Author Topic: [Solved] Zentyal as a Firewall with Wireless Router  (Read 5177 times)

kmax9981

[Solved] Zentyal as a Firewall with Wireless Router
« on: July 20, 2012, 09:00:26 pm »
I have been reading through the posts and the Zentyal Documentation but I have not found a solution to the setup I hope to use. 

Cable Modem (ISP) > eth0:::Zentyal:::eth1 > Cisco E4200 Wireless Router > Switch > LAN

Basically I want to use the Zentyal server as a Firewall and VPN Server.  I use a wireless Router and wish to continue to use it rather than buy a second AP. 

I think what I need to do is set eth0 as External WAN with DHCP from the modem

eth1 should be static, let's say 192.168.1.1

The router's default address is 192.168.1.1; to me this would be a conflict. Should I change the router IP, or change eth1 and set up a default route pointing to eth1?  Since the Cisco Router has DHCP I would not need to configure that in the Zentyal Server.

I have Zentyal 2.2 installed on a standalone box

If anyone else has set up something similar or can help with this I would be so very tremendously grateful.

Kevin
« Last Edit: July 22, 2012, 02:36:17 am by Escorpiom »

christian

  • Guest
[Solved] Re: Zentyal as a Firewall with Wireless Router
« Reply #1 on: July 20, 2012, 09:11:40 pm »
Kevin,

Keeping DHCP on your wireless access point is not mandatory.
You have 2 choices (plus some other solutions that are slightly more complex and not useful)
1 - set up one segment (192.168.1.0) between Zentyal internal interface and Cisco wireless access point and configure another segment (e.g. 192.168.2.0) for devices attached to Cisco access point. DHCP on Zentyal for one single device (Cisco here) is not very useful.
2 - use Zentyal as DHCP server: activate "DHCP relay" feature on Cisco (btw are you using Cisco's or Linksys standard firmware?)

I would vote for the second solution because all devices will get Zentyal as default gateway  ;)
« Last Edit: July 22, 2012, 02:21:29 am by Escorpiom »

kmax9981

Re: Zentyal as a Firewall with Wireless Router
« Reply #2 on: July 20, 2012, 09:50:59 pm »
christian,

Thanks for the suggestion.  I am running the default Cisco firmware on the Wireless Router.  I am a little confused in regards to the 1st option: you said 2 segments, 1 to the internal interface and the Cisco wireless router and the 2nd segment for devices connecting to the router??  Not sure what you mean there, I have 2 NICs in the Zentyal Box.  Is the topology I have shown correct?  I am worried that if I put the Zentyal box after the Router then the wireless clients would bypass the firewall.

christian

  • Guest
Re: Zentyal as a Firewall with Wireless Router
« Reply #3 on: July 20, 2012, 10:02:01 pm »
Sorry if I was not clear. What I meant is this:

Internet - ISP <--->  cable modem <---> Zentyal ext. NIC <--> Zentyal <--> Zentyal internal NIC <-- 192.168.1.0 --> Cisco access point <-- 192.168.2.0 --> your devices here

There is no way Zentyal can be bypassed   8)

kmax9981

Re: Zentyal as a Firewall with Wireless Router
« Reply #4 on: July 20, 2012, 10:04:54 pm »
Yes, that is much clearer now thank you!!  so would I leave the DHCP service turned on on the Cisco Router?  and how would I tell the router to point to the Zentyal Box as the Default Gateway?

christian

  • Guest
Re: Zentyal as a Firewall with Wireless Router
« Reply #5 on: July 20, 2012, 11:34:05 pm »
> Yes, that is much clearer now thank you!!  so would I leave the DHCP service turned on on the Cisco Router?  and how would I tell the router to point to the Zentyal Box as the Default Gateway?

Yes, if you go for solution 1 with 2 network segments.
At Cisco level, connect "WAN" interface to Zentyal... that's almost it. If defined as "external", Zentyal will be the default gateway. I don't use Cisco firmware but from what I remember, with Cisco firmware, you can even manually define your gateway.

kmax9981

Re: Zentyal as a Firewall with Wireless Router
« Reply #6 on: July 21, 2012, 12:17:40 am »
There seems to be a problem.

I have  the following

ISP <-> eth0 (DHCP, External WAN Checked) <-> Zentyal <-> eth1 (Static 192.168.0.1, Ext WAN Unchecked) <-> WAN Port Cisco Wireless Router

Zentyal Settings

Network
             Gateway automatically added eth0 192.168.1.1 as default and will not let me change it

             DNS I have 2 8.8.8.8 and 8.8.4.4


However I lose internet connectivity this way; when I go to a webpage I get a DNS failure

I'm sure I am missing something here

I am not sure what to set my router as. I have the option of a static IP for internet configuration; it asks for

Internet IP
Subnet mask
Default Gateway
DNS
DNS2 (optional)
DNS3 (optional)

Would I put my external IP address from my ISP?
I am assuming the Default Gateway would be the 192.168.0.1 of my eth1 NIC?

Escorpiom

Re: Zentyal as a Firewall with Wireless Router
« Reply #7 on: July 21, 2012, 09:32:41 am »
OK let's see...
Zentyal's external interface gets the IP by DHCP. So the default gateway is set automatically, that's ok.
But if the default gateway is 192.168.1.1, that means that your cablemodem is NOT only a modem but also a router.
Let's call it the first router.

Zentyal has an external interface and an internal interface. That is the second router.

Your wireless Cisco is the third router. I do not recommend this setup, it will be problematic but possible if you insist.
Please explore other setups, my opinion:

- Set the cablemodem as bridge to eliminate the router
- Zentyal's external interface gets a public IP. It can be a firewall and VPN server as you requested 
- Think about what you want the Cisco to do. If it is merely used for the wireless capability, use DD-WRT firmware and set it up as an AP.
- If you want it to be a router, no problem. 
 
Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

christian

  • Guest
Re: Zentyal as a Firewall with Wireless Router
« Reply #8 on: July 21, 2012, 10:30:36 am »
+1 with Escorpiom  ;)

If I may add some explanations:
- you can (most likely) set up your cable-modem as a bridge and get public IP on external Zentyal NIC. If you don't do this, outgoing services (like web browsing) will work but incoming services (mail, web server, VPN server) will not unless you manually set up redirection at modem (router) level. A bit more difficult but much more secure. This is what I use  8)
- I fully share the DD-WRT advice (I'm running it too) but if you're not confident with this firmware change, Cisco/Linksys permits you to set up your access point as an access point without routing. This is much simpler for everything, trust Escorpiom  ;)
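
Added example, not written by any poster in this thread: a small Python check of the points raised in replies #7 and #8 and in the opening post, namely a router whose WAN address is private (so inbound services such as VPN need forwarding upstream), a subnet reused on both sides of the chain, and two devices claiming the same IP on one segment. The function name `audit`, the public address 203.0.113.60 and the DHCP leases 192.168.1.2 and 192.168.0.2 are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: a WAN address inside one means another NAT router sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit(devices):
    """devices: (name, wan, lan) tuples ordered from the ISP side inward.
    wan/lan are 'address/prefix' strings; lan is None for a bridged access point."""
    parsed = [(name, ipaddress.ip_interface(wan),
               ipaddress.ip_interface(lan) if lan else None)
              for name, wan, lan in devices]
    findings, seen = [], {}  # seen: LAN network -> device that already routes it
    for i, (name, wan, lan) in enumerate(parsed):
        if lan is None:
            continue  # bridged AP: no routing or NAT of its own
        if any(wan.ip in net for net in RFC1918):
            # Inbound services on this box need a port forward on the upstream router.
            findings.append((name, "behind-upstream-nat"))
        if wan.network.overlaps(lan.network):
            findings.append((name, "wan-lan-overlap"))
        if lan.network in seen:
            # Clients here cannot reach the identically numbered upstream network.
            findings.append((name, "subnet-reused:" + seen[lan.network]))
        seen[lan.network] = name
        if i + 1 < len(parsed) and parsed[i + 1][1].ip == lan.ip:
            findings.append((name, "duplicate-ip:" + parsed[i + 1][0]))
    return findings

# Constructed sample 1: the three-router chain from reply #6
# (modem acting as router, Zentyal, Cisco connected by its WAN port).
THREE_ROUTERS = [
    ("modem",   "203.0.113.60/24", "192.168.1.1/24"),
    ("zentyal", "192.168.1.2/24",  "192.168.0.1/24"),
    ("cisco",   "192.168.0.2/24",  "192.168.1.1/24"),
]

# Constructed sample 2: modem bridged, Cisco as a plain AP on a LAN port,
# still on its default 192.168.1.1 while eth1 uses the same address.
BRIDGED_AP = [
    ("zentyal",  "203.0.113.60/24", "192.168.1.1/24"),
    ("cisco-ap", "192.168.1.1/24",  None),
]

if __name__ == "__main__":
    for label, chain in (("three routers", THREE_ROUTERS), ("bridged AP", BRIDGED_AP)):
        print(label, audit(chain))
```

Moving the access point's management address to another host in 192.168.1.0/24 clears the last finding.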

kmax9981

Re: Zentyal as a Firewall with Wireless Router
« Reply #9 on: July 21, 2012, 04:42:35 pm »
Thanks Guys for your help, I will give this a try and let you know.  I greatly appreciate the quick and informative responses!!

kmax9981

Re: Zentyal as a Firewall with Wireless Router
« Reply #10 on: July 21, 2012, 04:55:57 pm »
I am trying to access my modem

It is a Scientific Atlanta Webstar DPC 2100 series

I did some searching and found that the access for the modem is 192.168.100.1

When I go there in Firefox I get the following message

The image at "http://Http://192.168.100.1/" can not be displayed because it contains errors

If I use IE I get

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
<HTML><HEAD><TITLE>Scientific-Altanta WebStar Cable Modem</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
    <FRAMESET border=0 frameSpacing=0 rows=150,* frameBorder=0>
        <FRAME name=banner src="webstar.html" noResize scrolling=no target="contents">
        <FRAME name=main src="system.asp">
        <NOFRAMES>
            <body>

            <p>This page uses frames, but your browser doesn't support them.</p>

            </body>
        </NOFRAMES>
    </FRAMESET>
</HTML>


Is this Cable modem also a router??


christian

  • Guest
Re: Zentyal as a Firewall with Wireless Router
« Reply #11 on: July 21, 2012, 05:51:20 pm »
Multiple points here:
- what you write about IP for administration being 192.168.100.1 seems not aligned with what you wrote earlier about Zentyal default gateway (using DHCP). Assuming DHCP server here is your Webstar DPC cable modem, then admin IP is most likely your default gateway...
- what is even stranger is that you get an answer while accessing 192.168.100.1... is default gateway on Zentyal wrong?

I suggest you connect your cable/modem/router to internet (ISP) and connect your PC directly to it, configured as DHCP client, and look at what you get as IP address and default gateway. Once connected, try to access http://defaultgatewayIP/
You may face problems with frame support but this depends on your browser (are you running a very old Firefox or IE version?)

From what I read so far, I'm not sure you can deactivate router feature on this cable modem. You may have better time configuring port forwarding... but documentation I found so far focuses on how to configure workstations to be connected directly to this modem  ::)
In case nothing works, think about resetting to default (factory) settings.

kmax9981

Re: Zentyal as a Firewall with Wireless Router
« Reply #12 on: July 21, 2012, 06:25:48 pm »
Sorry, I guess I should elaborate,  I disconnected the Zentyal box from the network since I needed to be able to access the internet to post, at this time.  In fact I have just started a reinstall of Zentyal to start fresh.  I will let you know what I come across after I give it another try, but this is the general idea I am getting.

ISP (Static IP address x.x.x.60) <-> eth0 (DHCP, External WAN checked) <-> Zentyal (Firewall, VPN, Gateway, DHCP) <-> eth1 (static 192.168.1.1, External WAN unchecked) <-> Non WAN Port Cisco E4200 Wireless Router (DHCP Turned Off)

Does this sound right?
« Last Edit: July 29, 2012, 03:05:49 am by kmax9981 »

christian

  • Guest
Re: Zentyal as a Firewall with Wireless Router
« Reply #13 on: July 21, 2012, 06:51:00 pm »
I'm sorry but I understand nothing about what you describe compared to what you told us already.
There is no more cable modem in your description  :o  vanished ?
It also looks like you defined internal Zentyal interface as external while external (ISP side) is not defined as external  ::)
Well, I'm totally lost...

Therefore I'll make some assumptions:
- you do not mention your cable modem because you successfully disabled "router" feature
- you decided not to operate E2400 as a router, meaning you want devices attached to E2400 to access directly Zentyal internal interface (meaning on same network)

If above is correct, then you should have something like this:
ISP <-> cable modem <-> eth0 (DHCP 69.14.151.60, External WAN checked) <-> Zentyal <-> eth1 (static 192.168.1.1, External WAN UNchecked, DHCP service configured for this interface) <-> Cisco E4200 Wireless Router (DHCP Turned Off) connected to Zentyal via LAN port.

If my assumptions were not correct, then you could set it up like this:
ISP <-> (static 69.14.151.60) cable modem (static 192.168.100.1) <-> eth0 (DHCP 192.168.100.x, External WAN checked) <-> Zentyal <-> eth1 (static 192.168.1.1, External WAN UNchecked, DHCP service configured for this interface) <-> Cisco E4200 Wireless Router (DHCP Turned Off) connected to Zentyal via LAN port.

Then other designs exist for E2400: either connecting to LAN ports (DHCP turned off) or connected to WAN port; in such case, you can enable DHCP...



kmax9981

Re: Zentyal as a Firewall with Wireless Router
« Reply #14 on: July 21, 2012, 08:09:43 pm »
Sorry, I think I am overthinking this.  I have not been able to access the cable modem to make any changes.  When the cable modem is connected to the Router without the Zentyal box, my external IP address is x.x.x.60; this is static, it is what I get all the time.

If I disconnect the modem from the router and plug the ethernet cable from the modem directly to the NIC of my netbook, my internal and external IP address are the same, but now it is x.x.x.10

Not really sure why the difference there.  I have no idea whether my modem is a router or not, I do not think it is, but what do I know.

I have tried to interpret the suggestions here and that is why I came up with what I thought was suggested and would work in my diagram, which I will append below.

ISP <-> Cable Modem <-> eth0 (DHCP, External WAN checked) <-> Zentyal (Firewall, VPN, Gateway, DHCP) <-> eth1 (static 192.168.1.1, External WAN unchecked) <-> Non WAN Port Cisco E4200 Wireless Router (DHCP Turned Off)
« Last Edit: July 29, 2012, 03:06:21 am by kmax9981 »