Bridging network cards
Bridging network cards effectively turns the NetManager into a (rather expensive!) network switch. Multiple network cards can join a bridge and, in general, no more than one of them will have an IP address associated with it.
Traffic received on one network card will get forwarded onto the other network cards in the bridge, though the bridge will learn where individual machines are located and not forward on unnecessary traffic, e.g. if a bridge is made up of 4 interfaces, with machine A connected to interface 1 and machine B connected to interface 2, then traffic between A and B will not be forwarded onto interfaces 3 and 4.
The advantage of using the Netmanager to bridge rather than just connecting machines into a switch is that it can provide Firewalling on the bridge (as well as do traffic monitoring). So you could have two physical networks separated by the NetManager with the same IP address range, but block some traffic from one to the other. This is most frequently used when a private network range has been assigned by an ISP and this has been configured on all internal machines (which you are unwilling to change). Firewalling bridging would allow you to:
- Protect your internal machines from external access. Examples from the real world include:
- A rather daft LEA in which all schools were on the same IP address range, thus computers at one school could print to printers at another school and it would barely traceable.
- Virus infection at an LEA spreading to all attached schools except those with NetManager installed
- Control outbound access from internal machines. Examples include:
- Force all users to go via the NetManager web-proxy so that you can make your filtering mandatory.
- Block outbound POP3 or sending spam from infected machines.
If you are free to choose your own internal network range, then using NAT is usually preferable.
Bridging can be set up from the Console Menu by going to option N (Network Configuration) and then option B (Configure bridged networking). Generally, you will configure your network without any bridging to begin with. You can then create a bridge between your internal network card and another one. The connection to the router can then be moved from being connected into the main internal network to the second network card in the NetManager (this is usually a 1-wire change).
When firewalling is enabled on a bridge, it is important not to mix up the interfaces. The interface with an IP address configured is your usual internal network. When the firewall is in its default security mode, external traffic will not be allowed into the network from other members of the bridge.
Configuration detailsIn the simplest case, you may connect interface1 to another (say, interface0) by setting
interface0in the NetManager configuration file. You may have multiple interfaces set up like this. For example, the following example will have 3 members in a bridge with an IP address as usual on xennet0:
iface_xennet0_ip="192.168.1.1" iface_xennet0_sm="255.255.255.0" iface_xennet1_type="bridge" iface_xennet1_bridge="xennet0" iface_xennet2_type="bridge" iface_xennet2_bridge="xennet0"
You may also set up a bridge containing just a single interface by leaving the
_bridge setting empty. This is useful for virtualisation traffic or layer 2 VPNs if you don't want to share your main interface with their traffic (to get more throughput). For example, the following will create a bridge containing only xennet1:
If you don't have an unused interface, but still want to create a bridge connected to an existing interface, then the above method cannot be used (as you have no spare interfaces to set to type
bridge). In this situation, set
true. For example, the following will set an IP address of 192.168.1.1/255.255.255.0 on xennet0 and also create a bridge linked to this interface ready for VPN traffic to connect to:
iface_xennet0_ip="192.168.1.1" iface_xennet0_sm="255.255.255.0" iface_xennet0_bridge="true"
iface_xennet0_type should be left empty or set to
After changing these settings, you may run the server build script to make them live.