not at all how I'd have preferred to do it at the outset but then I'm a grunt and get paid to do what I'm told... lol.

As I said previously, we'll be implementing our "enterprise wireless" project in the next year or so. This will involve enterprise level equipment and the ability to run both a "guest" type internet access only WLAN and an internal (heavily) secured WLAN out of the same AP's. The equipment is costly (of course) and there's a learning curve on maintaining it. I've already begun researching some of the different equipment available just to get a head start on the project and (hopefully) have some worthwhile input when called upon for my opinion.

Once again, thanks for that last post.

My pleasure. I like to help (and I hope I have) and I feel knowledge is something to be shared, not hoarded.


BTW, Untangle is essentially like a poor man's Forefront TMG. Firewall, antivirus, filter, etc. It's quite impressive though.

I suspected as much. We actually use OpenBSD and its "pf" filter for our firewalls/routers (on nice teamed, dual redundant servers). I suspect your Untangle is a whole lot more "user friendly" LOL

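To make the segmentation discussed in #8 and #10 concrete (guest WLAN on its own VLAN and subnet, internet-only, with no path into the wired LAN), here is an added pf.conf fragment in the style of the OpenBSD pf filter mentioned in #10. It is example code written for this page, not anything from the thread, from Untangle or from the poster's own firewalls; the interface names (pppoe0, vlan1, vlan2) and the 192.168.1.0/24 and 192.168.2.0/24 subnets follow the "VLAN N = 192.168.N.0/24" plan suggested in #6 and are assumptions.

```pf
# Added example pf.conf (constructed; interface names and subnets are assumptions).
# Assumed: pppoe0 is the PPPoE uplink, vlan1 the wired LAN, vlan2 the guest WLAN,
# and this box is the default gateway and DHCP/DNS server for both VLANs.
ext_if    = "pppoe0"
lan_if    = "vlan1"
guest_if  = "vlan2"
lan_net   = "192.168.1.0/24"
guest_net = "192.168.2.0/24"

# All private address space: guest clients get the internet and nothing else.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo

# Hide both subnets behind the single public address on the PPPoE link.
match out on $ext_if inet from { $lan_net, $guest_net } to any nat-to ($ext_if)

# Default deny (logged), then open only what each segment needs.
block log all

# Wired LAN: full access out; replies ride the state created here.
pass in on $lan_if inet from $lan_net to any
pass out on $ext_if inet

# Guest WLAN, step 1: DHCP (client source is still 0.0.0.0, so "from any")
# and DNS, both served by this gateway only. "quick" so the block below
# cannot override them, since the gateway address is itself RFC 1918 space.
pass in quick on $guest_if inet proto udp from any to any port 67
pass in quick on $guest_if inet proto { tcp, udp } from $guest_net to ($guest_if) port 53

# Guest WLAN, step 2: hard stop on anything private (wired LAN, other VLANs,
# the gateway's other interfaces). Logged so attempts are visible.
block in log quick on $guest_if inet from $guest_net to <rfc1918>

# Guest WLAN, step 3: whatever is left is public address space, so allow it.
pass in on $guest_if inet from $guest_net to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the box must also have `net.inet.ip.forwarding=1` set for traffic to be routed between the VLANs and the uplink at all.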