Internet in green interface

Nothing changes…

When I ping Google, for example, I see this in the NethServer firewall:

Shorewall:loc2fw:REJECT:IN=eth16 OUT= MAC=12:a3:cd:bd:52:2a:a6:74:4b:fe:18:4b:08:00 SRC=192.168.5.239 DST=192.168.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48548 DF PROTO=TCP SPT=36066 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 

That means that it should be Shorewall that is blocking my requests to the internet and not Proxmox, right?

Seems so. At least you can check off the Proxmox, it’s not the problem here…

My 2 cents
Andy

How would Shorewall reject packets from green to the internet when all firewall rules are disabled? Where could one enable/disable this? I cannot find the problem :roll_eyes:

As I myself don’t use NethServer as a firewall, except for a friend’s home server with a very simple setup, I can’t really help here.
OPNsense works well for me as firewall.

Maybe @mrmarkuz has some tips?

My 2 cents
Andy

DNS is blocked on the firewall for green, that’s really strange.

Maybe you just mixed up red/green interface?

In Proxmox you just mapped 1 interface to a vmbr but 2 interfaces are needed for a firewall/gateway.
It seems you set IPs for NethServer at Proxmox level, that’s not needed.

Here is an example of a 2 interface Proxmox config:

auto lo
iface lo inet loopback

auto enp2s0f0
iface enp2s0f0 inet manual

auto enp2s0f1
iface enp2s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
	address 192.168.1.20/24
	gateway 192.168.1.11
	bridge-ports enp2s0f0
	bridge-stp off
	bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
	bridge-ports enp2s0f1
	bridge-stp off
	bridge-fd 0

As regards Shorewall issues, you may try to disable it to check whether it’s just a Shorewall issue.

shorewall clear

To reenable:

signal-event firewall-adjust

I tried to disable shorewall and the problem continued.

Previously, I only tried to ping google.com and never tried the IP. I can ping the internet by IP, so the problem should be in DNS resolution.

Any tips on how to test/fix DNS problems in NethServer?

Thanks

Which DNS servers are configured on Neth?

config show dns

To test DNS you may use nslookup or dig, see wiki for more info.
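To go one step beyond nslookup and dig, here is an added example (my own code, not from this thread, NethServer or the wiki) that sends a raw DNS query straight to the gateway and tells the three outcomes a firewall policy can produce apart: a real answer, an ICMP port unreachable (what a REJECT returns for UDP), or silence until the timeout (what a DROP looks like). The resolver address 192.168.0.1 and the name google.com are taken from this thread; the labels "rejected", "dropped" and "answered" are my own. Only probe() needs network access; build_query() and parse_response() work on bytes and can be exercised offline.

```python
"""Send a raw DNS query to a resolver and tell a firewall REJECT (ICMP port
unreachable) from a DROP (silence) from a real answer. Added example, not
NethServer or dig code; resolver and name below are taken from this thread."""
import random
import socket
import struct
from typing import Optional, Tuple

GATEWAY = "192.168.0.1"     # DST of the rejected loc2fw packets in the thread (assumed)
NAME = "google.com"         # the name the poster was trying to ping


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Minimal DNS query: header with RD set, one question of type A (1), class IN."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(buf: bytes, expected_txid: int) -> dict:
    """Return rcode, TC bit and A/CNAME answers; refuse a mismatched transaction id."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qd):                             # skip the echoed question(s)
        _, off = _read_name(buf, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(buf[off:off + 4]), ttl))
        elif rtype == 5:
            answers.append((name, "CNAME", _read_name(buf, off)[0], ttl))
        off += rdlen
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "answers": answers}


def probe(resolver: str = GATEWAY, name: str = NAME, timeout: float = 2.0) -> dict:
    """Query resolver:53 over UDP and classify the outcome (needs network access)."""
    txid = random.randrange(0x10000)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((resolver, 53))                   # connected UDP so ICMP errors surface
        s.send(build_query(name, txid=txid))
        data = s.recv(4096)
    except ConnectionRefusedError:
        return {"state": "rejected",
                "detail": "ICMP port unreachable: firewall REJECT or nothing listening on :53"}
    except socket.timeout:
        return {"state": "dropped",
                "detail": "no reply before timeout: DROP policy, or resolver has no upstream"}
    finally:
        s.close()
    result = parse_response(data, txid)
    result["state"] = "answered"
    return result


if __name__ == "__main__":
    import sys
    print(probe(*sys.argv[1:3]))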

Result of config show dns:

dns=configuration
    NameServers=1.1.1.1,1.0.0.1

I have removed all interfaces except vmbr1 (IP: 192.168.0.0/24), disabled all firewall rules , cleared DHCP leases, tried to use 8.8.8.8,8.8.4.4 as the nameserver and the problem doesn’t change.

From nethserver I am able to ping the internet, but from a vm net2loc rejects my requests to a website. I am still able to ping public IPs.

Any idea on the problem that I have?

Could you share the whole shorewall reject please?

I think if you get net2loc when browsing from a client it looks like you mixed red and green interface.

This seems wrong as you set a network instead of a single IP. As written here, you don’t need to set the Neth IP in proxmox. Only the IP to reach the Proxmox web UI is mandatory in Proxmox.

Jan 12 16:26:32 marte kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:50:56:00:d8:50:0c:86:10:ed:36:4f:08:00 SRC=185.196.220.58 DST=144.76.114.216 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=41869 PROTO=TCP SPT=53223 DPT=23555 WINDOW=1024 RES=0x00 SYN URGP=0 
Jan 12 16:26:33 marte kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=aa:92:a7:4c:2c:8a:a6:2e:e8:95:06:7f:08:00 SRC=192.168.0.135 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60589 DF PROTO=TCP SPT=47102 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Jan 12 16:26:34 marte kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=aa:92:a7:4c:2c:8a:a6:2e:e8:95:06:7f:08:00 SRC=192.168.0.135 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60590 DF PROTO=TCP SPT=47102 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 

I am sorry, but I am not understanding what you mean by saying I mixed red and green interfaces.

I wished for proxmox and nethserver to have different multiple IPs.

You are saying that I don’t need to put the CIDR in proxmox, if I am setting it in nethserver?

OK, it’s loc2fw, not net2loc, so it’s the same error as before. It doesn’t allow DNS requests.

I thought you were using red instead of green role because of net2loc error.

When you want to use Nethserver as a firewall/gateway it needs at least 2 interfaces (one red, one green)
You should use one vmbr for the red Neth interface and internet and another one for the green Neth interface and the client VMs.

Yes.

Green

Red

I am using vmbr0 for red

But I can? I’ld like for it to be visible in proxmox.

Hi @DDD

If you want your Proxmox to be visible to your “LAN”, just put in a free IP of the LAN eg:

192.168.0.61/24

Where 192.168.0.61 would be the Internal IP of your Proxmox.

Note:

Do NOT add in a Gateway here - Proxmox can only use one gateway!
For this reason Proxmox is available on your LAN, but will not be available over VPN, as Proxmox will use it’s default gateway.


On my Proxmox at Hetzner vmbr0 is LAN, vmbr1 is WAN…

Additional Notes:

As I understand, you also have a “Server Public IP” (Haupt-IP) and an additional Subnet of 6 usable IPs.

My Setup:

Main IP of the Server (Haupt-IP)

Additional Pool of IPs:

IP: x.x.x.248
Subnet Mask:255.255.255.248 ( /29 )
8 IPs, 6 usable.


Proxmox Network allocations:

vmbr0 = LAN 172.26.11.61
vmbr1= WAN (Haupt-IP) (Not used by any VMs!)
vmbr2 = WAN x.x.x.249 (1st IP of the Subnet - after the network address!)

My OPNsense Firewall uses vmbr2 for it’s WAN connection (WAN x.x.x.250/29).
In your case, this would need to be the RED NIC.

The GREEN NIC would be on vmbr0 in my setup.

On OPNsense I needed to set up 4 things:

  • Virtual IPs
  • One 2 One NAT
  • Outgoing NAT
  • Port Forwarding (The actual forwarding / firewall rules)

I have no idea if NethServer can handle several 1:1 NATs…

On Proxmox, the trick with vmbr2 is needed, as the additional subnet is “routed” via the main server IP, but because both IPs are in different ranges, the first one has to go to Proxmox…

Hope this helps…

My 2 cents
Andy

PS: The plan shown in the beginning of this thread is this exact setup, maybe helps in visualizing the situation…

2 Likes

I don’t want that. Through the VPN connection I will have clients that I do not trust, so having proxmox in LAN is not something I wish for.

My system is:

proxmox having the VM. Nethserver as a firewall (managing networks, DHCP, VPN).

Then I have multiple green interfaces that are separated from each other and cannot communicate between themselves (Firewall block green to green). In those I have vms that only can communicate with a VPN client that I define in firewall objects and in a firewall rule.

All these interfaces do not need internet, only a private IP.

The VPN clients can only look into one of those interfaces that I define which via firewall.
This is all set up and correctly working.

The problem is that I also want to have another green interface that has access to the internet. Which someone other than myself had correctly setup, and I don’t know how to. That person blocked internet in all green interfaces except for vmbr1. I have no idea how, and can no longer ask.

Something happened sometime in the last month or so that it stopped working.

My use case is not normal. but nethserver has worked pretty well for this. The only problem that I would like to remove is the x.x.x.1 Ip in the green network pointing to nethserver, but being trusted networks I cannot remove that.

I hope that this helps to see the problem.

As noted above, Proxmox would NOT be accessible to VPN users, will not even answer to a PING…

The internal IP on Proxmox is useful eg for Monitoring, but is not needed for routing, etc…

But this is not needed for the additional IPs you have.
The above “additional notes” are only if you have additional IPs in a subnet from Hetzner.

For the additional GREEN networks you could use a fake gateway, distributed by DHCP.
This could be an unused IP on your network, eg x.x.x.2…
Or just hardcode the fake gateway on any VMs in those GREEN subnets (Static IP).

According to NS not using DNS - #5 by Pitmaster

I have two files resolv.conf and resolv.conf.save is this correct?
I am not understaing what Pitmaster ment when saying he renamed the files.

resolv.conf:

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
# 
domain mydomain.com
search mydomain.com

# dnsmasq is enabled on this machine:
nameserver 127.0.0.1

resolv.conf.save:

; generated by /usr/sbin/dhclient-script
search your-server.de mydomain.com
nameserver 213.133.98.98
nameserver 213.133.99.99
nameserver 213.133.100.100

Yes, resolv.conf.save is a just a backup created by dhclient.

He renamed resolv.conf.save to resolv.conf.

Did you already check if dnsmasq is running on NethServer?

systemctl status dnsmasq -l

dnsmasq is running:

● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/dnsmasq.service.d
           └─ipset.conf
   Active: active (running) since Fri 2022-01-14 15:07:04 WET; 19min ago
  Process: 10968 ExecStartPre=/etc/e-smith/events/actions/nethserver-squid-ipset (code=exited, status=0/SUCCESS)
 Main PID: 10971 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─10971 /usr/sbin/dnsmasq -k

Jan 14 15:07:04 mydomain.com dnsmasq-dhcp[10971]: DHCP, IP range 10.0.10.2 -- 10.0.10.254, lease time 365d6h
Jan 14 15:07:04 mydomain.com dnsmasq-dhcp[10971]: DHCP, IP range 10.0.9.2 -- 10.0.9.254, lease time 365d6h
Jan 14 15:07:04 mydomain.com dnsmasq-dhcp[10971]: DHCP, IP range 10.0.8.2 -- 10.0.8.254, lease time 365d6h
Jan 14 15:07:04 mydomain.com dnsmasq-dhcp[10971]: DHCP, IP range 10.0.7.2 -- 10.0.7.254, lease time 365d6h
Jan 14 15:07:04 mydomain.com dnsmasq-dhcp[10971]: DHCP, IP range 192.168.0.2 -- 192.168.0.254, lease time 1d
Jan 14 15:07:04 mydomain.com dnsmasq-tftp[10971]: TFTP root is /var/lib/tftpboot
Jan 14 15:07:04 mydomain.com dnsmasq[10971]: using nameserver 1.0.0.1#53
Jan 14 15:07:04 mydomain.com dnsmasq[10971]: using nameserver 1.1.1.1#53
Jan 14 15:07:04 mydomain.com dnsmasq[10971]: read /etc/hosts - 17 addresses
Jan 14 15:07:04 mydomain.com dnsmasq-dhcp[10971]: read /etc/dnsmasq-dhcp-hosts