
Re: Re: configure transparent router mode

Hello Andre,

Thanks for the help with this case.

I'm very confused.

I figured exactly what you commented.

MWG eth0/eth1 not forwarding.

The default gateway is perfectly configured, "172.29.0.1", and a ping to the interface eth0 gets a response normally; a ping to the interface eth1 gets no response.

Actually, this is what happens: logged in to the MWG by SSH, I execute a ping between the interfaces and get no responses.

Ping 172.30.8.4 ----> 172.29.0.117 or ping 172.29.0.117 not responding


"- the default GW of MWG

- the value of "cat /proc/sys/net/ipv4/ip_forward" (execute via SSH on appliance)"


172.29.0.1

The file value is 0 (zero)


I imagined it could even be a bug in the version, or a problem with MWG on VMware; however, in my tests on another version or on physical appliances the problem persists. What appears is that forwarding is not enabled. In all tests the file "/proc/sys/net/ipv4/ip_forward" = 0 (zero).


With manual intervention it works.

"
# modprobe iptable_nat
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
"


asabban2
Level 17
Message 12 of 16

Re: configure transparent router mode

Hello,

okay, having IP forward enabled of course is vital for a router. Since it is set to 0 on your MWG I assume there is probably a problem with your configuration.

Please note that IP forward is enabled when you make a cluster member a "director", by increasing the director priority to > 0.

Can you verify that this is done in your configuration? I am not really sure if you need to set up a virtual IP, but certainly you have to make one node a director in order to use Transparent Router mode. The ip_forward stays 0 if a node is not a director.

Note: In case you manually added some iptables rules, I recommend rebooting to wipe out all the manual changes, as it should work without manual intervention.

Best,

Andre
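
The check described in the reply above, as an added example that is not part of the original thread and not McAfee code: a read-only script for the appliance shell that reports the ip_forward value and whether the two hand-added NAT rules from the earlier post are still loaded after the reboot. It assumes `iptables -t nat -S` is available as root and that the appliance's own configuration does not create rules identical to those two; the function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not McAfee code): read-only check to run as root on the
# appliance after the reboot. It changes nothing on the system.

# Print enabled/disabled/unknown for an ip_forward file; status 0 only if enabled.
forwarding_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo unknown; return 2; }
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo enabled ;;
        0) echo disabled; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# Filter `iptables -t nat -S` output (stdin) down to the two hand-added rules
# from the thread: MASQUERADE out of eth1 and REDIRECT of eth0 port 80 to 8080.
manual_nat_rules() {
    grep -E -- '^-A (POSTROUTING .*-o eth1 .*-j MASQUERADE|PREROUTING .*-i eth0 .*--dport 80 .*-j REDIRECT .*--to-ports 8080)' || true
}

# Constructed sample of `iptables -t nat -S` output, for trying the filter offline.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE'

# Live report: succeeds only if forwarding is on and no hand-added rule remains.
report() {
    state=$(forwarding_state) || true
    echo "ip_forward: $state"
    leftovers=$(iptables -t nat -S 2>/dev/null | manual_nat_rules)
    if [ -n "$leftovers" ]; then
        echo "hand-added NAT rules still loaded:"
        echo "$leftovers"
    fi
    [ "$state" = enabled ] && [ -z "$leftovers" ]
}

# Run against the live system only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then report; fi
```

A result of "enabled" with no leftover rules means forwarding comes from the appliance configuration and not from the manual commands.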

Re: configure transparent router mode

Thank you for the reply, Andre,

What you said makes perfect sense.

In this specific case we have only one box; I imagined it was not necessary, since we have only one appliance without redundancy.

I will do the tests in the environment later and post here what happened.

asabban2
Level 17
Message 14 of 16

Re: configure transparent router mode

Hello,

please note that this is most likely not the final solution... it is just the first step on moving forward 🙂 If it doesn't work, please capture some more packet captures as you did earlier and attach them.

Best,

Andre


Re: configure transparent router mode

Hello,

Thank God, this was the final step to solving the problem:-)

Here is a tip for anyone who wants to use the Transparent Router mode: even if there is no more than one MWG in the structure, you should set the director priority to > 0 so that it does the forwarding.

I emphasize also that the ping between interfaces does not work, but customers are browsing and applying the rules normally.

Andre, thank you very much for your help!!!

Case closed, thanks to your help.

asabban2
Level 17
Message 16 of 16

Re: configure transparent router mode

Hello,

cool, thank you for letting us know. Unfortunately the setup is not always trivial or obvious... and on top sometimes it is not even documented, but we continue improving product and documentation. I will review the documentation and see if there is such a note, if not I will ask to have this note added.

A KB article also may make sense but whatever we document someone else will definitely run into this or a similar trap - that's why we try to help here 🙂

Best,

Andre
