Author Topic: Can't access web interface if firewall is turned on  (Read 6243 times)

rcook

  • Guest
Can't access web interface if firewall is turned on
« on: January 21, 2012, 09:01:17 pm »
Pretty straightforward: if the firewall module is enabled I can't get to the web interface.

The Zentyal box has 2 NICs, one is configured as the external, the other internal. I am still in the testing phase of deploying Zentyal, so for now I have my DSL treating the external Zentyal IP as a DMZ, allowing all traffic to pass to it.

I've reinstalled the entire system to no avail. It's definitely the firewall causing the issue.

Network Map:

                                                   /--> Zentyal External NIC: 192.168.1.220 / 255.255.255.0 / 192.168.1.1 gateway
Internet --> DSL Modem/Router/Gateway --> switch --
                                                   \--> Zentyal Internal NIC: 192.168.1.230 / 255.255.255.0

I can't ping either of the IPs at all. From the Zentyal box I can ping the DSL modem, google.com, and the workstation that I'm using. I've tried changing the Internal IP to 192.168.2.230 but that had no effect.

As soon as I turn off the firewall module I have full web access to Zentyal with no issues.

I just tried connecting the external NIC directly to the DSL's switch and then connecting the Internal NIC to the LAN switch, as soon as I turned on the firewall I have no web connection at all and can ping neither NIC.

Suggestions?


rcook

  • Guest
Re: Can't access web interface if firewall is turned on
« Reply #1 on: January 21, 2012, 09:19:19 pm »
Well it appears that if I enable DHCP on eth0 I can now reach the web interface. Well that's just odd as hell and I'm sure by design but I'll be damned if I know why.

robb

  • Guest
Re: Can't access web interface if firewall is turned on
« Reply #2 on: January 22, 2012, 03:03:01 pm »
As a gateway, your Zentyal network is not set up correctly.

You should change it as follows:

Internet --> DSL Modem/Router/Gateway --> Zentyal External NIC: 192.168.1.220 / 255.255.255.0 / 192.168.1.1 gateway
/--> Zentyal Internal NIC: 192.168.2.230 / 255.255.255.0  switch -- INTERNAL LAN (subnet 192.168.2.0/24) gateway 192.168.2.230

The essence is that your Zentyal server is BETWEEN your internet connection and your LAN, and ONLY activate DHCP on your INTERNAL LAN.

rcook

  • Guest
Re: Can't access web interface if firewall is turned on
« Reply #3 on: January 22, 2012, 03:32:01 pm »
As a gateway, your Zentyal network is not set up correctly.

You should change it as follows:

Internet --> DSL Modem/Router/Gateway --> Zentyal External NIC: 192.168.1.220 / 255.255.255.0 / 192.168.1.1 gateway
/--> Zentyal Internal NIC: 192.168.2.230 / 255.255.255.0  switch -- INTERNAL LAN (subnet 192.168.2.0/24) gateway 192.168.2.230

The essence is that your Zentyal server is BETWEEN your internet connection and your LAN, and ONLY activate DHCP on your INTERNAL LAN.

From my original post:


I just tried connecting the external NIC directly to the DSL's switch and then connecting the Internal NIC to the LAN switch, as soon as I turned on the firewall I have no web connection at all and can ping neither NIC.

Suggestions?

No matter, I put Smoothwall on the box and it's working as it should.

robb

  • Guest
Re: Can't access web interface if firewall is turned on
« Reply #4 on: January 22, 2012, 04:28:23 pm »
Of course you don't get inet access with the external NIC connected to the router as long as you have your 2 NICs configured on THE SAME SUBNET. They MUST be configured on different subnets. Another option is to NOT use Zentyal as a gateway and only use it as one of the other roles, but then you only need 1 NIC, as Zentyal will become part of your internal network.
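
The subnet rule stated in the reply above can be checked mechanically before a firewall or gateway role is enabled. The following is an added example, not part of the original thread and not Zentyal code; the interface names `eth0`/`eth1` and the third (wide-mask) plan are assumptions, and the check goes slightly beyond the thread by also catching subnets that overlap with different mask lengths.

```python
import ipaddress
from itertools import combinations

def check_gateway_plan(nics):
    """Return a list of problems in a multi-NIC addressing plan (empty = consistent).

    Each NIC is a dict with name, address, netmask and, optionally, gateway.
    """
    problems = []
    parsed = []
    for nic in nics:
        iface = ipaddress.ip_interface(f"{nic['address']}/{nic['netmask']}")
        parsed.append((nic["name"], iface))
        gw = nic.get("gateway")
        # A default gateway has to be on the NIC's own subnet to be reachable.
        if gw and ipaddress.ip_address(gw) not in iface.network:
            problems.append(f"{nic['name']}: gateway {gw} is not inside {iface.network}")
    # The reply above requires the NICs to be on different subnets.
    # overlaps() also flags a wide mask that swallows another NIC's subnet.
    for (name_a, a), (name_b, b) in combinations(parsed, 2):
        if a.network.overlaps(b.network):
            problems.append(f"{name_a} ({a.network}) overlaps {name_b} ({b.network})")
    return problems

# Addresses as posted in the thread; eth0/eth1 naming is assumed.
ORIGINAL_PLAN = [
    {"name": "eth0", "address": "192.168.1.220", "netmask": "255.255.255.0",
     "gateway": "192.168.1.1"},
    {"name": "eth1", "address": "192.168.1.230", "netmask": "255.255.255.0"},
]
SUGGESTED_PLAN = [
    {"name": "eth0", "address": "192.168.1.220", "netmask": "255.255.255.0",
     "gateway": "192.168.1.1"},
    {"name": "eth1", "address": "192.168.2.230", "netmask": "255.255.255.0"},
]
# Constructed case: different third octet, but a /16 mask on the external side.
WIDE_MASK_PLAN = [
    {"name": "eth0", "address": "192.168.1.220", "netmask": "255.255.0.0",
     "gateway": "192.168.1.1"},
    {"name": "eth1", "address": "192.168.2.230", "netmask": "255.255.255.0"},
]

if __name__ == "__main__":
    for label, plan in [("original", ORIGINAL_PLAN), ("suggested", SUGGESTED_PLAN),
                        ("wide mask", WIDE_MASK_PLAN)]:
        print(label, check_gateway_plan(plan) or "OK")
```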

rcook

  • Guest
Re: Can't access web interface if firewall is turned on
« Reply #5 on: January 23, 2012, 04:02:13 pm »
Of course you don't get inet access with the external NIC connected to the router as long as you have your 2 NICs configured on THE SAME SUBNET. They MUST be configured on different subnets. Another option is to NOT use Zentyal as a gateway and only use it as one of the other roles, but then you only need 1 NIC, as Zentyal will become part of your internal network.

You don't read real well, do you? It's ok. Everything you need to know is in my post; go back and try re-reading it really slowly. Needless to say, this is a firewall issue on Zentyal's part: using the exact same network configurations I was able to get both Smoothwall and ClearOS working just fine. Would have loved to try Zentyal but it's a no go if I have to disable the firewall.

Oh well, later.

robb

  • Guest
Re: Can't access web interface if firewall is turned on
« Reply #6 on: January 23, 2012, 04:27:29 pm »
I can say the same to you: you don't read too well. I'm afraid it's rather basic networking principles, and in some way you do not seem to understand that you need NAT between your DSL connection and the rest of your LAN for Zentyal to act as a gateway with firewall.
Anyway, if you think Zentyal is not for you, then that's your loss... I hope you find a solution that suits your needs.

antechinus55

  • Zen Apprentice
  • Posts: 1
  • Karma: +0/-0
Re: Can't access web interface if firewall is turned on
« Reply #7 on: January 26, 2012, 03:07:34 am »
I have a similar problem. I have set up zentyal on a server with 2 nics, but only enabled eth1 as static with address 192.168.10.10. The home network setup is cable modem to wireless/giga ethernet router which is the dhcp server for the network (to which the wireless components of the network connect as do 2 ethernet enabled devices) to giga switch to which the zentyal server and remaining ethernet connected devices connect. The DHCP server (router) is set up with most of the ethernet connected devices with static addresses. The dhcp server and the zentyal server are in agreement about both the zentyal server's MAC and DHCP address. I can ping all devices on the internal network from the zentyal server. I can connect to the zentyal server from within the internal network, using both the web interface and ssh in a terminal window. I cannot ping or connect to the WAN from the zentyal server.
I assumed this was a setup issue, so I reinstalled the software. Same issue. I then disabled all services, same issue. I then restarted only network (and its dependencies), same issue.
I am sure it is a config issue, but can't figure out what it is.
Any help appreciated.

robb

  • Guest
Re: Can't access web interface if firewall is turned on
« Reply #8 on: January 26, 2012, 08:12:53 am »
Looks like the same issue and the same solution.

Can you post what your subnets look like? Example: internet - router - subnet - zentyal - subnet
Also post your DHCP scope and where you configure that.

hyerk

  • Zen Apprentice
  • Posts: 25
  • Karma: +2/-0
Re: Can't access web interface if firewall is turned on
« Reply #9 on: January 27, 2012, 04:24:58 pm »
antechinus55,

I'll give this a shot. Hopefully I can read well enough to understand ;).

It sounds like a DNS issue on your Zentyal server.
You stated....
1. You CAN ping the Zentyal server from internal devices and access the web interface.
2. You CAN ping other devices from the Zentyal server.
3. You CANNOT access the WAN or internet.

In your Zentyal web interface, go to core components -> Network -> DNS and make sure the DNS server is correct.

To test, remove the static IP from the Zentyal server and have it use DHCP. If it works, then it's DNS.

Hope this helps.
 
« Last Edit: January 27, 2012, 04:41:14 pm by hyerk »