red is WWW
blue are WiFi devices
green are my regulars
every NIC has its own VLAN configured with my switch
my rules look like this:
my idea was not to give everyone in blue and green access to red so i created my host Group inet-members.
my problem is with my “blue” members… sometimes it works sometimes not… in a case of 1 of 10 my browser want to load a Website but stuck after a few seconds… when i wait 30 seconds it loads the page correctly…
i think it’s a config problem from my side.
anyone an idea for my problem or a smarter way for my realization
I am happy about every help
greetings chris
Something else: Do you have DHCP in blue? If yes: how you are sure, that every Client will stay at the same IP and your hosts in the host group will apply?
hey guys thanks a lot for replying, @ssabbath cause the chip i must take a look tomorrow @hunv i make a IP reservation manualy and put them after that in the host group.
so by the way… is it even possible to do it with firewall rules and the host group? i’m not sure
Hi,
Internally, NS has rules like green > blues > orange > red
Your second and thrid rules are in contradiction with the default rules.
I think it’s better to suppress all the fist three rules and make a user group that not allow to go to the net and make an single rule to reject this group on red
Edit: By experience, it can be a pain to restrict access by zone or machine.
to restrict the web access, let the proxy doing the job.
AT the firewall level, just restrict by type of service ( dns, http, …)
@ssabbath i hav 3 different Chips because the Hardware was still available: e1000, r8169, sky2
I’m very confused at the moment… i think i need another hobby
I have deleted ALL fw rules and the internal rule blue -> red should allow my blue members automaticly inet access but it dosn’t work permanently only sporadically
green ->red no problem.
not so important , but you can avoid a lot of routing problems with a correct RFC1918 private addresses. 192.168.0.0/24 172.16-31.0.0/16 10.0.0.0/8
Obviously you can use a narrower subnet mask for reduce hosts…
I used to assign 172.16.0.0 address space (mask 24) for connections between firewall/lan gateway and ISP device, but now biggest ISP of italy is using that space for internet connections…
You should, if possible. Why?
As a popular example: Take a look at the Domain wordpress.com. IP: 192.0.78.9
If you have a PC in that range or with that IP, you will not be able reach that IP. If your router is configured not to forward this range to the red adapter, you will also not reach the whole range of IPs.
And there will be also Websites in the 192.0.173.0/24 and 192.0.200.0/24-Range what will have that problem. If you will use them somewhen is another question, but the chance of that scenario is present.
As @pike said:
Use one of this:
192.168.0.0/24
172.16-31.0.0/16
10.0.0.0/8
peronally I like the 10.*-Range(s) because they are shorter
i’ve changed the NIC now enp2s0 is blue and enp3s9 is green… Problem is still there… now i don’t have inet from green neither from blue.
My FW-logs Looks like this
Looks great for me
can the Problem be my static routes?
I’ve run into a similar issue before on someone elses setup. This can be caused because the system knows that those IP addresses ARE external IP address’s and sometimes it bypasses the inter routing and tries to send that packet directly to the external address. Like an internet providers router forwarding the packet to the next hop. The firewall rules are no doubt playing a part but I have seen this before with valid rules and wrong addressing. I use rules similar to what your trying and my system works fine.
I have 3 vlans. Internal servers, internal clients(my families desktops/laptops), and my guest WiFi vlan. My WiFi vlan and my internal vlan are both going through my ubiquiti access point.
I use a class a private IP address (10.168../24) and I use the third octet to determined the different networks.
Internal vlan has one dhcp, Guest has another, and servers has a third. Neither the green nic nor the blue nic have an IP address directly addressed. All have a sub interface.
You can also try setting a static external to the internet. But that shouldn’t be required as long as the system knows which way is external. Though as I was saying above it might be confused and think its part of the “system”.
shame, shame, shame
my vlan configuration was not right… not sure why but now it works.
i was pretty sure that THIS little thing was right… who am i that was looking at nethserver for the fault
so by the way… i will change the ip ranges like you wish and i change the NIC.
thanks to all who spend time with me ^^
shame, shame, shame