Topic: [SOLVED] Multiple NICS and rerouting inbound HTTP

JMan

[SOLVED]Multiple NICS and rerouting inbound HTTP
« on: August 28, 2008, 02:32:26 am »
Ebox looks fantastic, but the level of abstraction is making it hard for me to use (oddly enough). I'm replacing a venerable IPCop with EBox, and after reading the documentation, successfully installing Ebox, reading multiple Ebox how-tos, and skimming through this forum, it's still a little confusing.

My layout:

3 NICS
- one connects directly to the Internet on a static IP through my DSL router
- a second NIC connects to the internal LAN (with wifi)
- a third NIC connects to the HTTP and SMTP server.

So, do I need to do the following?

(1) Create a service
(2) Create a rule to route the Internet NIC traffic (defined by the service) to the third NIC ?

« Last Edit: September 09, 2008, 01:30:38 pm by JMan »

javi

Re: Multiple NICS and rerouting inbound HTTP
« Reply #1 on: August 29, 2008, 10:41:13 am »
Hi,

A couple of questions to clarify what you are trying to do:

- Does your eBox have a wifi card? You must know that we don't support wireless stuff yet...
- What do you really want to do :)? Neither your scenario nor the kind of routing you want to set up is clear to me. Please elaborate on that :)

JMan

Re: Multiple NICS and rerouting inbound HTTP
« Reply #2 on: September 01, 2008, 04:05:20 pm »
Javi, thanks for helping out !

- My EBOX does not have a wi/fi NIC, it only has three 10/100 NICs (which I will call A, B, C).

- I'd like NIC A to be connected to a static IP on my DSL router.
- I'd like NIC B to route to a subnet (192.168.2.x), which has my external e-mail server and http server.
- I'd like NIC C to route to a subnet (192.168.1.x) to my internal LAN, which includes a wi/fi router.

With that set-up, here's what I'd hope the end functionality would include:

- SPAM and AV filter for inbound SMTP.
- Redirect the processed SMTP to the external e-mail server (192.168.2.2)
- Redirect the HTTP to the external web server (also on 192.168.2.2)
- Provide DHCP for the clients that connect on the 192.168.1.x segment
- OpenVPN, so that I can remotely connect to the 192.168.1.x segment

« Last Edit: September 01, 2008, 04:07:02 pm by JMan »

javi

Re: Multiple NICS and rerouting inbound HTTP
« Reply #3 on: September 01, 2008, 04:17:30 pm »
Quote
Javi, thanks for helping out !

No problem :)

Quote
My EBOX does not have a wi/fi NIC, it only has three 10/100 NICs (which I will call A, B, C).

got it ;)

Quote
- I'd like NIC A to be connected to a static IP on my DSL router.
- I'd like NIC B to route to a subnet (192.168.2.x), which has my external e-mail server and http server.
- I'd like NIC C to route to a subnet (192.168.1.x) to my internal LAN, which includes a wi/fi router.

According to that, NIC A should be marked as external, B and C are internal. Remember that you will need to place your DSL router in a network different from 2.x and 1.x.

So far so good :)

Quote
SPAM and AV filter for inbound SMTP.
Redirect the processed SMTP to the external e-mail server (192.168.2.2)

I dunno if this is what you want to do: You can use the eBox as SMTP with the SPAM and AV filter enabled and using your mail server as a "smart host" to relay your mail.

Quote
- Redirect the HTTP to the external web server (also on 192.168.2.2)

This is just a redirection: what comes in through NIC A on port 80 is sent to 192.168.2.2 port 80.

Quote
- Provide DHCP for the clients that connect on the 192.168.1.x segment
- OpenVPN, so that I can remotely connect to the 192.168.1.x segment
No problem with above things.


Please tell me if I understood you right.

Thanks :)

JMan

Re: Multiple NICS and rerouting inbound HTTP
« Reply #4 on: September 01, 2008, 06:13:46 pm »
Alright, the best news is that everything sounds do-able. Your comments are very appreciated.

I've read through the eboxplatform forums, the wiki, and two years of the e-mail list.

My ebox is running (with the A, B, C NICS) and everything looks good (it's still not configured, but it's working).

The "smart host" option is what I was thinking would be a good choice.

The "A" NIC will be the gateway.

Now, I just have to configure the ebox to do these things. It's the creation of "objects" and "network services" that abstract out the details. I'm not sure what I'm doing. I'm not looking for a step-by-step, just "first configure an object, then create a network service."

Or, something.

When I'm done, I'll blog a more detailed overview on http://www.leadershipbynumbers.com so others can follow along.

Thanks !

JMan

Re: Multiple NICS and rerouting inbound HTTP
« Reply #5 on: September 02, 2008, 01:28:23 am »

I spent some more time on the ebox today and I'm still fuzzy about the GUI. For instance, I have DHCP successfully bound to one of the NICS and the ebox is connected to my DSL router. If I'm on the ebox, I can access the Internet. However, if I connect via DHCP (I use dhclient at the prompt, so I can see the activity), that client is unable to access the Internet.

So, here are all the basic configuration details:

Active Module status:
   network
   firewall
   ntp
   dhcp server
   logs
   Domain Name Server

NETWORK
Network interfaces:
   Name: eth0
   Method: static
   External: YES
   IP: 66.92.167.36   
   Netmask: 255.255.255.0
   (No virtual interfaces)

ETH0 connects to the DSL router. It's working fine.

   Name: eth1
   Method: static
   External: no
   IP: 192.168.1.1   
   Netmask: 255.255.255.0
   (No virtual interfaces)

ETH1 is for the DHCP server and clients. It's the internal LAN

   Name: eth2
   Method: static
   External: no
   IP: 192.168.2.1
   Netmask: 255.255.255.0
   (No virtual interfaces)

ETH2 is for a web and mail server on a separate system.

DNS:   192.168.1.1
   216.231.41.2

Routes: I tried it with none (it seemed optional). But, when I couldn't access the Internet from the ETH1 segment, I added the following route from the Network to the Gateway:

   192.168.1.1/32 -> 66.92.167.36

Gateways: I have two Gateways, one for the Internet and one for the internal ETH1.

   Internet Gateway (ETH0), 66.92.167.36, ETH0 (set as default)
   ETH1 Gateway, 192.168.1.1, ETH1

OBJECTS
   The ebox has no objects defined.

SERVICES
   I haven't added any extra services.

FIREWALL
   Packet filtering has been set up in these categories:

   From Internal networks to ebox:
      The following protocols/services accept any source: ipp, samba, http, ntp, mail system, dns, dhcp, tftp, ssh

   For Internal networks, each of the NICS has been configured to access outside destinations:
   66.92.167.36/32- Any - Any - "Outbound ETH0"
   192.168.1.1/32 - Any - Any - "Outbound ETH1"      
   192.168.2.1/32 - Any - Any - "Outbound ETH2"

   For traffic coming out of ebox

   Any - Any - "Open up outbound for now"

   For traffic coming in to ebox

   No IPs are configured to accept connections

Redirects:

   One redirect is in place, but I haven't tested it.

   Interface: ETH0, External Port: 80, Protocol: TCP, IP: 192.168.2.2, PORT: 80

USERS   Not configured

GROUPS   Not configured

WEB SERVICE   Not configured

OPENVPN   Not configured

Jabber Service:   Not configured

PRINTERS:   Not configured

DHCP:
   Interface: ETH1
   Default Gateway: Configured Ones, ETH1 Gateway
   Search domain: None
   Primary Nameserver: local eBox DNS
   Secondary nameserver: <blank>
   DHCP Ranges:
      IP: 192.168.1.1
      Subnet: 192.168.1.0/24
      Available ranges: 192.168.1.1 -254

   I created a range ("Range 1") from 192.168.1.50 to 192.168.1.100.

   No fixed addresses

FILE SHARING: Not configured

TRAFFIC SHAPING: Not configured

SOFTWARE MANAGEMENT: Not configured

   System is up to date

   Automatic updates: Not configured

LOGS: I did set them for one week

HTTP PROXY: Not configured

MAIL: Not configured

DNS: Not configured

CERTIFICATE MANAGER: Not configured

EVENTS: Not configured


javi

Re: Multiple NICS and rerouting inbound HTTP
« Reply #6 on: September 02, 2008, 10:51:48 am »
First of all,  this is a good example of how help should be asked in terms of giving us information :)


Quote

FIREWALL
   Packet filtering has been set up in these categories:

   From Internal networks to ebox:
      The following protocols/services accept any source: ipp, samba, http, ntp, mail system, dns, dhcp, tftp, ssh

   For Internal networks, each of the NICS have been configured to access outside destinations:
   66.92.167.36/32- Any - Any - "Outbound ETH0"
   192.168.1.1/32 - Any - Any - "Outbound ETH1"     
   192.168.2.1/32 - Any - Any - "Outbound ETH2"
I don't know if it's a typo but you should use a /24 mask. And also, you shouldn't add a rule for 66.92.167.36, that's your external network.
Rules in section "Internal networks" are meant to allow access from your internal machines to the Internet. So you should add the following rules and not the ones above:

   192.168.1.0/24 - Any - Any - "Outbound ETH1"     
   192.168.2.0/24 - Any - Any - "Outbound ETH2"

Note the /24.


Quote
Routes: I tried it with none (it seemed optional). But, when I couldn't access the Internet from the ETH1 segment, I added the following route from the Network to the Gateway:

   192.168.1.1/32 -> 66.92.167.36

Gateways: I have two Gateways, one for the Internet and one for the internal ETH1.

   Internet Gateway (ETH0), 66.92.167.36, ETH0 (set as default)
   ETH1 Gateway, 192.168.1.1, ETH1

I'm not following you here. I think this is wrong. Your internet gateway should be 66.92.167.x where x != 36 as that's the address of eBox in the 66.92.167.0/24 network.

I don't understand the 192.168.1.1 bit either. You don't need a gateway to access 192.168.1.0/24 as your machine is already connected to that network.

JMan

Re: Multiple NICS and rerouting inbound HTTP
« Reply #7 on: September 02, 2008, 01:32:09 pm »
Thanks, Javi !

I'll rework it tonight and let you know the results. The reason I thought there was a need for two gateways was based on the comments in the wiki.

I appreciate your feedback !

JMan

Re: Multiple NICS and rerouting inbound HTTP
« Reply #8 on: September 07, 2008, 12:49:00 am »
Javi,

The /32 setting was the only setting that eBox would accept. It didn't make sense to me when I did the input, but eBox wouldn't accept /24. Weird.

I'm going to review the initial settings over this weekend, but I'm drawing a blank. I've double-checked the NIC settings (ifconfig), and everything is set just as I recorded it for you.

javi

Re: Multiple NICS and rerouting inbound HTTP
« Reply #9 on: September 08, 2008, 10:00:03 am »
Quote
The /32 setting was the only setting that eBox would accept. It didn't make sense to me when I did the input, but eBox wouldn't accept /24. Weird.

If you set a /24 mask the last part of the IP address must be 0. Can you double check that?

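The two rule problems javi points out above (Reply #6: the /32 host entries and the external address in the "Internal networks" section; Reply #9: with a /24 mask the last octet must be 0) can be checked mechanically. The following is an added example, not code from the thread or from eBox itself: it uses Python's standard `ipaddress` module to validate each source network the way the GUI does (host bits must be zero) and to flag entries that cannot do what the rule name says. The addresses and the three posted rules are copied from JMan's configuration post; the verdict labels are this example's own.

```python
import ipaddress

# Addresses taken from the thread: the eBox's external address on eth0 and
# its interface address in each internal subnet (eth1, eth2).
EBOX_EXTERNAL_IP = ipaddress.ip_address("66.92.167.36")
EBOX_INTERNAL_IFACES = {
    ipaddress.ip_address("192.168.1.1"): ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_address("192.168.2.1"): ipaddress.ip_network("192.168.2.0/24"),
}
INTERNAL_NETS = tuple(EBOX_INTERNAL_IFACES.values())

# The three "Internal networks" source rules exactly as posted (constructed list).
POSTED_RULES = [
    ("66.92.167.36/32", "Outbound ETH0"),
    ("192.168.1.1/32", "Outbound ETH1"),
    ("192.168.2.1/32", "Outbound ETH2"),
]


def strict_network(cidr):
    """Parse a CIDR the way the GUI does: host bits must be zero.

    Returns (network, None) on success, or (None, suggestion) when the host
    bits are set, where suggestion is the network address with the same
    prefix, e.g. '192.168.1.1/24' -> '192.168.1.0/24'.  Unparseable input
    gives (None, None).
    """
    try:
        return ipaddress.ip_network(cidr, strict=True), None
    except ValueError:
        pass
    try:
        # strict=False masks the host bits off, which is the address the GUI wants
        return None, str(ipaddress.ip_network(cidr, strict=False))
    except ValueError:
        return None, None


def check_rule(cidr):
    """Classify the source network of one 'Internal networks -> outside' rule.

    Returns (verdict, suggested_source):
      'invalid'    host bits set (or unparseable); the GUI will not accept it
      'external'   the eBox's own external address; it does not belong here
      'too_narrow' a /32 naming only an eBox interface, so no LAN client matches
      'ok'         a network or single host inside one of the internal subnets
      'unknown'    a network the eBox is not attached to
    """
    net, fix = strict_network(cidr)
    if net is None:
        return "invalid", fix
    if net.prefixlen == net.max_prefixlen:
        host = net.network_address
        if host == EBOX_EXTERNAL_IP:
            return "external", None
        if host in EBOX_INTERNAL_IFACES:
            # the rule matches the gateway's own address, not the clients behind it
            return "too_narrow", str(EBOX_INTERNAL_IFACES[host])
    for lan in INTERNAL_NETS:
        if net.version == lan.version and net.subnet_of(lan):
            return "ok", str(net)
    return "unknown", None


def audit(rules):
    """Return (posted_source, rule_name, verdict, suggestion) for every rule."""
    return [(cidr, name) + check_rule(cidr) for cidr, name in rules]


if __name__ == "__main__":
    for posted, name, verdict, fix in audit(POSTED_RULES):
        print(f"{posted:<18} {name:<14} {verdict:<11} {fix or ''}")
```

Run against the posted rules, the external entry is reported as `external` with no replacement, and the two /32 interface entries are reported as `too_narrow` with `192.168.1.0/24` and `192.168.2.0/24` as the sources to use instead, which is exactly the correction given in Reply #6. Feeding it `192.168.1.1/24` reproduces the rejection JMan saw: the host bits are set, and the suggested fix is `192.168.1.0/24`.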
JMan

[SOLVED] Re: Multiple NICS and rerouting inbound HTTP
« Reply #10 on: September 08, 2008, 04:09:24 pm »
Javi,

I didn't get a chance to read your note in time. I went ahead and de-configured the eBox and started from scratch. This time when I got to setting up the firewall rules for outbound access, it made sense that eBox was looking for a subnet range. Of course it had to be 192.168.1.0/24 !

I wasn't thinking in that way on my initial set-up, because I just assumed some sort of route was going to be configured for everything on eth1. Why ? Because that was my experience on IPCop and I've carried forward those perceptions.

So, the multiple NICS are humming nicely. The port forwarding worked immediately for HTTP and SMTP on eth2. The DHCP is working great.

I'm looking forward to making the mail filters work and adding OpenVPN. Then, I'll be singing to everyone about eBox.

Thanks again, Javi.