Topic: I need to allow EXTERNAL traffic to INTERNAL subnet... but where is this?

Abby

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Hello people

I've installed Zentyal Community Edition 3.2 as a transparent proxy, inline with a bridged interface between my Firewall and my core switch, like this:

Internet -> FW (192.168.1.10) -> Zentyal (192.168.1.5 on br1) -> Core Switch (192.168.1.1) -> internal VLANS 192.168.x.x

and so far, so good!  It is all working and I can monitor http traffic :)

My Zentyal box has TWO NICs, that are bridged together.
Also, we have a DMZ and a site-to-site tunnel to a remote location coming off our firewall.

Now, I need to add application control to block peer-to-peer traffic, but to do that, Zentyal tells me I must enable one interface as EXTERNAL.

When I do this, Zentyal blocks ALL inbound traffic on whichever interface I select as external, meaning either (1) we cannot access our DMZ or the remote site or (2) they cannot access us!

I've looked in the firewall settings, and there is NO option to allow EXTERNAL traffic to INTERNAL subnets, despite some forums posts referring to this option. Where has it gone?

I'm thinking that if I can open up external access from our DMZ and site-to-site tunnel ONLY, then I can still enable the EXTERNAL interface and have my application control :)

Please advise :)

Thank you

christian

  • Guest
Where is your DMZ (from Zentyal's standpoint) ?

Abby

Our DMZ is on a 172.20.x.x subnet coming off the firewall.

Zentyal can see the DMZ, and can pass traffic between the DMZ and the internal VLAN in its role as a bridge.

christian

Clearer.
What I understand now, reading your last post and again the first one, is that your Zentyal server has one single interface (even if made of 2 NICs for some reason; if bridged, there is only "one" interface).

This means that:
- from core switch, you can reach directly your firewall
- no one is obliged to use Zentyal as proxy unless you have rules at FW level preventing access except from proxy  ::)
- you can't set rules at Zentyal level that are based on the fact that communication is going "through" Zentyal. Only proxy-based control is available, because the client session will stop at proxy level and a new session will start from the proxy (Zentyal) to the server.
- On a platform like Zentyal, the DMZ concept is more an internal dedicated network to which you apply specific FW rules, but this can't be on the unique external (or even internal) subnet.


Abby

> Clearer.
> What I understand now, reading your last post and again the first one, is that your Zentyal server has one single interface (even if made of 2 NICs for some reason; if bridged, there is only "one" interface).

Yes, this is correct.

> This means that:
> - from core switch, you can reach directly your firewall

We can reach the Firewall from the Core Switch through the proxy. Zentyal sits physically (and logically) between the core switch and firewall, with one NIC connected to each device.

> - no one is obliged to use Zentyal as proxy unless you have rules at FW level preventing access except from proxy  ::)

Really? Even though http traffic HAS to pass through Zentyal to get to the Firewall?
If so, then I can always add a Firewall rule that blocks the internal VLANs from accessing the internet directly.

> - you can't set rules at Zentyal level that are based on the fact that communication is going "through" Zentyal. Only proxy-based control is available, because the client session will stop at proxy level and a new session will start from the proxy (Zentyal) to the server.

Yes, I noticed this yesterday, when I put Zentyal between the core switch and Firewall.  Some of our DMZ websites have allow/deny IP entries in the config files, and we had to update these to allow traffic from the Zentyal VLAN (192.168.1.x) as well as the internal 192.18.x.x VLANs!

> - On a platform like Zentyal, the DMZ concept is more an internal dedicated network to which you apply specific FW rules, but this can't be on the unique external (or even internal) subnet.

Does that mean I CAN NOT allow rules from EXTERNAL to INTERNAL interface? The information that Zentyal published must have confused me. I would still like to have a look at the EXTERNAL to INTERNAL rules to see what is available.  Where can I find this setting? I have installed a test Zentyal server with ALL available options but still cannot find it.

Thank you very much for your help Christian :)
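The two firewall decisions discussed so far, the "external to internal only from the DMZ and the site-to-site tunnel" rule Abby asked for in the first post and the "internal VLANs may not reach the internet except through the proxy" rule she mentions above, modelled as a small policy checker. This is an added example, not Zentyal's own code or configuration; the external-side NIC name eth1, the internal-side NIC name eth0, the tunnel subnet 10.200.0.0/24 and the choice of TCP 80/443 as "web traffic" are assumptions, while 192.168.x.x, 172.20.x.x and 192.168.1.5 come from the thread.

```python
"""Policy model for the two firewall decisions in this thread (added example,
not Zentyal's own code or configuration).

Assumptions, none of which come from the thread: the external-side NIC is
'eth1' and the internal-side NIC is 'eth0'; the site-to-site tunnel carries
10.200.0.0/24 (constructed); 'internet-bound web traffic' means TCP 80/443.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_VLANS = ipaddress.ip_network("192.168.0.0/16")   # from the thread
PROXY_IP = ipaddress.ip_address("192.168.1.5")           # Zentyal br1, from the thread
# Networks on the firewall side that may open connections into the VLANs.
TRUSTED_EXTERNAL = {
    "dmz": ipaddress.ip_network("172.20.0.0/16"),           # from the thread
    "site_to_site": ipaddress.ip_network("10.200.0.0/24"),  # constructed
}
WEB_PORTS = (80, 443)  # assumption: what the proxy is meant to intercept


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def inbound_new_allowed(flow: Flow) -> bool:
    """Decision for a NEW connection arriving on the external side.

    Default deny: only the DMZ and the remote site may open connections to
    the internal VLANs. Replies to connections opened from inside are handled
    by connection tracking instead (see iptables_rules)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return dst in INTERNAL_VLANS and _in_any(src, TRUSTED_EXTERNAL.values())


def egress_allowed(flow: Flow) -> bool:
    """Decision for traffic leaving the internal VLANs toward the firewall.

    Web traffic to the internet may only originate from the proxy itself, so a
    client cannot bypass Zentyal by talking to the firewall directly. Traffic
    to the DMZ or the remote site is not internet-bound and passes."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if dst in INTERNAL_VLANS or _in_any(dst, TRUSTED_EXTERNAL.values()):
        return True
    if flow.proto == "tcp" and flow.dport in WEB_PORTS:
        return src == PROXY_IP
    return True


def iptables_rules(ext_if: str = "eth1", int_if: str = "eth0") -> list:
    """Hand-written iptables equivalent of inbound_new_allowed for bridged
    traffic in the FORWARD chain. Because the two NICs are bridge ports, the
    port is matched with physdev rather than -i/-o (which would see br1)."""
    physdev = f"-m physdev --physdev-in {ext_if} --physdev-out {int_if}"
    rules = [
        f"iptables -A FORWARD {physdev} "
        f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for name, net in TRUSTED_EXTERNAL.items():
        rules.append(
            f"iptables -A FORWARD {physdev} -s {net} -d {INTERNAL_VLANS} "
            f"-m conntrack --ctstate NEW -j ACCEPT  # {name}"
        )
    rules.append(f"iptables -A FORWARD {physdev} -d {INTERNAL_VLANS} -j DROP")
    return rules


if __name__ == "__main__":
    for f in (Flow("172.20.5.10", "192.168.10.20", 443),
              Flow("203.0.113.7", "192.168.10.20", 443)):
        print(f, "inbound allowed:", inbound_new_allowed(f))
    print("\n".join(iptables_rules()))
```

Two caveats that matter on this particular box: the egress rule belongs on the third-party firewall (the only device every internal VLAN has to cross), not on Zentyal, and iptables only sees bridged frames at all when net.bridge.bridge-nf-call-iptables is set to 1, which is also the condition for the physdev match to work.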

christian

What I don't understand is how you can have 2 interfaces on Zentyal connected on each side but sharing the same unique IP and acting as a "go through" device.
If you could please elaborate on this, I'm going to improve my understanding and knowledge.

Abby

It was not difficult to bridge two NICs into one interface using the same IP.
Follow these steps in order, and save the changes after each step:

1) Delete the default gateway first, and save changes (otherwise Zentyal will not let you make the necessary network interface changes)
2) Change eth0 to bridged, creating a new bridge called br1, and save changes
3) Set bridge br1 to Static IP, with the same IP address you previously assigned to eth0, and save changes again
4) Change eth1 to bridged, using bridge br1, and save changes again
5) Add the default gateway back in, and save changes

Now Firewall internal IP -> Zentyal br1 -> Core switch are all on the same VLAN  8)
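A check for the result of these steps, written as an added example rather than anything from Zentyal or the thread. On a Linux bridge the member ports (eth0, eth1) carry no IP address of their own; frames are forwarded between them at layer 2 and the single address lives on br1, which is how one IP can sit between two physical segments. The checker parses the text of `ip -o link show`, `ip -br -4 addr show` and `ip -4 route show` and flags the mistakes that break this setup: a port not enslaved to br1, an address left on a port, or more than one default route. The command output below is constructed to match the thread's names and addresses (eth0, eth1, br1, 192.168.1.5, gateway 192.168.1.10); the MACs and the faulty second sample are made up.

```python
"""Verify a two-port Linux bridge with one IP on the bridge device
(added example; constructed sample output, not from a real host)."""
import ipaddress
import re

# Constructed output in the shape of `ip -o link show` (good configuration).
LINK_OK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br1 state UP\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br1 state UP\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
"""
# Constructed output in the shape of `ip -br -4 addr show`.
ADDR_OK = """\
lo               UNKNOWN        127.0.0.1/8
eth0             UP
eth1             UP
br1              UP             192.168.1.5/24
"""
# Constructed output in the shape of `ip -4 route show`.
ROUTE_OK = """\
default via 192.168.1.10 dev br1
192.168.1.0/24 dev br1 proto kernel scope link src 192.168.1.5
"""
# A broken variant: eth1 was never enslaved, still has its own address,
# and a second default route appeared with it.
LINK_BAD = LINK_OK.replace("qdisc fq_codel master br1 state UP\\    link/ether 02:00:00:00:00:02",
                           "qdisc fq_codel state UP\\    link/ether 02:00:00:00:00:02")
ADDR_BAD = ADDR_OK.replace("eth1             UP\n", "eth1             UP             192.168.1.6/24\n")
ROUTE_BAD = ROUTE_OK + "default via 192.168.1.10 dev eth1 metric 100\n"


def parse_links(text: str) -> dict:
    """Map interface name -> bridge it is enslaved to (None if not a port)."""
    masters = {}
    for line in text.splitlines():
        m = re.match(r"^\d+:\s+(\S+?):\s+<[^>]*>(.*)$", line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        mm = re.search(r"\bmaster\s+(\S+)", rest)
        masters[name] = mm.group(1) if mm else None
    return masters


def parse_addrs(text: str) -> dict:
    """Map interface name -> list of IPv4 interfaces (may be empty)."""
    addrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        addrs[parts[0]] = [ipaddress.ip_interface(a) for a in parts[2:]]
    return addrs


def parse_default_routes(text: str) -> list:
    """List of (gateway, device) for every default route present."""
    routes = []
    for line in text.splitlines():
        m = re.match(r"^default via (\S+) dev (\S+)", line)
        if m:
            routes.append((ipaddress.ip_address(m.group(1)), m.group(2)))
    return routes


def check_bridge(link_out, addr_out, route_out, bridge="br1", ports=("eth0", "eth1")) -> list:
    """Return a list of findings; an empty list means the bridge looks right."""
    findings = []
    masters, addrs = parse_links(link_out), parse_addrs(addr_out)
    if bridge not in masters:
        return [f"{bridge} does not exist"]
    for p in ports:
        if masters.get(p) != bridge:
            findings.append(f"{p} is not a member of {bridge}")
        if addrs.get(p):
            findings.append(f"{p} carries an IP address; only {bridge} should")
    br_addrs = addrs.get(bridge, [])
    if len(br_addrs) != 1:
        findings.append(f"{bridge} should carry exactly one IPv4 address, has {len(br_addrs)}")
    routes = parse_default_routes(route_out)
    if len(routes) != 1:
        findings.append(f"expected exactly one default route, found {len(routes)}")
    elif br_addrs:
        gw, dev = routes[0]
        if dev != bridge:
            findings.append(f"default route leaves via {dev}, not {bridge}")
        if gw not in br_addrs[0].network:
            findings.append(f"gateway {gw} is not in {br_addrs[0].network}")
    return findings


if __name__ == "__main__":
    print("good:", check_bridge(LINK_OK, ADDR_OK, ROUTE_OK))
    print("bad: ", check_bridge(LINK_BAD, ADDR_BAD, ROUTE_BAD))
```

To run it against a live Zentyal host, replace the three constants with the captured output of the three commands; the "exactly one default route" check is the one that catches the situation the save-order in the steps above is meant to avoid.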

christian

So far so good...  :) still I don't understand how it works.

1 - 2 NICs bridged will give you one single IP that can't be on 2 different physical networks in terms of routing unless you have split your 192.168.1.0 into smaller subnets with specific routes.
2 - From Zentyal, if you have 2 gateways, unless you maintain specific routes, how will you decide which one to use depending on the target address?

I would understand 2 NICs bridged either "inside" or "outside" but not both at the same time; this is what makes me confused.

Abby

I have set both NICs to INTERNAL.

I do not need to set a NIC as EXTERNAL, because my third-party Firewall protects us, not Zentyal firewall.

My problem is that I need Application Control to view and block protocol usage, and to do this I need to assign one NIC as external.

But when I do this, all inbound traffic to the EXTERNAL NIC is blocked, even from my DMZ!

christian

OK, and thus we are back to my initial point:
- if both interfaces are set as internal on 2 different physical subnets, you will potentially face issues because of this split (as far as I understand, but I might be wrong)
- some services do require one external interface. Setting an interface as external populates specific FW rules. You can still modify them later, but in your case, because of the bridge, I don't understand what may happen.