Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: Vanish on August 19, 2011, 07:33:49 am

Title: Object Policy's
Post by: Vanish on August 19, 2011, 07:33:49 am
Hi, I have installed the Zentyal 2.022 Free server and am trying to set up object policies to put time-of-day limits on certain computers within this object. I have created static route IPs for these objects. One for my daughter's laptop and the other for her iPod Touch (which will not take the set IP I have put in for it). I have added a policy that says Always Deny from 00:00 to 08:00 all week. But it has not cut her net during that time.

So my questions are: 1) how can I set that darn iPod Touch to have a static IP without having to do it manually? (the stairs worked on every other machine in the house including my iMac), and 2) Am I doing this object wrong, and how would I change it so it will work and limit the net access during these times?

Thanks for any help I can get.

Jon
Title: Re: Object Policy's
Post by: DWAM on August 19, 2011, 10:37:59 am
Hi!

I guess you could try to assign a reserved (static) IP address to the ipod thru DHCP by using its MAC address
Title: Re: Object Policy's
Post by: Vanish on August 19, 2011, 11:23:37 pm
Quote
I guess you could try to assign a reserved (static) IP address to the ipod thru DHCP by using its MAC address

I did that already and it still refuses to take the IP I set for it. Any other ideas why it would bypass the required IP even with its MAC address set up for a static?
Title: Re: Object Policy's
Post by: DWAM on August 20, 2011, 12:19:25 am
It depends how the ipod is connected to your network:

- if wifi, then reserved static address thru DHCP should work
- if bluetooth, then it's in fact connected to your daughter's PC which acts as a gateway for the ipod, but I can't help you there, I'm not familiar with these toys...
Title: Re: Object Policy's
Post by: Vanish on August 23, 2011, 06:34:44 pm
Quote
It depends how the ipod is connected to your network:

- if wifi, then reserved static address thru DHCP should work
- if bluetooth, then it's in fact connected to your daughter's PC which acts as a gateway for the ipod, but I can't help you there, I'm not familiar with these toys...

It is set as DHCP and the static is set in Zentyal. I dunno, but it has taken the IP now it seems (or she has not turned it on lately)... but that is the least of my concerns at the moment.

The big thing I want to get working is limiting the time online and the websites that are available to her. I have her in her own object and I created an object policy (I put my iPad into the group for testing purposes), but I have not got it to work yet. Any suggestions on this? Do I need to set it up differently or something?
Title: Re: Object Policy's
Post by: Vanish on August 26, 2011, 05:06:02 am
Can no one help me with the Object Policies?!?
Title: Re: Object Policy's
Post by: christian on August 26, 2011, 11:04:57 am
What would help is to understand if your object policy doesn't apply because your device is not part of the object you created (this is why you should care about DHCP working properly ;)) or if the policy doesn't apply because of a bug or another setting allowing it to bypass this policy. Position within the policy list does matter here, so you have to tell us a bit more.
Title: Re: Object Policy's
Post by: Javier Amor Garcia on August 28, 2011, 05:08:24 pm
There are some things to check there:

- whether the iPod IP is the correct one
- whether the iPod is using Zentyal as gateway
- finally the policy is incorrect. The time period is when the policy is enforced, in other times the access is denied. So if you want to give access all time except 00:00 to 08:00 you must choose an 'Always allow' policy and set the timezone from 08:00 to 23:59.

Cheers,
Javier
Title: Re: Object Policy's
Post by: Vanish on August 31, 2011, 02:46:29 am
Ok, I will break down what I have done for you to see, and maybe that will make it a little easier to help me.

So I started by making an object for my daughter's devices (with one of my devices in it for testing purposes)...

Objects ▸ Alyssa
Members:

Name         IP address          MAC address
Alyssa-PC    192.168.0.121/32    78:e4:00:c8:ef:d9
Jons iPad    192.168.0.123/32    d8:a2:5e:34:ea:8c
iPod Touch   192.168.0.120/32    64:b9:e8:f1:f3:63

Then I went into Object Policies under HTTP Proxy and set this Policy...

Object Policies
Editing object's policy

Object: Alyssa
Policy: Allow Always
Allowed time period: From 08:00 To 23:00, All Days
(Time period when the access is allowed. It is ignored with a deny policy.)
Filter profile: Default

List of objects

Object   Policy         Allowed time period    Group policy   Filter profile
Alyssa   Always allow   08:00-23:00 All week                  default

And from what I have read, that is all I should have to do to set up object policies to deny access to those devices anytime between 8am and 11pm.

Is there more that I have to do to make this work, cause this has been very unsuccessful as of yet and I am tempted to change software because of the troubles I am having.

I hope this explains what I have done and maybe allow you to give me some suggestions/ answers for this.

Hope to hear from you soon.

Jon
Title: Re: Object Policy's
Post by: Javier Amor Garcia on September 02, 2011, 12:53:39 am
Hello John,
this configuration seems to me correct. Check that Alyssa's IP is correct (MAC is unused in this case).

Probably the problem is that Alyssa is not accessing the internet through the proxy.

If you are using transparent mode check whether Alyssa is using it as gateway.

If you are not using it, Alyssa's browser must be configured to use Zentyal and you must forbid the HTTP traffic from Alyssa (or its net), otherwise it could circumvent the proxy.
Title: Re: Object Policy's
Post by: Vanish on September 02, 2011, 02:32:48 am
Quote
this configuration seems to me correct. Check that Alyssa's IP is correct (MAC is unused in this case).

I am using the MAC address to assign her a specific IP. This is working on the laptop, however it is not working on her iPod or my iPad. Not sure if it's because they are Apple products, but can you help me figure those out as well.

Quote
Probably the problem is that Alyssa is not accessing the internet through the proxy.

If you are using transparent mode check whether Alyssa is using it as gateway.

If you are not using it, Alyssa's browser must be configured to use Zentyal and you must forbid the HTTP traffic from Alyssa (or its net), otherwise it could circumvent the proxy.

I do not have any proxy active. I did not know I needed to activate the proxy. I have no experience with proxies; what would be the easiest way to set said proxy up?

Thanks

Jon
Title: Re: Object Policy's
Post by: Escorpiom on September 03, 2011, 02:13:03 am
Quote
Then I went into Object Policies under HTTP Proxy and set this Policy...

Object Policies
Editing object's policy

Object: Alyssa
Policy: Allow Always
Allowed time period: From 08:00 To 23:00, All Days
(Time period when the access is allowed. It is ignored with a deny policy.)
Filter profile: Default

List of objects

Object   Policy         Allowed time period    Group policy   Filter profile
Alyssa   Always allow   08:00-23:00 All week                  default

If you set a policy under "http proxy" then yes, the proxy must be active.
Policies will never work if the proxy is not active.

First step is to activate it, and decide whether you want it transparent or non-transparent. The latter requires that you configure the clients.

Cheers.
Title: Re: Object Policy's
Post by: Vanish on September 03, 2011, 03:13:10 am
Quote
If you set a policy under "http proxy" then yes, the proxy must be active.
Policies will never work if the proxy is not active.

First step is to activate it, and decide whether you want it transparent or non-transparent. The latter requires that you configure the clients.

Ok. I have never set up either a transparent or non-transparent proxy so I want the easiest one to do. I have tried turning Transparent on in HTTP Proxy -> General, but it did nothing for it. Do I need to set up a port or anything for it? Sorry for asking so many questions, I just really want to get this working. Plus I have another friend locally that is trying to do the same and I can pass this information on to him.

Thanks
Title: Re: Object Policy's
Post by: Escorpiom on September 04, 2011, 04:12:39 am
Quote
Ok. I have never set up either a transparent or non-transparent proxy so I want the easiest one to do. I have tried turning Transparent on in HTTP Proxy -> General, but it did nothing for it. Do I need to set up a port or anything for it? Sorry for asking so many questions, I just really want to get this working. Plus I have another friend locally that is trying to do the same and I can pass this information on to him.

Thanks

No, there is no need to set up a port. Just make sure the module is installed on your system, and that it is running (you can see it on the dashboard under "HTTP proxy").
In my case I have set it transparent, no need to configure the clients.
I have blocked out all social network and dating sites for some people on the network, using object policies. It does work as expected.
The proxy used in Zentyal is Squid, there is a lot of info about this on the web and it is also explained in the Zentyal documentation. You might want to read up on it.

Cheers.
Title: Re: Object Policy's
Post by: Vanish on September 06, 2011, 12:48:24 am

Quote
No, there is no need to set up a port. Just make sure the module is installed on your system, and that it is running (you can see it on the dashboard under "HTTP proxy").
In my case I have set it transparent, no need to configure the clients.
I have blocked out all social network and dating sites for some people on the network, using object policies. It does work as expected.
The proxy used in Zentyal is Squid, there is a lot of info about this on the web and it is also explained in the Zentyal documentation. You might want to read up on it.

Cheers.

Thank you for the input.  I will play with this and read into it further to see if I can get it working.  I would like to use the transparent as then I do not need to mess with the clients.

Now the continued issue with the static IP on the iPod Touch.  I have set it up in the object to get said IP, yet it is still taking one from the DHCP server.  I also have an iPad in that group with a static IP and it took it for a while, but lately it has been taking from the DHCP as well. 

I do have an iMac in the house, but it takes the static IP I have given it (in Zentyal) and never lost it. Is there something with those items and their IP configurations that I need to manually set for them to have the static IP, or should they work the way I am hoping?

Thanks 
Jon
Title: Re: Object Policy's
Post by: Escorpiom on September 06, 2011, 02:52:10 am
If you choose to set a static IP, that means that Zentyal is not handing out IPs. The client is configured with an IP address in the same subnet, uses Zentyal as default gateway and needs a DNS server.
If you currently have the iMac on a static IP, that is not going to change when you activate the proxy, if that is your question.   

Cheers.
Title: Re: Object Policy's
Post by: Sam Graf on September 06, 2011, 03:32:30 am
Quote
... Is there something with those items and their IP configurations that I need to manually set for them to have the static IP, or should they work the way I am hoping?
We use iPads at work and they have static IP addresses assigned through Zentyal, so at least in the iPad's case, it seems to me that it should work as you intend. We've not given the iPads any special treatment.

I'm having trouble thinking where the breakdown here is occurring. There really aren't that many places where things could go wrong. If the device is in fact connecting to Zentyal on its internal interface, if the object's MAC addresses are correct, if the object's IP addresses are in the correct subnet and not duplicated elsewhere and not taken from a defined range, and if the object has been included in Zentyal's DHCP service for the internal interface, it should just work. And proxy policies for the same object should then also work.

So as I've been reading along here I'm at a loss. Beyond operator error ( :-[ ) I've not had any experience with Zentyal's static assignments failing at all, let alone routinely. And I rely on that feature heavily. It baffles me that your setup isn't working.

The only thing that I wonder about is whether or not you are experiencing a difference in device behavior depending on whether or not the device is a wired device or a wireless device. If all wired devices work as expected and all wireless devices are not working as expected long term, maybe we need to look closer at how the wireless connections are taking place.
Title: Re: Object Policy's
Post by: Vanish on November 01, 2011, 04:36:21 am
Sorry for the delay on the responses, ended up going for surgery. 

Back to the issues...

I have still not been able to make the iPads take a static IP via the Zentyal routes; in fact the issue is with all my wireless items. Now I am not using a true AP (Dlink Wireless DIR-655, which does not have an available DD-WRT) for one of our wireless networks, and the other wireless network is running DD-WRT firmware on a Linksys WRT54G wireless router set to AP mode. Could these be causing our IP issues?

Thanks
Jon
Title: Re: Object Policy's
Post by: Escorpiom on November 02, 2011, 12:43:25 am
I'm starting to lose track...
Please start with checking how your "network objects" have been set up in Zentyal. Remove all spaces, underscores, capitals and hyphens (-) from the names, both object names and members.
This is the first important step if you want to have Zentyal assign a static IP to clients. I call this Marcus' rule.
Quote
Jons iPad
iPod Touch
This is definitely not going to work for static DHCP.

If that doesn't solve your issue:
If I understand, the issue is not only with the iPads but with all your wireless items? You have two APs, one is a Dlink DIR-655 and the other is a WRT54G with DD-WRT on it?

The DIR-655 can be used as an AP also if you wish. If it is doing router or gateway, its clients will never get an IP from Zentyal but instead from the DIR-655 if it has its DHCP server activated.
If you set the wireless clients with a static IP, their gateway will be the DIR-655 and that IP address will have to fall in the same space as the DIR-655 LAN IP.

If the other router is a true AP, then you would rather not activate its DHCP server. Generally, it's not a good idea to have multiple DHCP servers on your network.
Static IP and Zentyal gateway for clients on that AP won't be a problem because no router/firewall is active.

I have two DIR-300s and both have been flashed with DD-WRT. The only issue I ran into were incompatibilities with the WPA2+AES encryption security.
I had to use WPA personal+AES to get everyone on the AP.

At this very moment I have Zentyal handing out IPs for clients connected to the AP. Client isolation has been enabled and all works OK.
 
Cheers.
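As an added example (not code from Zentyal or from anyone in this thread), the checks Escorpiom and Sam Graf describe above for static DHCP assignments, written as a POSIX sh pre-check for an object's member list: names that follow Marcus' rule (read strictly here as lowercase letters and digits), well-formed MAC and IP, IP inside the internal subnet and outside the dynamic pool, and nothing listed twice. The subnet 192.168.0.0/24 and the dynamic range 192.168.0.200-250 are assumed values, and the member file format is my own.

```shell
#!/bin/sh
# Added example (not Zentyal's code, nor any thread author's): pre-check the
# members of a network object before relying on them as static DHCP
# assignments. Checks applied, from the thread's advice: member names with no
# spaces, underscores, capitals or hyphens ("Marcus' rule", read strictly here
# as lowercase letters and digits), a well-formed MAC, a well-formed IP inside
# the internal subnet and outside the dynamic DHCP range, and no IP or MAC
# listed twice. LAN_NET and the dynamic range are assumed values.

LAN_NET="192.168.0.0/24"      # assumed internal subnet
DYN_FIRST="192.168.0.200"     # assumed first address of the dynamic pool
DYN_LAST="192.168.0.250"      # assumed last address of the dynamic pool

# Dotted quad -> 32-bit integer, using POSIX sh arithmetic only.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Syntax checks; LC_ALL=C keeps the character ranges locale-independent.
name_ok() { echo "$1" | LC_ALL=C grep -Eq '^[a-z0-9]+$'; }
mac_ok()  { echo "$1" | LC_ALL=C grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; }
ip_ok()   { echo "$1" | LC_ALL=C grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# in_subnet IP CIDR: true when IP lies inside the CIDR block.
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# in_dyn_range IP: true when IP would collide with the dynamic pool.
in_dyn_range() {
    ip=$(ip2int "$1")
    [ "$ip" -ge "$(ip2int "$DYN_FIRST")" ] && [ "$ip" -le "$(ip2int "$DYN_LAST")" ]
}

# check_member NAME IP MAC: prints every problem found; returns 0 when clean.
check_member() {
    m_rc=0
    name_ok "$1" || { echo "$1: name must be lowercase letters and digits only"; m_rc=1; }
    mac_ok "$3"  || { echo "$1: malformed MAC '$3'"; m_rc=1; }
    if ip_ok "$2"; then
        in_subnet "$2" "$LAN_NET" || { echo "$1: $2 is outside $LAN_NET"; m_rc=1; }
        if in_dyn_range "$2"; then
            echo "$1: $2 collides with the dynamic range $DYN_FIRST-$DYN_LAST"; m_rc=1
        fi
    else
        echo "$1: malformed IP '$2'"; m_rc=1
    fi
    return $m_rc
}

# check_list: reads "name ip mac" lines on stdin, checks each member and
# flags any IP or MAC that appears more than once; returns 0 when all clean.
check_list() {
    l_rc=0
    list=$(cat)
    while read -r name ip mac; do
        [ -n "$name" ] || continue
        check_member "$name" "$ip" "$mac" || l_rc=1
    done <<EOF
$list
EOF
    dups=$(echo "$list" | awk 'NF == 3 { print $2; print $3 }' | sort | uniq -d)
    [ -z "$dups" ] || { echo "listed more than once:"; echo "$dups"; l_rc=1; }
    return $l_rc
}

# Usage: ./check-members.sh --check < members.txt
# where members.txt holds one "name ip mac" line per object member.
case "${1:-}" in
    --check) check_list ;;
esac
```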
Title: Re: Object Policy's
Post by: Vanish on November 30, 2011, 05:31:35 am
Quote
Please start with checking how your "network objects" have been set up in Zentyal. Remove all spaces, underscores, capitals and hyphens (-) from the names, both object names and members.
This is the first important step if you want to have Zentyal assign a static IP to clients. I call this Marcus' rule.

Check. Did this and this helped out a TON. My iPad and Android phone are now taking the IP I am directing them to take. Marcus' Rule = WIN!

Quote
The DIR-655 can be used as an AP also if you wish. If it is doing router or gateway, its clients will never get an IP from Zentyal but instead from the DIR-655 if it has its DHCP server activated.
If you set the wireless clients with a static IP, their gateway will be the DIR-655 and that IP address will have to fall in the same space as the DIR-655 LAN IP.

If the other router is a true AP, then you would rather not activate its DHCP server. Generally, it's not a good idea to have multiple DHCP servers on your network.
Static IP and Zentyal gateway for clients on that AP won't be a problem because no router/firewall is active.

I have two DIR-300s and both have been flashed with DD-WRT. The only issue I ran into were incompatibilities with the WPA2+AES encryption security.
I had to use WPA personal+AES to get everyone on the AP.

At this very moment I have Zentyal handing out IPs for clients connected to the AP. Client isolation has been enabled and all works OK.

Check, I have the AP's working properly now too. 

Now I have played with the object policies and have got them to work with limited success. I have the Transparent Proxy active and I can make a policy shut down the network to selected devices at 22:00 as directed. However I can not put the time limits I am wanting in play (22:00 to 08:00). So that policy will shut down the access from 22:00 to 23:59. Now I have tried making a second object group (as you are limited to only 1 object policy per object group) that is the same as the primary group and created a second object policy that shuts access off from 00:00 to 08:00, and it is in first, then the other policy (which has the same devices in it) shuts down from 22:00 to 23:59.

Now I can make one policy work just fine. No issues, it deactivates and reactivates as expected, but as soon as I add the second policy in so I can get the time frames I am wanting, it has issues; connection is dropped randomly throughout the day.

I have tried setting the Transparent Proxy to Always Deny and just using the object policy to allow during 08:00 to 22:00. But then I have to make a policy to allow full-time access to the rest of the network by putting each of the computers into an object and activating it like that, which doesn't work as we have many visitors in our home and I do not want to have to add each of them as well.

Any help I could get with this would be awesome or if you need me to explain it better ask the questions needed and I will answer them to the best of my ability.

Thanks
Jon
Title: Re: Object Policy's
Post by: Escorpiom on November 30, 2011, 06:28:26 am
I hear you. That part of Zentyal is still work in progress, at least for me. Some others have reported inconsistencies with object policies.
I'd go for the second option you mentioned. Set the default policy to always deny and allow the objects from 8.00 until 22.00.
The idea is, for your visitors for whom you can't (or won't) make objects, just create one object "dhcpguests" and put some (let's say 10) IP addresses inside but leave the MAC field for those addresses empty. That group you put in the always allow policy. If someone visits you and the MAC address is not in one of your other groups (with limited access) then he will just get an IP from the "DHCP Guests" object and be able to use the network without restrictions.

The only vulnerable part is that clients that are not allowed may spoof their MAC and get an "always allow" IP.

Anyway I'm glad you sorted out the rest of your issues.
Cheers.   


Title: Re: Object Policy's
Post by: robb on November 30, 2011, 10:28:38 am
I haven't seen this in the discussion yet, so can you check if Zentyal is the only DHCP server on your network? If, for instance, your router is also actively giving out IP addresses, you have a problem with your rules.
Title: Re: Object Policy's
Post by: Vanish on November 30, 2011, 06:25:26 pm
Quote
I hear you. That part of Zentyal is still work in progress, at least for me. Some others have reported inconsistencies with object policies.
I'd go for the second option you mentioned. Set the default policy to always deny and allow the objects from 8.00 until 22.00.
The idea is, for your visitors for whom you can't (or won't) make objects, just create one object "dhcpguests" and put some (let's say 10) IP addresses inside but leave the MAC field for those addresses empty. That group you put in the always allow policy. If someone visits you and the MAC address is not in one of your other groups (with limited access) then he will just get an IP from the "DHCP Guests" object and be able to use the network without restrictions.

The only vulnerable part is that clients that are not allowed may spoof their MAC and get an "always allow" IP.

Anyway I'm glad you sorted out the rest of your issues.
Cheers.

I have thought of doing this, but my daughter(s) are pretty smart and will learn this trick WAY too fast. I am going to work with the 2 different policies for a bit and see if I can get them to work out for me. I will check back in, in a few days, with an update if I figure them out. In the meantime, I will try your suggestion and see how it goes for the time being.

Quote
I haven't seen this in the discussion yet, so can you check if Zentyal is the only DHCP server on your network? If, for instance, your router is also actively giving out IP addresses, you have a problem with your rules.

I have the DHCP thing all figured out now thanks to Marcus' Rule.  Thanks though.

Thanks

Jon
Title: Re: Object Policy's
Post by: Javier Amor Garcia on December 01, 2011, 09:16:49 am
Hello,

there was a regression in HTTP proxy's object policy in the 2.2 series. It affected cases where the objects had a filter policy and the global policy was set to anything other than 'Filter' or 'Authorize and filter'.

Maybe this was causing some of you trouble?

The fix is in changeset 23714 ->  http://trac.zentyal.org/changeset/23714

Regards,
Javier
Title: Re: Object Policy's
Post by: Vanish on March 20, 2012, 04:12:07 am
Quote
Hello,

there was a regression in HTTP proxy's object policy in the 2.2 series. It affected cases where the objects had a filter policy and the global policy was set to anything other than 'Filter' or 'Authorize and filter'.

Maybe this was causing some of you trouble?

The fix is in changeset 23714 ->  http://trac.zentyal.org/changeset/23714

Regards,
Javier

Since I have upgraded to V2.2 on my server and done some minor tweaks, I have been able to make my object policies work properly. I have created 3 objects with policies and everything is working wonderfully.

However I have run into some limitations that I am unsure how to overcome.

I have created a 'limited access' user for whom the net is only available from 08:00 to 22:00, and when it comes to http access the policy is working well. However, if I am using my iPad and trying to access the web through a specific app, the net is still open. For example, I try to access http://www.facebook.com after 22:00 and it says it is denied, but if I use my Facebook app on my iPad it works fine.

From the reading I have done, this is because I am using a transparent proxy.  However I don't have the slightest idea where to start on creating a proxy server on my Zentyal box to be able to have better restriction on my network.  Any help with this would be much appreciated.

*** Also, I have successfully been able to add a VNC server to Zentyal as well as created media shares that a WD Live TV can see and access movies from.  If you have questions on either of these items, please let me know and I will help as much as I can. ***

Thanks

Jon
Title: Re: Object Policy's
Post by: vshaulsk on March 20, 2012, 01:41:04 pm
To get away from transparent proxy.... you just have to go to the proxy module and uncheck the transparent mode.

Now you will have to configure all your machines to point to the correct port (This port is listed under the proxy module).  Also make sure that this port is opened in your internal firewall.

Manually configuring your machines works well for desktops and machines that will not leave your work area. If however you have machines such as notebooks, laptops, iPads, etc. that might be using wifi outside of the work area, this is going to cause a problem. You will have to manually reconfigure those machines to not use the defined proxy server every time you leave the work area.

Now there is a solution to this problem as well. If you search the posts here for proxy.pac you will find how to make your machines automatically configure the correct proxy settings. I have to add that I don't use this automatic configuration so I am not sure how it works with iPads or phones. I can tell you that I did test it for my notebooks and it worked properly.

Good luck !!
Title: Re: Object Policy's
Post by: Vanish on March 20, 2012, 04:19:48 pm
Quote
To get away from transparent proxy.... you just have to go to the proxy module and uncheck the transparent mode.

Now you will have to configure all your machines to point to the correct port (This port is listed under the proxy module).  Also make sure that this port is opened in your internal firewall.

Manually configuring your machines works well for desktops and machines that will not leave your work area. If however you have machines such as notebooks, laptops, iPads, etc. that might be using wifi outside of the work area, this is going to cause a problem. You will have to manually reconfigure those machines to not use the defined proxy server every time you leave the work area.

Now there is a solution to this problem as well. If you search the posts here for proxy.pac you will find how to make your machines automatically configure the correct proxy settings. I have to add that I don't use this automatic configuration so I am not sure how it works with iPads or phones. I can tell you that I did test it for my notebooks and it worked properly.

Good luck !!

I am using this for home purposes ATM and am learning on it at the same time. This way I am able to put it into my business when I am efficient at it. As for a full proxy, I know I would have to set up each individual machine/wireless device to make it work, which I do not want to have to do cause I have a teenage daughter that I am trying to throw these permissions at without her knowing. I am currently running 2 wireless access points where one of them shuts the wireless off at 22:00 so there is no access at all, but I would like her to be able to still access the internal network, just no web access.

I will look into that proxy.pac and see how it works, but in the meantime is there a way to make the transparent proxy work for me?

Thanks

Jon

Title: Re: Object Policy's
Post by: vshaulsk on March 20, 2012, 06:42:50 pm
What I find strange is that the apps do not get restricted like regular http traffic. I guess the question is, do the apps use http or https?

If they would use https it would make sense because https traffic is not proxied.

Now currently there is no way to proxy https traffic with transparent proxy, but only with non-transparent.  As I said one option would be to use an automatic proxy configuration such as proxy.pac

However another option is to block https traffic (port 443) in the firewall for the specified length of time.  I know you don't want to do this manually every day and morning, but you could create a cron job that runs at a specified time every day.  It could be just a simple one:

Cron job a:  Block port 443 for subnet xxx.xxx.xxx.xxx/24    execute cron job every day at 22:00
Cron job b:  Allow port 443 for subnet xxx.xxx.xxx.xxx/24    execute cron job every day at 8:00

Now I don't know the exact code in the CLI to block or unblock specific ports for a specific subnet, but I am sure you can find it through Google.

Anyway this is how I would attempt to do this if I had to block the https(443) port for a specific time and for a specific IP address or subnet.
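As an added example (not code from Zentyal or from anyone in this thread), the two cron jobs vshaulsk sketches above, written as a POSIX sh script that keeps the HTTPS rejects in a dedicated iptables chain so "block" and "allow" can be run repeatedly without piling up rules. The member IPs, the chain name and the script path are assumed. One caveat worth knowing: Zentyal rewrites its own iptables rule set whenever the firewall module is saved or restarted, so the chain can be dropped until the next 22:00 run re-adds it.

```shell
#!/bin/sh
# Added example (not Zentyal's code, nor any thread author's): a cron-driven
# HTTPS curfew for the restricted devices, kept in its own iptables chain so
# each run rebuilds the chain from scratch and never duplicates rules.
# RESTRICTED and CHAIN are assumed values; set IPTABLES to a stub for dry runs.
# Caveat: Zentyal regenerates its iptables rules when the firewall module is
# saved or restarted, which removes this chain until "block" runs again.

RESTRICTED="192.168.0.120 192.168.0.121"   # assumed: IPs of the limited object
CHAIN="https_curfew"
IPTABLES="${IPTABLES:-iptables}"

# rule_args HOST -> match/target rejecting HOST's outbound HTTPS (TCP/443)
rule_args() {
    echo "-s $1/32 -p tcp --dport 443 -j REJECT --reject-with tcp-reset"
}

# curfew block|allow: returns 0 on success, 1 on an iptables failure, 2 on usage.
curfew() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true       # create once; ignore "exists"
    $IPTABLES -F "$CHAIN" || return 1                # always start from an empty chain
    if ! $IPTABLES -S FORWARD | grep -q -- "-j $CHAIN"; then
        $IPTABLES -I FORWARD 1 -j "$CHAIN" || return 1   # hook in ahead of Zentyal's rules
    fi
    case "$1" in
        block)
            for host in $RESTRICTED; do
                $IPTABLES -A "$CHAIN" $(rule_args "$host") || return 1
            done ;;
        allow) ;;                                    # empty chain: nothing is rejected
        *) echo "usage: $0 block|allow|cron" >&2; return 2 ;;
    esac
}

# cron_lines SCRIPT -> /etc/cron.d entries: block at 22:00, allow at 08:00
cron_lines() {
    printf '0 22 * * * root %s block\n0 8 * * * root %s allow\n' "$1" "$1"
}

case "${1:-}" in
    block|allow) curfew "$1" ;;
    cron) cron_lines "$0" ;;    # ./https-curfew.sh cron > /etc/cron.d/https-curfew
esac
```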
Title: Re: Object Policy's
Post by: vshaulsk on March 20, 2012, 06:45:03 pm
On my system I have webmin installed in order to create cron jobs easier.  (well and to manage my disks + raid + mount configuration)