Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: billym on January 19, 2007, 10:49:53 PM

Title: Adding a route?
Post by: billym on January 19, 2007, 10:49:53 PM
This is my scenario:

gateway1 = SME server (xx.xx.xx.1)(DHCP Server)
gateway2 = Hardware Firewall /VPN(xx.xx.xx.2) - required for vendor access

Vendor needs access from their network to LAN PCs but is unable to ping them.

Tried adding a route via the local network GUI but it still did not resolve their access to us.

How would I configure this on SME 7?

Any help would be greatly appreciated.
Title: Adding a route?
Post by: mmccarn on January 20, 2007, 07:56:32 PM
Is this what you're describing?
Code:


  Internet
    |
    SME - local x.y.z.1
     \
      +--Local Network (x.y.z.0 mask 255.255.255.0 gw x.y.z.1)
     /
    Secondary Router - local x.y.z.2
    |
  Vendor Network via VPN (a.b.c.0 mask 255.255.255.0)


If so, you can get to the Vendor net from your local workstations by changing the route on the workstations.  For Windows XP this would look like this:
Code:
C:\> route add a.b.c.0 mask 255.255.255.0 x.y.z.2 -p

(The "-p" causes the custom route to (p)ersistently survive a reboot)

If the objective is to give the vendor access to a server or two on your network I'd execute the above route commands on those servers and leave the SME alone - this provides some mild protection to the computers on your network that the vendor does not need to access (and vice versa).

If all users on the network need access to the vendor's net, and if you have a large network, you could try issuing the corresponding route command on the SME box.  Once you find the exact SME route command that gets things working you need to "template" it so that it will survive SME reboots, upgrades, &c.

The "local networks" setting in the GUI is used to change the default security behavior for traffic to & from a given network and doesn't add any routes.  You'll need to add "a.b.c.0" to the "local networks" only if the Vendor is supposed to be able to access the SME services as though he is in your office.

Here's a guess at what the SME route syntax would be:
Code:
route add -net a.b.c.0 netmask 255.255.255.0 gw x.y.z.2

It's possible that adding a custom route like this in a SME server also requires customizations to the iptables rules (I don't know).

Last thought: Does the VPN use open standards?  If so, you may be able to connect the SME box directly to the vendor's VPN using a SME VPN contrib and eliminate the .2 router entirely...
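
The per-host routing advice in the reply above, as an added example that is not part of either post: it resolves the next hop a host picks for replies to the vendor network and lists hosts that carry the vendor route without being meant to. The addresses (192.168.1.0 for x.y.z.0, 10.20.30.0 for a.b.c.0), host names and helper functions are constructed for illustration.

```python
import ipaddress

# Constructed stand-ins for the thread's placeholders:
# x.y.z.0 -> 192.168.1.0 (LAN), a.b.c.0 -> 10.20.30.0 (vendor network).
SME_GW = ipaddress.ip_address("192.168.1.1")  # default gateway from DHCP
VPN_GW = ipaddress.ip_address("192.168.1.2")  # hardware firewall / VPN

def parse_route(dest, mask, gateway):
    """Turn a 'route add' style triple into (network, gateway)."""
    return ipaddress.ip_network(f"{dest}/{mask}"), ipaddress.ip_address(gateway)

def next_hop(routes, dst):
    """Longest-prefix match over a host's routes; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def replies_via_vpn(host_tables, vendor_ip):
    """Hosts whose replies to vendor_ip leave through the VPN router."""
    return sorted(h for h, r in host_tables.items() if next_hop(r, vendor_ip) == VPN_GW)

def unexpected_vendor_routes(host_tables, allowed, vendor_ip):
    """Hosts that route to the vendor but are not on the allowed list."""
    return [h for h in replies_via_vpn(host_tables, vendor_ip) if h not in allowed]

DEFAULT = parse_route("0.0.0.0", "0.0.0.0", "192.168.1.1")
VENDOR = parse_route("10.20.30.0", "255.255.255.0", "192.168.1.2")

# Hypothetical hosts: only "appserver" is meant to be reachable by the vendor.
HOSTS = {
    "appserver": [DEFAULT, VENDOR],
    "workstation1": [DEFAULT],          # reply is sent to the SME box, not the VPN router
    "workstation2": [DEFAULT, VENDOR],  # route added by mistake
}

if __name__ == "__main__":
    for name, routes in HOSTS.items():
        print(name, "->", next_hop(routes, "10.20.30.5"))
    print("review:", unexpected_vendor_routes(HOSTS, {"appserver"}, "10.20.30.5"))
```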