How to configure nethserver with 2 NICs


#1

Hi,

I would like to configure NethServer for a LAN network with 2 NICs: eth0 (192.168.2.253) for the LAN (green) and eth1 (10.1.50.1) for the internet (red).

The clients receive their IPs (reservation) and I want my server to be able to download the Toulouse blacklist by cron (I’m French).

Also, I want an unknown client, without a reservation, to obtain an IP (OK with the DHCP range 192.168.2.1 to 192.168.2.78) but not be able to go to the web. That’s OK if I block the traffic to the internet (red interface).

When I ping 8.8.8.8 or 10.1.50.50 from the server, I get this error: icmp_seq=1 Destination Host Unreachable. I come from Zentyal and I did not have this problem…
What must I add or change to allow the server to ping 8.8.8.8 or my dongle3G (10.1.50.50) without creating rules to accept any everywhere?
Ping 10.1.50.50 is OK with these rules:

I attached some additional screenshots to show you my configuration.

Thanks a lot


(Roberto Sitzia) #2

Hi @cyberfrk

Just a question: could you post the list of modules/features that you have installed from the Software center section, or take a screenshot of it?

I would like to help you but I need this additional information.


#3

@sitz, I installed:
backup, bandwidth, monitor, basic firewall, DNS and DHCP server, file server, intrusion prevention system, web filter and web proxy (with nethserver-lightsquid).

Thks


(Roberto Sitzia) #4

Hi @cyberfrk

The modules you have installed are right.
When you try to ping an external host such as 8.8.8.8, is the ping from NethServer or from a LAN client?
Are you able to connect a client (PC or notebook) with a hub/switch in the red zone, assign it an IP in the class, e.g. 10.1.50.2/24, and then try to ping 8.8.8.8 from this client?

What you are experiencing is an anomalous behavior.


(Alessio Fattorini) #5

Try to remove the gateway on Green LAN (eth0) and retry the ping to 10.1.50.50.


#6

Hi

@sitz,
When you try to ping an external host such as 8.8.8.8, is the ping from NethServer or from a LAN client?
=> With Firewall rules|configure|Traffic to internet Blocked and the rule any/any disabled, the ping to 8.8.8.8 or 10.1.50.50 results in Destination Host Unreachable.
If I change Traffic to internet to “Allowed” or I enable the rule, the pings to 8.8.8.8 and 10.1.50.50 are OK (no packet lost).

Are you able to connect…
=> No problem if I remove the NethServer and connect the dongle3G (red zone) and the client (10.1.50.2) to the switch. Ping 8.8.8.8 is OK…!
I agree with you, this is strange… :frowning:

@alefattorini,
I removed the gateway on Green LAN (eth0); ping 10.1.50.50 is OK if I allow or enable the rule (any/any). Same result as above (unreachable) if I block the traffic or disable the rule…

Where is the problem ?!
Do you want some logs?


#7

Then, if someone wants to spend (or lose) time for me, I’ll format and reinstall my config. What are the steps, the order, what do I plug in, what do I enter for eth0, eth1, etc.?

What I want (which is probably easy for you but obviously not for me…) :frowning:
Configure NethServer for a LAN network. I want an unknown client, without a reservation, to obtain an IP but not be able to go to the web without authorization (firewall rules).

My hardware:
2 NICs (1 for LAN and 1 for the dongle3G, only to test before deploying), 1 switch, and 1 client…

Thks a lot!


(Roberto Sitzia) #8

Hi @cyberfrk I want to spend (not to lose) time with you! :wink:

You don’t need firewall rules; just install the firewall module and the proxy web modules.
Within the Proxy Web configuration you can block traffic for clients on your LAN.

Check this


#9

Hi,

I’ve followed your advice.
After many changes and tests, here is my configuration where “all” is OK. The client with no reservation obtains an IP address from the DHCP, and my server can install NethServer’s packages and update the blacklist:
Replace the gateway 10.1.50.1 with 192.168.2.253.
Create an “IP ranges” object in Firewall objects that is the same as the range of the DHCP server. And 2 rules:
rule 1 drop from rangeDHCP to interface red, any service
rule 2 accept from any host to interface red, service any service

The server is “Primary Domain Controller”; my client has joined the domain without problem.
Now, I would like to filter, allow and deny web surfing for the users depending on several filters (strict, permissive and others), but with no real success. I think only the default (filter) is used…

I will create a new post.
Thks for all
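
An added example, not part of the thread and not NethServer code: a small Python model of the two rules from post #9, assuming rules are evaluated top to bottom with the first match winning and that “Traffic to internet: Blocked” is the fallback policy. The sample client addresses and the names `decide` and `RULES` are constructed for illustration; the model shows why the drop rule must sit above the accept-any rule and what happens at the edge of the DHCP range.

```python
import ipaddress

# Dynamic DHCP range quoted in post #1 (192.168.2.1 to 192.168.2.78).
DHCP_RANGE = ("192.168.2.1", "192.168.2.78")

# The two rules from post #9, in the order given there.
# Each rule is (action, source); source is "any" or an inclusive IP range.
RULES = [
    ("drop", DHCP_RANGE),   # rule 1: rangeDHCP -> red, any service
    ("accept", "any"),      # rule 2: any host  -> red, any service
]


def in_range(ip, rng):
    """True when ip lies inside the inclusive (low, high) range."""
    low, high = (int(ipaddress.IPv4Address(a)) for a in rng)
    return low <= int(ipaddress.IPv4Address(ip)) <= high


def decide(src_ip, rules=RULES, default="drop"):
    """Return the action for traffic from src_ip to the red interface.

    Assumption: first matching rule wins; `default` models the
    "Traffic to internet: Blocked" policy when no rule matches.
    """
    for action, source in rules:
        if source == "any" or in_range(src_ip, source):
            return action
    return default


if __name__ == "__main__":
    # Constructed sample clients: two inside the dynamic range, one just outside.
    for ip in ("192.168.2.40", "192.168.2.78", "192.168.2.79"):
        print(ip, "->", decide(ip))
    # Failure mode: with the order swapped, accept-any shadows the drop rule.
    print("swapped order:", decide("192.168.2.40", list(reversed(RULES))))
```

Under this model a reserved client is only allowed out if its reserved address lies outside the dynamic range, since any source inside 192.168.2.1 to 192.168.2.78 hits the drop rule first.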