Communication between 2 networks

Vlad (Vlad) 2017-10-26 05:42:41 UTC #1

Hello, couple of questions here.

Scenario, I got 2 Proxies for 2 different networks

Network A: 172.18.10.0/24 - Proxy Nethserver: 172.18.10.21 Alias: 173.17.1.21
Network B: 173.17.1.0/24 - Proxy Zentyal: 173.17.1.4 Alias:172.18.10.4

I want that these 2 networks can communicate as the proxies are also the gateways on their respective networks. So far I can ping/rdp from range 173.17 to 172.18, but not so on the other side. The NethSrv for testing purposes has an any/any/any accept rule in shorewall. On the Zentyal there are traffice rules allowing ICMP and 3389 through internal networks. Anybody can help with this? Since the hosts behind the Zentyal Gateway can communicate fine with the NethSrv network, Where is issue here? I feel i’m missing some very basic concept.

Side question: are interface aliases and vpn also green zones?

Any help Appreciated.

Vlad

jgjimenezs (Jose G Jimenez S ) 2017-10-26 11:15:50 UTC #2

Vlad:

Hello, couple of questions here.

Scenario, I got 2 Proxies for 2 different networks

Network A: 172.18.10.0/24 - Proxy Nethserver: 172.18.10.21 Alias: 173.17.1.21
Network B: 173.17.1.0/24 - Proxy Zentyal: 173.17.1.4 Alias:172.18.10.4

I want that these 2 networks can communicate as the proxies are also the gateways on their respective networks. So far I can ping/rdp from range 173.17 to 172.18, but not so on the other side. The NethSrv for testing purposes has an any/any/any accept rule in shorewall. On the Zentyal there are traffice rules allowing ICMP and 3389 through internal networks. Anybody can help with this? Since the hosts behind the Zentyal Gateway can communicate fine with the NethSrv network, Where is issue here? I feel i’m missing some very basic concept.

Side question: are interface aliases and vpn also green zones?

Any help Appreciated.

Vlad

Hi @Vlad
Are these isolated networks within a locality?

Vlad (Vlad) 2017-10-26 11:36:50 UTC #3

Hello Jose,

No, they share physical link, that’s why the aliases work, but before so that both sides could communicate, I had to give an IP and an alias to each host, and now I want to know if it’s possible to do it only on the gateways.

jgjimenezs (Jose G Jimenez S ) 2017-10-26 11:44:23 UTC #4

Can you show your configuration?

Vlad (Vlad) 2017-10-26 18:19:18 UTC #5

Which and how exactly can I do that?

jgjimenezs (Jose G Jimenez S ) 2017-10-26 19:08:28 UTC #6

a print screen of the module of your configurations

Vlad (Vlad) 2017-10-27 01:00:50 UTC #7

Here is one:

Here is the other

Proxy is working as intended:

besides the proxy and AD all other configs are as default.

jgjimenezs (Jose G Jimenez S ) 2017-10-27 10:49:58 UTC #8

@Vlad Did you check this answer?

https://community.nethserver.org/t/firewall-problem-unknown-destination-zone-alias/2892

Vlad (Vlad) 2017-10-30 04:02:02 UTC #9

Very informative post about shorewall and interfaces, I did mention that I placed the shorewall on a top of the list Accept/any/any/any rule so the issue is not related to the firewall.

After further investigation I found out that my installation of Nethserver is not addressing properly from either interfaces aliases or second physical network adapter, both route through the WAN gateway unless a static route is added, which shouldn’t be needed

As a workaround I removed the virtual interface and simply created a route to the zentyal proxy, however I don’t like this approach as this would make the Nethserver dependent on the zentyal proxy.

Any other ideas I could try?

Vlad (Vlad) 2017-11-01 02:41:38 UTC #10

Nobody?

mrmarkuz (Markus Neuberger) 2017-11-01 08:43:40 UTC #11

Hi @Vlad,

sorry for the late post…

Routing is state of the art, for unknown networks just make routes. Trying it with alias ips is the workaround IMO.

It’s the better approach because with your idea you send the packets through your networks until they reach some alias IP or some router blocks them. With the routes approach, the routers give packets only to a routed network, so this is less traffic and more structured.

Sorry, I don’t get this point of view. Setting an alias IP on the other side is a “dependency” too.

Vlad (Vlad) 2017-11-01 11:11:07 UTC #12

Not exactly, with an alias ip or logical ip the system creates a route that sends all packets destined for that network directly from that interface to the hosts (this is what is not working correctly) However with the mentioned workaround the packets first go through the Zentyal and then they reach the hosts.

jgjimenezs (Jose G Jimenez S ) 2017-11-01 11:41:53 UTC #13

could you make a diagram of what you want with your network? You’re using openvpn for this connection?
I’m sorry for the delay in answering you.

Vlad (Vlad) 2017-11-01 20:21:00 UTC #14

This is the Diagram.

I have a vpn roadwarrior working good besides the mentioned issue.

jgjimenezs (Jose G Jimenez S ) 2017-11-01 20:44:52 UTC #15

Are you using the connection between the switches? or between zentyal and nethserver?

Vlad (Vlad) 2017-11-01 21:23:40 UTC #16

I don’t follow, the servers are connected to the access ports on the switches the same as the other hosts, only the servers are the gateways.

jgjimenezs (Jose G Jimenez S ) 2017-11-01 23:02:39 UTC #17

I’ll try to emulate a configuration like yours and see what happens in your case.

mrmarkuz (Markus Neuberger) 2017-11-02 01:03:24 UTC #18

If you want the clients of each network to communicate with each other you’ll need a route from one to the other server because they don’t know each others networks.
Your clients may then use their specific server as gateway and for addresses of the other network it has to use the other server as gateway and vice versa.
It worked earlier because all clients were in two private networks because of their alias IP and connected with the switches without a router in between. The servers didn’t have a special connecting role, everything was connected because of being in same networks.

Without aliases and routes following will happen:
If you want to ping PC0 from PC5 then the ping goes from PC5 to any device reachable in the same network. PC0 is in another network so PC5 does not respond on ping. And Zentyal does not respond because the IP address is not the alias IP of Zentyal it’s just in the same network.
If you have a route on your Nethserver it will send the ping to the router address(gateway address) of the other server(Zentyal). Zentyal knows the incoming IP from Nethserver, because it belongs to a known network of itself and the ping is delivered from Zentyal to PC0.

Without aliases on each host you need routes!

Vlad (Vlad) 2017-11-03 05:36:30 UTC #19

That’s the problem markuz,
1st. The Zentyal does not allow to make a route to the Nethserver because it has an alias IP on the same subnet.
2nd. The Nethserver does allow to make a route and it sends packets successfully to some PCs on the Zentyal Network (like 2/3 of the total PCs) however the server itself can ping all the hosts on the Zentyal Network).

I will check to see if these PCs are not connected properly to the switches, but it’s strange that it can send packets to all of them.

mrmarkuz (Markus Neuberger) 2017-11-03 11:41:25 UTC #20

What about adding a 3rd network interface to NethServer and Zentyal and setup a connection between them as a separate network? Then you may just use routing and won’t need aliases anymore. It would be a better and safer approach I think.