I'm trying to enable my virtual mwg to transparent router mode but it's not work as well.
I've used the MWG ip 172.30.x.x as the wireless computer default gateway and the other MWG interface to communicate with the iinternet. I see the packets coming to MWG but nothing happens.
I can't access the internet. I have the route to traffic coming back but still doesn't work. Anyone has idea what is wrong ?
Solved! Go to Solution.
I think this is hard to answer as there is not too much information you have provided.
The major question is if the routing is setup correctly and/or if it is a problem with MWG (the filtering part) itself. Do you have already the port redirections configured? They are responsible for telling MWG which ports to "intercept" and "inspect". All other traffic will simply be routed.
If you try browsing without port redirects enabled, is that working? You may want to make a packet capture on MWG and verify that the client is able to do a DNS lookup properly, send a request to MWG, MWG passes the data to the next hop and returned data is played back to the client. The issue might be related to routing or firewall issues or maybe there is a NAT taking place somewhere and MWG does not know how to return the packets.
I think more information is required in order to troubleshoot the problem.
Hi Andre, thanks for your reply.
The MWG virtual is configured with Transparente Router using port redirects to intercept port 80 and 443.
When I try to access a website it I see the DNS resolution query come to MWG virtual but it can't resolve the name. I try to perform a ping to external website and it doesn't work. I tried to access a website using his IP address and it doesn't work through the MWG virtual.
If I use the same MWG virtual configured the IP address in my browser, I can access the website perfectly.
The customer topology is similary: <user network>---<mwg virtual as transparent router>----<switch core>----<firewall>
The own MWG machine can access the internet but not an user that try access the internet through the MWGvirtual.
that sounds like a routing issue. You should check at the next layer 3 device after MWG (most likely the firewall) what happens here.
Assuming we have an environment like this:
Client (192.168.0.100) --> MWG eth0 (192.168.0.1, Default GW for clients) - MWG eth1 (172.16.100.100) --> Firewall (172.16.100.1, Default GW for MWG) --> Internet
If you explicitly configure MWG as your proxy on the client the clients won't have any trouble talking to MWG. MWG will talk from 172.16.100.100 (the interface connected to its Default GW (the Firewall)) to get out to the Internet. The firewall sees packets from a direct neighbour and will reply data back to MWG - All good.
In transparent mode MWG receives a packet from the client 192.168.0.100. It is routed to eth0 and leaves on eth1. Now on the firewall there is a packet from source IP 192.168.0.100. MWG does not perform Address Translation or anything but will simply route the packets. In such an environment you will need to manually teach the firewall that all packets from 192.168.0.x/24 need to be routed back to MWGs leg that the firewall is connected to (172.16.100.100). Once the firewall forwards the packet back to MWG the subnet (192.168.0.x) is known to MWG and the data can get back to the client.
So start a packet capture on the firewall and see what the source IP address is, for example when you ping from the client you should see ICMP requests coming in to the firewall. Make sure the firewall knows the source IP address and knows where to route those packets.
As mentioned this is only one option, there might be another issue but I have seen this scenario a couple of times in the past.
However i tried this commands below with the MWG:
# modprobe iptable_nat
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE #
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
After that I have access. I think I have an topology problem and I'll try to make the connection direct with MWG and Firewall and try to abstrate the CORE in the topology. I think the problem is the switch CORE.
I expect to update this thread soon. Thanks for your support.
IP forwarding should be activated when you turn on "Transparent Router" mode. There should not be any need to manually enable IP forwarding, however it is - of course - required. Maybe a reboot was missing which should ensure IP forwarding is turned on. Apart from that you enabled MWG to NAT outgoing packets which should eliminate the problem I indicated in my previous post.
I am happy to see that - in theory - the transparent mode seems to work as expected. Now you just need to see where the gap is.
In case you need any further assistance please let me know.