Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x => Topic started by: robf355 on November 21, 2021, 11:29:42 PM
-
Hi
I updated sme tonight using the software installer, now I cannot access the network / internet anything
The ethernet adapter link light is off, if I go into the bios and check the network the light comes on, as soon as sme reboots and starts it goes off
the packages updated were
qpsptpd-0.96-20.e17.sme.noarch
smeserver-clamav-2.7.0-10.e17.sme.noarch
e-smith-qmail-2.6.0-13.e17.sme.noarch
e-smith=-email.5.6.0-15.e17.sme.noarch
smeserver-horde-1.0.0-29.e17.sme.noarch
e-smith-radiusd-2.6.0-21.e17.sme.noarch
e-smith-samba-2.6.0-26.e17.sme.noarch
e-smith-packetfilter-2.6.8-8.e17.sme.noarch
e-smith-apache-2.6.0-16.e17.sme.noarch
ifconfig shows the correct ip address and subnet mask
br0: flags=4099<UP,BROADCAST,MULTICAST> MTU 1500
inet 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255
no bytes transmitted or received
ROUTE SHOWS: KERNEL IP ROUTING TABLE
Destination gateway genmask flags metric ref use iface
default pc-00002.kjctec 0.0.0.0 UG 0 0 0 br0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
any ideas, I can't download anything from the net from this machine, strange that the link light is off on the adapter, I've logged in as admin and selected configure this computer to check the network adapter selected, all as it should be.
could the packet filter be the problem as that's the only network related thing that was updated
Any help appreciated
edit: update display for easy reading
-
you could do a downgrade of packetfilter and see..might just be a typo but my version, no issues, is
[root@fagehome ~]# rpm -q e-smith-packetfilter
e-smith-packetfilter-2.6.0-8.el7.sme.noarch
-
The packetfilter update was to do with
restrict VPN networks to their interface [SME: 11640]
remove remoteVPNSubnet property added VPNif property
and it was me who verified it..damn if it's it...
-
What mode is your server configured? ie server, server-gateway ?
Check in /var/log/iptables to see if there is anything there?
Mine is running in server only mode and I can access the internet fine with today's updates installing fine.
rpm -q e-smith-packetfilter
e-smith-packetfilter-2.6.0-8.el7.sme.noarch
I notice that you are running in bridge mode and you said in your OP that you cannot access the network or internet. Why are you using a bridge interface?
I understand that you had a working configuration and after the latest updates it stopped working, but please provide more information exactly how your system is configured. Have you got a vpn configured? enabled/disabled etc
-
Another thought, if the link light is off on the network card try plugging the cable back in (at both ends)
-
Yes, suspect OP is operating with a VPN setup or is related to posting smecontribs forum re openvpn-bridge
-
server is operating in server only mode
previously had openvpn bridge and routed installed, but following problems (posted in contribs) they were both uninstalled.
rpm -q e-smith-packetfilter
error: Failed dependencies:
e-smith-packetfilter >= 1.13.0.13 is needed by (installed) e-smith-portforwarding-2.6.0-3.el7.sme.noarch
iptables o/p:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ForwardedTCP
-N ForwardedTCP_2236
-N ForwardedUDP
-N ForwardedUDP_2236
-N InboundICMP
-N InboundICMP_2236
-N InboundTCP
-N InboundTCP_2236
-N InboundUDP
-N InboundUDP_2236
-N SMTPProxy
-N SSH_Autoblock
-N SSH_Whitelist
-N SSH_Whitelist_2236
-N denylog
-N local_chk
-N local_chk_2236
-N state_chk
-A INPUT -j state_chk
-A INPUT -j local_chk
-A INPUT -s 224.0.0.0/4 -j denylog
-A INPUT -d 224.0.0.0/4 -j denylog
-A INPUT -p icmp -j InboundICMP
-A INPUT -p icmp -j denylog
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j InboundTCP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A INPUT -i br0 -p udp -j InboundUDP
-A INPUT -i br0 -p udp -j denylog
-A INPUT -j denylog
dmesg:
[ 61.535056] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 61.536867] Bridge firewalling registered
[ 61.558224] tun: Universal TUN/TAP device driver, 1.6
[ 61.558227] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ 61.560137] IPv6: ADDRCONF(NETDEV_UP): tap0: link is not ready
[ 61.560143] device tap0 entered promiscuous mode
[ 61.560851] br0: port 1(tap0) entered blocking state
[ 61.560853] br0: port 1(tap0) entered disabled state
[ 62.605388] IPv6: ADDRCONF(NETDEV_UP): br0: link is not ready
As a test I disabled the ethernet adapter in the bios and then enabled the second adapter, the link light then came on but the output from iptables is the same, it seems that ethernet adapter isn't even activated, presumably the os thinks it doesn't need it?
I checked /etc/sysconfig/network-scripts/enp0s25
It has the setting ONBOOT=no
Any ideas as to how I rectify this, I'm not at all conversant with the templates or db config so any pointers as to what to look for (if that is the issue) would be very welcome
-
I suspect that you have an issue with which network interface is active. In your original post your o/p for ifconfig mentions 'br0' and in your last post you mention 'enp2s0'. They are different.
If you have disabled the openvpn bridge you shouldn't be using 'br0' you should be using the raw interface 'enp2s0'
Log on as admin and configure your network to use enp2s0.
You may have to read the wiki for openvpn bridge and follow how to disable the bridge network.
-
If you have two adapters, and it seems you do from comment above, make sure you are plugged into the right one and have it selected in the console config screen, I have made that mistake in the past when moving from server-gateway to server only and been a little hasty in my cable removals and plugins.. :-)
-
Thanks for the suggestions, I finally fixed it (Thank god)
checked the openvpn-bridge wiki, it mentioned:
You may also want to remove some other dependencies if you don't use them anymore
yum remove smeserver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet
Notes
1. disabled both server network cards and rebooted - this may not have been necessary
2. restarted and attempted to reconfigure the server from admin screen, refused as no network card found.
3. rebooted tried to uninstall as above, yum refused, said "Another app is currently holding the yum lock"
killed the yum instance, then retried - uninstall successful
Nov 22 08:33:24 Erased: perl-Net-OpenVPN-Manage-0.02-2.el7.sme.noarch
Nov 22 08:33:24 Erased: perl-Net-Telnet-3.03-19.el7.noarch
Nov 22 08:33:25 Erased: smeserver-bridge-interface-0.2-7.el7.sme.noarch
5. just in case:
signal-event post-upgrade; signal-event reboot
5. rebooted, then reconfigure, all ok
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255
ether 00:19:99:c3:ce:9b txqueuelen 1000 (Ethernet)
RX packets 5577 bytes 1876912 (1.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6724 bytes 5129912 (4.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 18 memory 0xfe600000-fe620000
Thanks for the help
:-D
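
Added example, not part of any post in this thread: the two ifconfig outputs quoted above differ by one flag, RUNNING (numeric 4099 for br0 versus 4163 for enp3s0, a difference of 0x40), which is the kernel's carrier indication. The shell sketch below lists interfaces that are UP but not RUNNING; the function names and the embedded sample (assembled from the lines quoted in the thread) are constructed for illustration.

```shell
#!/bin/bash
# Constructed sample, assembled from the ifconfig lines quoted in the thread.
SAMPLE='br0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
        inet 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255'

# Succeeds when the numeric flags value has IFF_RUNNING (0x40 = 64) set,
# i.e. the kernel sees carrier on the device.
running_bit_set() {
    [ $(( $1 & 64 )) -ne 0 ]
}

# Reads ifconfig output on stdin and prints each interface that is
# administratively UP but not RUNNING: configured, yet passing no traffic.
no_carrier_ifaces() {
    awk '
        /^[^ \t]+: flags=/ {
            name = $1; sub(/:$/, "", name)
            flags = $2
            sub(/^flags=[0-9]+</, "", flags); sub(/>.*$/, "", flags)
            n = split(flags, f, ",")
            up = 0; running = 0
            for (i = 1; i <= n; i++) {
                if (f[i] == "UP") up = 1
                if (f[i] == "RUNNING") running = 1
            }
            if (up && !running) print name
        }'
}

# Offline demonstration on the sample; on a live server use:
#   ifconfig -a | no_carrier_ifaces
printf '%s\n' "$SAMPLE" | no_carrier_ifaces
```

A bridge with no active port shows up this way, which matches the dmesg output earlier in the thread where br0's only port (tap0) entered the disabled state.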
-
mate, grinners :-) and you have gained some knowledge along the way
-
It was most likely the bridge interface contrib doing the damage.
-
will need to investigate the bridge contrib.
trying to reproduce your steps to see if we can reproduce.
try to correct if i forget some steps
SME server only
install smeserver-openvpn-bridge + smeserver-phpki-ng
configure certs for server and one client
put servers certificates in place
configure the port forwarding on your router
open vpn hang on start (can you specify if on reboot or initial install, how you saw that)
uninstall smeserver-openvpn-bridge
yum update then signal-event post-upgrade signal-event reboot
no network, only access by keyboard and screen.
-
Hi
this is the sequence I followed, after every signal event update I did a manual reboot - shutdown now -r
yum --enablerepo=smecontribs install smeserver-openvpn-bridge
yum --enablerepo=smecontribs,epel install smeserver-phpki
then there was a mention in the wiki about enabling the epel repository
db yum_repositories set epel repository Name 'Epel - EL7' BaseURL 'http://download.fedoraproject.org/pub/epel/7/$basearch' MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-7&arch=$basearch' EnableGroups no GPGCheck yes GPGKey http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL Exclude perl-Razor-Agent,pwauth Visible no status disabled
signal-event yum-modify
then as per a query I logged, to install phpki-ng:
yum --enablerepo=smecontribs,smetest,epel install smeserver-phpki-ng
signal-event post-upgrade; signal-event reboot
then I also needed openvpnrouted, installed and changed the port
yum install smeserver-openvpn-routed --enablerepo=smecontribs
config setprop openvpn-bridge UDPPort 1195
Generated the certificates from the manager page and then
cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/
signal-event openvpn-routed-update
This is when I checked the server manager page and it said the service was trying/waiting to start
I checked the logs:
less /var/service/openvpn-routed/log/
less /var/service/openvpn-routed/log/supervise/status
all empty
following some responses to my query about the service not starting
this will show status of service
# systemctl status openvpn-bridge
don't use openvpn so can't do any triage, have it installed to a VM but that's about it so far, no certs etc setup
I decided to (as per post) uninstall and try it on a VM instead - as I couldn't afford to have the main server down
yum remove smeserver-openvpn-routed
yum remove smeserver-openvpn-bridge
hope this helps
-
Not sure you can run bridged AND routed at the same time.
But bridged will probably be the one that causes the issue
JP will comment but he's a busy boy the next few weeks so be patient while he saves lives.
-
you can run the 3 openvpn contribs on the same server. i do !
bridge and s2s are the less intrusive as they do not require bridging which is the delicate operation.
-
Cool.
So openvpn bridge is not the same as smeserver bridge, and they're not really dependent. Hence uninstalling the openvpn contribs won't remove it.
Nonetheless I imagine it's still where the issue lies.
Did you really want a bridged network device? Or just after openvpn and installed by mistake?
-
I had bridged and routed on 9.2. I actually used the routed for tablet to server connection when at customers. The bridge section was installed because it keeps the certificates up to date. Though I also had the bridge service started on 9.2 so I could use Windows to connect to my cifs shares on the odd occasion when away from the office.
I didn't ever try and install the actual openvpn from a non sme package. Both mine were from contribs as far as I was aware.
To be honest the 9.2 versions worked really well both with iPhone and android
-
smeserver-bridge is also needed for softethernet and for different needs.
so while openvpn-bridge needs it they are two things.
routed is needed for ios things because bridge is not supported.
bridge is to be preferred for laptop and android.
try wireguard for the tablet. you will love it.
-
try wireguard for the tablet. you will love it.
Yep, a tick for this..
-
try wireguard for the tablet. you will love it.
Installed - so easy to setup, is it as secure as open vpn?
-
Installed - so easy to setup, is it as secure as open vpn?
Possibly. There are a lot of sites where you can compare between Ipsec v2, OpenVPN, and Wireguard (forget Ipsec v1/L2TP/PPP)
Each has benefits and drawbacks.
OpenVPN and Ipsec have been around a long time, and are well known and tested. They can both use certificates which can enhance your security considerably, but are not so easy to set up.
It will depend on your needs.
For home use definitely try Wireguard as it is simple to install and use. But you need an app so consider your privacy there.
For more business orientated work you may want to look at OpenVPN or IPsec. They might not be quite as 'quick', but they are the industry standards and used by governments and business globally.
OpenVPN needs an app for a mobile - but clearly privacy is involved - and certificates.
Ipsec can be used on mobiles natively so that is a bit less overhead and better privacy. It can be used with just passwords, or with RSA signatures, or certificates.
Wireguard and OpenVPN have Koozali implementations. I have had an ipsec implementation for years which I need to finish upgrading for v10 and plus better mobile support. yet another job :-(
I'd have a good read around so you really understand the differences, pros and cons.
YMMV... :-)