Author Topic: Can't go on my website on ORANGE zone from the Internet  (Read 17183 times)
zeddo
« on: Sunday 31 October 2010, 02:48:12 am »

Hi everybody,

First, sorry for my poor English, I'm French :p

I'm trying to install Endian Firewall 2.3 with 4 cards: RED, GREEN, ORANGE and BLUE.
No problem for the green one, my computers can go on the Internet.

What I don't understand is this: from the green network, you can go to the orange one (normally a DMZ shouldn't be visible IN the society, should it?)
When I'm at home (for example), I can't go to the website of my society (on a server in the Orange zone).

My config:

RED    : 192.168.5.1/24 (behind the internet router, gateway 192.168.5.254)
GREEN  : 172.16.31.253/19
ORANGE : 192.168.6.1/24 (My WebServer: 192.168.6.4)
BLUE   : 192.168.24.1/24

I tried to configure a Destination NAT and Outgoing / Incoming traffic, but it doesn't work...

If someone understands my "Frenglish" and can help me ^^

Bye
xsidx
« Reply #1 on: Monday 01 November 2010, 10:07:31 am »

I can't really understand your questions, but a DMZ is meant to be visible to both your green and the internet; this is where you can put your web server so that it is completely accessible from the internet. You might just have to set up more specific routing policies or port settings according to what you are trying to do. I would double-check port forwarding, and make sure that you have your web server correctly set on the site port, and your forwarding to it.

One question: are you really hosting 8190 users on your Green Network? Because a /19 subnet is pretty big, so if you are, I hope you really have some heavy-duty server to run all those users at any given moment.

zeddo
« Reply #2 on: Wednesday 03 November 2010, 12:44:49 am »

Hi,
thanks for your answer.

The DMZ is visible and accessible from the Green zone, but not from the Internet, and I'd like the DMZ to be visible from the Internet.
As you said, it just seems to be a problem of specific routing policies or port settings, but I don't understand why the parameters I have set don't work.

I just want to be able to do: INTERNET -> Firewall -> 192.168.6.4:80 and 192.168.6.4:80 -> Firewall -> Internet
If you try this today, you get a blank page with an error message "site is not found" (something like that) in your browser.

For the number of hosts, it's the former network administrator who did this. I have been in the society for one year only. Today we just have 472 users in our local network. There are a lot of production machines (my society builds glasses) and just 190 "true users" on computers.
xsidx
« Reply #3 on: Wednesday 03 November 2010, 06:46:52 pm »

Make sure you have this set up

Under Firewall > Port Routing/Destination NAT

#   Incoming IP    Service   Policy                  Translate to     Remark
1   "UPLINK ANY"   HTTP/80   (Green Arrow = Allow)   192.168.6.4:80   Web Server


This should allow incoming traffic to access your server.

I am using the exact same settings to allow me to remote into my server through Endian from outside the site, and it works with no problem.

Also, you don't need to set anything under incoming routed traffic; port forwarding should be more than enough.

If it doesn't work, can you also take a screenshot of your port routing so I can see every setting you have on it.

As to your DHCP settings on your subnet, you say that you have 472 users and only 192 true users; if by users you mean PCs, then yes, your subnet is way oversized for such a small network: you have a scope that allows over 8000 leases. I think you can take that down to a /23 or /22 subnet, just to keep things a bit nicer when it comes to your DHCP server.

And last, I'm probably sure that you have, but you should have a static IP if you want to host that site to the public, unless you will be using DDNS, and have it registered under a public/root DNS server.
Internal DNS settings can also be configured under Proxy > DNS > DNS routing! (this is to allow users within your network to just type the address of the page in the browser in order to reach it)
Again, I'm sure you have that done.. but just in case.

Let me know how it goes.
zeddo
« Reply #4 on: Tuesday 14 December 2010, 01:48:36 am »

Hi, and sorry for this late answer,

I tried the destination NAT configuration you sent me, with no success :(

At the same time I have been looking at whether something else on my network could be corrupted and make the firewall not work with the DMZ. The network in my society is quite strange..

For example, when I tried to install and configure Endian Firewall with the green zone for the first time, it didn't work at the beginning. I looked for hours at what could be wrong in the configuration, and I found my problem: an entry in the DNS server called "Firewall" with the IP 172.16.31.253. I had deleted this entry thinking the new firewall (called EndianFirewall) would be created, and nothing. I created it manually, nothing more... So I called my firewall "firewall", and the green zone works perfectly now.. strange, isn't it?
I had a look on my CISCO component to see if I have a MAC filter, but I didn't find anything like that.

Next Monday I'll try to "create" a new DMZ, with a "false web server" with only one webpage. Maybe with this test I'll see if my problem is on the webserver or in the Endian configuration.

Best regards,
zeddo
« Reply #5 on: Friday 31 December 2010, 09:15:12 pm »

Hi everybody,

Problem solved.
There is a bug in version 2.3. I installed 2.4 and everything is OK with a simple rule in destination NAT:

#   Incoming IP    Service   Policy                  Translate to     Remark
1   "UPLINK ANY"   HTTP/80   (Green Arrow = Allow)   192.168.6.4:80   Web Server

I chose before to stay on 2.3 because I couldn't activate SSH in 2.4.
But I later found another bug with SSH in 2.4. I had to put the interface in English, activate SSH, and then put the interface back in French. If you try to activate SSH when the interface is in French, there is a bug, you can't do it.

Problem solved, thanks everyone, and sorry again for my poor English
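The destination NAT rule xsidx gave in reply #3 (and that worked on 2.4 in reply #5), modelled as an added Python example that is not from this thread or from Endian: the zones use the addresses zeddo posted, while the zone-to-zone policy, the packet model and the sample flows are assumptions made for the illustration, and `usable_hosts` reproduces the /19 sizing point raised in reply #1.

```python
# Added example (not from the thread or Endian Firewall): a small model of
# a three-leg DMZ policy plus the "UPLINK ANY HTTP/80 -> 192.168.6.4:80" rule.
import ipaddress

# Zone addressing exactly as posted (interface addresses, normalised to networks).
ZONES = {
    "RED":    ipaddress.ip_network("192.168.5.1/24", strict=False),
    "GREEN":  ipaddress.ip_network("172.16.31.253/19", strict=False),
    "ORANGE": ipaddress.ip_network("192.168.6.1/24", strict=False),
    "BLUE":   ipaddress.ip_network("192.168.24.1/24", strict=False),
}
UPLINK_IP = ipaddress.ip_address("192.168.5.1")   # firewall's RED address
# RED sits behind a router (192.168.5.254); that router must itself forward
# TCP/80 to 192.168.5.1 before the firewall ever sees the request.

# Assumed default zone policy (matches what the thread describes): GREEN may
# reach ORANGE, BLUE and RED; ORANGE and BLUE reach only RED, never GREEN.
ALLOWED = {("GREEN", "ORANGE"), ("GREEN", "BLUE"), ("GREEN", "RED"),
           ("ORANGE", "RED"), ("BLUE", "RED")}

# Destination NAT rules as (source zone, port, translate-to IP, port).
# Reply #3: Incoming IP "UPLINK ANY", Service HTTP/80, Policy = Allow.
DNAT_RULES = [("RED", 80, ipaddress.ip_address("192.168.6.4"), 80)]


def zone_of(ip):
    ip = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "RED"   # any other address arrives through the uplink


def evaluate(src, dst, dport):
    """Return (verdict, destination IP, destination port) for one TCP flow."""
    src_zone = zone_of(src)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == UPLINK_IP:
        # DNAT is applied before the zone policy; the rule's green arrow
        # (policy Allow) also accepts the translated flow into ORANGE.
        for zone, port, new_ip, new_port in DNAT_RULES:
            if src_zone == zone and dport == port:
                return "ACCEPT", str(new_ip), new_port
        return "DROP", str(dst_ip), dport   # untranslated hits on the uplink
    dst_zone = zone_of(dst_ip)
    if src_zone == dst_zone or (src_zone, dst_zone) in ALLOWED:
        return "ACCEPT", str(dst_ip), dport
    return "DROP", str(dst_ip), dport


def usable_hosts(cidr):
    """Usable addresses in a prefix; the posted /19 GREEN zone holds 8190."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2
```

Only the web port is translated, so an Internet client reaching the uplink on any other port is dropped, and the DMZ host can never initiate a connection back into GREEN.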