Problems with network bridge br0 after kernel change

Mic2024 · Feb 23rd 2025

Hello community,

since I had a problem with the last official kernel update in connection with ZFS, I recently swapped my OMV7 standard kernel for the Proxmox kernel 6.11.11-1-pve using the kernel plugin. This solved these problems (c.f. link).

Unfortunately, I now have the problem that the network bridge br0 configured in the network interfaces in OMV no longer works. It is still there, but no more data is routed from enp5s0 to enp6s0.

My internet router with DNS is connected to enp5s0. A Windows PC is connected to enp6s0, which is supposed to access the internet via the OMV PC. This can send data to the OMV NAS via this LAN connection, but it can no longer access the internet. It worked well before. Now, unfortunately, it no longer works. What could be the reason for this?

Thank you very much for your support!

Best regards

Mic.

raulfg3 · Feb 24th 2025

do you try to delete & recreate your br0?, some times this works.

Krisbee · Feb 24th 2025

Mic2024 You could check:

There has been no shift in the predictable NIC names, i.e. each MAC address still points the same NIC in the output of ip a

Mic2024 · Feb 24th 2025

Quote from raulfg3

do you try to delete & recreate your br0?, some times this works.

I tried to make changes in the WebGUI and save it in OMV. A complete delete I did not try becuase this can resault that OMV in not reachable (e.g. by SSH) anymore.

Mic2024 · Feb 24th 2025

Quote from Krisbee

Mic2024 You could check:

There has been no shift in the predictable NIC names, i.e. each MAC address still points the same NIC in the output of ip a

I did not note down all information from ip a. I hope there was nothing changed.

Code

root@cwwkmini-pc:~# cat /proc/sys/net/ipv4/ip_forward
1

root@cwwkmini-pc:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether a8:b8:e0:01:bf:85 brd ff:ff:ff:ff:ff:ff
3: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether a8:b8:e0:01:bf:86 brd ff:ff:ff:ff:ff:ff
4: enp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br0 state DOWN group default qlen 1000
    link/ether a8:b8:e0:01:bf:87 brd ff:ff:ff:ff:ff:ff
5: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br0 state DOWN group default qlen 1000
    link/ether a8:b8:e0:01:bf:88 brd ff:ff:ff:ff:ff:ff
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ba:c6:96:a3:d1:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.110/24 metric 100 brd 192.168.178.255 scope global dynamic br0
       valid_lft 824138sec preferred_lft 824138sec
    inet6 fd00::b8c6:96ff:fea3:d17d/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 6983sec preferred_lft 3383sec
    inet6 2001:9e8:89d0:8700:b8c6:96ff:fea3:d17d/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 6983sec preferred_lft 3383sec
    inet6 fe80::b8c6:96ff:fea3:d17d/64 scope link
       valid_lft forever preferred_lft forever
9: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 52:63:d4:e2:18:75 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::5063:d4ff:fee2:1875/64 scope link
       valid_lft forever preferred_lft forever
10: br-92b15258c20d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 0a:9d:2a:06:65:44 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-92b15258c20d
       valid_lft forever preferred_lft forever
    inet6 fe80::89d:2aff:fe06:6544/64 scope link
       valid_lft forever preferred_lft forever
11: br-9a3c7a00d515: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 4e:4d:7e:45:25:b1 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-9a3c7a00d515
       valid_lft forever preferred_lft forever
    inet6 fe80::4c4d:7eff:fe45:25b1/64 scope link
       valid_lft forever preferred_lft forever
13: veth8727e1f@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-9a3c7a00d515 state UP group default
    link/ether 3a:6c:d0:ae:03:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::386c:d0ff:feae:3a3/64 scope link
       valid_lft forever preferred_lft forever
15: vetha9579d1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-92b15258c20d state UP group default
    link/ether 9e:53:e8:84:eb:2c brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::9c53:e8ff:fe84:eb2c/64 scope link
       valid_lft forever preferred_lft forever
24: br-57e331bb78d2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 62:e5:34:1b:a9:a9 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-57e331bb78d2
       valid_lft forever preferred_lft forever
    inet6 fe80::60e5:34ff:fe1b:a9a9/64 scope link
       valid_lft forever preferred_lft forever
25: veth74ec136@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-57e331bb78d2 state UP group default
    link/ether e6:32:87:ef:cc:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::e432:87ff:feef:ccfe/64 scope link
       valid_lft forever preferred_lft forever
26: br-eb953641874c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether fe:3e:51:57:60:07 brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.1/16 brd 172.21.255.255 scope global br-eb953641874c
       valid_lft forever preferred_lft forever
    inet6 fe80::fc3e:51ff:fe57:6007/64 scope link
       valid_lft forever preferred_lft forever
27: veth0870b4f@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-eb953641874c state UP group default
    link/ether 7a:77:4d:ee:0a:80 brd ff:ff:ff:ff:ff:ff link-netnsid 4
    inet6 fe80::7877:4dff:feee:a80/64 scope link
       valid_lft forever preferred_lft forever
28: br-cdc6738963c1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 86:18:3f:b5:96:ec brd ff:ff:ff:ff:ff:ff
    inet 172.22.0.1/16 brd 172.22.255.255 scope global br-cdc6738963c1
       valid_lft forever preferred_lft forever
    inet6 fe80::8418:3fff:feb5:96ec/64 scope link
       valid_lft forever preferred_lft forever
29: veth1e401d5@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-cdc6738963c1 state UP group default
    link/ether ce:e6:15:43:f9:e2 brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::cce6:15ff:fe43:f9e2/64 scope link
       valid_lft forever preferred_lft forever

