NethServer Version: 7
Module: VLAN and firewall
I am trying to give one PC on VLAN 113 access to another PC on VLAN 112, so that it can RDP to that PC on 112. In the firewall I created objects for both PCs with the correct IP addresses and then created two rules to allow communication between the two objects, but without success.
Am I missing something?
Did you set up the VLANs in the network section? See also Base system — NethServer 7 Final
Yes, I did, with the ranges and so on. I do have connectivity between the cvr on VLAN 111 and a single PC on VLAN 112 for monitoring cameras, so I am confused as to why there is not even a ping between the two PCs mentioned in the question above.
Did you already exclude local firewall issues on the PCs?
Would you like to share your config to hopefully find the error?
VLAN networks:
db networks show
Firewall rules:
db fwrules show
I will tomorrow; it is night here and I will take screenshots in the morning. Thank you.
I want to give RDP access from a laptop on Wi-Fi, which is on VLAN 300 (green), to a PC on VLAN 200 (green).
[root@server ~]# db networks show
eno1=ethernet
role=
eno1.100=vlan
bootproto=none
gateway=
ipaddr=192.168.1.1
netmask=255.255.255.0
role=green
eno1.200=vlan
FwInBandwidth=
FwOutBandwidth=
bootproto=none
gateway=
ipaddr=192.168.2.1
netmask=255.255.255.0
role=green
eno1.300=vlan
FwInBandwidth=
FwOutBandwidth=
bootproto=none
gateway=
ipaddr=192.168.3.1
netmask=255.255.255.0
nslabel=
role=green
eno1.500=vlan
bootproto=none
gateway=
ipaddr=192.168.5.1
netmask=255.255.255.0
nslabel=
role=blue
eno2=ethernet
FwInBandwidth=30000000004446
FwOutBandwidth=10000000000124
bootproto=none
gateway=10.0.0.1
ipaddr=10.0.0.2
netmask=255.255.255.0
nslabel=Paltel
role=red
ppp0=xdsl-disabled
AuthType=auto
FwInBandwidth=
FwOutBandwidth=
Password=
name=PPPoE
provider=xDSL provider
role=red
user=
red1=provider
interface=eno2
weight=1
[root@server ~]#
But here is the kernel IP routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eno2
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eno2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1.100
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1.200
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1.300
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1.500
Here are the firewall rules; the rules related to the issue above are 26 and 27, for VLAN 200 and VLAN 300.
[root@server ~]# db fwrules show
1=rule
Action=reject
Dst=cidr;camera
Log=none
Position=12
Service=any
Src=cidr;vpn
status=enabled
10=rule
Action=reject
Dst=cidr;pc
Log=none
Position=16
Service=any
Src=cidr;vpn
status=enabled
11=rule
Action=reject
Description=prevent inner network from accessing to the outer router
Dst=cidr;outerlan
Log=none
Position=17
Service=any
Src=any
status=enabled
12=rule
Action=accept
Description=allow admin to access to the outer router
Dst=cidr;outerlan
Log=none
Position=2
Service=any
Src=host;vpnadmin
status=enabled
14=rule
Action=accept
Dst=fw
Log=none
Position=2
Service=any
Src=host;vpnadmin
status=enabled
17=rule
Action=accept
Description=
Dst=fw
Log=none
Position=6
Service=any
Src=role;green
Time=
status=enabled
18=rule
Action=accept
Dst=fw
Log=none
Position=1
Service=service;httpd-admin
Src=host;ferasoffice
status=enabled
19=rule
Action=reject
Description=prevent all blue network from getting acess to server services
Dst=fw
Log=none
Position=5
Service=service;httpd-admin
Src=role;blue
status=enabled
20=rule
Action=reject
Description=prevent green network to gain access to admin
Dst=fw
Log=none
Position=3
Service=service;httpd-admin
Src=role;green
status=enabled
21=rule
Action=reject
Dst=role;green
Log=none
Position=13
Service=any
Src=role;blue
status=enabled
22=rule
Action=accept
Dst=host;nvr
Log=none
Position=6
Service=any
Src=host;vpnadmin
status=enabled
23=rule
Action=accept
Dst=host;nvr
Log=none
Position=5
Service=any
Src=host;feras-iphone2
status=enabled
24=rule
Action=reject
Description=
Dst=fw
Log=none
Position=4
Service=fwservice;new-server-manager
Src=role;green
Time=
status=enabled
25=rule
Action=accept
Description=
Dst=host;main_printer
Log=none
Position=3
Service=any
Src=cidr;wifi
Time=
status=enabled
26=rule
Action=accept
Description=
Dst=cidr;pc
Log=none
Position=10
Service=any
Src=host;laptop
State=new
Time=
status=enabled
27=rule
Action=accept
Description=
Dst=host;laptop
Log=none
Position=11
Service=any
Src=cidr;pc
State=new
Time=
status=enabled
28=rule
Action=accept
Description=
Dst=cidr;pc
Log=none
Position=1
Service=any
Src=host;laptop
State=new
Time=
status=enabled
29=rule
Action=accept
Description=
Dst=host;laptop
Log=none
Position=18
Service=any
Src=cidr;pc
State=new
Time=
status=enabled
3=rule
Action=reject
Description=
Dst=cidr;camera
Log=none
Position=14
Service=any
Src=cidr;pc
Time=
status=enabled
4=rule
Action=accept
Dst=host;nvr
Log=none
Position=9
Service=any
Src=host-group;officepcscam
status=enabled
5=rule
Action=accept
Dst=iprange;cameras
Log=none
Position=8
Service=any
Src=host;ferasoffice
status=enabled
6=rule
Action=reject
Description=
Dst=cidr;pc
Log=none
Position=15
Service=any
Src=cidr;camera
Time=
status=disabled
7=rule
Action=accept
Dst=host;nvr
Log=none
Position=4
Service=any
Src=host;ferasiphone
status=enabled
8=rule
Action=accept
Dst=cidr;pc
Log=none
Position=7
Service=any
Src=host;vpnadmin
status=enabled
From green to green no firewall rule is needed; it should just work.
You could enable logging for the firewall rules and check /var/log/firewall.log
to see whether the rules are applied correctly or whether there is a misconfigured reject rule.
Hmm, what about routing? Should I add a route from 192.168.2.0 to 192.168.3.0?
No, the routes are already there:
Ah yes, I had a firewall rule disallowing VLAN 300 from accessing VLAN 200, but I removed it just to see where the issue is. So I guess I should focus on the firewall on the local machines and see.
thank you