Koozali.org: home of the SME Server

SME 6 beta 3 and Local networks

Dean Mumby

SME 6 beta 3 and Local networks
« on: December 15, 2003, 09:40:48 AM »
Hi Guys

I am having a problem trying to add a local network to a sme 6 b3. This machine is installed as server and gateway and obtains its external ip using dhcp. This works fine and it connects to the internet using a satellite connection. The problem is that this external ip is a private ip address on the satellite provider's network, so I have no way of connecting remotely. I decided to install pptp-linux so that I could connect the server to my own server, which is still running sme 5.6, using the vpn. This works perfectly and all services are available to the sme 6 server as a client. What I need though is to be able to connect back to the sme 6 server from the vpn server to remotely support the client. I advised the client to create a local network using my local ip network range as the correct params. This fails every time. In sme 5.6 it says to leave the gateway ip empty and it will work out how to connect to the network. In sme 6 this fails with a message that "it does not look like an ip address". If someone could try adding a local network that you don't directly have a connection to I would appreciate it. Alternatively, if someone knows the command line equivalent to try add the network, that should work as well, assuming it's a bug in the panel.

Regards
Dean

Boris

Re: SME 6 beta 3 and Local networks
« Reply #1 on: December 15, 2003, 10:37:07 AM »

Dean Mumby

Re: SME 6 beta 3 and Local networks
« Reply #2 on: December 15, 2003, 12:29:03 PM »
Well all I can say is I have no intention of opening things up to the extent mentioned in that thread. The problem is that even once having established the vpn connection from the 6b3 server and having ppp0 up and running, adding the local network 192.168.3.0/255.255.255.0 with router address being the dhcp assigned ip of 192.168.3.109 or the server ip of 192.168.3.1 simply does not work. I tried aliasing eth0:1 to the 192.168.3.0 network and adding the local network then and still no luck.

So I guess my question is, with the following config:

eth0 192.168.0.1/255.255.255.0
eth1 10.x.x.x /255.255.255.0 ( assigned by dhcp)
ppp0 192.168.3.109/255.255.255.255 (assigned by vpn server)

what would I need to enter into the local networks panel to allow the vpn server 192.168.3.1 access to the server through the vpn?

Regards
Dean

Boris

Re: SME 6 beta 3 and Local networks
« Reply #3 on: December 16, 2003, 10:50:52 AM »
If your LAN interface eth0 has IP 192.168.0.1, your VPN server should issue IPs to client from the end of DHCP range (192.168.0.249, 192.168.0.248 etc..) If you never configured this server to be DHCP server, it may not have the correct settings for PPTP to "steal" from DHCP range.

Client's LAN (on the other side) should not have the same network (192.168.0.0/24) or routing will not work.

I don't think this is a bug.
It looks more like misconfiguration so far.

Dean mumby

Re: SME 6 beta 3 and Local networks
« Reply #4 on: December 16, 2003, 12:18:55 PM »
VPN Server : sme 5.6 eth0 192.168.3.1
dhcp enabled ip range 192.168.3.100 -192.168.3.110.
ADSL connection and dynamic dns via zoneedit

VPN Client : sme 6b3 eth0 192.168.0.1
dhcp enabled ip range 192.168.0.100 - 192.168.0.150
satellite connection eth1 dynamic ip assigned by dhcp on private network (normally 10.x.x.x) no external tcp access to machine.
pptp-linux installed and configured.

Client connects using vpn and obtains ip address 192.168.3.109 , client can access all services on server (pop,smtp,ssh etc)

Server can ping client ( no services available) nmap reveals no open ports.

From my understanding there is no configuration problem here.

Mitel indicated that they removed the option to add any local network not directly connected to eth0. This prevents me adding a local network 192.168.3.0/255.255.255.0 to the vpn client to allow the server to use the tunnel to remote administer. This is also not possible even once the ppp link is up and a local ip of 192.168.3.109 has been obtained, as the local network panel (script) is only looking on eth0. I would consider that a bug as there are any number of methods to establish a connection to another lan. I would imagine that this new feature would break all efforts that have been made in the past to get ipsec vpns working; maybe someone could comment on that. It seems we have been left with a LESS functional product.

There must be a way to disable the modification mitel made to allow this.

Another thing that concerns me is that even though ssh is enabled for public access, once the vpn link is up it does not offer this service on ppp0, which I would imagine would still be considered public. There must be an event to update the services with the new ip address and network?

I guess I will keep trying

Dean

Michael P. Soulier

Re: SME 6 beta 3 and Local networks
« Reply #5 on: December 16, 2003, 02:58:11 PM »
Dean mumby wrote:

> Mitel indicated that they removed the option to add any local
> network not directly connected to eth0 , this prevents me
> adding a local network 192.168.3.0/255.255.255.0 to the vpn
> client to allow the server to use the tunnel to remote
> administer.

I am a little unclear as to what you're trying to do. Your vpn client should be able to access the server private network. Why do you need an additional trusted network added?

Can your vpn client not see the server's private network?

Mike

Dean mumby

Re: SME 6 beta 3 and Local networks
« Reply #6 on: December 16, 2003, 04:37:17 PM »
Yes the VPN Client (a sme 6b3 server) can connect to and access all services on the VPN Server (a sme 5.6 server). The problem is I need to have access from the Server to the Client as it is on a private network with no public access. I want to use the tunnel to access FROM the Server to the Client.

This is possible using sme 5.6 by adding a local network on the Client for the Server's network address.

Regards
Dean

Boris

Re: SME 6 beta 3 and Local networks
« Reply #7 on: December 16, 2003, 08:49:28 PM »
Take a look in the file /home/e-smith/networks
You can try (as a test) manually putting your line there, bypassing verification of server-manager.

Warning:
Make sure you fully understand how the routing works before you do it.

Good Luck.

P.S.
Now I am sure it’s not the bug, but rather design {feature|deficiency|security|flaw|advantage}

Bob King

Re: SME 6 beta 3 and Local networks
« Reply #8 on: December 17, 2003, 01:54:04 PM »
If you edit the file /home/e-smith/networks the syntax should be something like below. The delineation characters are pipes. Also be aware of the case.

10.0.0.0=network|Mask|255.255.255.0|Router|default

The above defines a network with 256 hosts (10.0.0.0-10.0.0.256)

To limit the network to 1 host use 255.255.255.255 as the Mask.

Good Luck
Bob

Boris wrote:

> take a look in the file /home/e-smith/networks
> you can try (as a test) manually put your line there,
> bypassing verification of server-manager.
>
> Warning:
> Make sure you fully understand how the routing works before
> you do it.
>
> Good Luck.
>
> P.S.
> Now I am sure it’s not the bug, but rather design
> {feature|deficiency|security|flaw|advantage}
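
An added example, not part of Bob King's post or of the SME Server code: a Python check for lines in the pipe-delimited layout shown above, useful because a hand edit skips the server-manager's validation. The field layout is assumed from the single line in the post; the sample entries and the `max_hosts` threshold are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout shown in the post; not from a real server.
SAMPLE = """\
192.168.0.0=network|Mask|255.255.255.0|Router|default
192.168.3.1=network|Mask|255.255.255.255|Router|default
192.168.3.109=network|Mask|255.255.255.0|Router|default
10.0.0.0=network|Mask|255.0.0.0|Router|default
10.1.0.0=network|Mask|255.255.0.0|Router
"""

def parse_entry(line):
    """Split 'key=type|Prop|value|...' into (key, type, {prop: value})."""
    key, sep, rest = line.strip().partition("=")
    fields = rest.split("|")
    # One type field plus Prop|value pairs always gives an odd field count.
    if not sep or len(fields) % 2 == 0:
        raise ValueError("expected key=type followed by Prop|value pairs")
    return key, fields[0], dict(zip(fields[1::2], fields[2::2]))

def audit(text, max_hosts=256):
    """Return (line_number, key, verdict) for every non-empty line."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            key, kind, props = parse_entry(line)
            if kind != "network" or "Mask" not in props:
                raise ValueError("not a network entry with a Mask property")
            # strict=True rejects a key that has host bits set under the mask;
            # a non-contiguous mask is rejected as well.
            net = ipaddress.IPv4Network((key, props["Mask"]), strict=True)
        except ValueError as exc:
            report.append((n, line.split("=")[0], f"INVALID: {exc}"))
            continue
        span = f"{net[0]}-{net[-1]} ({net.num_addresses} addresses)"
        # Every address in a trusted network gets local-network access,
        # so anything larger than the threshold is flagged for review.
        verdict = "WIDE" if net.num_addresses > max_hosts else "ok"
        report.append((n, key, f"{verdict}: {net.with_prefixlen} {span}"))
    return report

if __name__ == "__main__":
    for lineno, key, verdict in audit(SAMPLE):
        print(f"line {lineno}: {key}: {verdict}")
```

Trusting only the remote administrator's host (the 255.255.255.255 entry) keeps the exposure to one address instead of a whole remote LAN.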

Dean Mumby

Re: SME 6 beta 3 and Local networks
« Reply #9 on: December 17, 2003, 02:08:49 PM »
Thanks for the suggestions I will try and report back here on my progress.

Regards
Dean

Michael P. Soulier

Re: SME 6 beta 3 and Local networks
« Reply #10 on: December 18, 2003, 04:13:34 PM »
Boris wrote:

> P.S.
> Now I am sure it’s not the bug, but rather design
> {feature|deficiency|security|flaw|advantage}

Design intent, actually. We don't encourage people to leave their front doors wide open.

Cheers,
Mike

Boris

Re: SME 6 beta 3 and Local networks
« Reply #11 on: December 18, 2003, 08:44:35 PM »
>> We don't encourage people to leave their front doors wide open.

I totally understand, but in this case it creates inconvenience for the legitimate owner to use "lock picking techniques" to add their "other" Internet locations to the list of the "trusted" networks. A bit of limitation for some situations. Fortunately there is a way around it by adding location (network or host) to DB directly and running relevant signal-event to rebuild all the files using local networks list.

Dean Mumby

Re: SME 6 beta 3 and Local networks
« Reply #12 on: December 18, 2003, 09:07:16 PM »
Thanks Boris, your advice of editing the networks file worked. I found I needed to run /sbin/e-smith/signal-event remoteaccess-update to activate the changes once the vpn link was up.

You mentioned that this could be added to the db. How would this happen?
I have created a file /in templates custom so that I can recreate easily if something goes wrong.

regards
Dean