Display More

The PC on enp6s0 just tells that no DNS is available what is true if the bridge does not work anymore.

Krisbee · Feb 24th 2025

Well I can see nothing has changed in the predictable NIC assignments, and your main bridge br0 is up. If you can ping an external ip or domain from OMV, your bridge is working. ( If you want to check the physical port that is enp6s0 you can of course swap the cable between your router and OMV to a port you want to test. )

Mic2024 · Feb 25th 2025

Thank you for your hint but this test would not help. The PC on enp6s0 does not get an IP address so I cannot ping it. The OMV PC still does not forward IP requests from the PC at enp6s0 to the router at enp5s0. This is the same behavior as I would not create an bridge br0. Anything else must sill be wrong.

raulfg3 · Feb 26th 2025

Quote from Mic2024

I tried to make changes in the WebGUI and save it in OMV. A complete delete I did not try becuase this can resault that OMV in not reachable (e.g. by SSH) anymore.

use a monitor & keyboard attached, I still think that is the sollution.

Krisbee · Feb 26th 2025

Quote from Mic2024

Thank you for your hint but this test would not help. The PC on enp6s0 does not get an IP address so I cannot ping it. The OMV PC still does not forward IP requests from the PC at enp6s0 to the router at enp5s0. This is the same behavior as I would not create an bridge br0. Anything else must sill be wrong.

Your first post said the "bridge br0 no longer works" so I suggested that if OMV itself ( not your PC ) you ping an externaI IP or domain that in fact your bridge is still working at least on enp5s0 which connects your OMV server to your router. Did you test this?

Mic2024 · Feb 26th 2025

Quote from raulfg3

use a monitor & keyboard attached, I still think that is the sollution.

Hello everyone,

I took the trouble today to delete the LAN bridge using the keyboard and screen and then set it up again. Unfortunately, that didn't help either. The PC that is connected to the OMV PC has no access to the rest of the network and doesn't get an IP address.

I tried it with two different PCs (1x Windows, 1x Linux) and I also tried one of the other ports on the OMV PC. None of that had any effect. What else could be wrong?

