Topic: Can´t browse my sites after moved SMEserver to DMZ

[lk-data]

Hi.

I got some new IP address´s, before I had only one, but got 8 more there is routet trougt the one I had.

I then setup a firewall/router, and moved the SME server to DMZ zone and changede the IP address with one of the new public IP addresses I got, I also moved my trixbox from Local net to DMZ and changed the IP address to one of the new public addresses.

The issue is that I can´t see any of my sites any more neither from my local net og the Internet. But I can easy access my trizbox website on the same net via browser, so the routing is working fine. (have also tryed to give the trixbox the same IP as the SME server, and then I can access the trixbox from local net and internet too.) 

If im setting my Laptop on the DMZ zone  the I can browse the internet and all the sites on both Trixbox and SMEserver.

Any one there can help me figure out, what is wrong since I can´t see the sites on SMEserver.??

by the way, e-mail is comming trough to the SMEserver.. It´s only the Web sites there is the problem.. And I have changed all the A records and MX records to the right IP address.


I just made a tcpdump on SME server, when I try to browse one of my sites from the localnet.

[root@mail-sme01 ~]# tcpdump -a -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@lk-data-sme01 ~]# clear
[root@lk-data-sme01 ~]# tcpdump -a -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:46:15.215298 arp who-has 85.114.52.50 tell 85.114.52.49
12:46:15.221528 arp reply 85.114.52.50 is-at 00:0c:29:bf:1b:ce
12:46:15.222421 IP pc-00150.lk-data.dk.46366 > 85.114.52.50.http: S 3355253535:3355253535(0) win 8192 <mss 1460,nop,nop,sackOK>
12:46:18.200108 IP pc-00150.lk-data.dk.46366 > 85.114.52.50.http: S 3355253535:3355253535(0) win 8192 <mss 1460,nop,nop,sackOK>
12:46:24.200468 IP pc-00150.lk-data.dk.46366 > 85.114.52.50.http: S 3355253535:3355253535(0) win 8192 <mss 1460,nop,nop,sackOK>


A short drawing of the net setup.

                     Internet
               (81.114.115.224/30)
                          |
                          |
                          |
                          |
              -----------------------
                  Router/Firewall
              -----------------------
               |                      |
               |                      |
               |                      |
               |                      |
          LocalNet              DMZ
   (192.168.1.0/24)    (85.114.52.48/29) 



Berst regards

Lars Kjeldsen.

[electroman00]

What firewall/router are you using.

You will have to Port Forward each service you require to the appropriate DMZ Server i.e. http port 80 to SME IP  port 80

If im setting my Laptop on the DMZ zone  the I can browse the internet and all the sites on both Trixbox and SMEserver.

That indicates that both are wrorking on the DMZ correctly which is good.

You can move the laptop back to the Lan and Setup the Port Forwards and all should work.

Also note on the DMZ you can be in either Server-Only or Gateway Mode.
My preference is Gateway Mode for improved system security while administrating SME.

You will have to Port Forward each service you require to the appropriate DMZ Server

[mmccarn]

You'll have trouble getting to the SME from the LAN if the SME LAN IP is on the same subnet as the LAN.  That is - if your SME LAN IP is 192.168.1.x.

Did you reset your SME WAN/LAN IP using the SME setup menu (login as admin from the console or using putty/ssh) or using some other means?  The SME firewall rules all use the SME db value for 'ExternalIP' and 'LocalIP' - if you changed your IPs manually these values may not be correct.

Finally, you may want to use 'server-only' mode if you plan to keep your SME on the DMZ (hopefully someone more knowledgeable than I about SME security will chime in on this idea).

[lk-data]

Hi mmccarn.

Thanks for the answer, I'm running at the same LOCAL net as I use to. And I have now tried to connect the LAN cable to the LOCAL NET,and I have access that way.

But I still can't get access to the sites from the internet ??

Yes I had logged on using putty/SSH as root, and used "-su admin" and setup the server with the new addresses on the DMZ. And it also recives Mail just fine that way, but nu sites can be browsed. 

I still can't figure out whats wrong on that part ?? As i have tested before, If i Close the SME and give my TRIXBOX server the same IP as SMEserver, then I can browse that webserver just fine, both with IP address and DNS name. But when I change the IP back on both TRIXBOX and SMEServer I can't browse the SMEServer from Internet.

Best regards

Lars Kjeldsen

[mmccarn]

What do you get on your SME from

Code: [Select]

config show ExternalInterface?

What about

Code: [Select]

config show ExternalIP
config show ExternalNetmask
Basically, do the values reported look OK?  It sounds as though the SME server is using the wrong gateway IP (from your earlier printout, it looks like the SME ExternalInterface Gateway should be 85.114.52.49).

If the network settings look OK you may want to open a bug in bugzilla, attach the output of /sbin/e-smith/audittools/newrpms and /sbin/e-smith/audittools/templates, reference this thread and add a post here pointing to the bug in bugzilla. 

For what it's worth, I've been assured in the past that the devs would much rather triage even simple problems in the bug tracker than try to keep up with the forums.

[CharlieBrady]

If the network settings look OK you may want to open a bug in bugzilla,
...
For what it's worth, I've been assured in the past that the devs would much rather triage even simple problems in the bug tracker than try to keep up with the forums.

I'm not sure that's the case here. SME server has not been designed to operate in a DMZ. If OP wishes to deploy in some configuration other than server only (on LAN) or server-gateway (on LAN with one Internet link), then onus is on OP to know what he/she is doing and work out how to do it.

[lk-data]

Hi CharlieBrady.

I can´t see the diffrence, If i place the SMEserver i a DMZ or on LAN, the setup is the same. Because I don't change the sme server at all, the server has a gateway to reach and if that gateway is my ISP or my DMZ, what´s the diffrence from the SMEServer's view?? I like to think I know what im doing, but I can't understand why it's only http traffic there is the problem, and not all other traffic..

Best regards

Lars Kjeldsen