Mailing List Archive

ntopng bridge on nat gateway with vlans
Dear community,

I have a NAT gateway with iptables that is acting as main gateway for all workstations. Ntopng is working fine, but now I would like to use inline traffic policing. Therefore I need a bridge.

Currently I have eth0 (WAN, untagged), eth1.1 (workstations), eth1.2 (phones), eth1.3 (servers).

Now I would like to change the eth1 devices to br0 devices for each VLAN. This is working in another setup. Then I would have br0.1, br0.2, br0.3.

But how to attach ntopng then for the bridge mode? Is it possible? Or do I have to provide a separate machine?

Kind regards,
Thomas
Re: ntopng bridge on nat gateway with vlans [ In reply to ]
Hi Thomas,
To the best of my knowledge, packets still have to pass on eth0, so attach
it there.
I don't use NTOP with a setup like yours, but you might have to account for
the VLAN tagging in NTOP config... maybe.

=Marco

Re: ntopng bridge on nat gateway with vlans [ In reply to ]
Hi Marco,

thank you for the answer.

Let's try to make an easy test case. How about this:
eth0 WAN (external IP)
eth1 LAN (192.168.x.x)

LAN gets NATed to WAN. So I cannot build a bridge between eth0 and eth1. So where to attach the bridge?

Maybe:
eth0: remove external IP
create br0 without attached interfaces
br0: add external IP
Start ntop to use bridge br0 and a parameter to attach eth0:
ntopng -i bridge:br0,eth0
Then rewrite the firewall to NAT out over br0 instead of eth0.

Can this work? Or do I need at least one attached interface at the existing bridge and then let ntopng attach a second interface?

Regards, Thomas
Re: ntopng bridge on nat gateway with vlans [ In reply to ]
Thomas,
Sorry, I misunderstood your question. I thought you wanted to do policing
with Linux, and just use NTOP as usual.
Reading more carefully, I see you meant to use NTOPNG inline policing, right? If so,
I will let our good friends from NTOP chime in, as this involves bridging
with PF_RING in userspace... don't know how this will work with VLANs...

=Marco


Re: ntopng bridge on nat gateway with vlans [ In reply to ]
Hi,

yes, I would like to do the NTOPNG inline policing. And I don't know where to insert the bridge, because LAN is NATed to WAN.

VLANs can come later. In my first test case I can simulate it without VLANs, because eth0 has no VLAN.

Would be nice to hear from someone who managed it on one machine. I would like to avoid attaching a second physical machine into the line.

Regards, Thomas
Re: ntopng bridge on nat gateway with vlans [ In reply to ]
Dear Thomas,



On Tue, May 30, 2017 at 3:22 PM, <thomasmeier1976@gmx.de> wrote:

> Hi Marco,
>
> thank you for the answer.
>
> Let's try to make an easy testcase. How about this:
> eth0 wan (external ip)
> eth1 lan (192.168.x.x)
>
> lan gets NATed to wan.
>

We support bridging in routing mode. A tap will do the trick. Assuming you
want the box to NAT eth1 clients on eth0, you can do the following:

* tap setup:
tunctl -t tap0
ifconfig tap0 <TAP ip address in the same subnet of clients > netmask <the
ifconfig tap0 up

* nat setup:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface tap0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward


* ntopng startup (interface order matters here):
ntopng -i bridge:tap0,eth1

Also see the readme:
https://github.com/ntop/ntopng/blob/dev/doc/README.inline


> So i cannot build a bridge between eth0 and eth1.
> So where to attach the bridge?
>
> Maybe:
> eth0 remove external ip
> create br0 without attached interfaces
> br0 add external ip
> Start ntop to use bridge br0 and parameter to attach eth0
> ntopng -i bridge:br0,eth0
> Then rewrite the firewall to NAT out over br0 instead of eth0
>
> Can this work? Or do I need at least one attached interface at the
> existing bridge and then let ntopng attach a second interface?
>
> regards, Thomas
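Added example, not code from the thread or from the ntop project: the three steps in the reply above (tap, NAT, ntopng startup) wrapped in one POSIX shell script. It assumes a Linux box with iproute2 and iptables, so `ip tuntap` / `ip addr` / `ip link` and `sysctl -w` stand in for the `tunctl`, `ifconfig` and `/proc` writes in the reply; the interface names (eth0, eth1, tap0) and the tap address are parameters and the values in the usage line are made up. The script validates the interface names and the tap address before they are substituted into iptables rules and passed to `eval`, keeps the reply's interface order on the `ntopng -i bridge:` argument, and only executes anything when `DRY_RUN=0` and it runs as root. Note that the FORWARD rule is the one from the reply and accepts everything arriving on the tap; a production box would narrow it.

```shell
#!/bin/sh
# Added example (not from the ntop project or this thread): ntopng inline
# bridge on a NAT gateway, built from the reply's three steps.
# Assumptions: Linux, iproute2, iptables; arguments WAN LAN TAP TAP_ADDR/PREFIX.
set -e

# Reject anything that is not a plausible Linux interface name (at most 15
# chars, only [A-Za-z0-9_.:-]) so a bad argument cannot land in an iptables
# rule or in the eval below.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Accept only a dotted-quad IPv4 address with a /prefix, e.g. 192.168.1.254/24.
valid_cidr4() {
    local ip=${1%/*} pfx=${1#*/} o
    [ "$ip" != "$1" ] || return 1                 # no "/" present
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -ge 0 ] && [ "$pfx" -le 32 ] || return 1
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print, in order, the commands that build the setup: tap, NAT, ntopng.
# Argument order follows the reply: WAN LAN TAP TAP_ADDR/PREFIX.
plan_inline_nat() {
    local wan=$1 lan=$2 tap=$3 tapaddr=$4
    valid_ifname "$wan" && valid_ifname "$lan" && valid_ifname "$tap" || return 1
    valid_cidr4 "$tapaddr" || return 1
    # The three interfaces must be distinct, otherwise the bridge loops.
    [ "$wan" != "$lan" ] && [ "$lan" != "$tap" ] && [ "$wan" != "$tap" ] || return 1
    cat <<EOF
ip tuntap add dev $tap mode tap
ip addr add $tapaddr dev $tap
ip link set $tap up
iptables --table nat --append POSTROUTING --out-interface $wan -j MASQUERADE
iptables --append FORWARD --in-interface $tap -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
ntopng -i bridge:$tap,$lan
EOF
}

# Apply the plan. Default is a dry run that only prints the commands;
# DRY_RUN=0 executes them and therefore requires root.
apply_plan() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        plan_inline_nat "$@"
        return
    fi
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    plan_inline_nat "$@" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        eval "$cmd"   # every line was built from validated names only
    done
}

# Usage (dry run, hypothetical values): ./inline-nat.sh eth0 eth1 tap0 192.168.1.254/24
if [ $# -ge 4 ]; then
    apply_plan "$@"
fi
```

Run it once without `DRY_RUN=0` and compare the printed lines with the reply; the last line is the `ntopng -i bridge:tap0,eth1` start, with the tap first and the LAN interface second, as the reply says the order matters.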