Topics - MikeHartman

1
Zentyal Version: 2.0.23

My Firewall packet filter setup is extremely simple:

  • Filtering rules from internal networks to Zentyal
    • Decision=Drop, Source=Any, Service=ldap
    • Decision=Accept, Source=Any, Service=Any
  • Filtering rules for internal networks
    • Decision=Accept, Source=Any, Destination=Any, Service=Any
  • Filtering rules for traffic coming out from Zentyal
    • Decision=Accept, Destination=Any, Service=Any
  • Filtering rules from external networks to Zentyal
    • Decision=Drop, Source=Any, Service=VoIP
  • Filtering rules from external networks to internal networks
    • No rules
  • Rules added by Zentyal services (Advanced)
    • A couple pages of rules, all with Decision=Accept

Basically, anything originating in the internal network should be able to go wherever it wants.

This generally works on most of my machines. From 192.168.1.11 (odin) I can ping 192.168.1.1 (yggdrasil, where zentyal is running), 192.168.1.60 (hermod) and addresses on the internet.

But from hermod, I can only ping odin. If I try to ping yggdrasil (zentyal) it times out with no response. If I try to ping an address on the internet it times out with no response. If I try to ssh to zentyal it times out with no response. Zentyal is also responsible for my DNS and ignores those requests as well. I have yet to find any connection type that will work between hermod and zentyal or hermod and the internet.

Despite my very permissive firewall rules, it's the firewall that's blocking it. If I view the firewall logs I can see every connection attempt from hermod is dropped. Example screenshot attached.

Hermod joins the network with DHCP the same way odin does. There's no reason zentyal should be treating it differently. And I have almost nothing but "allow all" rules for the internal stuff. What could be the problem?

I'm attaching the output of iptables -L for reference, but I have no idea how to read it, or fix it if the Zentyal firewall interface isn't setting it up correctly.

Also, here's some output from /var/log/debug as I'm trying to ping zentyal and a google server from hermod:

May 31 00:51:35 yggdrasil kernel: [ 3283.078065] ebox-firewall drop IN=eth0 OUT=eth1 SRC=192.168.1.60 DST=74.125.131.105 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1384 SEQ=1 MARK=0x1
May 31 00:51:36 yggdrasil kernel: [ 3284.078218] ebox-firewall drop IN=eth0 OUT=eth1 SRC=192.168.1.60 DST=74.125.131.105 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1384 SEQ=2 MARK=0x1
May 31 00:54:46 yggdrasil kernel: [ 3473.858712] ebox-firewall drop IN=eth0 OUT= MAC=00:06:5b:fe:83:59:a0:88:b4:41:36:dc:08:00 SRC=192.168.1.60 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1386 SEQ=1 MARK=0x1
May 31 00:54:47 yggdrasil kernel: [ 3474.858519] ebox-firewall drop IN=eth0 OUT= MAC=00:06:5b:fe:83:59:a0:88:b4:41:36:dc:08:00 SRC=192.168.1.60 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1386 SEQ=2 MARK=0x1
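A small parser for the `ebox-firewall drop` kernel-log lines quoted above, added here as an example (not part of the post or of Zentyal): netfilter leaves `OUT=` empty for packets addressed to the firewall host itself and fills it for forwarded packets, so grouping drops by arrival interface and path separates "hermod can't reach zentyal" from "hermod can't reach the Internet" and shows which interface the firewall saw the traffic arrive on.

```python
"""Group the 'ebox-firewall drop' lines Zentyal writes to the kernel log by the
interface a packet arrived on and by path (addressed to the gateway itself, or
forwarded). Added example for this thread, not Zentyal code; SAMPLE_LOG is
constructed from the four lines quoted in the post."""
import re
from collections import Counter

SAMPLE_LOG = """\
May 31 00:51:35 yggdrasil kernel: [ 3283.078065] ebox-firewall drop IN=eth0 OUT=eth1 SRC=192.168.1.60 DST=74.125.131.105 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1384 SEQ=1 MARK=0x1
May 31 00:51:36 yggdrasil kernel: [ 3284.078218] ebox-firewall drop IN=eth0 OUT=eth1 SRC=192.168.1.60 DST=74.125.131.105 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1384 SEQ=2 MARK=0x1
May 31 00:54:46 yggdrasil kernel: [ 3473.858712] ebox-firewall drop IN=eth0 OUT= MAC=00:06:5b:fe:83:59:a0:88:b4:41:36:dc:08:00 SRC=192.168.1.60 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1386 SEQ=1 MARK=0x1
May 31 00:54:47 yggdrasil kernel: [ 3474.858519] ebox-firewall drop IN=eth0 OUT= MAC=00:06:5b:fe:83:59:a0:88:b4:41:36:dc:08:00 SRC=192.168.1.60 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1386 SEQ=2 MARK=0x1
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_drop(line):
    """KEY=VALUE fields of a drop line as a dict, or None for any other line.
    The IP header's ID= precedes ICMP's ID=, so the first value per key is kept."""
    _, sep, rest = line.partition("ebox-firewall drop ")
    if not sep:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        fields.setdefault(key, value)
    return fields

def path_of(fields):
    """OUT= is empty in the INPUT path (packet for the gateway itself); a
    non-empty OUT= means the packet was being forwarded to that interface."""
    return "forward" if fields.get("OUT") else "input"

def summarise_drops(log_text):
    """Counter keyed by (path, IN, OUT, SRC, DST, PROTO)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f is not None:
            counts[(path_of(f), f.get("IN", ""), f.get("OUT", ""),
                    f.get("SRC", "?"), f.get("DST", "?"), f.get("PROTO", "?"))] += 1
    return counts

def report(log_text):
    """One text line per distinct dropped flow, most frequent first."""
    return [f"{n:3d} {path:7s} in={i or '-'} out={o or '-'} {s} -> {d} {p}"
            for (path, i, o, s, d, p), n in summarise_drops(log_text).most_common()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The `IN=` interface of a LAN host's dropped packets is worth comparing against the interface Zentyal has marked as internal, since the internal/external rule sets above are applied per interface.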

2
Installation and Upgrades / Zentyal-powered LAN DNS not working?
« on: September 28, 2011, 12:53:41 am »
Previously I managed my (all-linux) LAN DNS needs by manually updating host files on every machine. This is a giant pain, but I've never run a router that offered to handle it for me semi-automatically (at least in a way that actually worked). I recently moved all my network services over to a Zentyal machine with the aim of correcting problems like that.

I've been able to get fixed IP addresses based on MAC address working. I also have a few clients in that list which had trouble actually picking up an address via DHCP (mostly wireless APs), so I had to set their addresses manually in the client config (but they're still using the same fixed address that DHCP would assign them).

I want to be able to refer to all these machines directly by name from every client, just as I could with a local host file. I don't want to have to type a domain every time. I want this to work whether it's a fixed address handed out by DHCP or one of the ones I had to work around manually. I don't have a problem manually managing the list of all clients & IPs, as long as I only have to do it in one place.

My results so far:

If I create a standard domain (non-dynamic) and create a few hostnames under it, I can't actually resolve those hostnames from any of the clients. It doesn't seem to work at all. For example, new domain "hartman" has hosts "mike" and "steve". I connect to the network with client "bob", get my IP and see that /etc/resolv.conf properly points to the Zentyal box. But pinging "mike", "mike.hartman", "steve" and "steve.hartman" all fail with "unknown host". I can ping their IP addresses fine though.

If I create a dynamic domain (create empty domain, go to dhcp->dynamic dns options, enable it and select that new domain) those machines are now reachable using "mike.hartman" and "steve.hartman", but still not by "mike" or "steve". This is despite the fact that I enter "hartman" as the search domain everywhere I can (dhcp->common options->search domain, network->dns->search domain and I could have sworn one other place that I can't find now).

I've restarted my laptop's connection to the network several times in case it was caching something / not picking up the search domain. Although it seems like one of those search domain settings should be instructions to Zentyal itself on how to look up incoming unqualified hostname requests, rather than just telling Zentyal what search domain to pass along to the clients. Because ideally you don't want to depend on the clients behaving according to your instructions when you have total control over what the DNS returns to them anyway.

So here's my setup:

Zentyal 2.0.21

Modules (a lot installed but plenty not actually being used yet)

  Network (running)
  Firewall (running)
  Antivirus (running)
  Apache (running)
  VoIP (running)
  Certificate Authority (not created)
  DHCP (running)
  DNS (running)
  Events (running)
  IDS (running)
  Logs (running)
  Monitor (running)
  VPN (running)
  Printer Sharing (running)
  File Sharing (running)
  HTTP Proxy (disabled)
  Traffic Shaping (disabled)
  User Corner (running)
  Users and Groups (running)

Network->DNS
  Domain Name Server Resolver List
    127.0.0.1
    4.2.2.2
    4.2.2.3
  Search Domain
    hartman

Objects->Objects List
    "fixed"
      mike - 192.168.1.20 - XX:XX:XX:XX:XX:XX
      steve - 192.168.1.21 - YY:YY:YY:YY:YY:YY
      bob - 192.168.1.22 - ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
      wifia - 192.168.1.30 - AA:AA:AA:AA:AA:AA (wifia doesn't like to get its address from DHCP so it's also hardcoded on the client)
      wifib - 192.168.1.31 - BB:BB:BB:BB:BB:BB (wifib doesn't like to get its address from DHCP so it's also hardcoded on the client)

DHCP->Service Configuration->Common Options
  Default Gateway - Zentyal
  Search Domain - Zentyal domain - Hartman
  Primary nameserver - local Zentyal DNS
  Secondary nameserver - (blank)
  NTP Server - none
  WINS Server - none

DHCP->Service Configuration->Dynamic DNS Options
  Enabled - yes
  Dynamic domain - hartman
  Static domain - same as dynamic domain

DHCP->Ranges
  "dynamic" - from 192.168.1.100 to 192.168.1.254

DHCP->Fixed Addresses
  "fixed"

DNS->List of Domains
  "hartman"
    hostnames - "ns" - 127.0.0.1
  Dynamic? - yes

I can't think of any other settings that should affect this. Any suggestions? Why aren't the search domain settings being properly applied? Why don't static domains seem to work at all?
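An added example (my own, not from the post or from Zentyal) of the mechanism behind the search-domain behaviour described above: the client's resolver decides which fully qualified names to send, and the server can only answer the exact name it receives, so whether `mike` or only `mike.hartman` resolves is decided by the `search` line actually present in the client's /etc/resolv.conf. ZONE and the two resolv.conf texts are constructed from the hostnames and settings in the post.

```python
"""Model how a stub resolver qualifies a short name with its search list before
asking the server, and how the server answers only the exact name it receives.
Added example for this thread, not Zentyal code; ZONE and the resolv.conf texts
are constructed from the hostnames and settings in the post."""

# What the Zentyal DNS holds once "mike" and "steve" exist under "hartman".
ZONE = {"mike.hartman.": "192.168.1.20", "steve.hartman.": "192.168.1.21",
        "ns.hartman.": "127.0.0.1"}

def parse_resolv_conf(text):
    """(nameservers, search_domains, ndots) from resolv.conf text. As in glibc,
    the last 'search'/'domain' line wins and ndots defaults to 1."""
    nameservers, search, ndots = [], [], 1
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search = args
        elif key == "options":
            ndots = next((int(o[6:]) for o in args if o.startswith("ndots:")), ndots)
    return nameservers, search, ndots

def candidate_names(name, search, ndots=1):
    """Query names a glibc-style resolver sends, in order: a trailing dot means
    'as is'; with at least ndots dots the bare name is tried first, otherwise
    the search domains are appended first and the bare name is tried last."""
    if name.endswith("."):
        return [name]
    qualified = [f"{name}.{d.rstrip('.')}." for d in search]
    return ([name + "."] + qualified) if name.count(".") >= ndots else (qualified + [name + "."])

def lookup(name, resolv_conf_text, zone=ZONE):
    """(qname, address) for the first candidate the server can answer, or
    None, which the client reports as 'unknown host'."""
    _, search, ndots = parse_resolv_conf(resolv_conf_text)
    for qname in candidate_names(name, search, ndots):
        if qname in zone:
            return qname, zone[qname]
    return None

# Constructed client configurations: the DHCP-delivered nameserver alone, and
# the same plus the search domain the post tries to push out via DHCP.
NO_SEARCH = "nameserver 192.168.1.1\n"
WITH_SEARCH = "nameserver 192.168.1.1\nsearch hartman\n"
```

Comparing a client's actual /etc/resolv.conf against the DHCP common options is the quickest way to tell whether the search domain is reaching the clients at all.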

3
Installation and Upgrades / Weird connection issues post-install [SOLVED]
« on: September 13, 2011, 10:12:53 pm »
I'm having trouble getting even the most basic functionality on a brand-new Zentyal install working.

I just downloaded the current stable ISO last night and installed it on an old PC with two NICs. The goal is to have that PC act as router/gateway/firewall/dhcp server/local dns server. Layout looks like "Internet->eth0", "eth1->switch->other machines". I seem to have all the appropriate modules installed.

eth0 is set up as a WAN interface with DHCP, and is getting an external IP from my ISP fine. eth1 is configured as internal, static, with IP 192.168.1.1. I set it up to use 4.2.2.2 and 4.2.2.3 as the DNS servers. I started up the DHCP server and specified an address range.

Here's where it gets weird.

From the zentyal machine, I can ping 4.2.2.2 successfully. But I can't look up "www.google.com". Anything involving DNS seems to fail, even though I can ping that DNS server. Also, even though I configured eth1 as static with IP 192.168.1.1, it's actually picking up a dynamic IP from zentyal via DHCP and showing up in the leases box of the dashboard.

Other machines attached to the switch successfully get an IP address from zentyal, but can't even ping 4.2.2.2. They also don't seem to be able to connect to the zentyal machine properly, to open the web interface for example. And I can't access web interfaces on those machines from the zentyal machine. But they must be able to connect to some extent or they wouldn't be getting IPs...

I've completely disabled the firewall module in case that was interfering somehow.

Something seems pretty hosed up here. I would think a plain vanilla router/gateway setup would work pretty well out of the box. Am I missing something?