If that's helpful, here's the NetPlan that OMV created:

Code

/etc/netplan# cat 10-openmediavault-default.yaml
network:
  version: 2
  renderer: networkd
/etc/netplan# cat 60-openmediavault-br0.yaml
network:
  ethernets:
    enp5s0:
      addresses: []
      dhcp4: false
      dhcp6: false
    enp6s0:
      addresses: []
      dhcp4: false
      dhcp6: false
    enp7s0:
      addresses: []
      dhcp4: false
      dhcp6: false
    enp8s0:
      addresses: []
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      accept-ra: true
      dhcp4: yes
      dhcp4-overrides:
        use-dns: true
        use-domains: true
      dhcp6: yes
      dhcp6-overrides:
        use-dns: true
        use-domains: true
      interfaces:
      - enp5s0
      - enp6s0
      - enp7s0
      - enp8s0

Display More

Thank you for your support!

Greetings

Mic.

Krisbee · Feb 27th 2025

I explained how with a couple of quick tests you'd satisfy yourself that your bridge was working, or not. But instead you deleted and re-configured it and are no further forward.

Assuming all ports on your OMV br0 are working, the fact you were/are no longer getting an IP etc when connecting a PC to enp6s0 points to a problem with your router such a stale DHCP lease or a ip config problem on the PC. So check your router and the check your PC's network config.

If you find nothing wrong on the router, then may be requesting a new DHCP lease on your PC will bring things to life. In Linux that's done with: dhclient <interface> (Sub PC interface name taken from ip a )

Mic2024 · Mar 3rd 2025

Dear all,

after one week of debugging and testing with a lot of sleepless nights, my network bridge is working properly again. I made so many tests and changes in the configuration I cannot clearly say, what really happened and what finally was the solution.

In between I have seen that the bridge is not completely not working – only network traffic managed by IPv4 / DNSv4 was not working. Web pages using IPv6 were reachable but I do not know if this was the situation since the beginning of my problems. I was not aware that some web pages are reachable by IPv4 and some by IPv6. Here are two examples:

Code

C:\>ping www.amazon.com
Ping wird ausgeführt für d3ag4hukkh62yn.cloudfront.net [2600:9000:2057:9800:7:49a5:5fd4:b121] mit 32 Bytes Daten:
Antwort von 2600:9000:2057:9800:7:49a5:5fd4:b121: Zeit=13ms
Antwort von 2600:9000:2057:9800:7:49a5:5fd4:b121: Zeit=13ms
Antwort von 2600:9000:2057:9800:7:49a5:5fd4:b121: Zeit=13ms
Antwort von 2600:9000:2057:9800:7:49a5:5fd4:b121: Zeit=13ms


Ping-Statistik für 2600:9000:2057:9800:7:49a5:5fd4:b121:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 13ms, Maximum = 13ms, Mittelwert = 13ms
C:\>ping www.paypal.com
Ping wird ausgeführt für paypal-dynamic.map.fastly.net [151.101.1.21] mit 32 Bytes Daten:
Antwort von 151.101.1.21: Bytes=32 Zeit=11ms TTL=60
Antwort von 151.101.1.21: Bytes=32 Zeit=10ms TTL=60
Antwort von 151.101.1.21: Bytes=32 Zeit=10ms TTL=60
Antwort von 151.101.1.21: Bytes=32 Zeit=10ms TTL=60


Ping-Statistik für 151.101.1.21:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 10ms, Maximum = 11ms, Mittelwert = 10ms

Display More

I tried to document all my changes but cannot promise that it is complete. You should know I tried to fix the problem with the background that I have installed Pi-hole as Docker Container with a MacVLAN at 182.158.168.222 on my OMV-PC.

I adapted the file /etc/resolv.conf to have the correct name servers available on the OMV-PC:

Code

domain home.router
search home.router
nameserver 182.158.168.222
nameserver fd00:0:0:0:4e6f:53ff:ef2e:222
nameserver 182.158.168.1
options edns0 trust-ad

I added the correct DNS resolvers in the file /etc/systemd/resolved.conf. The IP 182.158.168.1 is my internet router which shall be the main target for DNSv4 and DNSv6 requests. This router will forward it to pi-hole (otherwise the DHCP does not work properly).

