Show Posts



Messages - ccarpenter

Pages: [1] 2 3 4
1
Installation and Upgrades / Re: SNAT multiple virtual IP addresses
« on: August 20, 2014, 03:17:36 pm »
For anyone who may be in the same position as me: I got this working. Not sure why it didn't work the first time, but after a reboot and re-adding the rules for SNAT it is working perfectly now.

2
This worked perfectly. Thank you for the help.

3
Installation and Upgrades / Re: SNAT multiple virtual IP addresses
« on: August 19, 2014, 11:00:31 pm »
Strangely, looking at
sudo iptables -L
shouldn't my rule that I set up under Firewall > SNAT be in here?

4
Installation and Upgrades / Re: SNAT multiple virtual IP addresses
« on: August 19, 2014, 10:42:44 pm »
I still can't seem to get this working. I need outbound traffic from this pc to be seen as one of the virtual IP addresses on eth1.

5
Installation and Upgrades / SNAT multiple virtual IP addresses
« on: August 19, 2014, 09:41:15 pm »
What I am trying to accomplish is that I want a specific machine on my LAN to be seen publicly from a specific IP address. I have a block of 5 addresses from my ISP. On my network interface I have the first IP address configured as the first address in the block and four virtual IPs for the rest. I want this specific computer to be seen as one of these virtual IP addresses. Looks like I need to be using SNAT for this, but I can't seem to figure it out. I did find this on serverfault:
http://serverfault.com/questions/608228/how-to-configure-source-nat-private-ip-public-ip-outbound
Once I set this up I get no access to the internet at all from the local PC. Can anyone who has done this clear this up? The documentation seems sparse for SNAT.
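The rule the thread is after, written as an added example (this is not code from the thread, from the serverfault answer, or from Zentyal): one LAN host is SNATed to one of the virtual IPs bound on the WAN interface, everything else keeps using the generic masquerade. The addresses are assumptions standing in for the poster's: 10.1.1.50 is the LAN host, eth1 the WAN NIC, 203.0.113.12 the virtual IP. The check function also answers the later question in this thread: `iptables -L` with no `-t` lists only the filter table, so a SNAT rule will never appear there; it lives in the nat table.

```shell
#!/bin/sh
# Added example, not from the thread or from Zentyal: give one LAN host its own
# public source address by SNATing it to a virtual IP bound on the WAN NIC.
# Assumed values (override via the environment): LAN host 10.1.1.50, WAN eth1,
# virtual IP 203.0.113.12 (RFC 5737 documentation range, standing in for the
# ISP-assigned block).
IPTABLES=${IPTABLES:-/sbin/iptables}
WANIF=${WANIF:-eth1}
LAN_HOST=${LAN_HOST:-10.1.1.50}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.12}

# Insert the SNAT rule at the head of nat/POSTROUTING (position 1) so it is
# evaluated before the generic MASQUERADE rule that covers the rest of the LAN.
# The -C check first keeps this idempotent across repeated firewall restarts.
snat_host() {
    "$IPTABLES" -t nat -C POSTROUTING -s "$LAN_HOST/32" -o "$WANIF" \
        -j SNAT --to-source "$PUBLIC_IP" 2>/dev/null ||
    "$IPTABLES" -t nat -I POSTROUTING 1 -s "$LAN_HOST/32" -o "$WANIF" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# `iptables -L` without -t shows the filter table only; NAT rules are in the
# nat table, so this is the listing to check after saving Firewall > SNAT.
show_nat_rules() {
    "$IPTABLES" -t nat -S POSTROUTING
}

case "${1:-}" in
    apply) snat_host && show_nat_rules ;;
    show)  show_nat_rules ;;
esac
```

Two caveats worth knowing before concluding the rule "does not work": the virtual IP must actually be configured on the WAN interface (it is, in the poster's setup) or replies have nowhere to land, and connections that were already in the conntrack table keep the mapping they were created with, so only new flows from the host pick up the new source address. Flushing with `conntrack -F` (from conntrack-tools) or a reboot clears the old entries; then fetching any what-is-my-IP page from the LAN host should show the virtual IP.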

6
Thank you for the input. I added it and will test tonight when I get a chance to reboot.

7
I have a specific interface that needs to be set at 100M full duplex with auto-negotiation off. I can do this with ethtool, but it does not stay set after a reboot. If I do not manually set it, my upload speed is basically cut in half. From what I'm told, my Adtran for my fiber connection is set to 100M and sometimes the auto-negotiation doesn't get it quite right. Any way to keep this setting permanent?

Manually I can do:
sudo ethtool -s eth1 speed 100 duplex full autoneg off
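An added example, not from the thread or from Zentyal, that turns the one-off command above into something safe to run at every boot and every interface reconfiguration: it parses the current `ethtool eth1` output and only issues `ethtool -s` when the port is not already forced to 100/full with autoneg off. The interface name and ethtool path are defaults that can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the thread or from Zentyal): force a NIC to a fixed
# speed/duplex with auto-negotiation off, but only when it is not already in
# that state, so the script is idempotent and cheap to run repeatedly.
ETHTOOL=${ETHTOOL:-/sbin/ethtool}
IFACE=${IFACE:-eth1}
SPEED=${SPEED:-100}       # Mb/s, as passed to "ethtool -s ... speed"
DUPLEX=${DUPLEX:-full}

# Read `ethtool <iface>` output on stdin; exit 0 when the link still needs
# forcing, 1 when it already matches. Only the capitalised "Auto-negotiation:"
# line is the current state; "Advertised auto-negotiation:" is lowercase and
# is deliberately not matched.
needs_forcing() {
    awk -v speed="${SPEED}Mb/s" -v duplex="$DUPLEX" '
        /^[ \t]*Speed:/            { cur_speed = $2 }
        /^[ \t]*Duplex:/           { cur_duplex = tolower($2) }
        /^[ \t]*Auto-negotiation:/ { cur_autoneg = $2 }
        END { exit (cur_speed == speed && cur_duplex == duplex && cur_autoneg == "off") ? 1 : 0 }'
}

force_link() {
    if "$ETHTOOL" "$IFACE" | needs_forcing; then
        "$ETHTOOL" -s "$IFACE" speed "$SPEED" duplex "$DUPLEX" autoneg off
    fi
}

case "${1:-}" in
    apply) force_link ;;
esac
```

Where to call it from is the part that decides whether it survives a reboot. Zentyal 3 writes /etc/network/interfaces from its own configuration, so a hand-added `post-up` line there is lost the next time the network module saves; calling this script with `apply` from /etc/rc.local covers the boot case, and a Zentyal hook named /etc/zentyal/hooks/network.postservice (an assumption here, by analogy with the firewall.postservice hook used later on this page) would also cover the case where Zentyal brings the interface down and up again.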

8
I am trying to add some SRV records for my DNS settings and it gave me "Service 'service-name' is not present in /etc/services". So I went to /etc/services, added all the ones I needed at the bottom and saved.

Here are the ones I added:
caldav          80/tcp
caldavs         443/tcp
carddav         80/tcp
carddavs        443/tcp
autodiscover    80/tcp
ischedule       80/tcp

In the web interface I have successfully added my carddav and caldav SRV records but autodiscover and ischedule still will not add giving error "Service 'service-name' is not present in /etc/services" when clearly it is there. Any ideas?

9
Installation and Upgrades / Re: DNS Name Resolution from Mac
« on: January 07, 2013, 10:31:24 pm »
It was NOT set as dynamic. I changed it so it is set as dynamic for this domain. How long will it take for this name resolution to take effect?

10
Installation and Upgrades / Re: DNS Name Resolution from Mac
« on: January 07, 2013, 08:27:38 pm »
We have two windows 2003 servers with one active directory domain. With nslookup I get this when looking up my firewall:
~ » nslookup firewall
Server:      10.20.20.1
Address:   10.20.20.1#53

Name:   firewall.XXXX.com
Address: 10.20.20.1
Name:   firewall.XXXX.com
Address: ISP IP

nslookup of a host in DHCP pool:
~ » nslookup windows-vm-1
Server:      10.20.20.1
Address:   10.20.20.1#53

** server can't find windows-vm-1: NXDOMAIN

~ » nslookup windows-vm-1.XXXX.com
Server:      10.20.20.1
Address:   10.20.20.1#53

** server can't find windows-vm-1.XXXX.com: NXDOMAIN

I am using Zentyal 3 with all latest updates and latest Zentyal components.

11
Installation and Upgrades / Re: DNS Name Resolution from Mac
« on: January 07, 2013, 06:16:01 pm »
That info makes sense, thanks for clarifying, Christian. I had some hardware issues with my firewall and, long story short, I ended up reinstalling the Zentyal OS, and even now I cannot get DNS to resolve hostnames at all from OS X or Linux. Windows is working but I suspect it is using NetBIOS. My Mac gets a dynamic IP and the search domain is correctly set, yet I cannot ping any hostname in the DHCP pool. I can ping the hostnames of servers I have manually set in the DNS settings of Zentyal. I figured with a fresh install it would be working. In the dashboard I can see a list of all my DHCP clients and their hostnames are correctly displayed there, yet I can't ping them.

12
Installation and Upgrades / DNS Name Resolution from Mac
« on: December 19, 2012, 09:30:11 pm »
I am having an issue with a Mac resolving hostnames on the network. I can resolve names from any Windows PC. Zentyal is the primary DNS server and is also the gateway for the network. What is odd, though, is the Mac can resolve a few of the hostnames but not all. Out of, let's say, 200 DHCP clients the Mac can resolve maybe 5 clients by hostname, and these clients are in the DHCP pool and not static. The Mac can resolve all the static hosts configured in Zentyal no problem either. Is there a way to flush the DHCP leases to force clients to get a new address? I have restarted both DHCP and DNS on Zentyal and that didn't do it. The DHCP settings also specify a search domain, and the Mac does get this and can successfully ping just the hostname instead of the FQDN. Has anyone come across this?

13
Installation and Upgrades / Re: MiniUPNPD setup and configuration help
« on: November 21, 2012, 08:46:49 pm »
From all the messing around I have done with this it seems that there is a syntax error in the code I copied. In the last line it doesn't like the "!". I simplified the code as follows just to see if it'll work.

iptables -t nat -N MINIUPNPD
iptables -t nat -I PREROUTING -j MINIUPNPD
iptables -t filter -N MINIUPNPD
iptables -t filter -I FORWARD -j MINIUPNPD

I can now successfully restart the firewall service and all seems ok now except that it still isn't forwarding ports. I can run this on the iptables:
chris@ubuntu:~$ sudo iptables -L | grep -i upnp
MINIUPNPD  all  --  anywhere             anywhere
Chain MINIUPNPD (1 references)

So it shows there are rules in iptables now and I made sure miniupnpd is running. Not sure what else to check really. I am no iptables expert by any means so if someone else is and could let me know if I'm doing something wrong that would be great.

Also for debug purposes I will list my config files and setup info:

eth0 - lan - 10.1.1.5
eth1 - wan - Dynamic IP from ISP

/etc/miniupnpd/miniupnpd.conf
##############################################
# WAN network interface. If not supplied here, then
# we're going to use /etc/default/miniupnpd
ext_ifname=eth1

# if the WAN interface has several IP addresses, you
# can specify the one to use below. If you use the
# interface name defined in /etc/default/miniupnpd, then
# the init.d script will calculate it for you, so in most
# cases, you wont need to define it here.
#ext_ip=

# LAN network interfaces IPs / networks
# there can be multiple listening ips for SSDP traffic.
# should be under the CIDR form, eg: nnn.nnn.nnn.nnn/zz
# where zz is the netmask (number of bits with value 1)
#
# HTTP is available on all interfaces
# When MULTIPLE_EXTERNAL_IP is enabled, the external ip
# address associated with the subnet follows. for example :
# listening_ip=192.168.0.1/24 88.22.44.13
# listening_ip=192.168.0.1/24
# listening_ip=192.168.1.1/24
listening_ip=10.1.1.5/24

# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
port=0

# path to the unix socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock

# enable NAT-PMP support (default is no)
enable_natpmp=yes

# enable UPNP support (default is yes)
enable_upnp=yes

# chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
#upnp_forward_chain=MINIUPNPD
#upnp_nat_chain=MINIUPNPD

# lease file location
#lease_file=/var/lib/miniupnp/upnp.leases

# bitrates reported by daemon in bits per second
bitrate_up=1000000
bitrate_down=10000000

# "secure" mode : when enabled, UPnP client are allowed to add mappings only
# to their IP.
secure_mode=yes

# default presentation url is http address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php

# report system uptime instead of daemon uptime
system_uptime=yes

# notify interval in seconds. default is 30 seconds.
notify_interval=60

# unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=20

# clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600

# log packets in pf (default is no)
#packet_log=no

# anchor name in pf (default is miniupnpd)
#anchor=miniupnpd
# ALTQ queue in pf
# filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1

# tag name in pf
#tag=tag_name1

# make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no

# uuid : generate your own with "make genuuid"
uuid=fb1e5c36-2e31-4947-831d-cb836d0b0f2b

# serial and model number the daemon will report to clients
# in its XML description
serial=173
model_number=173

# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
#allow 12345 192.168.7.113/32 54321
#allow 1024-65535 192.168.0.0/16 1024-65535
#allow 1024-65535 10.0.0.0/8 1024-65535
allow 1024-65535 10.1.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535





/etc/default/miniupnpd
##############################################
# Set to 1 to start the daemon. Deactivated by default, because
# you don't want the outside to control your UPnP router, and
# as a consequence MiniUPnPd_LISTENING_IP should be set to a
# reasonable value before enabling the daemon.
START_DAEMON=1

# Define here the external interface connected to the WAN (eg: the public
# IP address NIC)
MiniUPnPd_EXTERNAL_INTERFACE=eth1

# IP that the daemon should listen on.
# Note that you do *not* want this to be 0.0.0.0, as you don't want
# your MiniUPnPd to be controlled by anyone on the internet.
MiniUPnPd_LISTENING_IP=10.1.1.5/24

# This defines other options which you might want to use when
# starting MiniUPnPd. Note that the -S option is important:
# -S sets "secure" mode : clients can only add mappings to their own ip
# (see man page)
MiniUPnPd_OTHER_OPTIONS="-N -f /etc/miniupnpd/miniupnpd.conf"




14
Installation and Upgrades / Re: MiniUPNPD setup and configuration help
« on: November 21, 2012, 03:45:14 pm »
Just following up. It was an oversight on my part. I forgot to make the firewall.postservice executable. So that is fixed now. My next issue is in the actual script to add the rules. Here is the output when it tries to run:

chris@ubuntu:/sbin$ sudo /etc/init.d/zentyal firewall restart
 * Restarting Zentyal module: firewall                                   [fail]
root command /etc/zentyal/hooks/firewall.postservice 1 failed.
Error output: Bad argument `MINIUPNPD'
 Try `iptables -h' or 'iptables --help' for more information.
 iptables v1.4.12: cannot have ! before -j
 Try `iptables -h' or 'iptables --help' for more information.

It seems there is an issue, but the user-defined chain is clearly defined with "$IPTABLES -t nat -N MINIUPNPD" when it adds the MINIUPNPD chain to the nat table. Any ideas?

15
Installation and Upgrades / MiniUPNPD setup and configuration help
« on: November 21, 2012, 01:42:23 am »
I have installed MiniUPNPd for UPnP from the Quantal repository. I am using the latest Zentyal 3 version. No problems with the install whatsoever; it's the configuration that has me puzzled. I was looking at the ClearOS forum because they have this package for their OS and others have helped. Here is the URL I was looking at:
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,40/func,view/id,21002/

So I already have it installed and set the WAN interface to be my eth1 port and the listening IP Address to be 10.1.1.5 which is my lan IP Address on eth0. The part that I can't figure out is it implies that I have to make a manual entry in my IPTABLES for it to work. The instructions mention a script that runs during firewall start so I looked up the hooks for Zentyal and it says to use firewall.postservice for firewall scripts. So as root I created a file in /etc/zentyal/hooks/firewall.postservice and added the IPTABLES code:

##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
#EXTIF=  (not required as uses automagic to determine WAN, can be manually specified)
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD

#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD

On firewall restart it doesn't complain about an error, but when I run iptables -L there are no listings for MINIUPNPD.

When I restart the miniupnpd service it does add its own chain but there are no values under it.

Just trying to get help from anyone who has worked with this. Thank you.
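A corrected, idempotent version of the firewall.postservice hook, added here as an example; it is not the script from the ClearOS thread, nor Zentyal's or miniupnpd's own code. It covers both the original script above and the simplified one posted later in this thread. Two things in the visible output are worth tying together: the `#EXTIF=` line in the copied script is commented out, so `$EXTIF` expands to nothing and `-i $EXTIF -j MINIUPNPD` reaches iptables as `-i -j MINIUPNPD`, where `-i` swallows `-j` as the interface name and `MINIUPNPD` becomes the stray "Bad argument"; in the FORWARD line the same expansion leaves `! -j`, which is the "cannot have ! before -j" message. The negation itself belongs before the option (`! -o`), the form iptables 1.4.x accepts. The interface matches are kept rather than dropped: without `-i $EXTIF` the filter chain, whose contents miniupnpd fills with ACCEPT rules, would also be consulted for LAN-originated traffic. The WAN name eth1 is taken from the poster's own description; the chain name must match `upnp_nat_chain`/`upnp_forward_chain` in miniupnpd.conf (left at the MINIUPNPD default above).

```shell
#!/bin/sh
# /etc/zentyal/hooks/firewall.postservice
# Added example (not Zentyal's or miniupnpd's own script): recreate the
# MINIUPNPD chains and the jumps into them after Zentyal has rebuilt its
# ruleset. Every step checks first, so it is safe on every firewall restart.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth1}        # WAN interface; the copied script left this unset, which is what broke it
CHAIN=${CHAIN:-MINIUPNPD}   # must match upnp_nat_chain / upnp_forward_chain in miniupnpd.conf

# Create the chain in the given table if it does not exist yet. It is never
# flushed here: miniupnpd manages the rules inside it.
ensure_chain() {   # $1 = table
    "$IPTABLES" -t "$1" -N "$CHAIN" 2>/dev/null || true
}

# Insert a jump into the chain at position 1 of the parent chain, unless an
# identical rule is already present (-C, available since iptables 1.4.11).
ensure_jump() {    # $1 = table, $2 = parent chain, rest = match arguments
    table=$1; parent=$2; shift 2
    "$IPTABLES" -t "$table" -C "$parent" "$@" -j "$CHAIN" 2>/dev/null ||
    "$IPTABLES" -t "$table" -I "$parent" 1 "$@" -j "$CHAIN"
}

install_miniupnpd_rules() {
    [ -n "$EXTIF" ] || { echo "EXTIF is not set" >&2; return 1; }
    ensure_chain nat
    ensure_chain filter
    # Only packets arriving on the WAN are candidates for a UPnP redirect ...
    ensure_jump nat PREROUTING -i "$EXTIF"
    # ... and only WAN-in packets not leaving via the WAN (i.e. LAN-bound) are
    # accepted through the chain. Negation goes before the option: "! -o".
    ensure_jump filter FORWARD -i "$EXTIF" ! -o "$EXTIF"
}

# Zentyal runs the hook by path (see the "root command /etc/zentyal/hooks/
# firewall.postservice 1 failed" line above); when sourced from elsewhere only
# the functions are defined.
case "${0##*/}" in
    firewall.postservice) install_miniupnpd_rules ;;
esac
```

Because the jumps sit at position 1 of PREROUTING and FORWARD, every mapping miniupnpd creates is matched before Zentyal's own rules; that is what makes UPnP port forwards work, and also why the `allow`/`deny` lines and `secure_mode=yes` in miniupnpd.conf are the only thing limiting what LAN clients can open. After a restart, `iptables -t nat -S PREROUTING` and `iptables -S FORWARD` should each show the jump as their first rule, and `iptables -t nat -S MINIUPNPD` stays empty until a client has actually requested a mapping.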
