Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Norrie on May 23, 2001, 06:11:36 PM

Title: HELP! - e-smith behind firewall
Post by: Norrie on May 23, 2001, 06:11:36 PM
Hi everyone,

Sorry but this is a re-post from the general questions forum.  I'm still stuck...

I'm trying to configure e-smith as a server / gateway behind a Smoothwall firewall but I'm having a little trouble. Here's my setup:

Internet
|
ISDN
smoothwall
eth0 (192.168.1.254) - ne2k-pci
|
eth1 (192.168.1.1) - ne2k-isa
e-smith
eth0 (192.168.0.254) smc etherez isa
|
LAN1 (192.168.0.xxx) ne2k-isa
clients ('doze boxes)

From my 'doze box I can log on to e-smith using PuTTY and run lynx to gain access to the smoothwall box to enable dial on demand ISDN. Pinging any address / name (still in PuTTY) from e-smith triggers smoothwall dialing and a connection ok. I can't ping or browse directly from my 'doze machine although pinging by name from my 'doze machine results in the name being converted to an address ok but no reply. For example:

   ping google.com

results in something like

   pinging 216.239.33.100...etc.
   request timed out

(I think)

I've RTFM and tried several times to add the address of the smoothwall box in the e-smith console configuration following the instructions:


"5.14. Further Miscellaneous Parameters
There are a few, final connectivity-related parameters that must be entered into your e-smith server and gateway.
Master DNS server: The first option is for a master (or primary) DNS server. You should only configure this value if your e-smith
server is behind a firewall and cannot perform direct queries to Internet DNS servers. Most installations should leave this setting
blank. You do not need to configure your e-smith server to use your ISP’s DNS servers.
Note: Your e-smith server and gateway contains a fully functional caching DNS server and in almost all cases you will not need to
enter the address here for a DNS server. However, some corporate firewalls restrict DNS queries from internal DNS servers. If that
is the case, you will need to supply the address for an external DNS server.
External proxy server: The next screen allows you to configure your e-smith server and gateway so that the computers on your
network will use a proxy server outside of your own network. Some Internet Service Providers may require this. Additionally, if your
e-smith server is behind another firewall, it may need to use the external proxy server. If you have questions about whether to use a
proxy server, we recommend you read Appendix C on using a proxy server. In most environments you can probably leave this blank."

I enter the address of the smoothwall box and after a short time e-smith asks if I would like to reboot so the changes can take effect. I say yes but the symptoms above are still apparent. If I re-enter the e-smith configuration console, the address I entered has disappeared.

Can anyone please suggest a solution?

Many thanks

Norrie.
Title: Re: HELP! - e-smith behind firewall
Post by: Nathan Fowler on May 23, 2001, 08:47:31 PM
What does /etc/sysconfig/network say?

Look at your GATEWAYDEV and GATEWAY.

Your GATEWAY= should be the IP Address of your smoothwall firewall box, not the IP of your ISDN gateway. (I'm assuming that your smoothwall is really a gateway/firewall and you have defined a gateway IP on that device to your ISDN gateway)

The GATEWAYDEV should be ethX where X is the number of your external network card (IE:  Card NOT assigned to your internal LAN clients; NOT your "'doze" box)
Title: Re: HELP! - e-smith behind firewall
Post by: Kees Blokland on May 24, 2001, 12:20:27 AM
..and all your windows boxes have their default gateway set to the ip address of e-smith 192.168.0.254, right?

if you still have the default gateway on the windows boxes pointing to the smoothwall, things get confused..

(made that mistake myself last weekend, trying to combat bt's 16 hour blackout..)
Title: Re: HELP! - e-smith behind firewall
Post by: Graeme Robinson on May 24, 2001, 04:09:46 AM
Hard to give a straight answer to this - there are so many 'could be's that spring to mind.

Forget about proxying and dhcp for the moment - manually configure the windoze box to point to the e-smith server as the gateway and give it an address on the 192.168.1.0 range and do your tests from it again.  If it still fails to get return internet packets it looks like a routing problem - have a look at your e-smith routing table (ssh in as root and enter the route command).

It'll look something like this:
[root@e-smith /root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
172.32.18.28    *               255.255.255.255 UH    0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         172.32.18.28    0.0.0.0         UG    0      0        0 eth1

The default route should point to Smoothwall on eth1 and the internal range (line 3) should point to eth0 (or vice versa wrt to ethernet interfaces).

Compare routing on your windoze box (if NT command is 'ipconfig route', if win9x enter 'winconfig' from command line)

That will look something like this:
C:\>route print
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 00 e8 d8 6d 46 ...... Realtek RTL8029(AS) Ethernet Adapt
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.165       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.0.165   192.168.0.165       1
    192.168.1.165  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255    192.168.0.165   192.168.0.165       1
        224.0.0.0        224.0.0.0    192.168.0.165   192.168.0.165       1
  255.255.255.255  255.255.255.255    192.168.0.165   192.168.0.165       1
Default Gateway:       192.168.0.1

This should get you going.
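
The routing checks suggested in the replies above (default route pointing at the firewall on the external interface, internal range on the other interface), as an added example that is not part of the original thread. The interface names and addresses are taken from the diagram in the first post, the route tables are constructed samples, and `check_gateway` is a hypothetical helper name.

```python
import ipaddress

# Constructed `route` output for the e-smith box in the first post's diagram.
NETS = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
"""
GOOD_TABLE = NETS + "default 192.168.1.254 0.0.0.0 UG 0 0 0 eth1\n"
# Constructed failure case: the default route leaves through the LAN interface.
BAD_TABLE = NETS + "default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0\n"

def parse_routes(text):
    """Parse numeric `route` / `route -n` output; '*' or 0.0.0.0 = on-link."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip the title and the column header
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(f"{dest}/{f[2]}", strict=False)
        gw = None if f[1] in ("*", "0.0.0.0") else ipaddress.ip_address(f[1])
        routes.append({"net": net, "gw": gw, "flags": f[3], "iface": f[7]})
    return routes

def check_gateway(text, firewall_ip, wan_if, lan_if, lan_net):
    """Return a list of problems; an empty list means the table looks right."""
    routes, problems = parse_routes(text), []
    fw, lan = ipaddress.ip_address(firewall_ip), ipaddress.ip_network(lan_net)
    defaults = [r for r in routes if r["net"].prefixlen == 0 and "G" in r["flags"]]
    if not defaults:
        problems.append("no default route")
    for r in defaults:
        if r["gw"] != fw:
            problems.append(f"default gateway is {r['gw']}, expected {fw}")
        if r["iface"] != wan_if:
            problems.append(f"default route uses {r['iface']}, expected {wan_if}")
    # The firewall must sit on a network directly attached to the external NIC.
    if not any(r["gw"] is None and r["iface"] == wan_if and fw in r["net"] for r in routes):
        problems.append(f"{fw} is not on a network directly attached to {wan_if}")
    # The client range must be attached to the internal NIC.
    if not any(r["gw"] is None and r["iface"] == lan_if and r["net"] == lan for r in routes):
        problems.append(f"{lan} is not attached to {lan_if}")
    return problems

if __name__ == "__main__":
    for table in (GOOD_TABLE, BAD_TABLE):
        print(check_gateway(table, "192.168.1.254", "eth1", "eth0", "192.168.0.0/24"))
```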
Title: Re: HELP! - e-smith behind firewall
Post by: Norrie on May 24, 2001, 03:10:51 PM
Nathan, Kees, Graeme,

Thanks for your replies.  I'll check it all out tonight.

Regards

Norrie
Title: Re: HELP! - e-smith behind firewall
Post by: DUNCAN on June 10, 2001, 06:02:37 PM
Just out of curiosity why are you running your lan thru the e-smith box to get to the smoothwall box?

I am running smoothwall as a firewall and e-smith as a server.

e-smith has one nic and is running in server mode only. Its gateway is pointed at smoothwall.

My lan machines are pointed at smoothwall for internet and proxy use and at the e-smith server for email use.
Title: Re: HELP! - e-smith behind firewall
Post by: Norrie on June 13, 2001, 01:59:47 PM
Hi again,

Sorry for not keeping you all up to date but I've been busy trying (without success) to get ISDN working again.

Duncan.  I want to give 'net access to my kids via squidguard on e-smith.  I'd also like to run junkbuster too but it's too hard for me to do on Smoothwall.  I get frequent errors from Smoothwall if I enable the proxy.  I've just installed e-smith last night and manually configured my NICs.

Regards

Norrie