1
Installation and Upgrades / Firewall block packets to virtual interface
« on: April 16, 2014, 09:34:11 am »
Hi, All!
I have one main and one remote office, which are connected through VLAN level 2 via the ISP.
In the main office there is a fresh installation of Zentyal 3.4, default config, eth1 as the internal interface connected to the VLAN:
eth1 192.168.100.1
virtual interface on eth1 10.202.115.1
In the remote office there is a MikroTik WLAN connected to the VLAN
WLAN 10.202.115.5
I can ping 10.202.115.5 from Zentyal itself, and from all of the 192.168.100.0/24
subnet. But all other packets were blocked by the Zentyal firewall:
zentyal-firewall drop IN=eth1 OUT=eth1
MAC=00:0e:0c:84:9c:a4:94:de:80:02:db:a8:08:00 SRC=192.168.100.3 DST=10.202.115.5 LEN=40 TOS=0x00 PREC=0x00 TTL=127
ID=28863 DF PROTO=TCP SPT=31526 DPT=8291 WINDOW=256 RES=0x00 ACK URGP=0 MARK=0x1
But in the firewall's internal network filter rules I have only an any-to-any accept
rule.
Why and where are such packets blocked by Zentyal? Why are ICMP packets not blocked?
Thanks.
P.S.
So, if I change the MikroTik WLAN address to 192.168.100.205, for example,
everything is OK via the eth1 interface, of course...
2
Russian / Firewall logs
« on: February 21, 2014, 04:45:45 am »
I'm running Zentyal 3.3.4 and unexpectedly noticed that every day at 08:00 the firewall logs stop being filled. Toggling the "Logs" - "Log settings" - "Firewall" setting off and on helps. IMHO, it started after one of the updates, since it didn't happen before.
As a workaround, I'm thinking of creating a cron job with commands to restart logging. How can I do this, or is there another way to fix it?
Thanks.