[SOLVED] Using Zentyal server as Gateway (and allow internet traffic)

ap1821

Hello everyone! :) We have purchased a new, more powerful server for our office and would like to get rid of the router which routes all internet traffic. We want the server to act as the router.
I will try to describe the main current network structure here, hope you will understand:

[INTERNET MODEM] -- [ROUTER] -- [SWITCH] -- [ZENTYAL SERVER]
                                    |
                        [ALL OTHER WORKSTATIONS]

We would like to get rid of the router and directly put the cable coming from the internet modem into eth0. So that would be the external network interface. eth1 would create internal network 10.0.1.0/24 and it would look like this (sorry for the interesting diagrams ;D ):

[INTERNET MODEM] -- eth0 [ZENTYAL SERVER] eth1 -- [SWITCH]
                                                      |
                                          [ALL OTHER WORKSTATIONS]

I tried installing Zentyal by selecting all gateway components and configuring eth0 as external with static IPs (provided by ISP) and configuring eth1 as static internal and assigning 10.0.1.3 and 255.255.255.0 netmask to it. After doing that I was able to access all allowed Zentyal services from the internal network (by connecting my laptop and manually assigning 10.0.1.4/24 and Zentyal DNS to it - just to test the internal network), BUT had no internet connection! I was able to ping www.hostname.com and ping 10.0.1.3, the Windows network status also said that there is internet connectivity, but no pages could be opened except the Zentyal administration page (https://10.0.1.3).
I also tried enabling transparent proxy, then very very slow traffic started to come through (and then I broke something, so I'll try to reinstall it and try again), but I would like just to reroute the internet traffic from eth0 to eth1 with no proxy (I use non-transparent proxy for other reasons). What am I doing wrong? Also didn't get why the traffic was so slow with transparent proxy enabled (opening a web page in 5-10 seconds).

The main point is to get the internet connection to work in internal networks by just rerouting it. The server has 2 network adapters, eth0 and eth1. If I can't do this then I'll have to stick with a router which tends to hang 1-2 times a month. I would also like the monitoring options I can get if I use Zentyal as router.

Thanks!
« Last Edit: August 01, 2013, 06:10:56 pm by ap1821 »

christian

  • Guest
Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #1 on: July 14, 2013, 09:19:09 pm »
When removing the router, did you change some settings like the default gateway?
If you want to access internet without proxy, you have to ensure that clients have Zentyal defined as their default gateway and also ensure that Zentyal FW allows outgoing HTTP traffic.

ap1821

Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #2 on: July 15, 2013, 12:13:27 am »
Well I configured eth0 with ISP given parameters, same that were entered in the router previously. And the internet connection worked just fine on the server.

SERVER eth0 (external):
-ISP given network configuration, static

SERVER eth1 (internal):
-IP: 10.0.1.3, static
-Subnet mask: 255.255.255.0

CLIENT connected to eth1 (my laptop)
-IP: 10.0.1.5
-Subnet mask: 255.255.255.0
-Default gateway: 10.0.1.3 (so client has Zentyal server as default gateway)
-DNS: 10.0.1.3

And I can access Zentyal with no problems on the client, I can ping internet DNS and IP addresses, but can't open any with the browser. Windows says that I have internet access, but actually I don't.
I had no switch for the moment to connect to eth1, so I connected my laptop directly to test it (I think this can't affect anything).
About that
Quote
ensure that Zentyal FW allow outgoing HTTP traffic
do I have to set some rules manually, stock configuration doesn't allow that? I also tried the email client on my laptop and it didn't work either.
« Last Edit: July 15, 2013, 12:17:07 am by ap1821 »

christian

  • Guest
Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #3 on: July 15, 2013, 06:21:19 am »
Frankly I don't remember what stock configuration does but even if some users here think that starting with "allow all" then adding more restrictive rules is realistic, it is commonly and widely accepted that when implementing a firewall, one starts with "deny all" then adds specific rules to allow what can be allowed.

Because of this, not remembering what stock configuration is, I strongly believe that, by default, except for mandatory protocols, nothing is allowed. Then, when you deploy services, Zentyal handles (most of the time  ;D) firewall rules required to make this service operational.

Is the opposite true when a service is removed? I'm not so sure and this is not that obvious to achieve.

As a matter of conclusion: debating about this can take ages while it will take you a few seconds to check whether such a FW rule exists or not  ;)

ap1821

Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #4 on: July 15, 2013, 12:10:45 pm »
Quote
Because of this, not remembering what stock configuration is, I strongly believe that, by default, except for mandatory protocols, nothing is allowed. Then, when you deploy services, Zentyal handles (most of the time  ;D) firewall rules required to make this service operational.
All the time I've used Zentyal server connected to my office network as I described in the first post. Then I was able to configure all allowed services available to office computers in firewall section Packet Filter -> Internal networks to Zentyal. And the other things in the router by opening ports.
Frankly I'm not familiar with any other sections in Zentyal firewall :D
If this has to be in Packet Filter -> Filtering rules from internal networks to external networks then there is nothing added there in my testing vbox environment.
If Packet Filter -> Internal Networks then there is one rule:
ALLOW TRAFFIC, Source Any, Destination Any, Service Any.
I'll check the server installation, then post. :)
« Last Edit: July 15, 2013, 12:20:24 pm by ap1821 »

christian

  • Guest
Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #5 on: July 15, 2013, 12:17:21 pm »
If there is no rule allowing the internal network to access the external network through Zentyal in your firewall settings, then don't be surprised if you can't access internet  ;)

ap1821

Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #6 on: July 15, 2013, 12:22:52 pm »
I edited the post a bit also. So the filtering rules from external networks to internal networks is the right section?
What does the "Filtering rules for internal networks" do in my case, and that one rule there? (sorry to ask so stupid :D )

Thanks!

christian

  • Guest
Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #7 on: July 15, 2013, 12:30:39 pm »
Take care about what each section handles  8) but the drawing is pretty clear and should help.

Quote
Filtering rules for internal networks

This is where you have to set rules to access from inside to internet without using a Zentyal hosted service like proxy.

Quote
Filtering rules from external networks to internal networks

Has to be used only if you want to provide access to internal network when initiated from internet.
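
Added example, not part of christian's post and not Zentyal's own code: a small model of how a default-deny FORWARD chain decides the two cases described above. It assumes a plain netfilter ruleset on the thread's eth0 (external) / eth1 (internal) layout; the iptables-save excerpt is constructed and Zentyal's generated chain names are not reproduced.

```python
import shlex

# Constructed iptables-save excerpt (not from a real Zentyal box): default-deny
# FORWARD policy, replies allowed by connection state, one inside->outside rule.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""
# Same ruleset with the internal-networks rule missing.
NO_INTERNAL_RULE = SAMPLE.replace("-A FORWARD -i eth1 -o eth0 -j ACCEPT\n", "")

def parse_forward(text):
    """Return (default policy, rules) for the FORWARD chain.
    Simplification: every option is assumed to take exactly one value."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if line.startswith(":FORWARD"):
            policy = tok[1]
        elif tok[:2] == ["-A", "FORWARD"]:
            opts = dict(zip(tok[2::2], tok[3::2]))
            states = opts.get("--state")
            rules.append({"in": opts.get("-i"), "out": opts.get("-o"),
                          "states": set(states.split(",")) if states else None,
                          "target": opts["-j"]})
    return policy, rules

def verdict(text, in_if, out_if, state):
    """First matching rule wins; unmatched packets get the chain policy."""
    policy, rules = parse_forward(text)
    for r in rules:
        if r["in"] not in (None, in_if) or r["out"] not in (None, out_if):
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"]
    return policy

if __name__ == "__main__":
    for name, rs in (("with rule", SAMPLE), ("rule missing", NO_INTERNAL_RULE)):
        print(name)
        print("  LAN -> internet, new connection:", verdict(rs, "eth1", "eth0", "NEW"))
        print("  internet -> LAN, reply packet:  ", verdict(rs, "eth0", "eth1", "ESTABLISHED"))
        print("  internet -> LAN, new connection:", verdict(rs, "eth0", "eth1", "NEW"))
```

Replies to connections opened from the LAN pass on the state rule alone, which is why the external-to-internal section can stay empty for ordinary browsing.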

ap1821

Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #8 on: July 15, 2013, 12:55:06 pm »
Quote
Filtering rules from external networks to internal networks

Has to be used only if you want to provide access to internal network when initiated from internet.
OK. So the internet connection should work without needing to add any rules to this section?

I'm pretty sure that my server had this one rule by default just as vbox test install:
Quote
If Packet Filter -> Internal Networks then there is one rule:
ALLOW TRAFFIC, Source Any, Destination Any, Service Any. 
AND Filtering rules from external networks to internal networks section contained no rules on the actual server.
Sorry, I can't test adding rules to Filtering rules from external networks to internal networks section right now, can't get to the server right now. But is this really really the problem cause here?

christian

  • Guest
Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #9 on: July 15, 2013, 01:14:50 pm »
You will need rules here (from external to internal) only if you want to permit connections initiated from internet.
In what you describe, I don't see such a need.

As it seems you already have rule allowing from internal to external, FW is most likely not the blocking point here.

In order to investigate further, check DNS client side.
Are you able to resolve, client side, internet names? If not, as you don't use HTTP proxy, browsing will not work.

ap1821

Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #10 on: July 15, 2013, 01:42:35 pm »
Maybe the problem was connecting eth1 directly to my laptop with ethernet cable? I already mentioned, I WAS able to resolve DNS names and even ping them, Windows 8 laptop I connected to the server said that there is internet connectivity, but no web pages could be opened.

I just installed fresh Zentyal on Virtualbox with eth0 as bridged to my home router (192.168.1.160) so it has access to internet and my whole local home network. I set eth1 as Internal network in Virtualbox virtual machine settings. After configuring everything just as before (eth0 static external, eth1 static internal) I tried Windows XP machine and connected it to Virtualbox internal network. After finally setting everything up just the way I did with the actual server, I now have internet access and everything else working JUST FINE on that XP virtual machine (Zentyal set as gateway and DNS).

So firewall is definitely not an issue anymore, if it works with Virtualbox. I wonder what's wrong there with the actual server installation... I didn't have to change any firewall settings by the way, it worked with stock FW settings. Maybe I should connect it to a switch and then connect all workstations, dunno....
« Last Edit: July 15, 2013, 01:47:46 pm by ap1821 »

christian

  • Guest
Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #11 on: July 15, 2013, 02:37:36 pm »
Unless you're using a very very old network interface, it will handle cross or straight cable in a transparent manner, meaning switch or not doesn't matter.

ap1821

Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #12 on: July 16, 2013, 05:35:42 pm »
Well I reinstalled the actual server and still get the same problems with no internet. The firewall seems to be fine. Sometimes some Skype traffic comes through, still I can ping IPs and DNS addresses in the local network and on the internet.
I'm currently trying in my home network with the server. Connected directly to internet modem and let DHCP take the address when installing (actually I used DHCP when installing it the first time, maybe this messes something up). And I tried to use a switch too, still same.
Now gonna try connecting the server to my home router and not to use DHCP when installing.

EDIT: changed eth0 to static and typed the currently leased DHCP address and gateway manually, restarted server and it works. What the hell.... This really might be because I used DHCP in the cli installation....

EDIT: restarted server once again, it now works (directly connected to my home internet modem)! Seems that restarting server is the trick here. I didn't do that when tried the first time.
« Last Edit: July 16, 2013, 05:50:28 pm by ap1821 »

ap1821

Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #13 on: July 22, 2013, 07:00:02 pm »
OK! The gateway thing works fine from now on, seems like I had to reboot Zentyal at least one time for it to get working.
Now I have problems with VPN. All other things work perfectly, but when the VPN service is started and running, then I have no traffic on the internal interface (eth1). I went deeper and found out that when I change the "Interface to listen on" field to eth1 instead of eth0 or all interfaces, then the internal interface works fine (internet connectivity is fine and local networks can be accessed), otherwise there is suddenly no access to anything on computers connected to eth1.
eth0 is external and eth1 is internal to remember, and the internet connection remains fine on the server itself, no matter what the VPN settings are for the moment...
Here are my settings for the created VPN server:

I have created certificates for VPN clients and for the VPN server itself, with this configuration the eth1 is fine.

On the other hand I tried the connection to VPN, of course it doesn't work from the internet. When I change eth1 to eth0 there (interface to listen on), I can access and connect to VPN server from internet, but can't ping anything on the server's internal network when connected.
Hope you understood and hope for help!  :)
« Last Edit: July 22, 2013, 07:04:55 pm by ap1821 »

ap1821

Re: Using Zentyal server as Gateway (and allow internet traffic)
« Reply #14 on: July 22, 2013, 07:37:00 pm »
Just tried changing the port. From 1194/udp to 1195/udp, also in the firewall I changed the port too. VPN now works, all traffic goes fine through eth1. What the hell? Why doesn't it like port 1194 anymore?
edit:
about that problem http://forum.zentyal.org/index.php/topic,17039.0.html
« Last Edit: August 06, 2013, 02:07:55 pm by ap1821 »