Title: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: jzardo on Thursday 31 May 2012, 04:33:55 am

Hello All,
I'm trying to use Endian 2.5.1 with one NIC just for an HTTP Proxy/Filter behind a firewall. Green address is 10.2.0.250/24 and gateway is 10.2.0.254/24.

Install finishes OK and I can access the GUI and run the wizard.

In the wizard I choose GATEWAY mode:

Install DOCs say:
"If you require a configuration where you will not need a Red (WAN) interface, you can select Gateway as the connection type and this will allow you to deploy the Endian in a semi-transparent configuration. This option will allow you to deploy the Endian into a network using the Green (LAN) interface as your primary network connection and using an existing gateway that lives within the Green network"

After the wizard is finished and services are restarted, I lost GUI access. Browsers just time out before asking for credentials.

If I log in with SSH, network and default gateway are correct (route -n) and I can ping to/from the box for remote sub-networks, which tells me networking/routing is OK.

I do not want to put in a 2nd NIC just for a fake RED uplink/gateway in another logical IP network as this will have a management overhead.

Anybody had this issue before? Is it resolved?

Thanks in advance.

Kind regards,

Title: Re: Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: kashifmax on Monday 04 June 2012, 05:32:42 pm

Did you check the forum? You'll find your answer by searching keywords "gateway" or "NAT" or "zone"...

Quote
    Anybody had this issue before? Is it resolved?

There is no issue with the gateway mode option...

Title: Re: Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: mrkroket on Tuesday 05 June 2012, 03:11:50 am

Check System access firewall settings. Maybe you lock out your firewall from your GREEN LAN.
Almost all configs are located in /var/efw.
Check System access in the /var/efw/xtaccess/config file.
Edit to your needs and reboot.
If you still can't get to the GUI, use https://FIREWALLIP:10443

Gateway uplinks work OK, it isn't a problem/known bug.

Title: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: jzardo on Tuesday 05 June 2012, 11:13:07 pm

Hi kashifmax and mrkroket

Thanks for helping. Yes, I checked the forum and a Brazilian forum and found nothing. I also looked into /var/efw/xtaccess/config and it is fine.

I found a workaround. Hope it can help someone else:

In the wizard, after install, if I put the same green IP as gateway IP, system access works and then I can log in. After that I go to network configuration again and change gateway to the correct IP address.

Kind regards,
JZardo

Title: Re: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: Milkwerm on Wednesday 04 July 2012, 06:51:47 am

I'm getting the exact same problem trying to set up Endian 2.5.1 with one NIC in VMware (ESXi)

The workaround mentioned doesn't seem to work for me.. I can open the console and ping out by IP address, but I get no name resolution and the green interface doesn't reply to ping from my desktop.

Title: Re: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: j2mc on Sunday 22 July 2012, 10:55:42 am

Same issue here, by putting in the same address for the gateway it does let me get into the web config again, but as soon as I change the gateway address to the correct one I lose access again. I've disabled the outgoing and inter-zone firewalls and it didn't help.

Any other ideas? Obviously this is a problem as a quick search finds several threads with the same problem and no answers.

Title: Re: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: zcbett on Friday 31 August 2012, 06:55:02 am

Hi all,

Same issue here. When conf with just one NIC and the gw for RED zone is on the same network as GREEN zone, I can't log in to the GUI. Help !!!!

Title: Re: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: cricido on Thursday 18 October 2012, 02:26:59 am

solved ?????? where is the solution?

Title: Re: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: office_oit on Saturday 23 February 2013, 01:37:53 am

up!

I really NEED to squash this bug! Just hang up on a network with IP 192.168.2.x: like other situations, after first configuration, set IP address of default gateway same as green IP and after I set the correct one I lose green access!

Title: Re: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: blitzspear on Saturday 06 April 2013, 02:37:10 am

I found on VMware creating a virtual machine and then having only one interface to use just the PROXY caused an issue where it couldn't be configured from anywhere UNLESS you were on the same subnet for the interface.

It appears that this is due to the DEFAULT GATEWAY not being set, so I worked out this way of always getting it to work.

Using VICLIENT to see the console and enter into the shell:

Press 0 to get into the shell (press return after each command).
After login it will ask for root password; default is 'endian'.

    login
    ifconfig br0 192.168.1.100/24
    route add default gw 192.168.1.254
    exit

CHANGE 192.168.1.100 and 192.168.1.254 to YOUR specific IP and GATEWAY.

This will bring you back to the console screen in VICLIENT with the settings configured.
Due to not committing these changes, if you reboot or restart it will go back to default 192.168.0.15.

Once you exit above, use a web browser to configure and use GATEWAY mode on the RED interface. All changes will be committed by using the web interface.

Hope this helps.

Blitzspear

Title: Re: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: lands.wilmoth on Thursday 02 May 2013, 08:43:43 am

I am having this problem, I think. My setup is as follows:

Standard router
- WAN to cable modem
- LAN IP 192.168.1.1

Windows 2012 server (w/ single NIC)
- LAN IP static 192.168.1.7
- DHCP server (gateway = 192.168.1.1; DNSs 192.168.1.7)

Virtual machine w/ Endian Firewall Community 2.5.1
- LAN IP static 192.168.1.9 (green zone)
- Gateway mode

I experience the same "loss of GUI" symptom after I initially install the product, log in to the GUI, and set up the green as above. I set the mode to gateway and point it to 192.168.1.1. After I confirm changes and reboot, I have no GUI access. But I can still ping to 192.168.1.9 (endian) from any other computer. I can also ping OUT from 192.168.1.9 to external servers like google.com.

My goal is to have endian as the "middle man," i.e. that my DHCP server (192.168.1.7) tells all the DHCP clients that endian (192.168.1.9) is the gateway. So they all go to that first. Then endian will relay traffic to the router (192.168.1.1) but only AFTER doing web filtering, which is the whole purpose of using endian. But losing GUI access kind of makes any further tweaking impossible with my limited knowledge.

Any ideas or suggestions? Thanks.

Title: Re: [SOLVED] Just one NIC on Green for HTTP Proxy - GUI unreachable
Post by: office_oit on Tuesday 09 July 2013, 07:49:18 pm

this is the log after reconfiguration & relative gui FAIL
i regain temporarily gui adding ifconfig br0 192.168.0.10/24
i see ifplugd failed but i don't know how to manage it

Jul 9 11:40:28 sudo nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/sbin/ifplugstatus
Jul 9 11:40:47 sudo root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/monit status
Jul 9 11:40:49 sudo nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/sbin/ifplugstatus
Jul 9 11:40:56 sudo nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/sbin/ifplugstatus
Jul 9 11:41:06 sudo nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/sbin/ifplugstatus
Jul 9 11:41:06 sudo nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/sbin/ifplugstatus
Jul 9 11:41:19 sudo nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/sbin/ifplugstatus
Jul 9 11:41:19 sudo nobody : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/etc/rc.d/rc.netwizard.reload
Jul 9 11:41:21 uplink[main] Stopping Uplink 'main'
Jul 9 11:41:21 uplink[main] Uplink 'main' status: 'OFFLINE'
Jul 9 11:41:21 uplink[main] Successfully shut down link 'main'
Jul 9 11:41:22 kernel [ 1866.426221] br0: port 1(eth0) entering disabled state
Jul 9 11:41:22 kernel [ 1866.430619] br0: port 1(eth0) entering disabled state
Jul 9 11:41:22 kernel [ 1866.976642] eth0: Using EEPROM-set media 100baseTx-FDX.
Jul 9 11:41:23 kernel [ 1867.255692] br0: port 1(eth0) entering learning state
Jul 9 11:41:24 ifplugd(br0)[12403] ifplugd 0.28 initializing.
Jul 9 11:41:24 ifplugd(br0)[12403] Using interface br0/00:15:5D:01:90:00 with driver (version: 2.3)
Jul 9 11:41:24 ifplugd(br0)[12403] Using detection mode: SIOCETHTOOL
Jul 9 11:41:24 ifplugd(br0)[12403] Initialization complete, link beat detected.
Jul 9 11:41:24 ifplugd(br0)[12403] Executing '/etc/ifplugd/ifplugd.action br0 up'.
Jul 9 11:41:24 ntpd[4108] Listen normally on 15 br0 192.168.0.252 UDP 123
Jul 9 11:41:24 ntpd[4108] Deleting interface #14 br0, 192.168.0.10#123, interface stats: received=0, sent=0, dropped=0, active_time=847 secs
Jul 9 11:41:24 ntpd[4108] peers refreshed
Jul 9 11:41:24 ntpd[4108] new interface(s) found: waking up resolver
Jul 9 11:41:24 ifplugd(br0)[12403] client: Notify uplinks daemon: [FAILED]
Jul 9 11:41:24 ifplugd(br0)[12403] Program execution failed, return value is 1.
Jul 9 11:41:27 kernel [ 1871.255018] br0: port 1(eth0) entering forwarding state
Jul 9 11:41:30 dnsmasq[9840] no servers found in /etc/dnsmasq/resolv.conf, will retry
Jul 9 11:41:30 dnsmasq[9840] exiting on receipt of SIGTERM
Jul 9 11:41:31 dnsmasq[12923] started, version 2.47 cachesize 2048
Jul 9 11:41:31 dnsmasq[12923] compile time options: IPv6 GNU-getopt no-DBus no-I18N TFTP
Jul 9 11:41:31 dnsmasq[12923] no servers found in /etc/dnsmasq/resolv.conf, will retry
Jul 9 11:41:31 dnsmasq[12923] read /etc/hosts - 5 addresses
Jul 9 11:41:31 dnsmasq[12923] read /etc/openvpn/dnsmasq.hosts.conf - 0 addresses
Jul 9 11:41:34 uplink[main] Starting Uplink 'main'
Jul 9 11:41:34 uplink[main] Notify uplinks daemon about status change of uplink 'main'. Status id OK
Jul 9 11:41:34 uplink[main] Uplink 'main' status: ''
Jul 9 11:41:34 syslog-ng[10163] Termination requested via signal, terminating;
Jul 9 11:41:34 syslog-ng[10163] syslog-ng shutting down; version='2.0.10'
Jul 9 11:41:35 syslog-ng[13323] syslog-ng starting up; version='2.0.10'
Jul 9 11:41:44 dnsmasq[12923] read /etc/hosts - 5 addresses
Jul 9 11:41:44 dnsmasq[12923] overflow: 2 log entries lost
Jul 9 11:41:44 dnsmasq[12923] using nameserver 8.8.8.8#53
Jul 9 11:41:44 dnsmasq[12923] using nameserver 192.168.0.50#53
Jul 9 11:41:46 ntpd[4108] Listen normally on 16 br0 192.168.0.10 UDP 123
Jul 9 11:41:46 ntpd[4108] Deleting interface #15 br0, 192.168.0.252#123, interface stats: received=0, sent=0, dropped=0, active_time=22 secs
Jul 9 11:41:46 ntpd[4108] peers refreshed
Jul 9 11:41:46 ntpd[4108] new interface(s) found: waking up resolve
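
A log like the one in the post above is easier to triage as a timeline of interface address changes, failed ifplugd actions and uplink status. The following is an added example, not part of the thread or of Endian's own tooling; the rule names and the summary layout are assumptions of this example, and the sample lines are copied from the posted log.

```python
import re
# Lines copied from the log posted above (Endian log viewer format).
SAMPLE = """\
Jul 9 11:41:21 uplink[main] Uplink 'main' status: 'OFFLINE'
Jul 9 11:41:24 ntpd[4108] Listen normally on 15 br0 192.168.0.252 UDP 123
Jul 9 11:41:24 ntpd[4108] Deleting interface #14 br0, 192.168.0.10#123, interface stats: received=0, sent=0, dropped=0, active_time=847 secs
Jul 9 11:41:24 ifplugd(br0)[12403] client: Notify uplinks daemon: [FAILED]
Jul 9 11:41:24 ifplugd(br0)[12403] Program execution failed, return value is 1.
Jul 9 11:41:34 uplink[main] Uplink 'main' status: ''
Jul 9 11:41:46 ntpd[4108] Listen normally on 16 br0 192.168.0.10 UDP 123
Jul 9 11:41:46 ntpd[4108] Deleting interface #15 br0, 192.168.0.252#123, interface stats: received=0, sent=0, dropped=0, active_time=22 secs
"""

TS = r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
# Rule names are labels chosen for this example, not Endian terminology.
RULES = [
    ("addr_up", re.compile(TS + r"ntpd\[\d+\] Listen normally on \d+ (\S+) ([\d.]+) UDP")),
    ("addr_down", re.compile(TS + r"ntpd\[\d+\] Deleting interface #\d+ (\S+), ([\d.]+)#")),
    ("hook_failed", re.compile(TS + r"ifplugd\((\S+?)\)\[\d+\] (.*\[FAILED\]|Program execution failed.*)")),
    ("uplink", re.compile(TS + r"uplink\[(\w+)\] Uplink '\w+' status: '(.*)'")),
]

def timeline(text):
    """Return (time, kind, subject, detail) for every line a rule matches."""
    events = []
    for line in text.splitlines():
        for kind, rx in RULES:
            if (m := rx.match(line.strip())):
                events.append((m.group(1), kind, m.group(2), m.group(3)))
                break
    return events

def summarize(events):
    """Track addresses ntpd sees per interface; collect failures and uplink states."""
    bound, history, failures, uplinks = {}, {}, [], {}
    for when, kind, subject, detail in events:
        if kind == "addr_up":
            bound.setdefault(subject, set()).add(detail)
            history.setdefault(subject, []).append(detail)
        elif kind == "addr_down":
            bound.setdefault(subject, set()).discard(detail)
        elif kind == "hook_failed":
            failures.append((when, subject, detail))
        else:  # uplink status line; an empty status string is kept visible
            uplinks.setdefault(subject, []).append(detail or "<empty>")
    return {"bound": bound, "history": history, "failures": failures, "uplinks": uplinks}

if __name__ == "__main__":
    print(summarize(timeline(SAMPLE)))
```

On the sample lines the summary shows br0 moving to 192.168.0.252 and back to 192.168.0.10 within the reload, two ifplugd failure lines at 11:41:24, and the uplink 'main' going from 'OFFLINE' to an empty status.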