Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: dj_ramjet99 on April 22, 2002, 08:37:28 AM
-
Hi all,
Quick question, I have a school that is using an ADSL router with an e-smith build (as server/gateway, does squid proxying and mail, plus web site for school is hosted on this box). Works fine for mail, internet access etc.
I am trying to insert a smoothwall firewall between the e-smith and the router ( don't ask why ;) ) but I cannot access the internet no matter how hard I try from the LAN. I can ping the external card of the e-smith and the inside of the router (Nokia m1122)
Am I attempting the impossible with this set-up or am I, as I suspect, just missing a crucial setting somewhere?
Has anyone got this configuration working for themselves?
Would it make more sense to drop in another e-smith with ip-port-forwarding installed as a firewall instead of smoothwall?
-
>I can ping the external card of the e-smith and the inside of the router (Nokia m1122)
This might be where your problem is. Not knowing your setup I would suggest the following.
Set the e-smith box up as server only (one nic)
Point its gateway and dns settings to smoothwall.
Configure your client machines to use e-smith or smoothwall for dns and proxy.
The problem with trying to go through e-smith to smoothwall (if that is how you are set up) is that you will be on a different network to smoothwall's green interface. Smoothwall doesn't allow this (much the same way that you have to add other networks in e-smith).
This is how I run and it works fine (we run 56K though)
>Would it make more sense to drop in another e-smith with ip-port-forwarding installed as a firewall instead of smoothwall
I would stick with smoothwall (or probably try IPcop, because they are nicer people) simply because it has port forwarding built in and will give you visual indication of intrusion attempts etc whereas e-smith won't.
Regards Duncan
-
smoothwall (or probably try IPcop, because they are nicer people) ????? What sort of remark is that??
I mean we aren't going to discuss what firewall is better just with the fact .... they are nice ...they are not nice!!!!
The problem with ip-cop is that they do not update as regularly as they first wanted....
also the way ip-cop was acquired is not very pleasing......
Before I get flamed.... I used ip-cop for about 4 months but I've gone back to smoothwall.... patches 8-10 persuaded me to do that!!!
-
Fair enough.
Regards Duncan
-
Good luck with Smoothwall. But the number of patches tells you one thing: there are lots of problems with the product - that's why it needs patches to secure it.
Smoothwall is a great product, or used to be. But now all the goodies are in the commercial version.
Never mind support. This problem of yours would be solved in a matter of hours on the ipcop mailing list, ipcop FAQ or ipcop support website at http://ipcop.hopto.org. As a matter of fact they will help you with Smoothwall as well (without calling you names. :) ). And yes, I've been using Smoothwall, almost from day 1. I discovered a bug in the VPN implementation of smoothwall and instead of being offered a solution I was banned from the mailing list. Nice eh:) As for "the way that ip-cop was acquired", SW was built using the GPL community and it was supposed to stay that way. Mr. Morrell isn't the only one who worked on the SM project. He is the one who made a mess and this individual can't create one simple sentence without calling someone year a**, f**** p*** and so on.
Back to your problem.
Can you ping any ips on internet?
Your Esmith server is on the orange net, right? If this is true, you have a name resolution problem - specify the DNS server of your ISP instead of the SM box. I've set up 5 systems using IPCop and an Esmith server on the orange net - for web and mail serving - and had no problem at all.
Good luck,
Tom
-
Smoothwall = $$$ hungry
IP-Cop = security hungry
Get a life scotty.
-
Let me add-
I changed to IPCop last month. They are definitely much nicer. I proposed a question in the smoothwall IRC channel about a possible hack attempt on one of my internal computers where zonealarm had logged some ICMP packets. I asked how to block all ICMP packets from reaching the internal LAN. I was immediately kicked for referring to ZoneAlarm and was banned for several weeks.
The developers with IPCop are very helpful!
I have recently found e-smith and also believe it is a great project. I hope to see some of the IPCop functionality in e-smith someday, particularly IDS and QoS!
As for the original problem that the boxes behind e-smith may not be working because they are on a different network, I believe e-smith NATs the connection. Therefore, connections to SmoothWall would appear to be coming from only one computer with a valid IP.
ADSL
|
Smoothwall - RED - 66.94.0.1
Smoothwall - GREEN/NAT - 192.168.0.1
|
E-smith - Outside - 192.168.0.2
E-smith - Internal - 10.0.0.1
|
client 1 - 10.0.0.5
client 2 - 10.0.0.6 etc.
Goodluck!
-
Mmmm, this is how I had it setup.
In hindsight, either I missed the gateway setting on the smoothwall box, or on the e-smith box, or managed to reverse the NICs on the smoothwall.
Back to the lab ;)
-
>As for the original problem that the boxes behind e-smith may not be working because they are on a different network, I believe e-smith NATs the connection. Therefore, connections to SmoothWall would appear to be coming from only one computer with a valid IP
That's a good point. I tried once to set up my system like your diagram, but couldn't get it to work. I could browse etc when using the e-smith proxy server (which I expected) but couldn't access the internet in any other way. When I turned the proxy off in my browser I then couldn't surf. I didn't spend too much time on it as I found that my example below worked.
The thing that led me to believe that it was problems with the ip addresses was entries in Smoothwall's (at the time) firewall logs that were clearly denying outbound connections showing my computers' ip addresses.
Anyway, my current set up goes something like this:
56K
|
Smoothwall - RED - Class c/public
Smoothwall - GREEN/NAT - 10.0.0.2
E-smith - Internal - 10.0.0.1 (Server only)
client 1 - 10.0.0.10
client 2 - 10.0.0.11 etc.
All on the one switch.
Regards Duncan
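An added what-if check, not code from this thread or from either project: it models the double-NAT diagram above as data (the prefix lengths, the ISP-side gateway 66.94.0.254 and the client address are assumptions) and walks the default gateways from a client towards the internet, flagging a missing gateway, a gateway that is not on any local subnet, and the "different network" case Duncan describes, where the upstream firewall has no route back to the LAN unless the middle box NATs or a static route is added.

```python
import ipaddress

# Constructed model of the double-NAT layout drawn in the thread. Prefix
# lengths and the ISP-side gateway 66.94.0.254 are assumptions.
TOPOLOGY = {
    "smoothwall": {"ifaces": ["66.94.0.1/24", "192.168.0.1/24"],
                   "gateway": "66.94.0.254", "nat": True, "routes": []},
    "e-smith": {"ifaces": ["192.168.0.2/24", "10.0.0.1/24"],
                "gateway": "192.168.0.1", "nat": True, "routes": []},
    "client1": {"ifaces": ["10.0.0.5/24"], "gateway": "10.0.0.1",
                "nat": False, "routes": []},
}

def nets(host):
    return [ipaddress.ip_interface(i) for i in host["ifaces"]]

def owner(topo, ip):
    # Host holding `ip` on an interface; None means the ISP side of the model.
    return next((n for n, h in topo.items() if any(i.ip == ip for i in nets(h))), None)

def reachable(host, ip):
    # Can `host` deliver a reply to `ip`: on-link subnet or an added static route?
    return (any(ip in i.network for i in nets(host))
            or any(ip in ipaddress.ip_network(r) for r in host["routes"]))

def check_path(topo, start, max_hops=8):
    """Follow default gateways from `start` to the internet; list config faults."""
    problems, cur = [], start
    src = nets(topo[start])[0].ip            # address replies must return to
    for _ in range(max_hops):
        host, gw = topo[cur], topo[cur].get("gateway")
        if gw is None:
            return problems + [f"{cur}: no default gateway set"]
        gw_ip = ipaddress.ip_address(gw)
        if not any(gw_ip in i.network for i in nets(host)):
            return problems + [f"{cur}: gateway {gw} is not on any local subnet"]
        if host["nat"]:                      # masquerade: upstream sees cur's own address
            src = next(i.ip for i in nets(host) if gw_ip in i.network)
        nxt = owner(topo, gw_ip)
        if nxt is None:                      # gateway is the ISP: internet reached
            return problems
        if not reachable(topo[nxt], src):    # the "different network" case
            problems.append(f"{nxt}: no route back to {src}; add a static route "
                            f"on {nxt} or enable NAT on {cur}")
        cur = nxt
    return problems + ["routing loop or too many hops"]

def variant(topo, name, **changes):
    # Copy of the topology with one host's settings altered, for what-if checks.
    return {**topo, name: {**topo[name], **changes}}
```

Switching NAT off on e-smith reproduces the denied-outbound entries Duncan saw (Smoothwall has no route to 10.0.0.0/24), and adding that route on Smoothwall clears it.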
-
You said unless your clients were configured to use the proxy. I currently have e-smith set up like yours. I want to put all of the clients behind e-smith so that they will be forced to go through e-smith (I'm using SquidGuard to filter content). I had thought that squid was a transparent proxy and there would be no need to configure clients if e-smith was set up to NAT the network? Am I misunderstanding?
I would also like to check on a way to use IPCop without NATing as my t1 router NATs to IPCop which NATs to e-smith which in turn NATs to the LAN. I have yet to try this, but am hoping it will work!
-
I should have mentioned that my original test was on a 4.1.2 machine which I don't think had the transproxy function built in.
I haven't tried this on a 5.1.2 machine.
Regards Duncan