Welcome, Guest. Please login or register.
Did you miss your activation email?
Tuesday 19 November 2024, 02:19:40 am

Login with username, password and session length

Visit the official Endian Community Mailinglist  HERE
14258 Posts in 4377 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Blue zone cant access Green zone
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] 2 Go Down Print
Author Topic: Blue zone cant access Green zone  (Read 64546 times)
881314
Jr. Member
*
Offline Offline

Posts: 6


« on: Tuesday 23 December 2008, 11:07:49 pm »

Hi Guys,

I have installed two NICs both are not Wirless Adapter. One NIC is green zone with IP address 192.168.0.0/24 another one is blue zone with IP address 192.168.10.0/28.

I would like the blue zone accessed to the green zone. I have the added the blue zone allows to access to the green zone and the green zone allows to access to the blue zone from the Intra-Zone Access under Firewall.

However, I still can not access from the blue zone to green. What should I do?

Thanks
Eddy 
Logged
881314
Jr. Member
*
Offline Offline

Posts: 6


« Reply #1 on: Tuesday 06 January 2009, 06:11:48 am »

Could someone give me some advises please.
Logged
Bracks
Jr. Member
*
Offline Offline

Posts: 5


« Reply #2 on: Monday 26 January 2009, 10:39:07 am »

Eddy,

Have you tried allowing say RDP from Blue to Green and trying to open an RDP session from
Blue to a machine in your green network.

I created the rules in the Intra-zone from Blue to Green and Orange. Both work no worries.

Have you allowed all ports and services or only certain protocols...

Im only relatively new to Endian but have played around a fair bit and managed to get
most things happening.

Regards

Mark
Logged
881314
Jr. Member
*
Offline Offline

Posts: 6


« Reply #3 on: Friday 13 February 2009, 06:33:34 am »

Hi Mark

Thanks for your reply.

I have found the solution. For some reason, if I used zone it wouldn't work, but it work with interface.

Thanks
Best Regards,
Eddy
Logged
wesley1234
Jr. Member
*
Offline Offline

Posts: 3


« Reply #4 on: Thursday 21 May 2009, 10:13:47 pm »

Any other words of advice, I'm having the same problem.   I switched to just the interface in the source / dest but still no luck.  Although I'm trying to set certain ports through, I did try opening up everything as a test... blue int - access to any/all green int.  Just to be clear, I'm using the "Inter-Zone traffic" in the Firewall page.  This has been renamed a few times which makes the support docs very confusion - especially anything that google returns.

Even if your way worked, using the interfaces, it seems that for whatever the reason, you can't fine tune it... major disapointment in this release.  ie.  I want to only allow DNS queries from selected IP's on my Blue to goto one IP on my green.

Before someone types it, I'll beat them to it: yes I could/should setup a VPN for this which is built into this software, but I'm having problems with that too.

Cheers
Logged
jeremycald
Full Member
***
Offline Offline

Posts: 41


« Reply #5 on: Friday 29 May 2009, 02:46:16 am »

Ditto on wesley1234.  I am having the same problem.  I was trying to setup an access point on the Blue interface and I can not ping it nor open it's admin interface (port 80) from the green net.  I can ping it from the endian so communication is there.  And computers connected to the Access point can pickup IP addresses from the endian and access the internet.

I checked the logs and it is telling me that the chain FORWARD:DROP     br0 is what is blocking it.  I've been through the various firewall settings (inter, outer, inny, outty ;-) and have not been able to communicate.  The next step I tried just in case was turning off the HTTP proxy.  Still no dice.  I am thinking it may be the following:   http://kb.endian.com/entry/27/  but what I am afraid of is that will open EVERYTHING up and not allow me to eventually control the access. 

I am going to try it tonight after work hours because I have to reboot it of course.

On a side note:  wesley1234 your last point was well taken for both angles.

Enjoy!
Logged
jpgillivan
Full Member
***
Offline Offline

Posts: 31


« Reply #6 on: Friday 29 May 2009, 04:55:31 am »

I don't think you have the interface configured correctly.  What is the actual IP address you are assigned to the NIC.  You cannot end it with 0.  Try changeing your green interface to 192.168.0.1/24 and the blue to 192.168.10.1/24.  (don't forget to adjust an routing rules you may have)

See http://www.computerhope.com/jargon/i/ip.htm for more infomation on IP addressing.  Unless you are trying to supernet the IP's

Are you?

Add'l info:
Definition: The IP address 192.168.0.0 is the start of the Class C private range. By convention, network routers and other gateways use 192.168.0.0 to reference a private network generically. You should not attempt to set 192.168.0.0 as a static IP address for any host, becuase it is reserved for use as a network address.

