5 Replies Latest reply on Nov 2, 2015 9:41 AM by twisted_pony

    eth0 and eth1 and DG question:-)

    twisted_pony

      Hi all,

       

      Am a little confused and any help greatly appreciated!

       

      I have a virtual MWG in Proxy mode with two NICS both on the same IP range and VLAN.

       

      eth 0: 192.168.1.10

      eth 1: 192.168.1.11

       

      with a DG of 192.168.1.1

       

      I want to have all inbound proxy traffic come into eth0 and if allowed exit  (to another next hop proxy). via eth1

       

      So..I have set the proxy listener to be bound to eth0 only on port 8080.

       

      When I connect via a browser (192.168.1.5)  to eth0 192.168.1.10:8080 I get passed to the next hop proxy as expected, BUT the traffic leaves the MWG from eth 0 (192.168.1.10), not eth 1 (192.168.1.11) as expected..to the next hop proxy..

       

      Is it possible to achieve what I want with this config or have I missed something?..i.e. force all traffic leaving to the next hop proxy to use eth1.

      Does eth0 have to be the interface used for a next hop proxy (internet facing)?

       

      Thanks.

        • 1. Re: eth0 and eth1 and DG question:-)

          I don't know if this will work on Next-Hop traffic, but you can try. It definately works on the routed traffic.

          Try using the Enable outbound Source IP Override event:

           

          Capture1.png

           

          You can also just switch the IP addresses on eth0 and eth1. It will go out the lowest numbered NIC (eth0) by default.

          • 2. Re: eth0 and eth1 and DG question:-)
            twisted_pony

            Thanks Eric...thought that was going to be the case, so have swapped IP's over on  the NIC's....works as expected.

             

            Thanks again:-)

            • 3. Re: eth0 and eth1 and DG question:-)
              Troja

              MWG is just a awesome product! :-)

              • 4. Re: eth0 and eth1 and DG question:-)
                trishoar

                I don't think this will work 100% the way you expect it to. By default the Linux kernel (MWG is based on a customised Linux distribution) can respond to ARP requests on any network interface. So, if you have IP 192.168.0.2 on eth0 and 192.168.0.2 on eth1 and the router ARP's for 192.168.0.2 eth0 can and likely will respond. This means that traffic for 192.168.0.2 will flow through eth0 and not eth1 as you might expect.

                You can change this behaviour, though I'm not sure if McAfee support this or not. (you can find a bit more info here: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt and search for arp_filter  on that page)

                An alternative way of doing it is to connect each network interface to a different network. In MWG, you would have eth0 on, for example, 192.168.0.1/24 and eth1 on 192.168.1.1/24 you then configure static routing for to cover your internal networks and have them route out eth0 and then set a default route for eth1 which will route all traffic to the internet.

                In your case, as you are chaining to an upstream proxy, you might want to have a static route for eth1 sending all traffic to the upstream proxy that way and a default on eth0.

                 

                Either way, if you need to ensure 1 interface is ingress and 1 is egress for traffic accountancy then you might want to look into this a bit more.

                 

                Tris

                • 5. Re: eth0 and eth1 and DG question:-)
                  twisted_pony

                  Thanks for the response, but as per Eric's suggestion and my response my configuration now works.

                  eth0 is now outbound for all traffic, and eth1 is inbound.

                  Thanks again.