Author Topic: Firewall Blocking Passing Over an Accept Rule...

DiegoS

  • Zen Apprentice
  • Posts: 35
  • Karma: +0/-0
Firewall Blocking Passing Over an Accept Rule...
« on: April 08, 2013, 08:49:57 am »
I have a Zentyal server with 2 networks:
   eth0 - LAN - Internal - Range 192.168.x.x
   eth1 - WAN - External, connected to the internet

I have 1 Internal Networks rule in the firewall:
   Decision: Accept
   Source: 192.168.2.201/32
   Destination: Any
   Service: Any

But if I look at the firewall logs I find this:
  Input Interface: eth1
  Output Interface: eth1
  Source:  192.168.2.201
  Destination:  8.8.8.8
  Source Port: 57498
  Destination Port: 53
  Action: DENY

I can't connect to any external service from the 192.168.2.201 object.

I see in the logs that Input Interface & Output Interface are the same, "eth1", but I've connected the object 192.168.2.201 to the "eth0" network.

Any suggestion?

Thanks
« Last Edit: April 08, 2013, 10:23:01 am by DiegoS »

christian

  • Guest
Re: FIREWALL BLOCKING PASSING OVER A ACCEPT RULE...
« Reply #1 on: April 08, 2013, 08:55:42 am »
Looking at what you describe, you intend to execute a DNS request.
- What happens when such a request is done from the Zentyal server itself?
- Where did you set this rule in the Zentyal interface?
- What about other FW rules? If you have another rule before this one denying access, access will obviously be denied. I mean to say that what you describe is not enough for (remote) investigation.

DiegoS

Re: FIREWALL BLOCKING PASSING OVER A ACCEPT RULE...
« Reply #2 on: April 08, 2013, 09:01:13 am »
Hi Christian,
I answer your questions:

- I have no problem connecting to 8.8.8.8:53 directly from Zentyal.
- I set the rule in Firewall > Packet Filter > Filtering rules for internal networks.
- The rule is in the 1st position of the rules.

Thanks

christian

Re: FIREWALL BLOCKING PASSING OVER A ACCEPT RULE...
« Reply #3 on: April 08, 2013, 09:12:29 am »
Of course both eth0 and eth1 are on physically different networks, aren't they? I mean not connected to the same switch or something like this...
I wonder why Zentyal sees your access (incoming) at eth1  ???

DiegoS

Re: FIREWALL BLOCKING PASSING OVER A ACCEPT RULE...
« Reply #4 on: April 08, 2013, 09:41:11 am »
Yes, eth0 is connected to our internal switch and eth1 is connected to an LDMS internet connection...

In which log do you think I should look for more information?
Maybe the Firewall log?

christian

Re: FIREWALL BLOCKING PASSING OVER A ACCEPT RULE...
« Reply #5 on: April 08, 2013, 09:44:35 am »
I don't know yet. I would suggest that:
- you look at the arp table from your client
- ensure that you can reach eth0 (still from the client). BTW, are you able to reach your client from the Zentyal server?
- rewrite the first post title to not use upper case  ;)  it doesn't solve your current problem but "loud speaking" doesn't help either  ;)

DiegoS

Re: Firewall Blocking Passing Over an Accept Rule...
« Reply #6 on: April 09, 2013, 02:29:38 pm »
For testing I created 1 rule on the firewall, internal networks, in first position:
   Decision: LOG
   Source: 192.168.2.201/32
   Destination: ANY
   Service: FTP

When I look into the Firewall Logs:
  Input Interface: eth1
  Output Interface: eth1
  Source:  192.168.2.201
  Destination:  130.206.1.5
  Source Port: 59696
  Destination Port: 21
  Decision: DROP

As you can see, the Input Interface is eth1 (external) but it should be eth0 (internal).
I think this is the reason why it is not giving access to the internet: because it is not using the Internal Networks rules.

My question is: why is the Input Interface eth1 if the PC is connected to eth0?
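The log entries in this thread all share one oddity: a LAN source address (192.168.2.201) is recorded as entering on the external interface. Whatever the cause (both NICs on the same switch, as christian asked about, a routing or bridging loop, or a spoofed source address), the quickest way to confirm how widespread it is would be to scan the firewall log for every entry whose source address belongs to an internal subnet but whose Input Interface is not the interface that subnet is attached to. The script below is an added example, not code from the thread or from Zentyal; it parses the key/value log layout quoted in the posts and assumes a hypothetical interface map in which eth0 carries 192.168.2.0/24. The three log blocks inside it are constructed sample input (two copied from the thread, one well-behaved entry added for contrast).

```python
import ipaddress
import re

# Constructed sample: the entries quoted in the thread plus one normal entry,
# in the "Field: value" layout the forum posts show.
SAMPLE_LOG = """
Input Interface: eth1
Output Interface: eth1
Source: 192.168.2.201
Destination: 8.8.8.8
Source Port: 57498
Destination Port: 53
Decision: DENY

Input Interface: eth0
Output Interface: eth1
Source: 192.168.2.50
Destination: 8.8.8.8
Source Port: 40001
Destination Port: 53
Decision: ACCEPT

Input Interface: eth1
Output Interface: eth1
Source: 192.168.2.201
Destination: 130.206.1.5
Source Port: 59696
Destination Port: 21
Decision: DROP
"""

# Assumed (hypothetical) interface layout, matching the thread's description:
# eth0 is the internal LAN interface, eth1 faces the Internet.
INTERNAL_NETS = {"eth0": [ipaddress.ip_network("192.168.2.0/24")]}

# One "Field: value" line of the log layout used above.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S+)\s*$")


def parse_entries(text):
    """Split the log text into one dict per blank-line-separated block.

    Keys are the field names lower-cased ("input interface", "source", ...)."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip().lower()] = m.group(2)
        elif current:          # blank or unparseable line closes a block
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def expected_input_iface(src):
    """Interface whose configured internal subnet contains src, or None if src is not internal."""
    addr = ipaddress.ip_address(src)
    for iface, nets in INTERNAL_NETS.items():
        if any(addr in net for net in nets):
            return iface
    return None


def find_mismatches(entries):
    """Entries with an internal source address that arrived on the wrong interface."""
    out = []
    for e in entries:
        src, in_if = e.get("source"), e.get("input interface")
        if not src or not in_if:
            continue
        want = expected_input_iface(src)
        if want is not None and in_if != want:
            out.append({"source": src, "seen_on": in_if, "expected": want,
                        "destination": e.get("destination"),
                        "decision": e.get("decision")})
    return out


def report(text):
    """Print one line per suspicious entry and return the list for further handling."""
    mism = find_mismatches(parse_entries(text))
    for m in mism:
        print(f"{m['source']} -> {m['destination']}: entered on {m['seen_on']}, "
              f"expected {m['expected']} (decision {m['decision']})")
    return mism


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against the sample, the script flags the two entries from the thread and leaves the eth0-sourced entry alone. On a real box you would feed it an export of the Zentyal firewall log and extend INTERNAL_NETS with each internal interface's subnet; a non-empty result for a host that is physically on the LAN points at a layer-2 or routing problem to investigate before touching the rule set, since rules for internal networks are evaluated against the interface the packet actually arrived on.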