Code

[Resolve]
DNS=182.158.168.1 182.158.168.222 fd00:0:0:0:4e6f:53ff:ef2e:222

To avoid that Linux will overwrite my changes I deactivated the automatic resolving by doing the following commands:

Code

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service
sudo systemctl restart networking

I have activated IP forwarding by using these commands:

Code

echo 1 > /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
sudo sysctl -w net.ipv6.conf.all.forwarding=1

To check, if these changes have been successful you can use these commands:

Code

sudo sysctl net.ipv4.conf.all.forwarding
sudo sysctl net.ipv6.conf.all.forwarding

To make the changes permanent I added the following two lines to /etc/sysctl.conf:

Code

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

To activate these changes, you need to enter:

Code

sudo sysctl -p

I made some changes to the firewall rules. I make my live easier I created a bash script where I can change the rules easily for testing. Feel free to use it if you need i (name: firewall_rules.sh:

Code

+++ I try to upload the script in a 2nd posting. It is too large. +++

In a final status I recommend you the rules for --save and --ipv6active.

I increased the MTU value to 1500:

Code

sudo ip link set dev br0 mtu 1500

I restared everything on the OMV-PC:

Code

sudo systemctl restart systemd-networkd
sudo systemctl restart networking

And after this I also needed to reset the network configuration in my Windows PC connected to the network bridge on the OMV-PC:

Code

ipconfig /renew
ipconfig /release

If you want to use network logging for security reasons as prepared in my above bash script you need to prepare it by doing these steps:

Create an empty log file:

Code

tail -f /var/log/iptables.log

Activate the additional firewall rules for logging my using my above script file:

Code

./firewall_rules.sh --loggingactive

Add the following two lines in the two files /etc/rsyslog.conf and /etc/rsyslog.d/iptables.conf. If a file does not exist, just create it.

Code

:msg, contains, "IPTables-" /var/log/iptables.log
& ~

Restart the networking services:

Code

sudo systemctl restart rsyslog
sudo systemctl restart networking

Check the log from time to time for issues:

Code

nano /var/log/iptables.log

I also adapted the netplan file /etc/netplan/60-openmediavault-br0.yaml created by OMV:

Code

network:
  version: 2  # --> New, added by me.
  renderer: networkd # --> New, added by me.
  ethernets:
    enp5s0:
      addresses: []
      dhcp4: false
      dhcp6: false
      ipv6-privacy: true # --> New, added by me for security reasons.
    enp6s0:
      addresses: []
      dhcp4: false
      dhcp6: false
      ipv6-privacy: true # --> New, added by me for security reasons.
    enp7s0:
      addresses: []
      dhcp4: false
      dhcp6: false
      ipv6-privacy: true # --> New, added by me for security reasons.
    enp8s0:
      addresses: []
      dhcp4: false
      dhcp6: false
      ipv6-privacy: true # --> New, added by me for security reasons.
  bridges:
    br0:
      accept-ra: true # --> New, added by me.
      dhcp4: yes # --> New, added by me.
      dhcp4-overrides: # --> New, added by me.
        use-dns: true # --> New, added by me.
        use-domains: true # --> New, added by me.
      dhcp6: yes
      dhcp6-overrides: # --> New, added by me.
        use-dns: true # --> New, added by me.
        use-domains: true # --> New, added by me.
      interfaces:
      - enp5s0
      - enp6s0
      - enp7s0
      - enp8s0

Display More

These are a lot of things to be considered. Not it is working as expected. Maybe anyone else facing these issues this may help. But be careful with changes. The network settings can be very individual to your system.

Regards

Mic.

Mic2024 · Mar 3rd 2025

Bash

#!/bin/bash

# Überprüfe den übergebenen Parameter
if [ "$1" == "--save" ]; then
    echo "Aktiviere die sicheren iptables- und ip6tables-Regeln..."

