Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: solarwinds on August 14, 2011, 02:58:00 pm

Title: [SOLVED] Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwinds on August 14, 2011, 02:58:00 pm
Hello all, how do I allow clients to access mail sites? Right now my clients cannot load the login page of Yahoo Mail, Google Mail, etc. on any web browser. Is there something wrong with my configuration? I'm using the HTTP proxy in transparent mode. I already created an HTTPS service with port 443 and allowed it on the firewall, but I still can't access mail sites. Any help is much appreciated.
Thanks!


Great minds think alike.
^_^
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: nicolasdiogo on August 18, 2011, 10:41:44 pm
you say that you are having problems with port 443 and that you have already created and enabled a service for this port.

so it is difficult to know what else to suggest besides:

logs > configure logs >
enable firewall

and leave it running for a couple of hours and then query the logs

Nicolas


www.brainpowered.net


Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 14, 2011, 09:25:53 am
thanks for the reply. yes it is hard. even the logs don't show anything about my https access. it only listed all http visited sites. T_T
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 14, 2011, 10:00:53 am
May I suggest you try with a non-transparent proxy, ensure you can access using the proxy and then, if it works and if you do need transparent mode, review again and again what you did in terms of firewall rules.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: nicolasdiogo on September 14, 2011, 01:15:15 pm
could you also check your server logs for packets that have been dropped

Code:
cat /var/log/kern.log | grep -i dpt=443
if nothing is returned - please try
Code:
cat /var/log/kern.log | grep -i drop
the above command should show any packets dropped with HTTPS (443) as their destination

i have just checked my installation - while running proxy in transparent mode it is all fine
when I switch the firewall rule for HTTPS to 'deny' for internal networks - my logs start getting messages in both the Zentyal Firewall log and /var/log/kern.log

let us know if there is any news
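
The log check suggested in the post above, as an added example that is not part of the thread: it groups dropped packets by path, source, destination and port, so drops of forwarded HTTPS traffic stand apart from drops of traffic addressed to the gateway itself. The sample log lines are constructed, and the `fw drop` log prefix and the interface names are assumptions; only the standard iptables LOG fields are relied on.

```bash
#!/usr/bin/env bash
# Added example: summarise firewall drops found in kernel-log lines.
# Relies on the iptables LOG field layout (IN= OUT= SRC= DST= PROTO= DPT=).

# summarize_drops [PORT]  -- reads log lines on stdin.
# Prints "count path src dst proto dpt", most frequent first.
summarize_drops() {
    awk -v want="${1:-}" '
    tolower($0) ~ /drop/ {
        in_if = out_if = src = dst = proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if      (k == "IN")    in_if  = v
            else if (k == "OUT")   out_if = v
            else if (k == "SRC")   src    = v
            else if (k == "DST")   dst    = v
            else if (k == "PROTO") proto  = v
            else if (k == "DPT")   dpt    = v
        }
        if (src == "") next                    # "drop" in an unrelated message
        if (want != "" && dpt != want) next    # optional port filter
        # Path is inferred from which interfaces the LOG line names:
        #   IN and OUT set -> packet was being routed through the box
        #   only IN set    -> packet was addressed to the box itself
        #   only OUT set   -> packet was generated by the box
        if (in_if != "" && out_if != "") path = "FORWARD"
        else if (in_if != "")            path = "INPUT"
        else                             path = "OUTPUT"
        count[path " " src " " dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input (not taken from the thread).
sample_kern_log() {
    cat <<'EOF'
Sep 14 13:10:01 gw kernel: [ 8121.100001] fw drop IN=eth1 OUT=eth0 SRC=172.16.2.15 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=443 SYN
Sep 14 13:10:04 gw kernel: [ 8124.100002] fw drop IN=eth1 OUT=eth0 SRC=172.16.2.15 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=443 SYN
Sep 14 13:10:05 gw kernel: [ 8125.000000] eth0: dropped 3 frames
Sep 14 13:10:06 gw kernel: [ 8126.100003] fw drop IN=eth1 OUT=eth0 SRC=172.16.2.16 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=443 SYN
Sep 14 13:10:07 gw kernel: [ 8127.100004] fw drop IN=eth1 OUT= SRC=172.16.2.15 DST=172.16.1.1 LEN=60 TTL=63 PROTO=TCP SPT=51300 DPT=3128 SYN
Sep 14 13:10:08 gw kernel: [ 8128.100005] fw drop IN=eth1 OUT=eth0 SRC=172.16.2.15 DST=198.51.100.7 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0
EOF
}

echo "Drops with destination port 443:"
sample_kern_log | summarize_drops 443
# On a live gateway: summarize_drops 443 < /var/log/kern.log
```

Empty output for port 443 means no logging rule saw the packet being dropped, which points away from the firewall rules and toward routing.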
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 15, 2011, 03:52:10 am
Hello Christian,
Yes Sir, I tried using proxy on browser and it worked. But when on transparent mode, i can just visit the sites but it will be loading all day until the request times out and turns everything to white screen. ^_^

Hello nicolasdiogo,
Even the logs don't show anything while on transparent mode. It only shows my http requests whether dropped or not.



But I found out something. Using network commands on the CLI did the trick. After adding proper default routes on the CLI, I can then access all the mail sites. But the problem is, every time the "network module" is reloaded, the default routes I added through the CLI disappear. Is there something wrong with my Zentyal configuration, or is there anything I missed?

Thanks for the reply!

"Great minds think alike"
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 15, 2011, 07:22:51 am
Quote
I tried using proxy on browser and it worked. But when on transparent mode, i can just visit the sites but it will be loading all day until the request times out and turns everything to white screen.

Sorry, I simply do not understand what you mean here  :-[
so, if I take it as "it works in non transparent proxy mode", then:
- why not use this mode?
- it shows that you made something wrong with your "workaround via firewall for HTTPS" implementation
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 15, 2011, 09:32:43 am
Yes Sir,

Thanks a lot for your reply.
We need transparent mode. Our clients here are not all IT literate. Therefore, we should use our information systems to work more efficiently and easy for the users. I mean like no brainer thing, just connect to our access points or switches and puff, coco crunch, internet is ready.

So I need help on how to serve internet, transparent proxy mode, without manually configuring gateways and network stuffs via CLI.

Firewall? so does it mean I need to allow the port "3128" on zentyal firewall?


^_^

"Great minds think alike."
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 15, 2011, 09:48:08 am
Thinking that, in order to keep infrastructure efficient, it has to be transparent is a common mistake, from my standpoint.
Trying to minimize actions client side (because there are most of the time many more clients than servers) is very obviously the main objective.

Then, coming back to proxy: HTTP works smoothly in transparent mode. You are not able, for some reason I don't understand, to set up the workaround via firewall as described in documentation.
May I suggest you have a look at this:
http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign

It doesn't answer your question but will explain some basics, I hope.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 15, 2011, 10:22:27 am
Ok, will check now. I appreciate much your help. Indeed, clients should have the least action, this is what customer service is all about. ^_^ Has anyone ever told you you're a hero? hehehe..

"Great minds think alike"
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 15, 2011, 10:32:49 am
Whew. Nice documentation. What am I missing here? Every time the network module reloads, gateways disappear. Currently I have 3 WANs, 2 static and 1 PPPoE. Checking inside Zentyal through the CLI, without the gateways, clients don't have internet. Adding the gateways manually on the CLI, voila, clients have internet access following the transparent HTTP proxy filtering and firewall rules. Why do the gateways disappear? Is adding the gateways manually on the CLI the correct way to serve internet access to clients?

"Great minds think alike"
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: nicolasdiogo on September 15, 2011, 10:55:46 am
by saying
Quote
Every time the network module reloads, gateways disappear

have you defined a gateway on Zentyal? as per docs
http://trac.zentyal.org/wiki/Documentation/Community/HowTo/GatewaySetup#a3.2.Gatewaysandloadbalancing
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 15, 2011, 10:59:08 am
Still targeting as light as possible client administration, clients should rely on DHCP. So you need to ensure, once, that clients network is set to use DHCP.
Then you have to set up DHCP server which will provide default gateway, DNS, IP address stuff. Centrally managed, easy and efficient  8)
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 16, 2011, 07:43:59 am
Yes Sir, Gateways are defined correctly in the Zentyal GUI, documentation is so detailed and very helpful for an average person to understand. I'm also kind of a Linux dude so i kinda check on CLI also. Why are the default gateways not showing when i issue the command, "route" ? Using transparent http proxy, my clients do not have internet access unless i add the default gateways manually thru CLI. But not using transparent proxy, even the default gateways are not showing on CLI "route" command, clients have internet access.

With regards to clients, we already have dhcp server providing network stuffs including Zentyal as gateway. So this should be not a problem at all for a Network Administrator.

Any forms of help are much appreciated!

"Great minds think alike."
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 16, 2011, 08:31:16 am
What you describe is perfectly normal: in transparent proxy mode, proxy IP address MUST be client default gateway.
Therefore if there is any problem with gateway definition client side, transparent proxy will not work. This is as simple as this.

Then real question is "why are clients not getting this default gateway value?"

Would you mind sharing "/etc/network/interfaces" for one of these clients, share screen copy of your DHCP configuration (Zentyal side) and finally once lease is renewed, share content of "route" command?

So far, you only wrote "yes it's well configured everywhere" (kind of) but if there is something wrong you even do not suspect, best way is to share what you did.  ;)
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 16, 2011, 08:41:08 am
hehehe, you are so awesome!

We are using vyatta dhcp server here. We only use Zentyal as our Internet gateway.
Clients are already using Zentyal as gateway. On the scenario here, the clients are already in perfect scenario. What I was trying to say was on the Zentyal side. The "route" command was issued inside Zentyal. And yes, the clients default gateway is the Zentyal itself.

Thank you!

"Great minds think alike"
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 16, 2011, 08:47:45 am
Quote
hehehe, you are so awesome!

maybe because you provided too much information about your design  :P

Quote
We are using vyatta dhcp server here. We only use Zentyal as our Internet gateway.
Clients are already using Zentyal as gateway. On the scenario here, the clients are already in perfect scenario. What I was trying to say was on the Zentyal side. The "route" command was issued inside Zentyal. And yes, the clients default gateway is the Zentyal itself.

So tell us a bit more about what you did Zentyal side.
I mean always stating "everything is perfect but it doesn't work" doesn't really help.

Default gateway is missing on Zentyal server? Fine, just configure it.  ::)  or if it doesn't work, please explain how you did configure Zentyal.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 16, 2011, 09:19:31 am
Hmm.. on Zentyal GUI, I followed the instructions in the documentation on adding gateways with corresponding weights. This is what I meant: based on the Zentyal GUI, everything is perfect, because you can see the gateways you added in the list, you can ping the gateways in the diagnostics tools, and be confident that the gateways are working by using Zentyal's Firefox, then checking the public IPs one by one (three public IPs). But what I see in the GUI is different from the CLI: no default gateways in the CLI list. Is this normal?

Back to Zentyal GUI, I also enabled traffic balance and wan failover on my three WAN's.

Thanks!
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 16, 2011, 09:26:55 am
Sorry, I've to give up  :-[
It's definitely too difficult for me to get enough information from your side and understand what is really done.

2 posts above, I discover that Zentyal is not used as DHCP server and that default route issue is at Zentyal server itself.
Now, within this post, one more new aspect: you try to achieve load balancing across 3 WANs.
You still claim "everything is perfectly aligned with documentation but CLI different from GUI" without providing more detail and evidence of what you did.

So I apologize but with such level of input, I really can't help more. Maybe some other forum member will have better idea and guess better than I do what may exist or not on your side.  :-[
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 16, 2011, 10:04:48 am
Hello Sir,

I appreciate very much your help. Every reply gives me hope of getting there, closely.

As for what the documentation stated, I fully understood and followed the instructions. What I meant by perfect here: I really believe and am confident that if I follow all the instructions, everything will work flawlessly. That is why I asked for help, or would like to verify with anyone: is there anything I missed here?

Just one question Sir, on your Zentyal Server, do you see your default gateways (should be the Zentyal GUI Gateways) when you issue the CLI command "route"?

Thanks!
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 16, 2011, 10:20:23 am
No    ;D
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 16, 2011, 10:59:51 am
So i assume you are using non transparent proxy? ^_^
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 16, 2011, 11:09:16 am
it has just nothing to do and this works in both transparent and non transparent proxy mode.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 16, 2011, 11:18:55 am
Ok. I found it weird on my side. T_T Something that I don't know is wrong here. ^_^

I really hope this forum can help us solve this issue.

Thanks!


"Great minds think alike"
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 16, 2011, 11:50:35 am
1 - Default gateway is defined somewhere in /etc/network/interfaces  :D
2 - IPtables is running, isn't it?  ;)
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 16, 2011, 12:31:49 pm
IPtables is not running. ^_^
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 26, 2011, 09:01:58 am
Hello All,

I'm having difficulty with HTTPS access using Zentyal 2.3.

>>HTTP Transparent Proxy
>>WAN Failover enabled
>>Multi GW Rules Enabled (i have two WANs)
>>HTTPS (port 443)already added on FW rule

Given the config above, why can't I access mail sites and any https sites?

Further inquiries upon request.


"Great minds think alike"
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 26, 2011, 09:05:18 am
anything linked to this post:
http://forum.zentyal.org/index.php/topic,7752.msg32892.html#msg32892   ???
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 26, 2011, 10:36:57 am
Ah,

so there's always been a problem with Zentyal on HTTPS? I thought 2.3 is the solution for this bug. I really hope Zentyal will make a fix for this. Thank you for the support.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 26, 2011, 10:59:22 am
??? My reply was in fact a question: ???
is THIS post linked to the previous one describing almost the same issue although the title is about mail?

and NO there is no problem with HTTPS except some implementation problem from users not understanding how it works or doing little mistakes  ;)

Last but not least, last stable version is 2.2  8)
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 27, 2011, 06:57:19 am
awts.. my bad.. But I'm glad I got your attention. Given the config I said above, it means I made a little (could be big) mistake?
And no, it's kinda different, because before I could still log in to Yahoo Messenger. But now, everything that needs authentication, I can't log in.

ThankS!
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 27, 2011, 07:02:04 am
Again, you do not answer my question:
is this thread similar to the other one you started?

I assume the answer is yes, thus I'm going to merge both.

Then back to your point: you will definitely have to provide detail.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 27, 2011, 07:15:29 am
Hello All,
I'm having difficulty with HTTPS access using Zentyal 2.2.
>>HTTP Transparent Proxy
>>WAN Failover enabled
>>Multi GW Rules Enabled (i have two WANs)
>>HTTPS (port 443)already added on FW rule (internal to external, source any destination any service https)

Given the config above, why can't I still access mail sites and any https sites?

"Great minds think alike"
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 27, 2011, 07:29:35 am
In order to ease investigation, did you try:

- using only one WAN (fail-over disabled)
- using non transparent proxy
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 28, 2011, 07:39:41 am
Yes, Thank you!

I tried non transparent and still not working.

I will try disabling WAN failover, will give you update, ASAP.

Thanks!
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 29, 2011, 01:16:58 pm
Up.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 30, 2011, 04:22:52 am
I tried also using one WAN. No fail over and load balance.
Still not working.. T_T

Thanks.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on September 30, 2011, 07:50:44 am
Quote
I tried non transparent and still not working.

Hoops! So issue is somewhere else???
What does it mean "not working"?
Do you get some error message?
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 30, 2011, 09:05:59 am
I mean it keeps on loading until the page says "..too long to respond.."
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: nicolasdiogo on September 30, 2011, 09:13:15 am
could you run the following from a linux client within your network:
Code:
tracepath bbc.co.uk/443
and post it back
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on September 30, 2011, 09:29:18 am
messenger@imserver315:~$ tracepath bbc.co.uk/443
 1:  im315.kcc                                             0.115ms pmtu 1500
 1:  172.16.2.100                                          0.935ms
 1:  172.16.2.100                                          1.061ms
 2:  gw315.kcc                                             0.394ms
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply

Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: nicolasdiogo on September 30, 2011, 03:59:17 pm
is your zentyal gateway

gw315.kcc


I should have asked before - could you also run:
tracepath bbc.co.uk/80

thanks,
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 01, 2011, 05:26:21 am
messenger@imserver315:~$ tracepath bbc.co.uk/80
 1:  im315.kcc                                             0.220ms pmtu 1500
 1:  172.16.2.100                                          0.990ms
 1:  172.16.2.100                                          0.979ms
 2:  gw315.kcc                                             0.433ms
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply


Yes Sir that is my Zentyal. Why is there no reply? Maybe the site is filtered?
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 08:24:39 am
I'm afraid this trace route on port 80 will not reflect behaviour with HTTPS (port 443) because you are using transparent proxy  ::)
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 01, 2011, 08:27:37 am
Ok, I tried non transparent and still the same result. ^_^

messenger@imserver315:~$ tracepath bbc.co.uk/80
 1:  im315.kcc                                             0.220ms pmtu 1500
 1:  172.16.2.100                                          0.990ms
 1:  172.16.2.100                                          0.979ms
 2:  gw315.kcc                                             0.433ms
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply

Thanks!
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 08:49:58 am
This is not what I meant  ;)
Furthermore (and I still need to investigate this), I suspect something strange when you swing between transparent and non transparent mode because packets still look like "captured" even when running non transparent mode and decide not to use proxy.

Anyway, back to your point: I'm not sure tracepath will use proxy, thus is testing on port 80 meaningful? (tracepath uses UDP and HTTP uses TCP  ;) )
 traceroute -T -p port target will use TCP.

But what you show here is that you never go further than Zentyal box as if route to destination was unknown.
What happens when you check the same directly from Zentyal box?
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 09:53:31 am
Thank you.
FYI, use of proxy, transparent or not, while testing from Zentyal itself is irrelevant.

So it looks like something wrong at FW level because from gateway you can reach this target (meaning route is known and allowed) while machines inside your network can reach further than... I don't know what  ;)

Some questions here:
- what is 222.127.106.205 ? is it the external IP address of your Zentyal server because your ADSL device is not router but bridge. (this is a public IP in Philippines)
- what is 172.16.2.100?
- what is  gw315.kcc IP address?

Well, what I try to understand is your network design  :D
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 10:37:50 am
Do not take it the wrong way but you should have described all this a long time ago  >:(
and even with your explanations, I don't understand what your network is made of except that you are using VLANs (are you sure about this? I suspect this is not VLAN but just multiple subnets with a router in the middle) and 2 Zentyal.

I strongly suggest you post either a drawing or provide clearer explanation... or someone else will understand better than I do and I have to give up  :-\

Quote
gw315.kcc is the domain name of kccgw (Zentyal) host which has the ip 172.16.1.1
This is kind of meaningless. It can't be domain name (I grabbed it from tracepath). I suppose you mean that your Zentyal host name is gw315.kcc  Which one, the PROD one or DEV one?
If both PROD and DEV Zentyal connect to internet, how do you handle switching from one to the other, especially with transparent proxy feature? and what about default gateway?
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 01, 2011, 10:50:38 am
Yes Sir it is VLAN. I am a network administrator, and networking is my expertise. ^_^

But these infos won't help us solve the issue. DEV is on isolated Network.

So all suggestions I got from this forum are executed on DEV, this is to eliminate any network issue.

Take this DEV diagram, A very simple diagram.

client >> Zentyal >> Internet

Do not think about my Prod. We use our DEV for simulations. ^_^

thanks!
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 11:09:32 am
OK, cool, let's then discuss real network stuff as this is domain you understand  ;)

<im315.kcc client> (172.16.2.x) <--> (172.16.2.100) <router> (172.16.1.x) <--> (172.16.1.1) <Zentyal DEV gw315.kcc> (222.127.106.205) <--> internet link

Is THAT correct?

Assuming answer is yes  ::) and assuming you have enabled transparent proxy, then HTTPS uses only firewall.
when you trace route from your client to internet, you stop at Zentyal server (internal interface) while Zentyal itself is able to connect to internet.
As you are network expert, we can assume there is no issue with network like missing default route or stuff like this  ;)
Therefore the only solution is that firewall is preventing packets to exit through Zentyal. Do you agree? If yes, then look at firewall rules again (BTW, look at FW log, it may help).

I would say that:
- FW is not configured to allow all internal flow to exit to internet (why not, this makes sense)
- you may have only authorized 172.16.1.0/24  ???

Sorry, I can't help more than this  :-[
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 01, 2011, 11:22:59 am
Yes Yes Yes!
I got your point Sir, very helpful.

On Firewall (Internal to external), source ANY destination ANY service ANY decision ACCEPT.

Just tried this. Still not working. T_T

client >> Zentyal >> Internet

Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 11:31:43 am
Can you post the result of "sudo traceroute -T -p 443 bbc.co.uk" from im315.kcc?
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 01, 2011, 11:45:56 am
I'm sorry to tell this. traceroute command is no more available in Ubuntu 11.04.
^_^
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 11:56:31 am
You mix up "no more available" and not in default package list  ;) I'm using it running 11.04  meaning you can just install it  :P
Anyway, being creative, you can try tracepath instead of traceroute but it will use UDP only if I'm not wrong. I'm sure you know this better than I do.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 01, 2011, 11:58:23 am
Yes, but tracepath do not have -T command. And i already posted tracepath earlier. wait, let me connect my debian device for traceroute.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 01, 2011, 11:59:47 am
sudo traceroute -T -p 443 bbc.co.uk
traceroute to bbc.co.uk (212.58.241.131), 30 hops max, 40 byte packets
 1  172.16.1.111 (172.16.1.111)  1.229 ms  1.438 ms  1.649 ms
 2  gw315.kcc (172.16.1.1)  0.236 ms  0.237 ms  0.228 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  *^C

Thanks!
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 12:11:54 pm
Quote
Yes, but tracepath do not have -T command. And i already posted tracepath earlier. wait, let me connect my debian device for traceroute.

1 - of course if you use tracepath, syntax is a bit different  ::) ::) ::)
2 - Yes you posted it already but in the meantime you may have changed FW rules isn't it?
is 172.16.1.111 the IP of your router?

Did you also look at FW log?

I really give up now.
There is something wrong between network and FW. Packets are dropped at Zentyal level.
You have to investigate on your side:
- check logs if you don't know where to look at
- stop proxy and  try again
- review settings

but from my side there is nothing else I can do. Sorry for that  :-[
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: nicolasdiogo on October 01, 2011, 02:24:51 pm
to test non-transparent you have to use

tracepath bbc.co.uk/443

443 is the port for HTTPS
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: nicolasdiogo on October 01, 2011, 02:26:20 pm
agree with Christian,

this is a soap-opera!

Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 02:30:10 pm
Do you confirm such test really makes sense?

My understanding, although I could be wrong, is that tracepath uses UDP while HTTP (and HTTPS) uses TCP, reason why I suggested to use traceroute with -T option (to force TCP) and -p [port] option to test port 443.

Anyway, issue looks like not related to HTTPS but something with firewall. From Zentyal he is able to reach outside but from inside with "any to any accept", packets are dropped at Zentyal entry level and we have no feedback about firewall log, so I preferred to give up.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: nicolasdiogo on October 01, 2011, 02:55:24 pm
agreed

earlier on - we suggested for having a look at Zentyal logs as well kernel logs
and it did not show any packet dropped.

it would seem to be something else.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 01, 2011, 03:11:25 pm
If packets are not dropped, then it's something like wrong route but solarwindz defining himself as network expert, I suppose this should not occur  ;)
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 03, 2011, 07:45:58 am
Awts. I thought this is a forum, not a debate section. Why do you spend your time with such approach if I was just asking for help, a support? ^_^

I told you earlier that, to compensate for this, I manually added my ISP gateways in Zentyal. If you review my earlier posts, after manually adding the gateways, everything is working fine. But I also said that this is not what we want to happen, because Zentyal is supposed to do the job.

So, if you think I offended you, accept my apology. This is not the time to boast what we know, or to compare how much more you know than I do, but this forum is supposed to help the readers, to "share" with them what we know. Networking is all about sharing, right? (Network administrator code of ethics) ^_^

Anyways, thank you for your support!
^_^
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 03, 2011, 08:45:21 am
Maybe it looks different and you perceive it the wrong way but we were trying to help and support you.
However this appears to be difficult because understanding of what you have on your side, what is configured, working and not working is fuzzy. Is it due to cultural or language barrier, I don't know but, as a result, this is a heavy and painful task, reasons why I preferred to give up.

At least with this last post you make a clear statement that looks almost a conclusion: your point is that default gateway is missing on Zentyal box and you had to add it manually.  :o ::) :o

Trust me, and this is perhaps not your fault, it was not clear before or mixed in the middle of plenty of useless information. As network expert, what is, according to you, the added value of tracing route if you know that default route is missing? We are just all wasting time  :-[ You because you make useless tests, us because we investigate for something you already solved, at least with workaround.

So, as you now have the answer to your question, if you feel this to be a bug, open a ticket  ;) and stamp this post as [SOLVED].

TTFN.
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 03, 2011, 08:47:38 am
Okay. Manually adding the default ISP gw is not the exact solution.  ^_^
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 03, 2011, 08:54:53 am
Either you get external IP address from DHCP server and then DHCP server is responsible for providing the default gateway or you set it up manually and you have to do it using Zentyal GUI.
Then if what you set is not kept after reboot or service restart, this is a bug (assuming you do not apply manual changes using CLI that may prevent Zentyal to work properly), then create a ticket.

Is there anything else to add?
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 13, 2011, 07:46:04 am
Got it. Found the problem. Network > Gateways should only contain list that are marked as external (WAN). Putting a LAN gateway (redirector) in this list causes https access problem.

Hey, may you grant me this last request? Please mark this as solved. I'm not able to log in to the account I used to post this topic. That's why I created another account to reply, as you can notice.

Thank you for bearing with me brosef.

Thanks!
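
One way to check a gateway for the condition described in the post above, as an added example that is not part of the thread or of Zentyal: it lists default routes, in any routing table, whose next hop lies inside an internal subnet. It assumes the configured gateways appear as default routes in the output of `ip route show table all`; the sample routes, table numbers, interface names and the internal range are constructed.

```bash
#!/usr/bin/env bash
# Added example: flag default routes that point at a LAN-side next hop.

# flag_internal_defaults CIDR [CIDR...]   (route listing on stdin)
# Prints "table next_hop device matching_cidr" for each offending default route.
flag_internal_defaults() {
    awk -v nets="$*" '
    function ip2int(ip,   o) {
        if (split(ip, o, ".") != 4) return -1      # not dotted-quad IPv4
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_net(ip, cidr,   p, size, a, base) {
        if (split(cidr, p, "/") < 2) p[2] = 32     # bare address = /32
        size = 2 ^ (32 - p[2])
        a = ip2int(ip); base = ip2int(p[1])
        if (a < 0 || base < 0) return 0
        return int(a / size) == int(base / size)
    }
    # Scan the current line for via/dev/table and report internal next hops.
    function check(   i, j, gw, dev) {
        gw = dev = ""
        for (i = 1; i < NF; i++) {
            if      ($i == "via")   gw    = $(i + 1)
            else if ($i == "dev")   dev   = $(i + 1)
            else if ($i == "table") table = $(i + 1)
        }
        if (gw == "") return                       # on-link route, e.g. PPPoE
        for (j = 1; j <= n; j++)
            if (in_net(gw, net[j])) print table, gw, dev, net[j]
    }
    BEGIN { n = split(nets, net, " ") }
    $1 == "default"           { in_def = 1; table = "main"; check(); next }
    $1 == "nexthop" && in_def { check(); next }    # multipath continuation
                              { in_def = 0 }       # any other route ends it
    '
}

# Constructed sample in the format printed by `ip route show table all`.
sample_routes() {
    cat <<'EOF'
default via 203.0.113.1 dev eth0 table 101
default via 198.51.100.1 dev eth2 table 102
default via 172.16.1.111 dev eth1 table 103
default dev ppp0 scope link table 104
default table 200
    nexthop via 203.0.113.1 dev eth0 weight 1
    nexthop via 172.16.1.111 dev eth1 weight 1
172.16.2.0/24 via 172.16.1.111 dev eth1
172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.1
EOF
}

echo "Default routes via an internal next hop:"
sample_routes | flag_internal_defaults 172.16.0.0/12
# On a live gateway: ip route show table all | flag_internal_defaults 172.16.0.0/12
```

The static route to 172.16.2.0/24 through the LAN router is not reported; only default routes are, since those are what send Internet-bound traffic back into the LAN.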
Title: Re: Zentyal client can't access mail sites / HTTPS problem?
Post by: christian on October 13, 2011, 07:51:20 am
Glad you solved your issue.

You had multiple gateways defined at Zentyal level with some being "internal"  :o :o :o wow
Funny enough, this is what you, somewhat, suggest to arielf: stacking bounces by defining different default gateways... I definitely do not share this kind of design and prefer to make it "simple by design".

I will change your post as [SOLVED]
Title: Re: [SOLVED] Zentyal client can't access mail sites / HTTPS problem?
Post by: solarwindz on October 13, 2011, 07:57:08 am
Yep, it's because I have VLANs in the network. And Zentyal is not the VLAN core. So i thought I need to add the lan gateway (inside Zentyal) so that static routes declared would work (same as my layer 3 switch, my VLAN core).

I'm glad it's working now. A plaque of appreciation for christian. Now i need to focus on my zentyal 2.2 content filtering that is currently not working.

Thanks!
Title: Re: [SOLVED] Zentyal client can't access mail sites / HTTPS problem?
Post by: nicolasdiogo on October 13, 2011, 11:12:18 am
good !