Single NIC installation?

v7
hardware

(Valther Nielsen) #1

Currently I am running a Microsoft SBS on a computer with single NIC. Server is providing DHCP, DNS and Firewall services. Between the server and the Internet modem is a Nighthawk RC7900 router. In addition to normal network activities router also is connected to TV system Cameras and telephone system.
I would like to set up Nethserver in similar environment. Have done a little testing on another box with two NICs, but am unable to get things to work.
Is the single NIC solution possible, and affirmatively could you give some pretty specific instructions on how.
Thanks


(Michael Kicks) #3

Answer is yes. Nethserver acts only as server and not as firewall. Only 1 green interface.

But documentation already tells this feature…


(Michael Träumner) #4

@vbn Here is the link.

http://docs.nethserver.org/en/v7/base_system.html

If you need any help, let us know.


(Giacomo Sanchietti) #5

I suggest you configure a machine with 2 NICs.

1 green interface for the LAN and 1 red for internet.
Connect the green interface to your LAN switch, and the red directly to your router.


(Joel Clendineng) #6

Yes, but you shouldn’t. 2 minimum. A lot of other options out there if that’s all you’re doing. Get a cheap dual NIC off of eBay for 10 bucks and call it a day, you will not regret it, I promise :smiley:


(Rob Bosch) #7

In fact, I have NethServer running with 1 NIC. It serves all networking services except Gateway. NethServer relies on NAT to do the Gateway role. Therefore, if you want NethServer to conduct the Gateway role, you have to add, as @giacomo already stated, an extra network interface.

On my network another instance of NethServer is configured with 2 network interfaces and is doing the Gateway service.

If you run into any problems or have further questions, do ask away. We are here to help you out.


(Valther Nielsen) #8

Thank you for your replies.
I do have an extra NIC, but wanted to try with single NIC (by the way the manual is very light on detail for someone that knows as little as I do about this) since I was having a lot of problems with the standard configuration.
Tried again with two NICs and most things work perfectly.
What does not work for me is:
1 - no internet access from green zone
2 - smarthost is timing out
3 - server is rejecting test e-mails sent from the internet.
For the life of me I cannot find any firewall or other settings that will fix this.

Following are a couple of log extracts which might clarify:

maillog:
Oct 24 14:31:45 juliet postfix/qmgr[9510]: 7B5116009C895: from=vnielsen@deltaecho.lan, size=1807, nrcpt=1 (queue active)
Oct 24 14:32:15 juliet postfix/smtp[14747]: connect to comcast.net[69.252.80.75]:587: Connection timed out
Oct 24 14:32:15 juliet postfix/smtp[14747]: 7B5116009C895: to=valthernielsen@gmail.com, relay=none, delay=1102, delays=1072/0.05/30/0, dsn=4.4.1, status=deferred (connect to comcast.net[69.252.80.75]:587: Connection timed out)
Oct 24 14:35:30 juliet clamd[2258]: SelfCheck: Database status OK.
Oct 24 14:45:30 juliet clamd[2258]: SelfCheck: Database status OK.
Oct 24 14:51:45 juliet postfix/qmgr[9510]: 7B5116009C895: from=vnielsen@deltaecho.lan, size=1807, nrcpt=1 (queue active)
Oct 24 14:52:15 juliet postfix/smtp[15196]: connect to comcast.net[69.252.80.75]:587: Connection timed out
Oct 24 14:52:15 juliet postfix/smtp[15196]: 7B5116009C895: to=valthernielsen@gmail.com, relay=none, delay=2302, delays=2272/0.06/30/0, dsn=4.4.1, status=deferred (connect to comcast.net[69.252.80.75]:587: Connection timed out)
Oct 24 14:55:30 juliet clamd[2258]: SelfCheck: Database modification detected. Forcing reload.
Oct 24 14:55:31 juliet clamd[2258]: Reading databases from /var/lib/clamav
Oct 24 14:55:48 juliet clamd[2258]: Database correctly reloaded (6469679 signatures)
Oct 24 15:05:48 juliet clamd[2258]: SelfCheck: Database status OK.
Oct 24 15:08:42 juliet clamd[2258]: Reading databases from /var/lib/clamav
Oct 24 15:09:00 juliet clamd[2258]: Database correctly reloaded (6469944 signatures)

firewall log:
Oct 24 14:00:31 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=10249 PROTO=UDP SPT=60158 DPT=8610 LEN=24
Oct 24 14:01:02 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=10560 PROTO=UDP SPT=57711 DPT=8610 LEN=24
Oct 24 14:01:23 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=91.195.103.82 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=240 ID=32456 PROTO=TCP SPT=54646 DPT=3390 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 24 14:01:34 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=10720 PROTO=UDP SPT=57807 DPT=8610 LEN=24
Oct 24 14:01:35 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=116.75.24.19 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=42 ID=17248 PROTO=TCP SPT=29269 DPT=2323 WINDOW=19821 RES=0x00 SYN URGP=0
Oct 24 14:02:05 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=10830 PROTO=UDP SPT=59184 DPT=8610 LEN=24
Oct 24 14:02:28 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=58.47.177.157 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=240 ID=45561 PROTO=TCP SPT=43767 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 24 14:02:36 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=10977 PROTO=UDP SPT=62873 DPT=8610 LEN=24
Oct 24 14:03:07 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11043 PROTO=UDP SPT=62093 DPT=8610 LEN=24
Oct 24 14:03:24 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=1.22.180.82 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=47 ID=9259 PROTO=TCP SPT=39104 DPT=23 WINDOW=64936 RES=0x00 SYN URGP=0
Oct 24 14:03:24 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=40.71.93.154 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=235 ID=48972 PROTO=TCP SPT=57121 DPT=3390 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 24 14:03:38 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11117 PROTO=UDP SPT=63951 DPT=8610 LEN=24
Oct 24 14:04:10 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11180 PROTO=UDP SPT=60335 DPT=8610 LEN=24
Oct 24 14:04:39 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=31.7.238.130 DST=76.126.166.91 LEN=44 TOS=0x00 PREC=0x20 TTL=229 ID=10560 PROTO=TCP SPT=52415 DPT=33909 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 24 14:04:41 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11367 PROTO=UDP SPT=62822 DPT=8610 LEN=24
Oct 24 14:05:12 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11409 PROTO=UDP SPT=49707 DPT=8610 LEN=24
Oct 24 14:05:19 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=191.101.167.167 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=243 ID=10630 PROTO=TCP SPT=58846 DPT=3398 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 24 14:05:43 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11443 PROTO=UDP SPT=53444 DPT=8610 LEN=24
Oct 24 14:05:44 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=124.31.59.227 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=50 ID=34811 PROTO=TCP SPT=34307 DPT=23 WINDOW=33269 RES=0x00 SYN URGP=0
Oct 24 14:05:56 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=123.184.158.158 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=41486 PROTO=TCP SPT=26382 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 24 14:05:57 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=51.15.204.4 DST=76.126.166.91 LEN=433 TOS=0x00 PREC=0x20 TTL=51 ID=4056 DF PROTO=UDP SPT=5242 DPT=5061 LEN=413
Oct 24 14:06:12 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=124.123.42.136 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=45 ID=1490 PROTO=TCP SPT=5402 DPT=23 WINDOW=3586 RES=0x00 SYN URGP=0
Oct 24 14:06:14 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11480 PROTO=UDP SPT=58836 DPT=8610 LEN=24
Oct 24 14:06:46 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11514 PROTO=UDP SPT=58778 DPT=8610 LEN=24
Oct 24 14:07:17 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11635 PROTO=UDP SPT=53225 DPT=8610 LEN=24
Oct 24 14:07:48 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=11897 PROTO=UDP SPT=54713 DPT=8610 LEN=24
Oct 24 14:08:19 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=12070 PROTO=UDP SPT=64682 DPT=8610 LEN=24
Oct 24 14:08:51 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=12150 PROTO=UDP SPT=63015 DPT=8610 LEN=24
Oct 24 14:09:22 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=12375 PROTO=UDP SPT=52708 DPT=8610 LEN=24
Oct 24 14:09:23 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=116.72.10.136 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=44 ID=65248 PROTO=TCP SPT=49810 DPT=23 WINDOW=46570 RES=0x00 SYN URGP=0
Oct 24 14:09:50 juliet kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= MAC=00:30:67:d0:19:41:00:01:5c:65:9e:46:08:00 SRC=95.215.1.37 DST=76.126.166.91 LEN=40 TOS=0x00 PREC=0x20 TTL=235 ID=33751 PROTO=TCP SPT=57108 DPT=4529 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 24 14:09:53 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=12558 PROTO=UDP SPT=57206 DPT=8610 LEN=24
Oct 24 14:10:24 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=12599 PROTO=UDP SPT=62697 DPT=8610 LEN=24
Oct 24 14:10:55 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=12681 PROTO=UDP SPT=54765 DPT=8610 LEN=24
Oct 24 14:11:27 juliet kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= MAC=3e:bd:44:9f:13:65:5c:51:4f:39:01:8e:08:00 SRC=192.168.1.23 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=12794 PROTO=UDP SPT=61628 DPT=8610 LEN=24

Maillog (showing rejection of incoming msg):

Oct 22 16:23:56 juliet postfix/smtpd[24620]: connect from in1.ghettosmtp.com[104.237.130.186]
Oct 22 16:23:57 juliet postfix/smtpd[24620]: NOQUEUE: reject: RCPT from in1.ghettosmtp.com[104.237.130.186]: 554 5.7.1 <in1.ghettosmtp.com[104.237.130.186]>: Client host rejected: Access denied; from=valthernielsen@gmail.com to=Vnielsen@billeskov.us proto=ESMTP helo=<in1.ghettosmtp.com>
Oct 22 16:23:57 juliet postfix/smtpd[24620]: disconnect from in1.ghettosmtp.com[104.237.130.186]

Your assistance is greatly appreciated, and clearly I need it.
thanks again.
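
Added example (not part of the original post and not NethServer code): one way to condense a Shorewall kernel log like the one above into per-chain, per-port counts, so it is quick to see which zone pairs are producing entries. The sample lines are constructed in the same format with documentation addresses; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same format as the firewall log above
# (documentation addresses; "gw" is a made-up hostname).
SAMPLE = """\
Oct 24 14:00:31 gw kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= SRC=192.0.2.23 DST=192.0.2.2 LEN=44 TTL=128 PROTO=UDP SPT=60158 DPT=8610 LEN=24
Oct 24 14:01:02 gw kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= SRC=192.0.2.23 DST=192.0.2.2 LEN=44 TTL=128 PROTO=UDP SPT=57711 DPT=8610 LEN=24
Oct 24 14:01:23 gw kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= SRC=198.51.100.7 DST=203.0.113.91 LEN=40 TTL=240 PROTO=TCP SPT=54646 DPT=3390 WINDOW=1024 SYN URGP=0
Oct 24 14:01:34 gw kernel: Shorewall:loc2fw:REJECT:IN=br0 OUT= SRC=192.0.2.23 DST=192.0.2.2 LEN=44 TTL=128 PROTO=UDP SPT=57807 DPT=8610 LEN=24
Oct 24 14:03:24 gw kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= SRC=198.51.100.8 DST=203.0.113.91 LEN=40 TTL=47 PROTO=TCP SPT=39104 DPT=23 WINDOW=64936 SYN URGP=0
Oct 24 14:05:30 gw clamd[2258]: SelfCheck: Database status OK.
Oct 24 14:05:44 gw kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= SRC=198.51.100.9 DST=203.0.113.91 LEN=40 TTL=50 PROTO=TCP SPT=34307 DPT=23 WINDOW=33269 SYN URGP=0
"""

# Log prefix as it appears above: Shorewall:<chain>:<disposition>:
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)")


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        # Bare flags (SYN, DF) carry no "=" and are skipped. The first LEN
        # (IP length) is kept; the later UDP LEN does not overwrite it.
        if sep and key not in rec:
            rec[key] = value
    return rec


def summarise(text):
    """List of ((chain, action, proto, dport), hits, distinct sources)."""
    hits, sources = Counter(), defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["action"], rec.get("PROTO", "?"), rec.get("DPT", "-"))
        hits[key] += 1
        sources[key].add(rec.get("SRC"))
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(key, n, len(sources[key])) for key, n in ordered]


def zone_pairs(text):
    """Chains seen in the log; names read <source zone>2<destination zone>."""
    return sorted({key[0] for key, _, _ in summarise(text)})


if __name__ == "__main__":
    for key, n, srcs in summarise(SAMPLE):
        print("%-32s hits=%d sources=%d" % (" ".join(key), n, srcs))
```

In Shorewall's naming, `loc2fw` and `net2fw` are packets addressed to the firewall host itself; LAN traffic forwarded to the internet would show up under a `loc2net` chain if it were being logged at all.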


(Filippo Carletti) #9

  1. Please show output of db networks show

  2. smarthost

Even here comcast is not responding, I think you need to call them to ask for a working configuration.

# nc -v 69.252.80.75 587
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection timed out.

  3. I see vnielsen@deltaecho.lan and Vnielsen@billeskov.us
    Please show db domains show

(Valther Nielsen) #10

db domains show
billeskov.us=domain


(Valther Nielsen) #11

db domains show output
billeskov.us=domain
AlwaysBCCStatus=disabled
Description-virtual domain
DisclaimerStatus=disabled
TransportType=LocalDelivery
UnknownRecipientsActionType=bounce

deltaecho.lan=domain
AlwaysBccAddress=
AlwaysBCCStatus=disabled
Description=
DisclaimerStatus=disabled
TransportType=LocalDelivery
UnknownRecipientsActionDeliverMailbox=
UnknownRecipientsActionType=bounce

remote.billeskov.us=domain
AlwaysBbbStatus=disabled
Description=mail
DisclaimerStatus=disabled


(Valther Nielsen) #12

last two lines of db domains show output

TransportType=LocalDelivery
UnknownReceipientsAction=bounce.

db networks show output

br0=bridge
FwinBandwidth=
FwOutBandwidth=
gateway=192.168.1.2
ipaddr=192.168.1.2
netmask=255.255.255.0
role=green

enp1s0=ethernet
FwinBandwidth=
FwOutBandwidth=
bridge-be0
role=bridged

enp2s0=ethernet
FwinBandwidth=
FwOutBandwidth=
bootproto=dhcp
role=red

ppp0=disabled

red1=provider
interface=emp2s0
weight=1

Regarding smarthost, I discovered one problem: smtp had been left off; the proper address is smtp.comcast.net. I ran the Ncat command with that change and the ESMTP server reported ready… Of course they still reject mail because deltaecho.lan is not a valid sender. I need to figure out how to send as billeskov.us.

Sorry to have chopped the message up, but I did a couple of unintended 'send’s.
I really appreciate your assistance, and hopefully we can get this working. It is getting boring to have to disconnect the server to get internet connection.


(Markus Neuberger) #13

Leave the gateway of green bridge empty via Web UI, you should already have a gateway on red interface via DHCP.
The gateway is usually not the same as the local IP because it should be the way to internet. You need at least one gateway and yours is on red interface.

Then Internet should work.
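
Added example (not from the thread and not NethServer code): a small checker that applies the advice above to a saved copy of `db networks show` output and flags a green interface whose gateway is its own address, or that has a gateway set while a red interface exists. It assumes record lines (`name=type`) are unindented and property lines are indented; the sample data is constructed with documentation addresses, and the function and finding names are hypothetical.

```python
# Constructed samples modelled on the layout of "db networks show".
BEFORE = """\
br0=bridge
    gateway=192.0.2.2
    ipaddr=192.0.2.2
    netmask=255.255.255.0
    role=green
enp1s0=ethernet
    bridge=br0
    role=bridged
enp2s0=ethernet
    bootproto=dhcp
    role=red
"""
AFTER = BEFORE.replace("gateway=192.0.2.2", "gateway=")


def parse_db(text):
    """Parse 'name=type' records followed by indented 'prop=value' lines."""
    records, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.strip().partition("=")
        if raw[0].isspace() and current is not None:
            records[current][key] = value      # property of current record
        else:
            current = key                      # new record header
            records[current] = {"type": value}
    return records


def check_networks(text):
    """Return (interface, finding) tuples for the gateway rules above."""
    nets = parse_db(text)
    reds = [name for name, p in nets.items() if p.get("role") == "red"]
    findings = []
    for name, p in nets.items():
        if p.get("role") != "green":
            continue
        gw, ip = p.get("gateway", ""), p.get("ipaddr", "")
        if gw and gw == ip:
            findings.append((name, "gateway-is-own-address"))
        if gw and reds:
            findings.append((name, "green-gateway-set-with-red-present"))
    if not reds:
        # One green NIC only: server services, no gateway/NAT role.
        findings.append(("-", "no-red-interface-server-only"))
    return findings


if __name__ == "__main__":
    print(check_networks(BEFORE))
    print(check_networks(AFTER))
```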


(Valther Nielsen) #14

The gateway entry on the green bridge was removed and it made no difference.

Regarding smarthost. Comcast comes back with the following: valthernielsen@gmail.com: host smtp.comcast.net[96.114.157.81] said: 550
5.1.0 vnielsen@deltaecho.lan sender rejected : invalid sender domain (in
reply to MAIL FROM command)
What do I change to get server to report my registered mail domain?


(Markus Neuberger) #15

Are you behind your router with your Nethserver or did Nethserver replace the router?
Are LAN and WAN IPs in the same network?
Does your red interface have an IP address via DHCP?
You can see IP addresses in dashboard or with

ifconfig

or

ip addr

(Valther Nielsen) #16

Nethserver replaces the router, LAN and WAN IPs are different. The red interface does get IP from ISP via DHCP. When I connect Nethserver to the modem I just use the router as a switch for the green network.


(Markus Neuberger) #17

Do you have the DHCP server active on Nethserver to serve IP, gateway and nameservers to your clients?
Your clients have to use Nethserver as gateway and should use it as DNS. I assume you disabled the DHCP server on your router because it may conflict with Nethserver DHCP.
You may also use static IP configuration for one of your clients and just set Nethserver as gateway and DNS for quick testing.


(Valther Nielsen) #18

Yes, Nethserver is active and issuing addresses. Likewise DHCP disabled on router. You may be onto something - I am writing this from a Nethserver client with a fixed IP address. Nothing else seems to be going through (including my phones). Hopefully this gives you a clue to get this fixed.
Thank you very much again.


(Valther Nielsen) #19

I have continued experimenting, but am getting nowhere. Has anybody got any ideas why it might work with static client addresses, but not with DHCP? Unfortunately it is not feasible to change all clients to static addresses.
Anything changed in 7.4 that might change this?


(Markus Neuberger) #20

I had a similar issue now. A Windows 10 client did work with static IP but not with DHCP. I found out that on my old router I had DHCPv6 still active. After turning it off and setting my Windows 10 host in Nethserver DHCP settings to an address reservation with a different IP address, it worked.


(Valther Nielsen) #21

Apparently that is not my issue. IPv6 is disabled on the router as well as DHCP for IPv4. Nonetheless my Win10 Pro client cannot get through and neither can my Ooma or Hopper3. For the Hopper static address is not an option.
If I get this worked out there is still the problem of the sender e-mail address. Will it be necessary to use my registered domain instead of FQDN during installation?
Thank you for your help.