    # Lösche alle aktuellen iptables-Regeln
    echo "Lösche alle aktuellen iptables-Regeln..."
    iptables -F
    iptables -t nat -F
    ip6tables -F
    ip6tables -t nat -F

    # IPv4: Erlaube bereits etablierte Verbindungen
    echo "Erlaube bereits etablierte Verbindungen (IPv4)..."
    iptables -A FORWARD -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # IPv4: Erlaube DNS-Verkehr (UDP und TCP auf Port 53)
    echo "Erlaube DNS-Verkehr (IPv4)..."
    iptables -A FORWARD -p udp --dport 53 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 53 -j ACCEPT

    # IPv4: Erlaube DHCP-Verkehr (UDP auf Port 67 und 68)
    echo "Erlaube DHCP-Verkehr (IPv4)..."
    iptables -A FORWARD -p udp --dport 67 -j ACCEPT
    iptables -A FORWARD -p udp --dport 68 -j ACCEPT

    # IPv4: Erlaube Verkehr zwischen enp5s0 und br0
    echo "Erlaube Verkehr zwischen enp5s0 und br0 (IPv4)..."
    iptables -A FORWARD -i enp5s0 -o br0 -j ACCEPT
    iptables -A FORWARD -i br0 -o enp5s0 -j ACCEPT

    # IPv4: Erlaube Verkehr zwischen enp6s0 und br0
    echo "Erlaube Verkehr zwischen enp6s0 und br0 (IPv4)..."
    iptables -A FORWARD -i enp6s0 -o br0 -j ACCEPT
    iptables -A FORWARD -i br0 -o enp6s0 -j ACCEPT

    # IPv4: Erlaube Verkehr zwischen enp7s0 und br0
    echo "Erlaube Verkehr zwischen enp7s0 und br0 (IPv4)..."
    iptables -A FORWARD -i enp7s0 -o br0 -j ACCEPT
    iptables -A FORWARD -i br0 -o enp7s0 -j ACCEPT

    # IPv4: Erlaube Verkehr zwischen enp8s0 und br0
    echo "Erlaube Verkehr zwischen enp8s0 und br0 (IPv4)..."
    iptables -A FORWARD -i enp8s0 -o br0 -j ACCEPT
    iptables -A FORWARD -i br0 -o enp8s0 -j ACCEPT

    # IPv6: Erlaube bereits etablierte Verbindungen
    echo "Erlaube bereits etablierte Verbindungen (IPv6)..."
    ip6tables -A FORWARD -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # IPv6: Erlaube DNS-Verkehr (UDP und TCP auf Port 53)
    echo "Erlaube DNS-Verkehr (IPv6)..."
    ip6tables -A FORWARD -p udp --dport 53 -j ACCEPT
    ip6tables -A FORWARD -p tcp --dport 53 -j ACCEPT

    # IPv6: Erlaube DHCP-Verkehr (UDP auf Port 546 und 547)
    echo "Erlaube DHCP-Verkehr (IPv6)..."
    ip6tables -A FORWARD -p udp --dport 546 -j ACCEPT
    ip6tables -A FORWARD -p udp --dport 547 -j ACCEPT

    # IPv6: Erlaube Verkehr zwischen enp5s0 und br0
    echo "Erlaube Verkehr zwischen enp5s0 und br0 (IPv6)..."
    ip6tables -A FORWARD -i enp5s0 -o br0 -j ACCEPT
    ip6tables -A FORWARD -i br0 -o enp5s0 -j ACCEPT

    # IPv6: Erlaube Verkehr zwischen enp6s0 und br0
    echo "Erlaube Verkehr zwischen enp6s0 und br0 (IPv6)..."
    ip6tables -A FORWARD -i enp6s0 -o br0 -j ACCEPT
    ip6tables -A FORWARD -i br0 -o enp6s0 -j ACCEPT

    # IPv6: Erlaube Verkehr zwischen enp7s0 und br0
    echo "Erlaube Verkehr zwischen enp7s0 und br0 (IPv6)..."
    ip6tables -A FORWARD -i enp7s0 -o br0 -j ACCEPT
    ip6tables -A FORWARD -i br0 -o enp7s0 -j ACCEPT

    # IPv6: Erlaube Verkehr zwischen enp8s0 und br0
    echo "Erlaube Verkehr zwischen enp8s0 und br0 (IPv6)..."
    ip6tables -A FORWARD -i enp8s0 -o br0 -j ACCEPT
    ip6tables -A FORWARD -i br0 -o enp8s0 -j ACCEPT

    echo "Es wurden sichere iptables- und ip6tables-Regeln aktiviert."

elif [ "$1" == "--open" ]; then
    echo "Aktiviere unsicheren, aber funktionalen iptables- und ip6tables-Regeln..."

