Allow IP on green interface

Hi, I have Neth 192.168.1.41 that does AD 192.168.1.40 and Samba.

My gateway is a router with DNS reported.

My green is located on a switch which is attached to the router/firewall.

I posted a long time ago that, to get Neth working, I also had to attach the red interface to the router (I thought it was not needed because my traffic flows via the firewall anyway). This is not a problem; a long time ago I opened a topic about this.

NETH|<--green->SWITCH<->FIREWALL<->ISP ROUTER
          |<--red-->-------------------------------------ISP ROUTER

Everything is working

=======================================================================

My firewall manages VPN, AND inside the LAN I can have IPs of 192.168.100.x that try to reach 192.168.1.x.

I have managed to permit those 100.x IPs to reach Windows machines on 1.x and open some services on Windows.

Neth filters those requests; how do I manage the requests that come from the green interface?

Hi

I don’t quite understand why you installed the full firewall with 2 interfaces on your NethServer, since you have a separate hardware router / firewall?

Just remove the unnecessary firewall (there still remains a firewall in NethServer!) and the second network NIC.

Set the gateway of your NethServer to the existing firewall.

That keeps things simpler, less headaches and the same level of security from the Internet you have now. Security is determined by your existing firewall…

My 2 cents
Andy

Can you check there is a static route between the 2 subnets (192.168.1.x and 192.168.100.x)? That is necessary to make the subnets able to reach each other.

/edit @Andy_Wismer is right. If you already have a firewall there is no need for a RED interface on your NethServer. You can safely remove the RED interface. On the green interface, make sure the internal IP address of your firewall is set as the gateway for your GREEN interface.


OK, my problem is not the red interface.
Neth is not the firewall; it is the AD server.

My problem is:
Neth filters requests on the green interface that are not from 192.168.1.x.
I need to allow 192.168.100.x on green.

For example, http-admin is unreachable from an IP 192.168.100.x.

So I have made some attempts.

1) Security -> Trusted networks: add 192.168.100.x
NO SUCCESS

2) Security -> Network services: httpd-admin Accept green; no other selection possible

3) Configuration -> Network alias 192.168.100.41
NO SUCCESS

Is there an implicit rule?

Do I have the same problem with AD on 192.168.1.40?

Hi

I think there are a few misunderstandings here…

If NethServer is not your firewall, why is one interface red?
You could have two green, if you only need 2 networks…

If you need 2 networks, it is better to let your router do that.

If not firewall, why 2 network interfaces, AND one of the two is RED?

If it IS acting as firewall, red MUST point to the internet.
And red will not accept connections…

You contradict yourself within two sentences:

“Everything is working” (Then why this post?)

“My firewall manage VPN AND inside the lan I can have IP of 192.168.100.x that try to reach 192.168.1.x”
(Try to reach? Meaning it’s NOT working?)

My 2 cents
Andy

Hi

I think there are a few misunderstandings here…

I don’t think

If NethServer is not your firewall, why is one interface red?
You could have two green, if you only need 2 networks…

I have detached red, so forget red.
I have only 1 cable on the green interface.

NETH|<--green->SWITCH<->FIREWALL<->ISP ROUTER

If you need 2 networks, it is better to let your router do that.

My main lan is 192.168.1.x

The firewall can manage IPsec remote users or SSL VPN users, so they can be reflected on the main LAN but with a different IP:

IPSEC 192.168.100.x
SSL 192.168.200.x

                           ____________________REMOTEUSER                         
                           |
NETH|<--green->SWITCH<->FIREWALL<->ISP ROUTER

If not firewall, why 2 network interfaces, AND one of the two is RED?

Forget RED, it is not the focus.

If it IS acting as firewall, red MUST point to the internet.
And red will not accept connections…

Connections flow to Neth via GREEN.

You contradict yourself within two sentences:
“Everything is working” (Then why this post?)

No, this is the first part of a sentence, but I will explain better:
AD and Samba are actually working in the LAN when reached by 192.168.1.x.

“My firewall manage VPN AND inside the lan I can have IP of 192.168.100.x that try to reach 192.168.1.x”
(Try to reach? Meaning it’s NOT working?)

Any external machine that has 192.168.100.x (if connected with IPsec) or 192.168.200.x (SSL VPN) can reach any machine inside the LAN, for example 192.168.1.35 (an HTTP server), but NETH, which has IP 192.168.1.41, can’t be reached on any of its ports (http, http-admin, Samba, etc.) by IPsec or SSL VPN machines.

My question is: “Is there something that discards packets on NETH?” I think the answer is YES; how do I enable 192.168.100.x to reach NETH services? My concern is also about AD: in NETH it is created using a wizard and ends up on another IP, 192.168.1.40.

@Riccardo_Prandini

OK, that’s much more understandable for me!

I think in that case, your solution is simple: Trusted Networks!

Add in your two VPN Networks, 100 and 200…
This adds a rule allowing access to the two networks!

Finito! :slight_smile:

Explanation: Trusted Networks are allowed to access (reach) the Windows Services (AD / Shares).

You also need to use this feature if, say, connecting to your office NethServer from home with a roadwarrior VPN or even a site-to-site VPN. The home LAN’s IPs should go in this list too.

Andy

Note: If this solves your problem, please mark this as solution…

I thought that could be the solution, but as I said before, it is not working:

1) Security -> Trusted networks: add 192.168.100.x
NO SUCCESS

My Neth is a bit old: NethServer release 7.6.1810.

192.168.5.0 is another VPN for testing, but the same thing happens.

Where could the log be?

Time to update, man! :slight_smile:
And you should post English screenshots, not Italian :slight_smile: (I have to say it even to those who speak my language… :wink:)
Click on “Visualizza Log” (Show Log); messages should be the right place to search.
In any case, the screenshot you posted does not contain 192.168.100.x/24 as trusted hosts.
Again…
Time to update, man!
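If the firewall on the NethServer is really what discards the VPN clients' packets, the evidence is in the netfilter log lines that Shorewall (the firewall NethServer 7 uses) writes to /var/log/messages, the "messages" log mentioned above. The script below is an added example, not part of the thread or of NethServer: it parses such lines, keeps only DROP/REJECT entries aimed at the NethServer address whose source is outside the configured trusted networks, and collapses those sources into the subnets that still need to be added on the Trusted networks page. The sample log lines are constructed (addresses and the httpd-admin port 980 follow the thread); the exact "Shorewall:<chain>:<action>:" prefix and chain names are an assumption, and it is also assumed that dropped packets are actually being logged on the host.

```python
"""Find firewall DROPs against a NethServer host from sources outside its
trusted networks, using netfilter log lines as found in /var/log/messages.
Added example; not code from the thread or from NethServer itself."""
import ipaddress
import re

# Shorewall prefixes each netfilter log line with "Shorewall:<chain>:<action>:"
# (chain names below are an assumption); the KEY=VALUE part that follows is
# the standard netfilter LOG target format.
ACTION_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>ACCEPT|DROP|REJECT):")
FIELD_RE = re.compile(r"\b(?P<key>IN|OUT|SRC|DST|PROTO|SPT|DPT)=(?P<val>\S*)")

# RFC 1918 ranges: VPN client pools like the thread's 192.168.100.x/200.x live
# here; drops from public sources are scanners or noise and must never be
# turned into trusted networks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log. NethServer on 192.168.1.41, IPsec client on
# 192.168.100.x, SSL VPN client on 192.168.200.x, httpd-admin on TCP 980.
SAMPLE_LOG = """\
Jan 10 10:00:01 neth kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.168.100.7 DST=192.168.1.41 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=980 SYN
Jan 10 10:00:02 neth kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.168.200.3 DST=192.168.1.41 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=445 SYN
Jan 10 10:00:03 neth kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.41 LEN=60 TTL=50 PROTO=TCP SPT=33333 DPT=22 SYN
Jan 10 10:00:04 neth sshd[1234]: Accepted publickey for root from 192.168.1.10 port 50000 ssh2
Jan 10 10:00:05 neth kernel: Shorewall:loc-fw:ACCEPT:IN=eth0 OUT= SRC=192.168.1.35 DST=192.168.1.41 LEN=60 TTL=64 PROTO=TCP SPT=44444 DPT=980 SYN
Jan 10 10:00:06 neth kernel: Shorewall:loc-fw:DROP:IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.41 LEN=60 TTL=64 PROTO=UDP SPT=5353 DPT=5353
"""


def parse_netfilter_line(line):
    """Return chain/action/src/dst/proto/dpt for a firewall log line, else None."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    try:
        return {
            "chain": m.group("chain"),
            "action": m.group("action"),
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields.get("PROTO", "?"),
            "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        }
    except (KeyError, ValueError):
        return None  # truncated or malformed line: skip rather than guess


def untrusted_drops(log_text, trusted_nets, server_ip):
    """(src, proto, dpt) for every dropped/rejected packet to server_ip whose
    source is not covered by any trusted network. A trusted source that is
    still dropped is a different problem (service not opened on the zone)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    server = ipaddress.ip_address(server_ip)
    hits = []
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if not rec or rec["action"] == "ACCEPT" or rec["dst"] != server:
            continue
        if any(rec["src"] in n for n in nets):
            continue
        hits.append((str(rec["src"]), rec["proto"], rec["dpt"]))
    return hits


def suggested_networks(hits, prefixlen=24):
    """Collapse RFC 1918 sources from untrusted_drops() into /prefixlen networks
    to add as trusted networks. /24 matches the VPN pools in the thread; pick
    the real pool size for other setups, and review the list before adding."""
    nets = set()
    for src, _, _ in hits:
        addr = ipaddress.ip_address(src)
        if any(addr in n for n in RFC1918):
            nets.add(ipaddress.ip_network(f"{src}/{prefixlen}", strict=False))
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    drops = untrusted_drops(SAMPLE_LOG, ["192.168.1.0/24"], "192.168.1.41")
    for src, proto, dpt in drops:
        print(f"dropped: {src} -> {proto}/{dpt}")
    print("candidate trusted networks:", suggested_networks(drops))
```

On a real host the same check is `grep Shorewall /var/log/messages` piped into this script instead of SAMPLE_LOG; if no DROP lines appear at all while the VPN clients still time out, either drop logging is off or the packets never reach the NethServer, which points back at routing on the firewall rather than at the trusted-networks list.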

As I said

192.168.5.0 is another VPN for testing, but the same thing happens.

OK, next time in English; I hope it solves the situation.

Under Show Log I know that I can filter by a word inside a log, but the only logs that come out are the ones with logs of user actions.

I hope the update solve the problem, I’m not so confident.

Reading logs correctly is a matter of time, patience, and brains. You have to keep focus to keep confidentiality and understand the results.

Thanks !

Backup before the upgrade just in case.
