
Network Bridging

The following howto describes how to bridge two or more network interfaces into a single bridged interface group. This is the IEEE 802.1D standard for MAC bridges (the "MAC Bridges" working group).

Deprecated

The Network Bridging for ClearOS document on the ClearCenter web site is more up-to-date. Though similar, the instructions below are for ClearOS 5.x.

Preparation

Install the required software packages.

yum install bridge-utils

Example Configuration

Here is an example of how to create a bridged interface from eth0 and eth1. You can add many network cards to the same bridge. Be aware that every member becomes part of one layer-2 segment: broadcasts and frames for unknown destinations are flooded to all members, so the bridge behaves like an unmanaged switch, and for flooded traffic like a hub. Nothing is filtered between members unless you add firewall rules, so consider the security implications before bridging networks of different trust levels.

Network Configuration

First, you need to manually create or edit the configuration files as follows.

If your existing ifcfg-eth* files already contain a HWADDR line, leave it alone. The HWADDR="00:00:00:00:00:00" shown in the examples below is a placeholder only; use the MAC address detected by the system (for example from ifconfig eth0 or /sys/class/net/eth0/address).

/etc/sysconfig/network-scripts/ifcfg-eth0:

DEVICE=eth0
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
HWADDR="00:00:00:00:00:00"
BRIDGE=br0

/etc/sysconfig/network-scripts/ifcfg-eth1:

DEVICE=eth1
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
HWADDR="00:00:00:00:00:00"
BRIDGE=br0

/etc/sysconfig/network-scripts/ifcfg-br0:

DEVICE=br0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="dhcp"
PEERDNS="yes"
BRIDGE_STP="yes"

Alternately, you may assign a static address to this interface. This is required if you use this server as a gateway and the br0 address is the clients' gateway address. Note that a bridge does NOT need an address to forward frames; however, an address is useful for management even when you use the server as a transparent inline services platform. Add BRIDGE_STP="yes" here as well if you want spanning tree, as in the DHCP example above.

DEVICE=br0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="static"
IPADDR="192.168.1.2"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"
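As an added example (not part of the original howto, and not a ClearOS tool), the following shell script generates the ifcfg files above from the MAC addresses the kernel actually reports, so the 00:00:00:00:00:00 placeholder never reaches a configuration file, and checks that no bridge member keeps an address of its own. SYSFS_ROOT, OUT_DIR and the helper names are this example's own assumptions; run it as root with --apply followed by the bridge name, address, netmask, gateway and member interfaces.

```shell
#!/bin/sh
# Added example, not from the ClearOS page: write ifcfg-* files for a bridge
# from the MACs the kernel reports instead of hand-editing placeholders.
# Assumptions (hypothetical helper, not a ClearOS tool):
#   SYSFS_ROOT: the sysfs "net" tree (default /sys/class/net); a test can
#               point it at a constructed directory.
#   OUT_DIR:    where ifcfg files go (default /etc/sysconfig/network-scripts).

SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"
OUT_DIR="${OUT_DIR:-/etc/sysconfig/network-scripts}"

# Print the MAC of a device as the kernel sees it; refuse the all-zero
# placeholder so a copied HWADDR="00:00:00:00:00:00" never reaches ifcfg.
detect_mac() {
    mac=$(cat "$SYSFS_ROOT/$1/address" 2>/dev/null) || return 1
    [ "$mac" != "00:00:00:00:00:00" ] || return 1
    printf '%s\n' "$mac"
}

# ifcfg-<dev> for a bridge member: no BOOTPROTO/IPADDR, only BRIDGE=.
write_member() {
    dev=$1; br=$2
    mac=$(detect_mac "$dev") || { echo "no usable MAC for $dev" >&2; return 1; }
    cat > "$OUT_DIR/ifcfg-$dev" <<EOF
DEVICE=$dev
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
HWADDR="$mac"
BRIDGE=$br
EOF
}

# ifcfg-<br> with a static management address and spanning tree enabled.
write_bridge() {
    br=$1; ip=$2; mask=$3; gw=$4
    cat > "$OUT_DIR/ifcfg-$br" <<EOF
DEVICE=$br
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="static"
IPADDR="$ip"
NETMASK="$mask"
GATEWAY="$gw"
BRIDGE_STP="yes"
EOF
}

# Sanity check: the member names the bridge and carries no address of its
# own (an IP left on a member is a common reason a bridge misbehaves).
check_member() {
    f="$OUT_DIR/ifcfg-$1"
    grep -q "^BRIDGE=$2\$" "$f" || return 1
    ! grep -Eq '^(BOOTPROTO|IPADDR)=' "$f"
}

# build_bridge BR IP NETMASK GATEWAY MEMBER...   e.g.
# build_bridge br0 192.168.1.2 255.255.255.0 192.168.1.1 eth0 eth1
build_bridge() {
    br=$1; ip=$2; mask=$3; gw=$4; shift 4
    write_bridge "$br" "$ip" "$mask" "$gw" || return 1
    for dev in "$@"; do
        write_member "$dev" "$br" || return 1
        check_member "$dev" "$br" || return 1
    done
}

# Only act when invoked with --apply; sourcing the file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    shift
    build_bridge "$@" && echo "wrote $OUT_DIR/ifcfg-*; now: service network restart; brctl show"
fi
```

After the files are written, service network restart brings the bridge up and brctl show lists br0 with eth0 and eth1 as its ports.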

Firewall Configuration

How you use your bridged interfaces determines how you need to configure the /etc/firewall file. The ClearOS 5.x UI does not let you edit these values and may overwrite them with its 'automagic' settings if other parts of the UI are edited or updated. Back up any manual configuration you make in case this occurs.

Pseudo-switch or hub

If you want to use the bridge interface as the equivalent of a switch or hub, you can assign br0 to a single firewall role. This is useful if you have several spare interfaces and don't want to buy a switch, or if you want to bridge a VPN interface onto the same network as the physical network.

The firewall needs to know about your new br0 network interface. In the /etc/firewall configuration file, set the LANIF parameter (and EXTIF if this box is also the gateway):

LANIF="br0"

-or-

EXTIF="eth2"
LANIF="br0"

Various software packages need to know about this network change. The easiest way to notify them is to run:

service syswatch restart
service firewall restart
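Because the UI may later overwrite /etc/firewall, it is worth changing these parameters with something that keeps a backup and can tell you when a role still points at an interface that is now a bridge member. The following script is an added example, not ClearOS code; FIREWALL_CONF and the function names are its own assumptions, and it relies only on the KEY="value" lines shown on this page.

```shell
#!/bin/sh
# Added example, not from the ClearOS page: set one KEY="value" line in
# /etc/firewall after taking a timestamped backup, and report firewall
# roles that still name a bridge member. Hypothetical helper; FIREWALL_CONF
# is an assumption of this example (default /etc/firewall).

FIREWALL_CONF="${FIREWALL_CONF:-/etc/firewall}"

# Copy the file aside before touching it; prints the backup path.
backup_conf() {
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$FIREWALL_CONF" "$FIREWALL_CONF.bak.$stamp" && printf '%s\n' "$FIREWALL_CONF.bak.$stamp"
}

# get_param KEY: print the value without surrounding quotes (empty if unset).
get_param() {
    sed -n "s/^$1=//p" "$FIREWALL_CONF" | tr -d '"'
}

# set_param KEY VALUE: replace an existing KEY= line or append one, so the
# file never ends up with two definitions of the same role.
set_param() {
    key=$1; val=$2
    tmpf=$(mktemp) || return 1
    if grep -q "^$key=" "$FIREWALL_CONF"; then
        sed "s|^$key=.*|$key=\"$val\"|" "$FIREWALL_CONF" > "$tmpf"
    else
        cat "$FIREWALL_CONF" > "$tmpf"
        printf '%s="%s"\n' "$key" "$val" >> "$tmpf"
    fi
    cat "$tmpf" > "$FIREWALL_CONF" && rm -f "$tmpf"
}

# stale_roles MEMBER...: print any EXTIF/LANIF that still points at a card
# which is enslaved to the bridge (what the UI's automagic tends to leave).
stale_roles() {
    for key in EXTIF LANIF; do
        v=$(get_param "$key")
        for m in "$@"; do
            [ "$v" = "$m" ] && printf '%s=%s\n' "$key" "$v"
        done
    done
    return 0
}

# bridge_lan BR MEMBER...: back up, point LANIF at the bridge, then warn
# about leftovers. Runs only with --apply so sourcing is side-effect free.
bridge_lan() {
    br=$1; shift
    bak=$(backup_conf) || return 1
    set_param LANIF "$br" || return 1
    left=$(stale_roles "$@")
    [ -z "$left" ] || echo "still pointing at a bridge member: $left" >&2
    echo "backup at $bak; now: service syswatch restart; service firewall restart"
}

if [ "${1:-}" = "--apply" ]; then
    shift
    bridge_lan "$@"
fi
```

Usage on the box: sh bridge_lan.sh --apply br0 eth0 eth1; diff /etc/firewall /etc/firewall.bak.* later shows whether the UI has rewritten anything.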

Inline transparent services platform

Some people may want to deploy a ClearOS server as a transparent UTM or transparent proxy that is not the network's gateway. By default all packets are propagated across the bridge, but the ClearOS firewall can drop packets or redirect them to a local service, such as the proxy server, or to a local mail server for analysis by the anti-malware engine.

The firewall needs to know about your new br0 network interface. In the /etc/firewall configuration file, set the MODE, EXTIF and LANIF parameters as follows:

MODE="trustedgateway"
EXTIF="br0"
LANIF="br0"

Various software packages need to know about this network change. The easiest way to notify them is to run:

service syswatch restart
service firewall restart
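The ClearOS 5.x firewall generates its own rules from /etc/firewall, so the exact rule set is not shown on this page. As an added example that is not ClearOS code, here are the plain iptables rules such a redirect comes down to on a Linux bridge, together with the two checks that most often decide whether it works: bridged frames only reach iptables when bridge-nf-call-iptables is 1, and REDIRECT targets the address of the interface the packet arrived on, so br0 needs an address of its own. BR, LAN_PORT, PROXY_PORT and the function names are assumptions of this example; the emitted rules are applied only with --apply.

```shell
#!/bin/sh
# Added example, not from the ClearOS page and not its /etc/firewall syntax:
# the raw iptables rules behind an inline transparent proxy on a bridge.
# Assumptions (hypothetical defaults, adjust to your box):
#   BR         the bridge (br0)
#   LAN_PORT   the bridge member facing the clients (eth1)
#   PROXY_PORT the local proxy listening on the bridge address (3128)
# Bridged frames are not routed, so iptables only sees them when
# net.bridge.bridge-nf-call-iptables is 1; bridged traffic then traverses
# FORWARD, and anything REDIRECTed to the local host arrives in INPUT.

BR="${BR:-br0}"
LAN_PORT="${LAN_PORT:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Client HTTP arriving on the LAN-side member is diverted to the local proxy.
# physdev-in selects the physical port so traffic from the other side is untouched.
proxy_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -m physdev --physdev-in %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$BR" "$LAN_PORT" "$PROXY_PORT"
}

# The redirected connections must be allowed into the proxy on the bridge address.
proxy_accept_rule() {
    printf 'iptables -A INPUT -i %s -m physdev --physdev-in %s -p tcp --dport %s -j ACCEPT\n' \
        "$BR" "$LAN_PORT" "$PROXY_PORT"
}

# bridge_drop_rule DPORT: drop a TCP port crossing the bridge from the LAN side
# (FORWARD chain, because bridged traffic never hits INPUT or OUTPUT).
bridge_drop_rule() {
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -p tcp --dport %s -j DROP\n' \
        "$LAN_PORT" "$1"
}

# Whether the kernel hands bridged frames to iptables at all.
bridge_nf_enabled() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = "1" ]
}

# Whether the bridge carries an IPv4 address for REDIRECT to point at.
bridge_has_ip() {
    ip -4 addr show dev "$BR" 2>/dev/null | grep -q ' inet '
}

# Enable bridge-nf if needed, refuse to proceed without a bridge address,
# then install the redirect and accept rules. Nothing runs when sourced.
apply_rules() {
    bridge_nf_enabled || echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    bridge_has_ip || { echo "$BR has no IPv4 address; REDIRECT has nothing to redirect to" >&2; return 1; }
    sh -c "$(proxy_redirect_rule)" && sh -c "$(proxy_accept_rule)"
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it after the ClearOS firewall has started, since service firewall restart rebuilds the tables; iptables -t nat -L PREROUTING -v -n then shows the REDIRECT counter climbing as clients browse.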

Notes on Configuration and Performance

Avoid automagic

After making these changes, avoid the IP Settings functions of the ClearOS 5.x web interface: it does not know how to handle the br0 interface, and it may rewrite /etc/firewall with settings that do not match your intent or write a physical card's MAC address into the br0 configuration.

Booting

Don't be surprised if the br0 interface does not pass traffic immediately after booting. With BRIDGE_STP="yes", each port spends roughly 30 seconds in the listening and learning states before it forwards frames, so a short delay after the interface comes up is normal. If everything is properly configured it should just start working; brctl showstp br0 reports the state of each port.

ClearBOX

ClearBOX is an ideal platform for bridging as it provides multiple interfaces that can be used in a small office instead of a switch. This lets you deploy a single device and reduce cabling and complexity when only a few devices need to connect to the ClearOS server. Because you can add numerous network cards to the bridge, you can configure a ClearBOX 300 with the internet connection on eth0 and have the remaining ports (eth1-eth5) available as a five-port gigabit bridge that takes the place of a switch or hub. In this scenario, eth0 is the External interface going to the internet and the remaining ports make up the bridge.

Bridging on ClearBOX can also provide inline services in conjunction with the built-in network bypass: the server keeps the bypass engaged until all services are online, and only then activates the network cards that are part of the bridge. The effect is a transparent proxy that fails open (traffic keeps flowing) if the services are not running.

If you have a ClearBOX and would like help configuring this feature, please contact ClearCARE support.

content/en_us/kb_howtos_network_bridging.txt · Last modified: 2019/08/23 19:32 by trandolph