    # Lösche alle aktuellen iptables-Regeln
    echo "Lösche alle aktuellen iptables-Regeln..."
    iptables -F
    iptables -t nat -F
    ip6tables -F
    ip6tables -t nat -F

    # Setze die ursprünglichen iptables-Regeln wieder ein
    echo "Setze Masquerading für NAT (IPv4)..."
    iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
    echo "Erlaube bereits etablierte Verbindungen (IPv4)..."
    iptables -A FORWARD -i br0 -o enp5s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "Erlaube Verkehr zwischen br0 und enp5s0 (IPv4)..."
    iptables -A FORWARD -i enp5s0 -o br0 -j ACCEPT
    echo "Erlaube bereits etablierte Verbindungen (IPv4)..."
    iptables -A FORWARD -i br0 -o enp6s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "Erlaube Verkehr zwischen br0 und enp6s0 (IPv4)..."
    iptables -A FORWARD -i enp6s0 -o br0 -j ACCEPT
    echo "Erlaube bereits etablierte Verbindungen (IPv4)..."
    iptables -A FORWARD -i br0 -o enp7s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "Erlaube Verkehr zwischen br0 und enp7s0 (IPv4)..."
    iptables -A FORWARD -i enp7s0 -o br0 -j ACCEPT
    echo "Erlaube bereits etablierte Verbindungen (IPv4)..."
    iptables -A FORWARD -i br0 -o enp8s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "Erlaube Verkehr zwischen br0 und enp8s0 (IPv4)..."
    iptables -A FORWARD -i enp8s0 -o br0 -j ACCEPT

    echo "Setze Masquerading für NAT (IPv6)..."
    ip6tables -t nat -A POSTROUTING -o br0 -j MASQUERADE
    echo "Erlaube bereits etablierte Verbindungen (IPv6)..."
    ip6tables -A FORWARD -i br0 -o enp5s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "Erlaube Verkehr zwischen br0 und enp5s0 (IPv6)..."
    ip6tables -A FORWARD -i enp5s0 -o br0 -j ACCEPT
    echo "Erlaube bereits etablierte Verbindungen (IPv6)..."
    ip6tables -A FORWARD -i br0 -o enp6s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "Erlaube Verkehr zwischen br0 und enp6s0 (IPv6)..."
    ip6tables -A FORWARD -i enp6s0 -o br0 -j ACCEPT
    echo "Erlaube bereits etablierte Verbindungen (IPv6)..."
    ip6tables -A FORWARD -i br0 -o enp7s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "Erlaube Verkehr zwischen br0 und enp7s0 (IPv6)..."
    ip6tables -A FORWARD -i enp7s0 -o br0 -j ACCEPT
    echo "Erlaube bereits etablierte Verbindungen (IPv6)..."
    ip6tables -A FORWARD -i br0 -o enp8s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "Erlaube Verkehr zwischen br0 und enp8s0 (IPv6)..."
    ip6tables -A FORWARD -i enp8s0 -o br0 -j ACCEPT

    echo "Die unsicheren, aber funktionalen iptables- und ip6tables-Regeln wurden aktiviert."

+++ to be continued +++

Display More

Mic2024 · Mar 3rd 2025

Code

+++ continue +++

elif [ "$1" == "--ipv6active" ]; then
    echo "Aktiviere erweiterte IPv6-Sicherheitsregeln..."

    # IPv6: Erlaube notwendige ICMPv6-Nachrichten
    echo "Erlaube notwendige ICMPv6-Nachrichten..."
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT

    # IPv6: Erlaube Router Advertisements und Router Solicitations
    echo "Erlaube Router Advertisements und Router Solicitations..."
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT

    # IPv6: Logging von blockiertem Verkehr
    echo "Logge blockierten IPv6-Verkehr..."
    ip6tables -A INPUT -j LOG --log-prefix "IP6Tables-Blocked: "
    ip6tables -A FORWARD -j LOG --log-prefix "IP6Tables-Blocked: "

    echo "Erweiterte IPv6-Sicherheitsregeln wurden aktiviert."

elif [ "$1" == "--ipv6inactive" ]; then
    echo "Setze alle ip6tables-Regeln zurück..."

