NethServer Version: 7.8.2003
I need some assistance configuring a NETHSERVER to allow a server complete access to the internet without interigation. I am trying to get the server to connect to an IDrive backup account but the only way I can get this to work is to disable the Proxy.
My green zone is set to transparent with SSL.
This is what I have tried:
- I created a new filter, allowed everything and setup the server ip as a host in the firewall and allocated it to the filter. Made sure the filter allowed direct access to IP addresses.
- Disabled proxy content filter. Still unable to connect to IDrive servers via 443.
- Placed all of the IDrive Ip addresses and domains in the Domains without Proxy (BTW this has never ever worked for me on any of my servers)
- Drank a bottle of Gin and pondered the meaning of it all.
- Put manual proxy settings in the Idrive software through port 3128.
At the moment I am working remotely on the server and am cautious to put the server ip in Hosts without proxy as in my experience the host loses internet connectivity during this process.
Any help would be greatly apprecaited.
What would work, assuming your Nethserver is your DNS, DHCP, Firewall and also Proxy…
- Use manual setting for your Proxy on GREEN (LAN)
- Make use of wpad / proxy dns entries (Create server-Aliases in Dashboard / Cockpit for wpad.yourdomain.com and proxy.yourdomain.com, both pointing to your Nethserver)
- Adapt proxy.pac to allow direct access to iDrive for that specific server.
All Windows Server and Workstation Systems from WinNT til Win10 and Server 2019 will automatically respect wpad and use it. No need for transparent.
Macs and Linux can also use this setting, but needs to be enabled, Windows has this as default.
or even better, here:
TIP: Use the DIRECT function for IDrive, this forces a bypass of your Proxy. As the Proxy is not in transparent mode, this will work.
My 2 cents
Thanks Andy for your feedback. This looks like an option but just seems like a really complex setup for something that should be really easy, namely: Allow the device on this IP complete and full access to the internet.
The one issue I have with the above is the DHCP sits on a Windows Server to allow two subnets to work. Nethserver will only allow me a single subnet. Eg: I need 255.255.254.0 to increase my range.
Thanks again for the suggestion.
A modification of DHCP is not really needed for this example, only DNS and WPAD.
It’s not that complicated, changing the transparent to manual and two dns aliases in your dns server (be it windows or nethserver) won’t take 5 minutes.
Modifiying WPAD would take perhaps 10 minutes, copy / pasting is usually much faster, but as this is your first try, we allow for more time! WPAD is very powerful - and it’s automatically respected by default with Windows. You can do a lot more - or just do as needed to allow IDrive to work.
“Transparent” may be easy on the first look, but underneath the surface it can entail a lot more.
My 2 cents
I understand. So what you saying is that nethserver not being the DHCP server wont make a difference? How will mobile devices respond to the WPAD setup?
Just to clarify, with transparent proxy there is no way to select an IP to have full access to the internet while having Proxy and Content Filter enabled?
Accept your 2 cents and raise you another 2 cents.
AFAIK, on both Android and iOS you need to allow it, just as on Mac and Linux.
On iPhones it’s under the specific WLan setup.
I assume on Android it’s similiar, but at the moment i don’t have a working Android to verify.
I have set this up for a client, though, and they had both iOS and Android phones, and on both the proxy was used.
To make it double-proof, the firewall was modified to allow only the Nethserver (and the Squid Proxy running there) unlimited Internet access on 80 and 443. All other hosts (PCs, Servers, Mobile devices) had to use the Proxy to get Internet.
In the end it worked very well, the specific server (bookkeeping system) could be reached directly, all others were proxied,even though all traffic went through the Proxy.
Transparent Proxy Mode
AFAIK, as soon as Transparent mode is set, all traffic on Ports 80/443 are sent through the proxy, also as your NethServer usually is the firewall in these cases. That’s why excluding an IP doesn’t quickly help, as the nethserver is also the firewall.
iPhone (sry german…)
Configure proxy (bottom) ->
Set to automatic!
Standard in all Windows OS since WinNT…
At home, I’m also using WPAD, but my NethServer isn’t my DHCP Server. DHCP is running on my OPNsense firewall, as the version there is so much more powerful than DHCP in either Windows or NethServer. You can have different DNS Servers (I’m using also a PI-Hole at home, so this is important!) and have only my PCs, Notebooks and Mobiles use the PI-Hole, but not the other servers.
My 2 cents
Ok thanks. I will store this as an option.
But I am really hoping there is another way. The site is complex and to be dealing with WPAD and devices not working because of incorrect settings would create more work that putting in another internet connection and routing the server through that.
Truly, thanks again for your suggestions, you have given me a lot go think about.
I still assume that most “devices” are still Windows PCs or Notebooks - and they’ll work as expected!
As to “complicated” sites… Everything is relative, a very smart swiss once said - i believe his name was Einstein…
These two networks are “simple” networks from my clients, both are a doctors practice. Here I need absolute control, as certain devices like Ultrasonic or X-Ray contain limited or even embedded XP or Embedded Win7 systems, where you do not have many options - and mostly no access to the system.
Yet even though they have their own PACS system, they still need access to external hospitals PACS systems…
My 2 cents
I don’t think it’s possible. It’s a simple shorewall exclusion. If you can reporduce the problem, please report here all the steps.
Hi Filippo, are you saying by putting the host in the ip without proxy proxy it wont cut internet?
Will it likely allow the server full access to the internet without proxy and filter restriction?
So when I try this (putting the server in the Hosts without proxy section) I cannot get to any webpages or sign in to the backup software. So the server with that ip completely loses access to browsing (Not I am in Transparent with SSL).
I had hoped this would give me full access to the internet so the backup software connection would work.
You may have created some firewall rules somewhere that block internet access. Have a look in firewall.log.
This is what I have in my firewall rules:
I am just blocking external access from coming in. I am not entirely sure what to look for in the firewall log but it looks clear. The log shows the last activity was at 5am this morning.
Would it help if I posted some of that log?
Updated: I have tried to disable both those rules but still get the issue with cloud backup.
So I think I may have solved the issue and I wanted to share for some feedback.
I needed to create an entry in the firewall to allow the server Access to Any like this:
and then I need to list the host in the “Hosts without Proxy” like this:
When I did these two things, suddenly the Idrive service was allowed.
Does the firewall entry have any security risks from outside the network?