Topic: Weird connection issues post-install [SOLVED]

MikeHartman

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
Weird connection issues post-install [SOLVED]
« on: September 13, 2011, 10:12:53 pm »
I'm having trouble getting even the most basic functionality on a brand-new Zentyal install working.

I just downloaded the current stable ISO last night and installed it on an old PC with two NICs. The goal is to have that PC act as router/gateway/firewall/dhcp server/local dns server. Layout looks like "Internet->eth0", "eth1->switch->other machines". I seem to have all the appropriate modules installed.

eth0 is set up as a WAN interface with DHCP, and is getting an external IP from my ISP fine. eth1 is configured as internal, static, with IP 192.168.1.1. I set it up to use 4.2.2.2 and 4.2.2.3 as the DNS servers. I started up the DHCP server and specified an address range.

Here's where it gets weird.

From the zentyal machine, I can ping 4.2.2.2 successfully. But I can't look up "www.google.com". Anything involving DNS seems to fail, even though I can ping that DNS server. Also, even though I configured eth1 as static with IP 192.168.1.1, it's actually picking up a dynamic IP from zentyal via DHCP and showing up in the leases box of the dashboard.

Other machines attached to the switch successfully get an IP address from zentyal, but can't even ping 4.2.2.2. They also don't seem to be able to connect to the zentyal machine properly, to open the web interface for example. And I can't access web interfaces on those machines from the zentyal machine. But they must be able to connect to some extent or they wouldn't be getting IPs...

I've completely disabled the firewall module in case that was interfering somehow.

Something seems pretty hosed up here. I would think a plain vanilla router/gateway setup would work pretty well out of the box. Am I missing something?
« Last Edit: September 28, 2011, 12:01:10 am by MikeHartman »

christian

  • Guest
Re: Weird connection issues post-install
« Reply #1 on: September 13, 2011, 10:30:35 pm »
I don't know if you are missing something or if there is something wrong with your set up but I can tell you that out of the box install works very well for what you intend to do.
So I suppose there is something wrong somewhere...
I suspect something with default gateways but the strangest one is that you can't join Zentyal from the LAN.

Would you mind explaining a bit more of your network topology? Please also elaborate on your DHCP settings (for eth1).

MikeHartman

Re: Weird connection issues post-install
« Reply #2 on: September 13, 2011, 10:59:42 pm »
*** PARTIAL SOLUTION ***

After reading your message I checked under Core->Network->Gateways and noticed that the dhcp-gw-eth0 gateway that was created automatically didn't have a checkmark under "Default". I enabled that and it fixed a few things (but not everything):

- The zentyal machine can now load www.google.com, so I assume the DNS is ironed out there.
- The client machines can ping the zentyal machine and load its admin interface (although it's still using an IP provided by DHCP instead of the one I configured on the interface)
- The zentyal machine can ping the client machines. I assume it could probably load a web interface on one of them but I don't currently have anything like that connected to test.

But the client machines still have no passthrough connectivity to the internet.

*** BACK TO THE TROUBLESHOOTING ***


Right now my network topology is extremely simple while I troubleshoot these issues. Basically just Internet->zentyal machine->switch->laptop.

My Internet is Verizon FIOS. There is no modem - I have an ethernet line running straight from the fiber termination to the zentyal machine. This setup worked with my previous router (a linksys) and seems to work here since I'm getting an external IP ok.

The idea is for the zentyal machine to have IP 192.168.1.1 on the LAN and handle pretty much everything in terms of network services. I'll just run down the list of my settings.

Core->Module Status:

I have Network, Firewall, Antivirus, DHCP, DNS, Events, IDS, Logs, Monitor, VPN, Traffic Shaping, Users and Groups, VoIP, File Sharing, HTTP Proxy, User Corner and Printer Sharing. All are enabled except Firewall, Traffic Shaping and HTTP Proxy. Not using most of these yet though so their settings are largely untouched.

Core->Network
    ->Interfaces
        eth0, DHCP, External (WAN) checked
        eth1, Static, External (WAN) NOT checked, IP 192.168.1.1, Netmask 255.255.255.0
    -> DNS
        4.2.2.2
        4.2.2.3
    -> Gateways
        enabled, dhcp-gw-eth0, IP 96.253.(*).(*), interface eth0, weight 1, default is checked (NOW)
    -> Static Routes
        none
Core->Services  (I don't really know what half of these are supposed to do)
        VoIP, internal checked
        any, internal not checked
        any TCP, internal not checked
        any UDP, internal not checked
        dhcp, internal checked
        dns, internal not checked
        eBox admin, internal checked
        ipp, internal checked
        ldap, internal checked
        samba, internal checked

Infrastructure->DHCP
    ->Common Options
        Default gateway: Zentyal
        Search domain: none
        Primary nameserver: local Zentyal DNS
        Secondary nameserver: none specified
        NTP server: none
        WINS server: none
        DHCP ranges: "dynamic", from 192.168.1.100 to 192.168.1.254
    -> Advanced options
        Default lease time: 1800 s
        Max. lease time: 7200 s
Infrastructure->DNS - nothing set up here yet

There are plenty of other config pages, but I haven't touched any of those other features yet and I don't think they'd have anything to do with such a basic issue...

MikeHartman

Re: Weird connection issues post-install
« Reply #3 on: September 13, 2011, 11:48:36 pm »
One other thing I just noticed:

While the client machines can't connect to the internet (ping 4.2.2.2 fails) they do seem to be able to connect to everything on the zentyal machine now. Because if I ping www.google.com, it does resolve that host to 74.125.91.147 (before proceeding to fail because it can't connect to 74.125.91.147).

The DNS is running on zentyal (192.168.1.1) and that's my only entry in /etc/resolv.conf on the client machine, so that seems to be where the resolution is coming from. Progress.

So main issue at the moment - why is no internet traffic being passed through to the clients? If zentyal has a connection to the internet, and the clients have a connection to zentyal, then it seems like zentyal is either actively blocking the traffic or at least failing to pass it.

christian

Re: Weird connection issues post-install
« Reply #4 on: September 14, 2011, 07:10:44 am »
Thank you for this very detailed network description. It may help later.
So, we progress a bit, hopefully in the right direction  ;)

Now that default routing is fixed, let's look at services you want to use:

Quote
But the client machines still have no passthrough connectivity to the internet.

Except if you decide to authorize everything (and I'll comment on this hereafter), "passthrough connectivity" is a bit misleading and you should instead describe the service you intend to use, e.g. access to the internet with a browser to reach web servers.
This means that you either have to enable the HTTP proxy module or set firewall rules so that access is granted from the internal network (LAN) to the internet.
As I notice HTTP proxy is not installed, this is what you have to do first.

If you intend to authorize everything in "passthrough" mode:
- Then why do you put Zentyal in the middle? It will be more efficient to have a simple router with NAT. It can still provide DHCP, DNS, mail but doesn't need to work in "traversing" mode.

MikeHartman

Re: Weird connection issues post-install
« Reply #5 on: September 14, 2011, 07:57:02 pm »
Let me rephrase what I'm trying to accomplish, because I don't think it's that unusual.

I'm trying to replace my old linksys router with something more full-featured. I want better monitoring, logging, more granular control over a lot of things, etc. I'll probably move my web server onto that same machine eventually too. The basic behavior of that old router is to allow every outgoing connection by default, but block every incoming connection by default. So computers on the network can browse the web, use ftp, ssh, game online, etc. but any incoming traffic is caught by the firewall unless a specific port forward is set up (say to forward port 80 to my web server, or ssh to a specific machine on the network).

That's basically what I'm trying to duplicate here at minimum. I plan on building on that and adding some more advanced behaviors into the mix eventually, but for now I'd be happy just getting the really basic router/firewall behavior working. I've been stuck without the internet since I started this zentyal installation a couple days ago. I'm only able to respond to this via my phone.

christian

Re: Weird connection issues post-install
« Reply #6 on: September 14, 2011, 10:05:12 pm »
Mike,

No there is nothing unusual.
The very minimum is a firewall authorizing connections from the internal network to the internet on ports 80 & 443 if you want to authorize outgoing HTTP & HTTPS.
With the DNS module, it avoids authorizing firewall requests through the firewall, plus it provides some cache.
You don't need anything else (unless I'm wrong) to permit web browsing from LAN to Internet.

MikeHartman

Re: Weird connection issues post-install
« Reply #7 on: September 14, 2011, 10:12:10 pm »
Thanks! Can you spell that out for me a bit more though?

Right now I have the firewall totally disabled. Are you saying that without the firewall on it defaults to everything blocked vs everything allowed? That's not what I expected but I can work around that.

So it sounds like I need to enable the firewall, and then add a rule to allow outgoing traffic only from the lan to the internet. Where exactly would I make that change? And is there a way to do one rule that opens all ports (again, for outgoing traffic only)?

christian

Re: Weird connection issues post-install
« Reply #8 on: September 14, 2011, 10:28:47 pm »
No, I'm saying that in order to replicate what you had with your previous device and filter incoming flow, the very minimum is firewall.

1 - Ensure that in the Service/service menu, you have a service for HTTP.
2 - Go to Firewall, then the packet filter section. You will have, on the right, one section to configure rules for "Filtering rules for internal networks". Click there and add one rule (add new) to ACCEPT source ANY destination ANY service "the one describing HTTP".

Ensure the Firewall module is enabled. This should work...  ::)

MikeHartman

Re: Weird connection issues post-install
« Reply #9 on: September 14, 2011, 10:32:11 pm »
Awesome, that seems to have done the trick. Thanks so much! There's plenty more I want to tweak, but at least with the internet available to the rest of the house again I can do it from someplace more comfortable than my networking closet.

Mike

christian

Re: Weird connection issues post-install
« Reply #10 on: September 14, 2011, 10:37:49 pm »
Well, it works  ;D Nothing surprising still  8)

Then now that it works, you have to understand that Zentyal can do much more than simple firewalling  :P
Additional filtering with proxy may help, as well as DNS caching and some other stuff too. The point is really, as I wrote earlier, to define services you want to use so that you can make the right design choice.

MikeHartman

Re: Weird connection issues post-install
« Reply #11 on: September 15, 2011, 12:14:17 am »
Yeah, I definitely plan on fiddling with a lot of those other modules later. At the moment I'm just trying to get back most of the functionality I already had with the old router so I have a familiar foundation to build on.

On that note, I've run into one more basic networking problem (hopefully the last). Every computer attached to the switch can now get on the internet, load the zentyal web interface and ping each other. However, they can't use each other's network services as they could with the old router. For example, I can ping my media server from my laptop but I can't ssh into it. I get an "ssh: connect to host 192.168.1.11 port 22: Connection refused" message, even though that server is set up to allow incoming ssh connections. I can ssh from any computer to the zentyal server ok, but zentyal can't ssh into any of the other computers either.

The only firewall rule I have is under "Packet Filter->Internal Networks". It's set to ALLOW ANY source to ANY destination on ANY service. As I understand it, that should allow any connection that originates on the internal network. It's just a more permissive version of the http rule you suggested.

Any idea where it's getting hung up?
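
Added example, not part of any post in this thread: a small TCP probe that separates the outcomes a connection attempt like the ssh one above can have. "Connection refused" means something answered with a reset (the target itself or a rejecting rule), whereas a firewall that silently drops packets shows up as a timeout. The function names and the loopback demo targets are constructed for illustration.

```python
import errno
import socket

# What each outcome says about where the connection stopped.
MEANING = {
    "open": "handshake completed: a service is listening and the path allows it",
    "refused": "target (or a REJECT rule) answered with a reset: the host is "
               "reachable, so check that the service is listening on that "
               "address/port and the host's own firewall",
    "filtered": "no answer before the timeout: packets are being dropped "
                "somewhere, typical of a firewall DROP rule",
    "unreachable": "no route to the host: an addressing or routing problem",
}

def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused', 'filtered' or 'unreachable' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()

def diagnose(targets, timeout=2.0):
    """Probe each (host, port) and pair the state with its interpretation."""
    report = {}
    for host, port in targets:
        state = probe_tcp(host, port, timeout)
        report[(host, port)] = (state, MEANING[state])
    return report

if __name__ == "__main__":
    # Constructed demo: one listening port and one closed port on loopback.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))  # bound but never listening
    targets = [("127.0.0.1", s.getsockname()[1]) for s in (listener, closed)]
    for target, (state, why) in diagnose(targets).items():
        print(target, state, "-", why)
```

Running the same probe from two vantage points (a LAN client and the gateway) against the same host and port shows whether the result depends on the path or on the target itself.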

christian

Re: Weird connection issues post-install
« Reply #12 on: September 15, 2011, 12:22:17 am »
Wait a minute: is the Zentyal firewall between your clients and the servers they want to access?

MikeHartman

Re: Weird connection issues post-install
« Reply #13 on: September 15, 2011, 12:36:09 am »
No, that's what's confusing me. The setup is Internet->zentyal->switch->all these other computers. The same setup worked when I was using the old router instead of zentyal, so I don't think it has anything to do with the switch. And the switch really is just a dumb switch - it doesn't have any router or firewall features. Given that the zentyal firewall has a set of firewall rules just for the internal network I assumed it must have something to do with it.

MikeHartman

Re: Weird connection issues post-install
« Reply #14 on: September 15, 2011, 12:42:29 am »
Scratch that, I guess zentyal doesn't have anything to do with it. If I attach a wireless AP to the switch, and connect two laptops over wifi, I can ssh between them. But they still can't ssh to the media server. So it looks like it's only ssh traffic that goes over the switch that's the problem. Then again, I can ssh into the zentyal server from one of those laptops, and that connection also traverses the switch. I can't think why the switch would differentiate between the zentyal server and any of the others...