Author Topic: Object Policy's  (Read 4878 times)

Escorpiom

  • Zen Hero
  • Posts: 897
  • Karma: +25/-1
Re: Object Policy's
« Reply #15 on: September 06, 2011, 02:52:10 am »
If you choose to set a static IP, that means that Zentyal is not handing out IPs. The client is configured with an IP address in the same subnet, uses Zentyal as the default gateway and needs a DNS server.
If you currently have the iMac on a static IP, that is not going to change when you activate the proxy, if that is your question.

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

Sam Graf

  • Guest
Re: Object Policy's
« Reply #16 on: September 06, 2011, 03:32:30 am »
... Is there something with those items and their IP configurations that I need to manually set them to have the static IP, or should they work the way I am hoping?
We use iPads at work and they have static IP addresses assigned through Zentyal, so at least in the iPad's case, it seems to me that it should work as you intend. We've not given the iPads any special treatment.

I'm having trouble thinking where the breakdown here is occurring. There really aren't that many places where things could go wrong. If the device is in fact connecting to Zentyal on its internal interface, if the object's MAC addresses are correct, if the object's IP addresses are in the correct subnet and not duplicated elsewhere and not taken from a defined range, and if the object has been included in Zentyal's DHCP service for the internal interface, it should just work. And proxy policies for the same object should then also work.

So as I've been reading along here I'm at a loss. Beyond operator error ( :-[ ) I've not had any experience with Zentyal's static assignments failing at all, let alone routinely. And I rely on that feature heavily. It baffles me that your setup isn't working.

The only thing that I wonder about is whether or not you are experiencing a difference in device behavior depending on whether or not the device is a wired device or a wireless device. If all wired devices work as expected and all wireless devices are not working as expected long term, maybe we need to look closer at how the wireless connections are taking place.

Vanish

  • Zen Apprentice
  • Posts: 20
  • Karma: +1/-0
Re: Object Policy's
« Reply #17 on: November 01, 2011, 04:36:21 am »
Sorry for the delay on the responses, ended up going for surgery. 

Back to the issues...

I have still not been able to make the iPads take a static IP via the Zentyal routes; in fact the issue is with all my wireless items.  Now I am not using a true AP (a D-Link DIR-655, for which there is no available DD-WRT) for one of our wireless networks, and the other wireless network is running DD-WRT firmware on a Linksys WRT54G wireless router set to AP mode.  Could these be causing our IP issues?

Thanks
Jon

Escorpiom

  • Zen Hero
  • Posts: 897
  • Karma: +25/-1
Re: Object Policy's
« Reply #18 on: November 02, 2011, 12:43:25 am »
I'm starting to lose track...
Please start with checking how your "network objects" have been set up in Zentyal. Remove all spaces, underscores, capitals and hyphens from the names, both object names and members.
This is the first important step if you want to have Zentyal assigning a static IP to clients. I call this Marcus' rule.
Quote
Jons iPad
iPod Touch
This is definitely not going to work for static DHCP.
 
If that doesn't solve your issue:
If I understand correctly, the issue is not only with the iPads but with all your wireless items? You have two APs, one is a D-Link DIR-655 and the other is a WRT54G with DD-WRT on it?

The DIR-655 can be used as an AP also if you wish. If it is acting as a router or gateway, its clients will never get an IP from Zentyal but instead from the DIR-655 if it has its DHCP server activated.
If you set the wireless clients with a static IP, their gateway will be the DIR-655 and that IP address will have to fall in the same space as the DIR-655 LAN IP.

If the other router is a true AP, then you would rather not activate its DHCP server. Generally, it's not a good idea to have multiple DHCP servers on your network.
Static IP and Zentyal gateway for clients on that AP won't be a problem because no router/firewall is active.

I have two DIR-300s and both have been flashed with DD-WRT. The only issue I ran into was incompatibilities with the WPA2+AES encryption security.
I had to use WPA personal+AES to get everyone on the AP.
   
At this very moment I have Zentyal handing out IPs for clients connected to the AP. Client isolation has been enabled and all works OK.
 
Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

Vanish

  • Zen Apprentice
  • Posts: 20
  • Karma: +1/-0
Re: Object Policy's
« Reply #19 on: November 30, 2011, 05:31:35 am »
Quote
Please start with checking how your "network objects" have been set up in Zentyal. Remove all spaces, underscores, capitals and hyphens from the names, both object names and members.
This is the first important step if you want to have Zentyal assigning a static IP to clients. I call this Marcus' rule.

Check. Did this and this helped out a TON.  My iPad and Android phone are now taking the IP I am directing them to take.  Marcus' Rule = WIN!

Quote
The DIR-655 can be used as an AP also if you wish. If it is acting as a router or gateway, its clients will never get an IP from Zentyal but instead from the DIR-655 if it has its DHCP server activated.
If you set the wireless clients with a static IP, their gateway will be the DIR-655 and that IP address will have to fall in the same space as the DIR-655 LAN IP.

If the other router is a true AP, then you would rather not activate its DHCP server. Generally, it's not a good idea to have multiple DHCP servers on your network.
Static IP and Zentyal gateway for clients on that AP won't be a problem because no router/firewall is active.

I have two DIR-300s and both have been flashed with DD-WRT. The only issue I ran into was incompatibilities with the WPA2+AES encryption security.
I had to use WPA personal+AES to get everyone on the AP.
   
At this very moment I have Zentyal handing out IPs for clients connected to the AP. Client isolation has been enabled and all works OK.

Check, I have the APs working properly now too.

Now I have played with the object policies and have got them to work with limited success.  I have the Transparent Proxy active and I can make a policy shut down the network to selected devices at 22:00 as directed.  However, I can not put the time limits I am wanting in play (22:00 to 08:00), so that policy will shut down the access from 22:00 to 23:59.  Now I have tried making a second object group (as you are limited to only 1 object policy per object group) that is the same as the primary group and created a second object policy that shuts access off from 00:00 to 08:00, and it is in first, then the other policy (which has the same devices in it) shuts down from 22:00 to 23:59.

Now I can make one policy work just fine.  No issues, it deactivates and reactivates as expected, but as soon as I add the second policy in so I can get the time frames I am wanting, it has issues: the connection is dropped randomly throughout the day.

I have tried setting the Transparent Proxy to Always Deny and just using the object policy to allow during 08:00 to 22:00.  But then I have to make a policy to allow full-time access to the rest of the network by putting each of the computers into an object and activating it like that, which doesn't work as we have many visitors in our home and I do not want to have to add each of them as well.

Any help I could get with this would be awesome or if you need me to explain it better ask the questions needed and I will answer them to the best of my ability.

Thanks
Jon

Escorpiom

  • Zen Hero
  • Posts: 897
  • Karma: +25/-1
Re: Object Policy's
« Reply #20 on: November 30, 2011, 06:28:26 am »
I hear you. That part of Zentyal is still work in progress, at least for me. Some others have reported inconsistencies with object policies.
I'd go for the second option you mentioned. Set default policy always deny and allow the objects from 8.00 until 22.00.
The idea is, for your visitors for whom you can't (or won't) make objects, just create one object "dhcpguests" and put some (let's say 10) IP addresses inside but leave the MAC field for those addresses empty. That group you put in the always allow policy. If someone visits you and the MAC address is not in one of your other groups (with limited access) then he will just get an IP from the "DHCP Guests" object and be able to use the network without restrictions.

The only vulnerable part is that clients that are not allowed may spoof their MAC and get an "always allow" IP.

Anyway I'm glad you sorted out the rest of your issues.
Cheers.


Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

robb

  • Guest
Re: Object Policy's
« Reply #21 on: November 30, 2011, 10:28:38 am »
I haven't seen this in the discussion yet, so can you check if Zentyal is the only DHCP server on your network? If, for instance, your router is also actively giving out IP addresses, you have a problem with your rules.

Vanish

  • Zen Apprentice
  • Posts: 20
  • Karma: +1/-0
Re: Object Policy's
« Reply #22 on: November 30, 2011, 06:25:26 pm »
I hear you. That part of Zentyal is still work in progress, at least for me. Some others have reported inconsistencies with object policies.
I'd go for the second option you mentioned. Set default policy always deny and allow the objects from 8.00 until 22.00.
The idea is, for your visitors for whom you can't (or won't) make objects, just create one object "dhcpguests" and put some (let's say 10) IP addresses inside but leave the MAC field for those addresses empty. That group you put in the always allow policy. If someone visits you and the MAC address is not in one of your other groups (with limited access) then he will just get an IP from the "DHCP Guests" object and be able to use the network without restrictions.

The only vulnerable part is that clients that are not allowed may spoof their MAC and get an "always allow" IP.

Anyway I'm glad you sorted out the rest of your issues.
Cheers.

I have thought of doing this, but my daughter(s) are pretty smart and will learn this trick WAY too fast.  I am going to work with the 2 different policies for a bit and see if I can get them to work out for me.  I will check back in, in a few days, with an update if I figure them out.  In the meantime, I will try your suggestion and see how it goes for the time being.

I haven't seen this in the discussion yet, so can you check if Zentyal is the only DHCP server on your network? If, for instance, your router is also actively giving out IP addresses, you have a problem with your rules.

I have the DHCP thing all figured out now thanks to Marcus' Rule.  Thanks though.

Thanks

Jon

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
  • Posts: 1225
  • Karma: +12/-0
Re: Object Policy's
« Reply #23 on: December 01, 2011, 09:16:49 am »
Hello,

there was a regression in HTTP proxy's object policy in the 2.2 series. It affected when the objects had a filter policy and the global policy was set to anything else than 'Filter' or 'Authorize and filter'.

Maybe this was causing some of you trouble?

The fix is in changeset 23714 ->  http://trac.zentyal.org/changeset/23714

Regards,
Javier

Vanish

  • Zen Apprentice
  • Posts: 20
  • Karma: +1/-0
Re: Object Policy's
« Reply #24 on: March 20, 2012, 04:12:07 am »
Quote
Hello,

there was a regression in HTTP proxy's object policy in the 2.2 series. It affected when the objects had a filter policy and the global policy was set to anything else than 'Filter' or 'Authorize and filter'.

Maybe this was causing some of you trouble?

The fix is in changeset 23714 ->  http://trac.zentyal.org/changeset/23714

Regards,
Javier

Since I have upgraded to v2.2 on my server and done some minor tweaks I have been able to make my object policies work properly.  I have created 3 objects with policies and everything is working wonderfully.

However, I have run into some limitations that I am unsure how to overcome.

I have created a 'limited access' user for whom the net is only available from 08:00 to 22:00, and when it comes to http access the policy is working well.  However, if I am using my iPad and trying to access the web through a specific app, then the net is still open.  For example, I try to access http://www.facebook.com after 22:00 and it says it is denied, but if I use my Facebook app on my iPad it works fine.

From the reading I have done, this is because I am using a transparent proxy.  However, I don't have the slightest idea where to start on creating a proxy server on my Zentyal box to be able to have better restriction on my network.  Any help with this would be much appreciated.

*** Also, I have successfully been able to add a VNC server to Zentyal as well as created media shares that a WD Live TV can see and access movies from.  If you have questions on either of these items, please let me know and I will help as much as I can. ***

Thanks

Jon

vshaulsk

  • Zen Samurai
  • Posts: 477
  • Karma: +9/-1
Re: Object Policy's
« Reply #25 on: March 20, 2012, 01:41:04 pm »
To get away from transparent proxy.... you just have to go to the proxy module and uncheck the transparent mode.

Now you will have to configure all your machines to point to the correct port (This port is listed under the proxy module).  Also make sure that this port is opened in your internal firewall.

Manually configuring your machines works well for desktops and machines that will not leave your work area.  If, however, you have machines such as notebooks, laptops, iPads, etc. that might be using wifi outside of the work area, that is going to cause a problem.  You will have to manually reconfigure those machines to not use the defined proxy server every time you leave the work area.

Now there is a solution to solve this problem as well.  If you search the posts here for proxy.pac, you will find how to make your machines automatically configure the correct proxy settings.  I have to add that I don't use this automatic configuration so I am not sure how it works with iPads or phones.  I can tell you that I did test it for my notebooks and it worked properly.

Good luck !!

Vanish

  • Zen Apprentice
  • Posts: 20
  • Karma: +1/-0
Re: Object Policy's
« Reply #26 on: March 20, 2012, 04:19:48 pm »
Quote
To get away from transparent proxy.... you just have to go to the proxy module and uncheck the transparent mode.

Now you will have to configure all your machines to point to the correct port (This port is listed under the proxy module).  Also make sure that this port is opened in your internal firewall.

Manually configuring your machines works well for desktops and machines that will not leave your work area.  If, however, you have machines such as notebooks, laptops, iPads, etc. that might be using wifi outside of the work area, that is going to cause a problem.  You will have to manually reconfigure those machines to not use the defined proxy server every time you leave the work area.

Now there is a solution to solve this problem as well.  If you search the posts here for proxy.pac, you will find how to make your machines automatically configure the correct proxy settings.  I have to add that I don't use this automatic configuration so I am not sure how it works with iPads or phones.  I can tell you that I did test it for my notebooks and it worked properly.

Good luck !!

I am using this for home purposes ATM and am learning on it at the same time.  This way I am able to put it into my business when I am efficient at it.  As for a full proxy, I know I would have to set up each individual machine/wireless device to make it work, which I do not want to have to do because I have a teenage daughter that I am trying to throw these permissions at without her knowing.  I am currently running 2 wireless access points where one of them shuts the wireless off at 22:00 so there is no access at all, but I would like her to be able to still access the internal network, just no web access.

I will look into that proxy.pac and see how it works, but in the meantime is there a way to make the transparent proxy work for me?

Thanks

Jon


vshaulsk

  • Zen Samurai
  • Posts: 477
  • Karma: +9/-1
Re: Object Policy's
« Reply #27 on: March 20, 2012, 06:42:50 pm »
What I find strange is that the apps do not get restricted like regular http traffic.  I guess the question is, do the apps use http or https?

If they would use https it would make sense because https traffic is not proxied.

Now currently there is no way to proxy https traffic with a transparent proxy, but only with a non-transparent one.  As I said, one option would be to use an automatic proxy configuration such as proxy.pac.

However another option is to block https traffic (port 443) in the firewall for the specified length of time.  I know you don't want to do this manually every day and morning, but you could create a cron job that runs at a specified time every day.  It could be just a simple one:

Cron job a:  Block port 443 for subnet xxx.xxx.xxx.xxx/24    execute cron job every day at 22:00
Cron job b:  Allow port 443 for subnet xxx.xxx.xxx.xxx/24    execute cron job every day at 8:00

Now I don't know the exact code in the cli to block or unblock specific ports for a specific subnet, but I am sure you can find it through google.

Anyway this is how I would attempt to do this if I had to block the https(443) port for a specific time and for a specific IP address or subnet.
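
The two cron jobs above, as an added example that is not vshaulsk's script or anything shipped with Zentyal: a POSIX shell script with the subnet as a constructed placeholder, which inserts and removes the iptables rule idempotently and also checks the clock on every run, so a box rebooted in the middle of the night still ends up in the right state.

```shell
#!/bin/sh
# Added example: time-based block of outbound HTTPS (port 443) for one
# subnet, as the two cron jobs above describe. The subnet and the
# REJECT action are assumptions; adjust them to your own LAN.
SUBNET="192.168.1.0/24"   # constructed placeholder, not from the thread
BLOCK_START=22            # block from 22:00 ...
BLOCK_END=8               # ... until 08:00 the next morning

# The rule is built once, in a function, so insert, check and delete
# all use exactly the same match and never drift apart.
rule_args() {
    echo "FORWARD -s $SUBNET -p tcp --dport 443 -j REJECT --reject-with tcp-reset"
}

# True (exit 0) when hour $1 (0-23) lies in the 22:00-08:00 window.
# The window wraps past midnight, so "hour >= 22 OR hour < 8" is needed;
# this wrap is what forced two separate object policies earlier on.
in_block_window() {
    [ "$1" -ge "$BLOCK_START" ] || [ "$1" -lt "$BLOCK_END" ]
}

block_https() {
    # -C tests whether the rule already exists, so repeated cron runs
    # never stack duplicate copies of it.
    iptables -C $(rule_args) 2>/dev/null || iptables -I $(rule_args)
}

allow_https() {
    # Remove every copy, in case one was also added by hand.
    while iptables -C $(rule_args) 2>/dev/null; do
        iptables -D $(rule_args)
    done
}

# Apply whatever the current hour calls for. Running this every few
# minutes (not only at 22:00 and 08:00) restores the rule after a
# reboot or anything else that flushes the iptables tables.
reconcile() {
    hour=$(date +%H)
    hour=${hour#0}        # "08" -> "8" so the numeric test is unambiguous
    if in_block_window "$hour"; then block_https; else allow_https; fi
}

# Suggested root crontab entries (script path is an assumption):
#   0  22 * * *   /usr/local/sbin/https-window.sh block
#   0   8 * * *   /usr/local/sbin/https-window.sh allow
#   */5 * * * *   /usr/local/sbin/https-window.sh reconcile
case "${1:-}" in
    block)     block_https ;;
    allow)     allow_https ;;
    reconcile) reconcile ;;
esac
```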

vshaulsk

  • Zen Samurai
  • Posts: 477
  • Karma: +9/-1
Re: Object Policy's
« Reply #28 on: March 20, 2012, 06:45:03 pm »
On my system I have Webmin installed in order to create cron jobs more easily (well, and to manage my disks + RAID + mount configuration).