Koozali.org: home of the SME Server

6.0b3: Can't add local network (error"doesn't look like

Daniele Procida

6.0b3: Can't add local network (error"doesn't look like
« on: October 10, 2003, 06:40:16 PM »
I'm trying to add a Local network to SME 6.0b3.

I enter the network address, the subnet mask, and leave the router address blank.

The server manager complains about the router address field: "Doesn't look like an IP"

What should I enter here? (I have tried, just for the sake of it: the ISP's gateway, the WAN and LAN addresses of the SME server, and 0.0.0.0.)

Leaving it blank worked perfectly in 5.6.

Thanks,

Daniele

Dan Brown

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #1 on: October 10, 2003, 06:48:47 PM »
From the front page, release notes for 6.0b3:

"Comments or bug reports should be sent to smebugs@mitel.com (and only there, please)"

But install the available updates from your favorite mirror first, in case they address this problem.

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #2 on: October 10, 2003, 06:56:19 PM »
Dan Brown wrote:

> "Comments or bug reports should be sent to smebugs@mitel.com
> (and only there, please)"

I'm not certain it's a bug at all - it just might be my idiocy that's the problem.

> But install the available updates from your favorite mirror
> first, in case they address this problem.

I've installed them all already.

Is there some manual way of editing these settings via ssh?

Daniele

Charlie Brady

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #3 on: October 10, 2003, 07:13:12 PM »
Daniele Procida wrote:

> I enter the network address, the subnet mask, and leave the
> router address blank.

From RELEASE-NOTES.txt (in the same directory as the .iso file):

 - A "router" setting must now be defined for any local network. This
   implies that all "local networks" must truly be local, i.e. not
   Internet addresses. This change is introduced to strongly discourage
   insecure configurations.

> What should I enter here?

You need to enter the address of the router which joins your LAN to the additional local network.

Charlie

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #4 on: October 10, 2003, 09:55:15 PM »
>  - A "router" setting must now be defined for any local
> network. This implies that all "local networks" must truly be local,
> i.e. not Internet addresses. This change is introduced to strongly
> discourage insecure configurations.

OK, so it was my idiocy that was the problem, just as I expected.

But still, I really need access to i-bays and user directories over the Internet, via AppleShare. The release notes say:

If you wish to enable local network access, you can do so via:
 
  /sbin/e-smith/config setprop mysqld LocalNetworkingOnly no
  /sbin/e-smith/expand-template /etc/my.cnf
  /etc/rc.d/init.d/mysqld restart

so I'll give that a try. But, why is it MySQL that is implicated here?

Thanks,

Daniele

Charlie Brady

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #5 on: October 14, 2003, 01:06:26 AM »
Daniele Procida wrote:
 
> But still, I really need access to i-bays and user
> directories over the Internet, via AppleShare. The release
> notes say:
>
> If you wish to enable local network access, you can do so via:
>  
>   /sbin/e-smith/config setprop mysqld LocalNetworkingOnly no
>   /sbin/e-smith/expand-template /etc/my.cnf
>   /etc/rc.d/init.d/mysqld restart
>
> so I'll give that a try. But, why is it MySQL that is
> implicated here?

Sorry, there was a cut&paste error in the Release Notes. The text you quote above refers to a preceding paragraph:

 - The mysql database daemon is configured by default to accept only
   local connections (i.e. it is not accessible via the network).
   This is a security precaution. We only use mysql for webmail
   preferences, and only require access from localhost.
                                                                                               
I've corrected the error. Sorry for the confusion.

Charlie

Alejandro Lengua

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #6 on: October 18, 2003, 08:27:57 PM »
So Daniele, did your project work?
Can your remote (now local) network access the Internet?

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #7 on: October 18, 2003, 08:56:04 PM »
Alejandro Lengua wrote:
>
> So Daniele, did your project work?

No. I have still not succeeded in finding a way to make file-sharing from the SME server available across the Internet.

I've experimented with various things, but so far not with any luck. Unfortunately this is a real problem for me.

Daniele

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #8 on: October 18, 2003, 09:22:48 PM »
Daniele Procida wrote:
>
> No. I have still not succeeded in finding a way to make
> file-sharing from the SME server available across the Internet.

This is why VPNs were invented. Simply opening-up your server to a range of IPs is not even remotely safe, which is why it is no longer permitted in 6.0.

There are various VPN technologies available for Linux and other platforms, from FreeS/WAN, to OpenVPN, to PPTP and OpenSSH. OpenVPN is probably the simplest of these solutions, and it's available for many platforms.

Conversely, if you need a turn-key solution, you can purchase the commercial release.

Regards,
Mike

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #9 on: October 18, 2003, 09:42:34 PM »
Michael Soulier wrote:

> > No. I have still not succeeded in finding a way to make
> > file-sharing from the SME server available across the
> Internet.
>
> This is why VPNs were invented. Simply opening-up your server
> to a range of IPs is not even remotely safe, which is why it
> is no longer permitted in 6.0.

I can understand that, especially in the context of a server system that has been developed and marketed with security as one of its prime considerations. I'd still prefer it to be an option though. Unfortunately VPN simply doesn't really meet all my needs (though it works well enough for me at some levels).

Would what I want to do be possible in the commercial release?

Daniele

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #10 on: October 18, 2003, 09:52:17 PM »
> Would what I want to do be possible in the commercial release?

OK, stupid question: how do I actually purchase the commercial release? Some time spent browsing the Mitel site tells me all about it, but not how I purchase it or how much it will cost.

Daniele

Alejandro Lengua

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #11 on: October 19, 2003, 12:55:04 AM »
Well, I thought you were wanting to share SME on several local networks.

I plan to have 2 local networks with access to the Internet:
192.168.10.0 attached directly to the SME box
192.168.20.0 attached to its own router/gateway with a WAN IP like 192.168.10.x. Is what I am thinking correct?

INTERNET
    |
SME BOX ----- LAN 1 (192.168.10.0)
                  |
              Router (WAN IP: 192.168.10.100 / LAN IP: 192.168.20.1)
                  |
              LAN 2 (192.168.20.0)

Charlie Brady

Local networks (was Re: 6.0b3: Can't add local network (erro
« Reply #12 on: October 19, 2003, 05:19:17 AM »
Alejandro Lengua wrote:
 
> I plan to have 2 local networks with access to the Internet:
> 192.168.10.0 attached directly to the SME box
> 192.168.20.0 attached to its own router/gateway with a WAN
> IP like 192.168.10.x. Is what I am thinking correct?

Yes, that is exactly what the "local networks" feature provides.

Charlie
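
As an added example (not from this thread or from the SME project), the two rules discussed above expressed as a check: the release-note requirement that a local network be truly local with a router defined, and Alejandro's two-network layout as the sample input. It assumes "not Internet addresses" means RFC 1918 space and that the router must be a host on the server's own LAN; the function name and the sample entries are constructed for illustration.

```python
"""Validate a proposed SME "local network" entry against the two rules this
thread turns on: the network must truly be local (an RFC 1918 range, not an
Internet address) and a router on the server's own LAN must be given.
Illustrative check written for this page, not SME's own code; the real
server-manager may apply different or additional tests."""
import ipaddress

# Private address space per RFC 1918; anything else is treated as "Internet".
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_local_network(lan_cidr, network, netmask, router):
    """Return (ok, reason) for one local-network definition.

    lan_cidr -- the server's own LAN, e.g. "192.168.10.0/24"
    network  -- the additional network's address, e.g. "192.168.20.0"
    netmask  -- its dotted mask, e.g. "255.255.255.0"
    router   -- LAN-side address of the router that joins the two networks
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    try:
        net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    except ValueError as exc:
        return False, f"bad network/mask: {exc}"
    # Rule 1: only private ranges may be declared "local".
    if not any(net.subnet_of(p) for p in PRIVATE_RANGES):
        return False, f"{net} is an Internet range, not a local network"
    # Rule 2: a router is mandatory (the blank field rejected in 6.0b3).
    if not router:
        return False, "router address is required"
    try:
        gw = ipaddress.ip_address(router)
    except ValueError:
        return False, f"router {router!r} doesn't look like an IP"
    # The router must be reachable from the server, i.e. be a host on its
    # LAN; the router's far-side address (192.168.20.1 in the diagram) is not.
    if gw not in lan or gw in (lan.network_address, lan.broadcast_address):
        return False, f"router {gw} is not a host on the server LAN {lan}"
    return True, f"route {net} via {gw}"


if __name__ == "__main__":
    LAN = "192.168.10.0/24"                    # the server's own LAN
    cases = [                                  # constructed sample entries
        ("192.168.20.0", "255.255.255.0", "192.168.10.100"),  # the layout above
        ("192.168.20.0", "255.255.255.0", ""),                # blank router
        ("192.168.20.0", "255.255.255.0", "192.168.20.1"),    # far-side address
        ("203.0.113.0", "255.255.255.0", "192.168.10.100"),   # Internet range
        ("192.168.20.0", "255.255.255.0", "0.0.0.0"),         # not on the LAN
    ]
    for net, mask, rtr in cases:
        ok, why = check_local_network(LAN, net, mask, rtr)
        print("OK  " if ok else "FAIL", net, mask, rtr or "(blank)", "->", why)
```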

Charlie Brady

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #13 on: October 19, 2003, 05:23:39 AM »
Daniele Procida wrote:

> I can understand that, especially in the context of a server
> system that has been developed and marketed with security as
> one of its prime considerations. I'd still prefer it to be an
> option though.

Windows networking (SMB) and AppleTalk are not designed as "hard" protocols to be exposed to the Internet. Your request is very unusual. I'm also not certain that it is possible, as netatalk only listens on a single interface (the LAN).

Charlie

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #14 on: October 19, 2003, 07:30:57 AM »
> I can understand that, especially in the context of a server
> system that has been developed and marketed with security as
> one of its prime considerations. I'd still prefer it to be an
> option though. Unfortunately VPN simply doesn't really meet
> all my needs (though it works well enough for me at some
> levels).

How does a VPN not meet your needs?

> Would what I want to do be possible in the commercial release?

Yes. Beyond PPTP, MAS 6.0 supports IPSec Roadwarrior VPNs via X.509 certs and l2tp, which is built into Win2K and WinXP.

Mike

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #15 on: October 19, 2003, 07:46:10 AM »
Daniele Procida wrote:
>
> OK, stupid question: how do I actually purchase the
> commercial release? Some time spent browsing the Mitel site
> tells me all about it, but not how I purchase it or how much
> it will cost.

Mitel sells via resellers and distributors. Think of purchasing a PC from Dell instead of Microsoft. MS could not possibly provide support to their entire user-base, so they work through retail and OEM channels.

You should have one or more resellers in your area, depending on where you are.

http://www.mitel.com/contact_solution_provider/index.cfm

Feel free to contact Dan York (dan_york@mitel.com) if you have a bad experience with this.

Mike

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #16 on: October 19, 2003, 01:21:46 PM »
> Windows networking (SMB) and AppleTalk are not designed as
> "hard" protocols to be exposed to the Internet. Your request
> is very unusual. I'm also not certain that it is possible, as
> netatalk only listens on a single interface (the LAN).

AppleTalk is certainly not designed for the Internet, because it's not an IP-based protocol. However, it's AppleShare (over IP) and not AppleTalk that I'm after (the former is a file-sharing protocol, the latter a networking protocol).

So far as I'm aware it is perfectly possible to have AppleShare running on more than one interface. It is also, again so far as I understand it, very secure, or at least much more secure than many other traditional Internet protocols such as FTP.

Daniele

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #17 on: October 19, 2003, 01:35:23 PM »
Michael Soulier wrote:
>
> > I can understand that, especially in the context of a server
> > system that has been developed and marketed with security as
> > one of its prime considerations. I'd still prefer it to be an
> > option though. Unfortunately VPN simply doesn't really meet
> > all my needs (though it works well enough for me at some
> > levels).
>
> How does a VPN not meet your needs?

What I'm after is a small server in my office to store files on, which I can access from anywhere. My clients only ever use Macs, so AppleShare (which is well integrated into every version of the Mac OS and is very familiar to my clients) is by far the preferred way of accessing those files.

I'd like to be able to create user volumes on the server so particular clients get to see particular things, to have a read-only public access volume for guests, and so on.

Basically, if it's plain old AppleShare, it'll work as a useful resource, but if anything beyond that is required (such as VPN) I'll still be able to use it, but it will simply be a non-starter as far as my clients are concerned.

(There is one more thing that I'm after, which is for my clients to be able to upload things via AppleShare to a volume, and their clients to be able to download them via HTTP. But that's further down the road than this.)

Sorry if I seem to be asking the impossible, or even just the undesirable, in all this. I'm not trying to be obstinate, but I do know what I'd like to achieve, and if it turns out that SME can do it then I'll be very pleased.

Regards,

Daniele

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #18 on: October 19, 2003, 06:54:48 PM »
Daniele Procida wrote:
>
> I'd like to be able to create user volumes on the server so
> particular clients get to see particular things, to have a
> read-only public access volume for guests, and so on.
>
> Basically, if it's plain old AppleShare, it'll work as a
> useful resource, but if anything beyond that is required
> (such as VPN) I'll still be able to use it, but it will
> simply be a non-starter as far as my clients are concerned.

I fail to understand why. If you're talking about a remote office, set up a permanent VPN from it to the main office with the fileserver. The entire point of a VPN is that it is transparent to the users. Anything you can do locally from the SME server, you can do over a properly configured VPN.

If this is not a remote office, and you have roadwarriors wishing the same functionality, then it's a small requirement to have them click on an icon and wait for the VPN to be established before accessing the private office network.

> (There is one more thing that I'm after, which is for my
> clients to be able to upload things via AppleShare to a volume,
> and their clients to be able to download them via HTTP. But
> that's further down the road than this.)

The second is simple. The former _must_ be secure. Permitting arbitrary uploads from the internet is "not a good thing"!

> Sorry if I seem to be asking the impossible, or even just the
> undesirable, in all this. I'm not trying to be obstinate, but
> I do know what I'd like to achieve, and if it turns out that
> SME can do it then I'll be very pleased.

I don't see why not. I still don't follow why a VPN would be a burden to anyone. Remember, the whole point is that it is transparent.

With the 6000 MAS, we offer a 6042 VPN solution that permits establishment of VPNs to remote offices at the click of a mouse, between as many 6042s as you've purchased (6000 + a software blade).

Regards,
Mike

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #19 on: October 19, 2003, 10:30:30 PM »
Michael Soulier wrote:

> > Basically, if it's plain old AppleShare, it'll work as a
> > useful resource, but if anything beyond that is required
> > (such as VPN) I'll still be able to use it, but it will
> > simply be a non-starter as far as my clients are concerned.
>
> I fail to understand why.

Because it's not what they want, or what they'll manage to use successfully and consistently without my help. If I can give them something that works almost exactly like the normal AppleShare file-sharing they're used to, they'll probably get the hang of it after two or three weeks, though they'll still be phoning me up each time to ask if the server's down because it's not popping up in the Chooser. Each thing that's in any way different from what they normally do when they access shared volumes is going to result in frustration. None of them are stupid or anything, but very many of them have tremendous difficulties with computers.

> I don't see why not. I still don't follow why a VPN would be
> a burden to anyone. Remember, the whole point is that it is
> transparent.

You'll just have to trust me that for many of my clients it simply would be too much trouble to make it worth their while to use.

Daniele

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #20 on: October 20, 2003, 10:40:32 PM »
Daniele Procida wrote:
>
> You'll just have to trust me that for many of my clients it
> simply would be too much trouble to make it worth their while
> to use.

If your clients have no time to use the internet securely, they shouldn't be using it. Ask them how much time they'll have when someone hijacks their data. Seems that people always have time to fight fires, but not enough time to prevent them.

Implemented correctly, it should be invisible. I fail to see how invisible is "too much trouble".

Regards,
Mike

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #21 on: October 31, 2003, 07:24:09 PM »
In SME 6, you can't add a local network which is on the WAN side of the server - that's what the developers consider VPN to be for. Unfortunately, VPN won't be a practicable option for my purposes.

I've found a way round this. I don't doubt that this solution will be severely frowned upon (at best) by the developers of SME (who are after all engaged in trying to put out a secure product), because it defeats some of the security of the server. So, if you do do this, be warned that SME support staff (Michael Soulier) have explicitly said that it is not a "good thing".

Having said that, it *did* provide me with what I needed, which was to enable AppleShare access to the server from anywhere on the Internet without having to use VPN. It does this by making the server consider any Internet address to be on a Local Network. This is the terminal command:

/sbin/e-smith/config setprop local access public

I would prefer to have enabled access to Internet AppleShare clients by modifying the firewall template fragments, so that instead of this rather extreme way of opening things up I could have just enabled access on port 548. Unfortunately, despite much experimenting I was not successful, which is why I had to resort to this.

I hope the SME support people aren't too appalled at this crude bit of hackery.

Daniele

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #22 on: November 04, 2003, 05:41:49 AM »
Daniele Procida wrote:
>
> In SME 6, you can't add a local network which is on the WAN
> side of the server - that's what the developers consider VPN
> to be for. Unfortunately, VPN won't be a practicable option
> for my purposes.

I'll take your word for it, since I still don't understand how something transparent can be unacceptable to your clients.

> /sbin/e-smith/config setprop local access public

For the record, that instructs the server to treat all networks as local. In other words, it is completely open.

> I hope the SME support people aren't too appalled at this
> crude bit of hackery.

It's not hackery, it's a feature. However, it's one that I cannot advise you use on the internet. I suggest you reconsider.

Regards,
Mike

Daniele Procida

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #23 on: November 04, 2003, 01:19:50 PM »
> > In SME 6, you can't add a local network which is on the WAN
> > side of the server - that's what the developers consider VPN
> > to be for. Unfortunately, VPN won't be a practicable option
> > for my purposes.
>
> I'll take your word for it, since I still don't understand
> how something transparent can be unacceptable to your clients.

I don't know of any freeware, shareware, or moderately-priced VPN client software for earlier versions of the Mac OS. In fact I don't know of *any* VPN client software for versions prior to Mac OS 8. If the VPN clients simply don't exist, or if they're $100 each, it's not going to be viable.

Sometime in the future when everyone has moved to Mac OS X VPN might be an option for them, but it won't be for a few years. Even then, though, the thought of having to provide additional support for VPN (over and above the support for AppleShare over IP) is not one I find attractive.

I know you consider VPN to be a transparent solution. But what's transparent to someone who's experienced with the Internet and networking is not necessarily transparent to someone who has trouble with the very concept of a network. At the very least I will have to install and configure software on dozens of clients' computers.

> It's not hackery, it's a feature. However, it's one that I
> cannot advise you use on the internet. I suggest you
> reconsider.

I just meant that my way round the issue is a crude hack, precisely because of the way it opens things up.

As Michael says, this is a very far from ideal solution. But at least it's making it possible for me to test some of the things I'm trying to do. I'll just have to decide whether I can find a better way within the SME framework, or use something else (which I'd rather not do if I can help it, since I do like SME very much).

Daniele

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #24 on: November 04, 2003, 10:56:13 PM »
Michael Soulier wrote:
>
> > /sbin/e-smith/config setprop local access public
>
> For the record, that instructs the server to treat all
> networks as local. In other words, it is completely open.

Hmm. I think I was very tired when I posted that. That's not right at all.

In fact, the local record should have nothing to do with any of this, so if it's suddenly working, it must be something else that you did.

Mike

Michael Soulier

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #25 on: November 04, 2003, 10:58:18 PM »
Daniele Procida wrote:
>
> I don't know of any freeware, shareware, or moderately-priced
> VPN client software for earlier versions of the Mac OS. In

I was thinking of a box in front of the client. Some broadband routers now support IPSec.

> I know you consider VPN to be a transparent solution. But
> what's transparent to someone who's experienced with the
> Internet and networking is not necessarily transparent to
> someone who has trouble with the very concept of a network.
> At the very least I will have to install and configure
> software on dozens of clients' computers.

Not if an upstream box is doing the work. In any event, it's obviously your choice.

Mike

Nick Critten

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #26 on: November 11, 2003, 07:28:25 PM »
Hi Daniele,

Someone correct me if I'm wrong, but could this be achieved by having 2 SME servers? One with your data on it that you have now, but set up in server-only mode,

then another SME server (or indeed any other free firewall solution such as the excellent SmoothWall) as your gateway, port-forwarding 548 to your server.

For security reasons you could even put your server on the DMZ of the gateway.

Would this do what you're looking for?

Nick

Dick Morrell

Re: 6.0b3: Can't add local network (error"doesn't look
« Reply #27 on: November 11, 2003, 07:53:08 PM »
That is the perfect solution. As the author of SmoothWall I would say that, wouldn't I, but... whether you run SW or IPCop or the more excellent MonoWall product (go look it up on the web, it rocks) you are far better off.

You should never really ever run your firewall box as anything other than a firewall. It's just asking for trouble as soon as you start running vulnerable services. For the price of a P100 box with 64MB RAM that you can get out of a dumpster you can have peace of mind.

Just build one and port-forward necessary ports as you see fit. At home I have a MonoWall server on a P200 with 64MB port-forwarding 80 to my DMZ, and mail and https to my internal network to an SME 6.03 with ASSP and SpamAssassin mods on it.

Secure :)