The extent of the 192.168.0.0 network depends on the network mask configured. For example, 192.168.0.0/24 represents the private network with IP address range 192.168.0.0 - 192.168.255.255. Broadband routers more often use the Class C default 192.168.0.0/16 mask with range 192.168.0.0 - 192.168.0.255. Routers on these networks conventionally use IP address 192.168.0.1.
Logged
jpgillivan
Full Member
***
Offline Offline

Posts: 31


« Reply #7 on: Friday 29 May 2009, 04:57:00 am »

Also, check your proxy configuration "inter-zone traffic settings".
Logged
jeremycald
Full Member
***
Offline Offline

Posts: 41


« Reply #8 on: Friday 29 May 2009, 06:28:02 am »

The extent of the 192.168.0.0 network depends on the network mask configured. For example, 192.168.0.0/24 represents the private network with IP address range 192.168.0.0 - 192.168.255.255. Broadband routers more often use the Class C default 192.168.0.0/16 mask with range 192.168.0.0 - 192.168.0.255. Routers on these networks conventionally use IP address 192.168.0.1.

Is this actually backwards? 192.168.0.0/24 has a broadcast address of 192.168.0.255 and 192.168.0.0/16 has a broadcast address of 192.168.255.255
Logged
jeremycald
Full Member
***
Offline Offline

Posts: 41


« Reply #9 on: Friday 29 May 2009, 06:32:22 am »

Well I decided to read the manual  Grin and found an interesting point.  The last statement under the Inter-Zone Traffic heading  http://docs.endian.com/2.2/en/efw.firewall.html#efw.firewall.inter_zone_traffic  states:

Quote
The inter-zone firewall can be disabled/enabled as a whole using the Enable Inter-Zone firewall toggle. When disabled, all traffic is allowed between all zones other than the RED zone (not recommended).

It didn't make any difference.

I also tried adding specific rules to the Outgoing rules to allow access between the blue and green interfaces and those didn't make a difference either.
Logged
jpgillivan
Full Member
***
Offline Offline

Posts: 31


« Reply #10 on: Friday 29 May 2009, 06:40:17 am »

Did you try changing the IP addressing scheme?
Logged
jpgillivan
Full Member
***
Offline Offline

Posts: 31


« Reply #11 on: Friday 29 May 2009, 06:41:28 am »

http://learn-networking.com/network-design/how-a-broadcast-address-works
Logged
jeremycald
Full Member
***
Offline Offline

Posts: 41


« Reply #12 on: Friday 29 May 2009, 06:48:11 am »


Not to sound smart but I think we got the idea of how a broadcast address works.  It's the notation that is backwards.  Plug your numbers into this http://www.subnet-calculator.com/cidr.php and see what you come up with.  The /16 and /24 are backwards.

Here is the wikipedia reference on class notation B=/16 C=/24
http://en.wikipedia.org/wiki/IP_classes#Class_ranges
Logged
jpgillivan
Full Member
***
Offline Offline

Posts: 31


« Reply #13 on: Friday 29 May 2009, 07:18:01 am »

Yes you are correct.  The data was a cut and paste from a web site.  Sorry I didn't proof read first. 

But, correct me if I am wrong, using a mask of 16 on IP 192.168.0.0 includes the IP range 192.168.10.0, does it not?

192.168.0.0/16 = host range of 192.168.0.0 - 192.168.255.255  (subnet 255.255.0.0)

If memory serves me correctly this one part of super netting that has always kinda thrown me for a loop.

Anyway those are not your ip addresses.  Did you create a routing rule under NETWORK > ROUTING?

I tried looking in the manual but I think I have an outdated manual becuase some of the features and screenshots are different.

Logged
jeremycald
Full Member
***
Offline Offline

Posts: 41


« Reply #14 on: Friday 29 May 2009, 07:36:50 am »

Yes you are correct.  The data was a cut and paste from a web site.  Sorry I didn't proof read first. 

But, correct me if I am wrong, using a mask of 16 on IP 192.168.0.0 includes the IP range 192.168.10.0, does it not?

192.168.0.0/16 = host range of 192.168.0.0 - 192.168.255.255  (subnet 255.255.0.0)

Yes.

Quote
If memory serves me correctly this one part of super netting that has always kinda thrown me for a loop.

Exactly. The /16 allows you to supernet (CIDR is the actual term) various networks through a router.  It keeps the routing tables smaller.  Instead of keeping track of 256 networks 192.168.0.0/24-192.168.255.0/24 you keep track or one "supernet" 192.168.0.0/16.  Because if a router is just movints bits from one router to another it doesn't need to know that each network is seperate. 

This wikipedia page explains it well and simple. Pay attention to the IP/CIDR column and contrast it with the class column. http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#Prefix_aggregation

Quote
Anyway those are not your ip addresses.  Did you create a routing rule under NETWORK > ROUTING?

Do I actually have to create a route?  Huh I thought that endian automatically took care of that.   I thought that was for routing through external routers (and doing things such as supernetting).  I'm tring to figure out if the terms allow it.  I'll give it a try and report back. Nope.

Quote
I tried looking in the manual but I think I have an outdated manual becuase some of the features and screenshots are different.

Make life easy on yourself. http://docs.endian.com/2.2/en/efw.index.html
Logged
Pages: [1] 2 Go Up Print 
« previous next »
Jump to:  

Page created in 0.156 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com