Author Topic: VPN and firewall problem

southy

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
VPN and firewall problem
« on: October 25, 2011, 10:25:08 am »
Hello everyone,
I have searched this forum but I didn't find a solution, so excuse me if I'm double posting. I'm new to eBox/Zentyal, so any help is welcome.

Here is a quick description of the configuration:
Server: VMWare machine,
Network:
    eth0 - internal, static, 192.168.2.17, mask 255.255.255.0;
    eth1 - external, static, 192.168.2.11, mask 255.255.255.0;
    gateway - 192.168.2.2

The first problem is the firewall: when I turn it on, access from the LAN (192.168.2.0/24) is unavailable although there is a rule for "internal networks to Zentyal" from any, services ssh and ebox admin. A similar thing happens when a client connects through VPN (I manually added this rule to "external networks to Zentyal"). After I disable the firewall it's available again. Is there any other way to display the firewall configuration except the Zentyal web interface and iptables from the command line?
Can anyone help, please?

The second problem is VPN setup. Current configuration is following:
VPN network is 10.0.1.0/24, without NAT, client-to-client allowed, listening on eth1, advertised network is 192.168.2.0/24. My idea is to allow access to VPN clients to 192.168.2.0/24 subnet. Am I doing it wrong? How should I configure this?

Thanks
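The question above asks how to see what the firewall is really doing besides the web interface and `iptables -L`. The script below is an added example, not Zentyal's own code: it parses a small constructed ruleset in `iptables-save` format (chain names `iint`/`iext` and the rules are invented for illustration, they are not Zentyal's real chain layout) and walks the INPUT path for a given packet, printing the rules that matched. The point it shows is that an "internal networks" rule only applies to packets that reach its chain, and which chain is reached is decided by the interface the packet arrives on. With both interfaces on the same subnet, a LAN packet may come in on the "external" interface and never see the internal-network rule.

```python
import ipaddress

# Constructed sample in iptables-save syntax (labelled as such; not a Zentyal dump).
# INPUT dispatches to a per-interface chain; the LAN rules live only in "iint".
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:iint - [0:0]
:iext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j iint
-A INPUT -i eth1 -j iext
-A iint -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A iint -s 192.168.2.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A iext -p udp -m udp --dport 1194 -j ACCEPT
-A iext -s 10.0.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(tokens):
    """Turn the option tokens of one '-A' line into a dict of match criteria."""
    rule, i = {}, 0
    while i < len(tokens):
        tok, arg = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-i":
            rule["in"] = arg
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif tok == "-p":
            rule["proto"] = arg
        elif tok == "--dport":
            rule["dport"] = int(arg)
        elif tok == "--state":
            rule["state"] = set(arg.split(","))
        elif tok == "-j":
            rule["target"] = arg
        elif tok != "-m":  # "-m <module>" only loads a match; its options are parsed above
            raise ValueError(f"unsupported token {tok}")
        i += 2
    return rule


def parse_iptables_save(text):
    """Return (policies, chains): built-in policy per chain and ordered rule lists."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy, _ = line[1:].split(None, 2)
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            tokens = line.split()
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    return policies, chains


def rule_matches(rule, pkt):
    """Every criterion present in the rule must match the packet description."""
    if "in" in rule and rule["in"] != pkt.get("in"):
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dst" in rule and ipaddress.ip_address(pkt.get("dst", "0.0.0.0")) not in rule["dst"]:
        return False
    if "proto" in rule and rule["proto"] != pkt.get("proto"):
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "state" in rule and pkt.get("state", "NEW") not in rule["state"]:
        return False
    return True


def walk_chain(chain, policies, chains, pkt, trace, depth=0):
    """Evaluate a chain like the kernel would; user chains fall through with None."""
    if depth > 32:
        raise RuntimeError("chain recursion too deep")
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule.get("target")
        trace.append(f"{chain}: " + " ".join(f"{k}={v}" for k, v in rule.items()))
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:  # jump into a user-defined chain
            result = walk_chain(target, policies, chains, pkt, trace, depth + 1)
            if result is not None:
                return result
    return policies.get(chain)  # built-in policy, or None for a user chain


def verdict(ruleset_text, pkt):
    """Return (final verdict, list of matched rules) for a packet on the INPUT path."""
    policies, chains = parse_iptables_save(ruleset_text)
    trace = []
    return walk_chain("INPUT", policies, chains, pkt, trace), trace


if __name__ == "__main__":
    for iface in ("eth0", "eth1"):
        pkt = {"in": iface, "src": "192.168.2.50", "proto": "tcp", "dport": 22}
        result, trace = verdict(SAMPLE_RULES, pkt)
        print(f"ssh from LAN arriving on {iface}: {result}; matched: {trace}")
```

On a real box the input would come from `iptables-save` (run as root) rather than the constructed string; the parser only understands the handful of options shown, and raises on anything else so that an unmodelled match does not silently produce a wrong verdict.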

robb

  • Guest
Re: VPN and firewall problem
« Reply #1 on: October 25, 2011, 02:12:54 pm »
How can you have internal and external interface on the same subnet?

southy

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
Re: VPN and firewall problem
« Reply #2 on: October 26, 2011, 12:58:16 pm »
Hmm, I guess I have an architectural problem (and lack of knowledge on the subject). My situation is that I have port forwarding controlled by the ISP and directed to 192.168.2.11, and my LAN is also on 192.168.2.x. Can anyone give me a suggestion how to configure my VPN to allow access to the 192.168.2.x subnet?

Although my concept is wrong, why do I lose access to Zentyal when I turn the firewall on (and I have rules that should allow traffic towards it)?

christian

  • Guest
Re: VPN and firewall problem
« Reply #3 on: October 26, 2011, 03:23:08 pm »
Why don't you deploy your Zentyal server between your ISP and your LAN?  ::)
External Zentyal interface can be 192.168.2.x while internal one (and your LAN) could be 192.168.1.x  8)

southy

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
Re: VPN and firewall problem
« Reply #4 on: October 27, 2011, 09:53:34 am »
But then I have to make Zentyal a gateway and change the LAN configuration. My server running Zentyal is a VM with limited hardware capabilities, and at this time no upgrade is planned. If I create a new subnet (192.168.10.x) and move the servers I need to access from outside into that new subnet, should the following configuration work?

Network:
    eth0 - internal, static, 192.168.6.1, mask 255.255.255.0;
    eth1 - external, static, 192.168.2.11, mask 255.255.255.0;
    gateway - 192.168.2.11

VPN:
    network - 10.0.1.0/24
    without NAT
    client-to-client allowed
    listening on eth1
    advertised network 192.168.6.0/24

Thank You
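Both addressing plans in this thread (the original one from the first post and the revised one above) can be checked mechanically before touching the box. The script below is an added example, not part of the thread or of Zentyal: it encodes the two plans as data, plus a third constructed variant with a different gateway, and runs generic sanity checks that apply to any router/VPN gateway: no two interfaces on overlapping subnets (the point raised in reply #1), the default gateway must lie on a directly attached subnet and must not be the box's own address, the VPN pool must not overlap an attached subnet, and each network advertised to VPN clients must be directly attached and reachable through an internal interface. The `Plan`/`Interface` structures and the check names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Interface:
    name: str      # e.g. "eth0"
    role: str      # "internal" or "external"
    address: str   # CIDR form, e.g. "192.168.2.17/24"


@dataclass
class Plan:
    label: str
    interfaces: List[Interface]
    gateway: str
    vpn_network: str
    vpn_listen: str          # interface the VPN server listens on
    advertised: List[str]    # networks pushed to VPN clients


def check_plan(plan):
    """Return a list of human-readable findings; an empty list means the plan passes."""
    findings = []
    ifaces = [(i, ipaddress.ip_interface(i.address)) for i in plan.interfaces]

    # 1. Interfaces must not share a subnet: the kernel has no way to pick the
    #    right outgoing interface, and interface-keyed firewall rules become ambiguous.
    for a in range(len(ifaces)):
        for b in range(a + 1, len(ifaces)):
            (ia, na), (ib, nb) = ifaces[a], ifaces[b]
            if na.network.overlaps(nb.network):
                findings.append(f"{ia.name} ({na}) and {ib.name} ({nb}) share subnet {na.network}")

    # 2. The default gateway must be a next hop on an attached subnet, not ourselves.
    gw = ipaddress.ip_address(plan.gateway)
    owners = [(i, n) for i, n in ifaces if gw in n.network]
    if not owners:
        findings.append(f"gateway {gw} is not on any directly attached subnet")
    for i, n in owners:
        if gw == n.ip:
            findings.append(f"gateway {gw} is {i.name}'s own address, not an upstream router")

    # 3. The VPN address pool must not collide with an attached subnet.
    vpn = ipaddress.ip_network(plan.vpn_network)
    for i, n in ifaces:
        if vpn.overlaps(n.network):
            findings.append(f"VPN pool {vpn} overlaps {i.name} subnet {n.network}")

    # 4. The VPN listener should sit on an external interface.
    listen = [i for i, _ in ifaces if i.name == plan.vpn_listen]
    if not listen:
        findings.append(f"VPN listen interface {plan.vpn_listen} does not exist")
    elif listen[0].role != "external":
        findings.append(f"VPN listens on {plan.vpn_listen}, which is not external")

    # 5. Advertised networks must be directly attached, via an internal interface,
    #    otherwise clients get a route the gateway cannot actually forward.
    for adv in plan.advertised:
        advn = ipaddress.ip_network(adv)
        attached = [i for i, n in ifaces if advn.subnet_of(n.network)]
        if not attached:
            findings.append(f"advertised {advn} is not directly attached")
        elif all(i.role == "external" for i in attached):
            findings.append(f"advertised {advn} is only reachable via an external interface")
    return findings


# The two plans as posted in this thread, plus a constructed variant.
PLAN_ORIGINAL = Plan(
    "original post",
    [Interface("eth0", "internal", "192.168.2.17/24"), Interface("eth1", "external", "192.168.2.11/24")],
    gateway="192.168.2.2", vpn_network="10.0.1.0/24", vpn_listen="eth1", advertised=["192.168.2.0/24"])

PLAN_REVISED = Plan(
    "reply #4",
    [Interface("eth0", "internal", "192.168.6.1/24"), Interface("eth1", "external", "192.168.2.11/24")],
    gateway="192.168.2.11", vpn_network="10.0.1.0/24", vpn_listen="eth1", advertised=["192.168.6.0/24"])

# Constructed: the revised plan with the upstream router (192.168.2.2) as gateway.
PLAN_CONSTRUCTED = Plan(
    "constructed variant",
    [Interface("eth0", "internal", "192.168.6.1/24"), Interface("eth1", "external", "192.168.2.11/24")],
    gateway="192.168.2.2", vpn_network="10.0.1.0/24", vpn_listen="eth1", advertised=["192.168.6.0/24"])


if __name__ == "__main__":
    for plan in (PLAN_ORIGINAL, PLAN_REVISED, PLAN_CONSTRUCTED):
        print(f"{plan.label}: {check_plan(plan) or 'no findings'}")
```

The checks are deliberately conservative: they say nothing about NAT or client-to-client settings, only about whether the addressing lets routing and interface-keyed firewall rules behave unambiguously.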

ichat

  • Zen Hero
  • *****
  • Posts: 795
  • Karma: +28/-16
  • RTFM!
Re: VPN and firewall problem
« Reply #5 on: October 27, 2011, 10:39:28 am »
I'm not sure what exactly you are trying to accomplish here.

But in general:

a: why do you want VPN to your 'web?' servers?
b: if Zentyal has its own WAN adaptor (physical) on the VMware host, connected to your 'modem/router', then put that IP into a demilitarised zone (DMZ) ... and put all your servers (are they also hosted on the same VMware infra??) in a 'server' network, for example 192.168.10.x/24, while your Zentyal clients (Windows/Linux/Mac desktops) are in yet another network, i.e. 192.168.11.x/24

and from Zentyal do proper port forwarding on a per-protocol or per-port/server basis...

If this doesn't make sense to you, you might want to read up on some routing 101.
All tips, hints and advice are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk;
I claim absolutely NO responsibility in any way!