889 Views 1 Reply Latest reply: Feb 6, 2013 2:02 AM by asabban RSS
ericklans Apprentice 54 posts since
Nov 17, 2011

Feb 6, 2013 12:18 AM

How I can test Transparent Bridge or Router mode?

Hello all!

 

Please tell me: can I deploy MWG in Bridge or Router mode in the following network scheme?

 

    Internet <--->D-Link router <-----> MWG <-----> Laptop

 

Or can I only use MWG between 2 switches?

 

If I can use this scheme, please provide me an example (with IPs) of how to deploy it in 1) Bridge and 2) Router modes.

 

 

Thanx,

 

Erick Lans

  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009

    Hello,

     

    In the mentioned network scheme I think transparent bridge would be a better choice. It is hard to provide examples with IP addresses because you are the person owning and knowing the network. I will try to provide some hints, but I strongly recommend reading chapter 7 of the product guide. Chapter 7 shows all the proxy modes and step-by-step instructions on how to configure MWG to support the transparent modes. The transparent modes (especially transparent router) require some knowledge about networking in general and knowledge of your network in order to find the exact place for MWG in the chain. This information cannot be provided by our documentation, since there are way too many potential scenarios.

     

    If finding the right setup and the right place for MWG within your network is a problem, I strongly recommend getting some assistance from McAfee (Professional Services), since they can examine your exact requirements and environment and tell you exactly what needs to be done step by step.

     

    Assuming we have a very simple network without MWG:

     

    Internet <--> Router <--> Laptop

     

    Now I assign some IP addresses:

     

    Internet <--> Router (192.168.0.1) <--> Laptop (192.168.0.100)

     

    The Laptop should have a network configuration as follows:

     

    IP 192.168.0.100

    Mask 255.255.255.0

    GW 192.168.0.1

    DNS 192.168.0.1

     

    Now for a very rudimentary transparent bridge environment I would remove the cable between Router and Laptop. On MWG we usually use eth0 and eth1 (two network interfaces) for the bridge. The bridge basically means that all packets which go in on eth0 fall out again on eth1 and vice versa, so basically MWG acts like a cable when the bridge is configured.

     

    So I plug the Router into one NIC (eth1 for example) of MWG and my Laptop into the other NIC (eth0):

     

    Internet <--> Router (192.168.0.1) <--> eth1 - MWG - eth0 <--> Laptop (192.168.0.100)

     

    When the bridge is running there is nothing you need to change on MWG. From your laptop you should be able to talk to the Router, for example by pinging it. The laptop will send all data to MWG on eth0, the bridge will put the packets to eth1, the packets leave on eth1 and go straight to the router. No changes to IP addresses required at all.

     

    To set up the bridge you will find exact instructions in the product guide, chapter 7. In the above scheme MWG does not have an IP address, to keep the scheme from being too confusing, but certainly MWG requires an IP address. When setting up the bridge you basically put two interfaces (eth0 and eth1) into a single "bridge" device called ibr0 (or br0, can't remember - this is mentioned in the guide as well). This virtual interface can have an IP address. We assign an IP address from our network to this, such as 192.168.0.2.

     

    Internet <--> Router (192.168.0.1) <--> eth1 - MWG - eth0 <--> Laptop (192.168.0.100)
                                             |            |
                                             |__ ibr0 ____|
                                             (192.168.0.2)

     

    After this has been done the Laptop should be able to access the internet. You will notice that MWG is not filtering. Without further configuration the bridge will simply forward everything. In the proxy section of the configuration you will find a "port redirect" area. Here you configure the ports MWG will intercept, most likely 80 and 443. When there is a packet going into the bridge which goes to one of the intercepted ports MWG will not forward it directly but pick it up and put it into the proxy process listening on port 9090.

     

    I hope this gives some understanding of how the transparent bridge mode is supposed to work.

     

    In transparent router mode you have to take care of the routing and probably make some changes to your network. A possible setup would be:

     

    Internet <--> Router (10.0.0.1) <--> eth1 (10.0.0.2, GW 10.0.0.1) - MWG - eth0 (192.168.0.1) <--> Laptop (192.168.0.100, GW 192.168.0.1)

     

    In this scenario MWG will become the default Gateway for your client Laptop. You have to ensure that packets are correctly routed and probably masqueraded. This can become a little tricky.

     

    An alternative scenario could be:

     

    Internet <--> eth1 - MWG - eth0 (10.0.0.1) <--> (10.0.0.2) Router (192.168.0.1) <--> Laptop (192.168.0.100)

     

    (assuming that "Internet" contains at least a firewall... do not put MWG to the internet unprotected!)

     

    The principal idea is the same. All packets sent from Laptop to Internet basically pass MWG. It will forward (route) all traffic without modification unless it sees a packet which has a port redirect configured (usually 80 and 443). In this case the traffic is intercepted and put into the proxy process.

     

    Best,

    Andre
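
The addressing rules in the reply above can be checked before any cable is moved. The following is an added example, not part of the original thread and not McAfee code: it validates a planned bridge or router layout and models the port-redirect decision. The function names are hypothetical, and the /24 prefix on the 10.0.0.x network is an assumption (the thread only gives a mask for 192.168.0.x).

```python
import ipaddress

PROXY_PORT = 9090            # proxy listener port named in the reply
REDIRECT_PORTS = {80, 443}   # ports the reply says are usually intercepted

def on_link(ip, iface):
    """True if ip lies inside the subnet of iface ('address/prefix')."""
    return ipaddress.ip_address(ip) in ipaddress.ip_interface(iface).network

def check_bridge(bridge_if, router_ip, client_ip, client_gw):
    """Bridge mode: one flat subnet; the client keeps the router as gateway."""
    problems = []
    for name, ip in (("router", router_ip), ("client", client_ip)):
        if not on_link(ip, bridge_if):
            problems.append(f"{name} {ip} is outside bridge subnet")
    if client_gw != router_ip:
        problems.append("client gateway must stay the router in bridge mode")
    if str(ipaddress.ip_interface(bridge_if).ip) in (router_ip, client_ip):
        problems.append("bridge IP collides with another host")
    return problems

def check_router(inside_if, outside_if, upstream_gw, client_ip, client_gw):
    """Router mode: two subnets; MWG's inside address is the client gateway."""
    problems = []
    inside = ipaddress.ip_interface(inside_if)
    outside = ipaddress.ip_interface(outside_if)
    if inside.network.overlaps(outside.network):
        problems.append("inside and outside subnets overlap")
    if not on_link(upstream_gw, outside_if):
        problems.append("upstream gateway is not on the outside subnet")
    if not on_link(client_ip, inside_if):
        problems.append("client is not on the inside subnet")
    if client_gw != str(inside.ip):
        problems.append("client gateway must be MWG's inside address")
    return problems

def handling(dst_port, redirect_ports=REDIRECT_PORTS):
    """Both modes: redirected ports go to the proxy, the rest is passed on."""
    return f"proxy:{PROXY_PORT}" if dst_port in redirect_ports else "forward"

if __name__ == "__main__":
    # Addresses taken from the reply; the 10.0.0.x prefix length is assumed.
    print(check_bridge("192.168.0.2/24", "192.168.0.1",
                       "192.168.0.100", "192.168.0.1"))
    print(check_router("192.168.0.1/24", "10.0.0.2/24", "10.0.0.1",
                       "192.168.0.100", "192.168.0.1"))
    print(handling(443), handling(22))
```

An empty list means the plan is consistent with the rules described in the reply; it says nothing about masquerading or upstream firewall rules, which still have to be handled separately.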
