Need help on network design/VPN

[bbking]

Hi there,

I am currently trying to deploy a zentyal solution on a small office with 9 users.
We have an xDSL connection with a 4 port router and behind it the zentyal server is supposed to provide VPN, SMB+domain controller services.

We want to keep the router as the gateway to the internet, because even if the zentyal server has a physical failure, working over the internet should be possible (there is a backup router with the same config available on the shelf as well).

Right now I have to interfaces (WAN,LAN) pointing to the same network (see picture below). According to the documentation this is neccesary, to be able to run VPN.
I created a VPN server and after port-forwarding port 1194 I can successfully connect to the internal network.
My problems:
1) Right now I can't open the zentyal-admin interface on https://192.168.10.1/ebox/ but this used to work the last time I checked (2 weeks ago). Right now it loads forever, I only get a white screen (Edit: http://192.168.10.1 gives me the standard Apache page "It works!").
2) I also have a problem, when trying to connect from the internal PCs to Zentyal, I always get a timeout (even ping does not work). But I can ping the PCs from Zentyal. In the firewall logs I see only "DENY" logs for the PC requests.
I enabled all services over WAN, but I still cannot connect in any way to Zentyal.
3) Does anybody have a better setup approach or can someone give me a hint regarding the firewall?

Thanks a lot in advance!

Best regards
BBKing

[brian_mosher]

I am a complete Noob to this, so take my response for what it's worth, but I had the same problem where I couldn't reach the Zentyal server from my internal PCs. You have to have the internal and external interfaces on 2 different subnets. For instance my internal is 10.0.0.254 and external is 10.0.1.254. Your Gateway would need to be the LAN IP of your DSL and tied to your External interface.

The reason I ran across this post is because I'm trying to figure out for VPN if I need to forward UDP 1194 to the internal interface IP or the External interface IP. Unfortunately I have to go through my ISP to make changes on the firewall, so I can't just trial and error myself. If anyone has the answer to that, I'd appreciate it.

[bbking]

Thanks for your answer and it's quite what I've expected. The problem is, the xDSL router is doing the DHCP job, because, as mentioned above, even if the Zentyal box fails internet access must be present for the employees.
But I guess I have to figure out something else, because this setup might not work.

To your question: you have to port-forward 1194 to your WAN, that's what I did in this case and it's working.

[Sam Graf]

I don't understand the value of having two interfaces on the same subnet. If VPN can work via port forwarding, I would think it would work through a single interface. So I suggest trying to use a single interface.

I'm assuming the documentation is referring to a "normal" setup, with Zentyal doing the routing between the WAN and the LAN. In this case, Zentyal isn't doing the routing for anything but the VPN connection, if I'm not mistaken.

[bbking]

okay, thanks, I will try disabling the LAN interface.

Do you know if there is the possibility to unblock all connections from the internal network on the WAN interface? I thought I did it, but the firewall log is full with DENY logs....

Thanks

[J. A. Calvo]

What rules do you have in the "Internal networks" section of your firewall?

[nicolasdiogo]

you will need an external NIC in subnet 192.168.10.0/24 (eg:  192.168.10.1 as you suggested)
then for the intranet - create another subnet which is managed by Zentyal - like 10.8.98.0/24 or any subnet under "24-bit block", see:
http://en.wikipedia.org/wiki/Private_network

but you will need Zentyal to run DHCP, VPN modules to setup your VPN correctly.
check the docs on howto setup - you might want to create network objects:
http://doc.zentyal.org/en/dhcp.html

[bbking]

Thanks for your hints - in the meantime I realized 2 things:
1) I DO need a LAN interface, as the connection over VPN should be routed to the internal network. Otherwise I could probably access the Zentyal machine but not the other PCs in the network.
2) There is no other way than doing DHCP and VPN on the same device. Be it a VPN-capable router or moving the Zentyal-box to the position of the router.

I think I'll get a dual power supply for the machine, so I'll be on the safe side - we already have a UPS supplying the box.

Speaking of this - are there any plans to have a UPS-module in Zentyal? It would be awesome if I could quickly configure ups support and maybe do a SNMP broadcast on power fail.

[bbking]

What rules do you have in the "Internal networks" section of your firewall?

I just don't manage to get through to the login window of the web interface. I think it has something to do with the certificate, because https://192.168.10.1/ebox/ loads forever, while http://192.168.10.1/ebox/ gives me a "Can't find page" site, and http://192.168.10.1/ delivers the standard apache site "It works!"

Any hints on this?

Thanks

[J. A. Calvo]

You should always use https to access the administration interface.

To discard a firewall problem, try again executing the following first:

iptables -I INPUT -j ACCEPT

After the test, for security reasons, you can restore your firewall configuration with "/etc/init.d/ebox firewall restart".