When using VPN, proxy/filter module not working with network segmentation


(Zimny) #1

Hi guys,
First, and as always, I appreciate all your work and enjoy your piece of software.

Issue:
Looks like the proxy/filter module is not working properly when we are implementing subnets.

Scenario:
Dedicated VPN server with transparent proxy/net filter module
Server has two NICs, where green is:
192.168.0.10/21
VPN range is 192.168.0.0/29 - warrior mode

Problem:
All local machines connected to the green interface have the transparent proxy and net filter working properly.
VPN clients have properly routed traffic but no proxy/filter.

Net 192.168.0.0/29 is a subnet of 192.168.0.0/21, which is the green interface and trusted network.

Hope this helps.
Not sure, to be honest, if this is a proxy/filter issue or maybe the VPN module.

Cheers,
Zimny


(Markus Neuberger) #2

Does it work if you enter your proxy settings manually? Maybe the transparent proxy does not work via VPN. Did you check if browsing goes over VPN?


(Zimny) #3

Hi Markus

Browsing through VPN is working OK, but the proxy is not in use.
Local clients' traffic is going through the proxy, no problems.
The proxy is in transparent mode with bypassing not allowed.
Transparent squid is working on the non-standard port 3128, and I need to implement the transparent proxy for local machines, so I haven't tried whether the proxy works in manual mode; but with manual mode I never have any issues, I just always need to manually edit the clients' config files to add the proxy to them.

Did you reproduce the same issue when subnetting your net?


(Michael Kicks) #4

@zimny I wouldn't use your segmentation for networking.
It's really nice to have the VPN network segment bridged on the Green interface, but from my perspective of network management, this is a potential issue for routing and firewalling. Not only on the firewall side, but also on the client side.
Therefore, I suggest changing your VPN range to something different (192.168.5.0/29, for example).
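As an added illustration (not code from the thread or from NethServer) of why nested ranges matter for routing and for any rule keyed on "source address is in the green network": the script audits the subnets quoted above for overlap and uses longest-prefix matching to show which segment a given source address is attributed to. Interface names, the shape of the trust rule, and the 192.168.10.0/29 range are assumptions made for this example.

```python
import ipaddress

# Interface table modelled on the thread (constructed for this example):
# the green NIC sits in 192.168.0.0/21 and the VPN pool is 192.168.0.0/29.
# The interface names are assumptions, not NethServer's own naming.
GREEN = "192.168.0.0/21"
VPN_POOL = "192.168.0.0/29"


def overlapping(a, b):
    """True when two networks share any address (here one contains the other)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def audit(ifaces):
    """List every pair of interfaces whose subnets overlap.
    An empty list means rules keyed on source network can tell the segments apart."""
    nets = {name: ipaddress.ip_network(net) for name, net in ifaces.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def ingress_guess(src_ip, ifaces):
    """Longest-prefix match of a source address against the interface table:
    the view routing and reverse-path checks take of where a packet with this
    source belongs. With nested subnets the more specific VPN prefix wins."""
    ip = ipaddress.ip_address(src_ip)
    hits = [(name, ipaddress.ip_network(net)) for name, net in ifaces.items()
            if ip in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[1].prefixlen)[0] if hits else None


def trusted_as_green(src_ip, green=GREEN):
    """An assumed rule of the form 'source inside the green network is trusted'
    cannot distinguish a VPN client from a LAN host once the pools nest."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(green)


if __name__ == "__main__":
    table = {"green": GREEN, "vpn": VPN_POOL}
    print("overlapping pairs:", audit(table))
    print("192.168.0.3 attributed to:", ingress_guess("192.168.0.3", table))
    print("192.168.0.50 attributed to:", ingress_guess("192.168.0.50", table))
    print("VPN client 192.168.0.3 passes the green rule:", trusted_as_green("192.168.0.3"))
    # 192.168.0.0/21 spans 192.168.0.0-192.168.7.255, so 192.168.5.0/29 is still inside it;
    # a constructed pool outside the /21 is what actually removes the overlap.
    print("192.168.5.0/29 overlaps green:", overlapping(GREEN, "192.168.5.0/29"))
    print("192.168.10.0/29 overlaps green:", overlapping(GREEN, "192.168.10.0/29"))
```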


(Zimny) #5

Hi Pike

Thanks for the reply.

For small networks segmentation is not much in use, but for large environments it is needed (imagine switches that hold VLANs on that layer).
I reproduced this bug to improve the NethServer software.
I have done some more probes and I can see that signal-event is not working properly.
Some of the setup is only implemented on the next reboot.
Also, it is good to know if your LAN clients are from the VPN subnet or the entire-network ones.
For example, IDS?
Do you have so many network-skilled clients in your network who know about the broadcast, etc.?

Love NethServer and using it in most of my environments.
But when something needs to be addressed, this is the place.