    # Lösche alle aktuellen ip6tables-Regeln
    ip6tables -F
    ip6tables -t nat -F
    ip6tables -t mangle -F
    ip6tables -t raw -F

    # Setze Standardrichtlinien auf ACCEPT
    echo "Setze Standardrichtlinien auf ACCEPT..."
    ip6tables -P INPUT ACCEPT
    ip6tables -P FORWARD ACCEPT
    ip6tables -P OUTPUT ACCEPT

    echo "Alle ip6tables-Regeln wurden zurückgesetzt."

elif [ "$1" == "--loggingactive" ]; then
    echo "Aktiviere das Netzwerk-Logging..."

    # IPv4: Füge Logging-Regeln hinzu
    echo "Füge IPv4-Logging-Regeln hinzu..."
    iptables -A INPUT -j LOG --log-prefix "IPTables-Input: " --log-level 4
    iptables -A FORWARD -j LOG --log-prefix "IPTables-Forward: " --log-level 4
    iptables -A OUTPUT -j LOG --log-prefix "IPTables-Output: " --log-level 4

    # IPv6: Füge Logging-Regeln hinzu
    echo "Füge IPv6-Logging-Regeln hinzu..."
    ip6tables -A INPUT -j LOG --log-prefix "IP6Tables-Input: " --log-level 4
    ip6tables -A FORWARD -j LOG --log-prefix "IP6Tables-Forward: " --log-level 4
    ip6tables -A OUTPUT -j LOG --log-prefix "IP6Tables-Output: " --log-level 4

    echo "Netzwerk-Logging wurde aktiviert."

elif [ "$1" == "--logginginactive" ]; then
    echo "Deaktiviere das Netzwerk-Logging..."

    # IPv4: Entferne Logging-Regeln
    echo "Entferne IPv4-Logging-Regeln..."
    iptables -D INPUT -j LOG --log-prefix "IPTables-Input: " --log-level 4
    iptables -D FORWARD -j LOG --log-prefix "IPTables-Forward: " --log-level 4
    iptables -D OUTPUT -j LOG --log-prefix "IPTables-Output: " --log-level 4

    # IPv6: Entferne Logging-Regeln
    echo "Entferne IPv6-Logging-Regeln..."
    ip6tables -D INPUT -j LOG --log-prefix "IP6Tables-Input: " --log-level 4
    ip6tables -D FORWARD -j LOG --log-prefix "IP6Tables-Forward: " --log-level 4
    ip6tables -D OUTPUT -j LOG --log-prefix "IP6Tables-Output: " --log-level 4

    echo "Netzwerk-Logging wurde deaktiviert."

else
    echo "Ungültiger Parameter. Bitte starte das Skript mit einem der folgenden Parameter:"
    echo ""
    echo "firewall_rules.sh --save              Aktiviert sichere Firewallregeln."
    echo "firewall_rules.sh --open              Aktiviert unsichere, funktionale Firewallregeln."
    echo "firewall_rules.sh --ipv6active        Aktiviert erweiterte IPv6-Sicherheitsregeln."
    echo "firewall_rules.sh --ipv6inactive      Setzt alle IPv6-Regeln zurück."
    echo "firewall_rules.sh --loggingactive     Aktiviert Netzwerklogging."
    echo "firewall_rules.sh --logginginactive   Deaktiviert Netzwerklogging."
fi

Display More

fumantsu · Mar 24th 2025

btw: I had exactly the same issue today with the same kernel (Intel NICs). Even if I break the bonding didn't work till (coincidence?) a live cd. What I notice is that the interface names changed (not to predicted).

Problems with network bridge br0 after kernel change

Mic2024 Mar 3rd 2025

Mic2024 Mar 3rd 2025

Participate now!

Tags