Bridge mode and tagged traffic

Srdjan_B — Fri, 27 Jan 2023 14:23:34 GMT

Hello all,

There is a regular L3 HA cluster (having internal, external and sync interfaces). It is not VSX.

There is a need to use this same cluster to do some L2 bridging. Firewall will not do any routing for L2 IP address scopes (that may change at some point, but it is not the issue here).

Lab topology for testing the scenario is displayed on drawing. When all switch ports are configured as access mode for vlan 100, two PCs can ping each other, bridging works OK. Policy allows any service from 10.10.100.0/24 to 10.10.100.0/24.

When I change switchports connecting firewalls to trunk (tagged vlans), firewall is not passing traffic anymore.

When PC 101 is trying to ping PC 102 traffic arrive on interface eth5, it is clear that traffic is tagged by vlan id 100, but nothing is seen on eth6:

[Expert@gw_dc1:0]# tcpdump -enni eth5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
14:35:17.171156 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:18.195079 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:19.219390 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:20.243128 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:21.267126 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
[Expert@gw_dc1:0]# tcpdump -enni eth6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth6, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[Expert@gw_dc1:0]#

Firewalls are configured to use "Check Point ClusterXL for Bridge Active/Standby" to avoid loop. The above test was also done with FW2 shut down, to make sure all traffic is passing only via FW1. Gaia configuration:

gw_dc1> show configuration bridging
add bridging group 1000
add bridging group 1000 interface eth5
add bridging group 1000 interface eth6

gw_dc1> show configuration interface
set interface br1000 state on
set interface eth0 state on
set interface eth0 auto-negotiation on
set interface eth0 ipv4-address 192.168.2.236 mask-length 24
set interface eth1 link-speed 1000M/full
set interface eth1 state on
set interface eth1 ipv4-address 10.200.200.2 mask-length 24
set interface eth2 link-speed 1000M/full
set interface eth2 state on
set interface eth2 ipv4-address 10.255.254.1 mask-length 30
set interface eth3 state off
set interface eth4 state off
set interface eth5 state on
set interface eth6 state on
set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8

Bridge interface is not part of topology in Smart Console. Tested this with R80.40 and also R81 JHF take 65. Tried it with single firewall (not part of cluster) and ClusterXL described above.

I am out of ideas. According to documentation, this is supported scenario but it is not working for some reason 😞

If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.

To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces

Thank you

Re: Bridge mode and tagged traffic

PhoneBoy — Mon, 30 Jan 2023 05:48:29 GMT

Is the gateway seeing the same traffic twice?
Double inspection is...not supported.

Re: Bridge mode and tagged traffic

Srdjan_B — Mon, 30 Jan 2023 06:47:20 GMT

No, not really. Also, when tagging on switches is off, everything works as expected.

Re: Bridge mode and tagged traffic

G_W_Albrecht — Mon, 30 Jan 2023 08:59:09 GMT

Did you contact TAC yet ?

Re: Bridge mode and tagged traffic

Srdjan_B — Mon, 30 Jan 2023 09:21:02 GMT

I did not contact TAC, this is lab environment with eval licenses and no support. When we do it on production boxes, it will have to work from day 1, so I am trying to verify the configuration and steps upfront.

Thank you.

Re: Bridge mode and tagged traffic

G_W_Albrecht — Mon, 30 Jan 2023 09:29:19 GMT

As long as this is for a customer with valid support you only need his UC Account# - this is a common scenario...

Re: Bridge mode and tagged traffic

Ruan_Kotze — Wed, 24 May 2023 08:36:56 GMT

Hi @Srdjan_B - did you manage to get this scenario working in the end. I'm building out a similiar solution now.

Re: Bridge mode and tagged traffic

Srdjan_B — Wed, 24 May 2023 08:55:58 GMT

Hello @Ruan_Kotze . Customer decided to accept alternative design, without firewall in bridge mode, so further testing was abandoned.

Re: Bridge mode and tagged traffic

AkosBakos — Wed, 24 May 2023 09:10:00 GMT

Hi Ruan_Kotze,

Try the followings:

When the traffic does not pass the bridge: have you tried to switch off the acceleration (#fwaccel off)?

According to this article: https://support.checkpoint.com/results/sk/sk105899

Set the relevant kernel parameters (all four)

Let's see what we get.

Akos

topic Re: Bridge mode and tagged traffic in Firewall and Security Management

Bridge mode and tagged traffic

Re: Bridge mode and tagged traffic

Re: Bridge mode and tagged traffic

Re: Bridge mode and tagged traffic

Re: Bridge mode and tagged traffic

Re: Bridge mode and tagged traffic

Re: Bridge mode and tagged traffic

Re: Bridge mode and tagged traffic

Re: Bridge mode and tagged traffic