Author Topic: DHCP Server: How to configure Dynamic IP not seeing GREEN zone  (Read 28597 times)
emitojleyes
« on: Thursday 04 September 2014, 08:18:08 am »

Hi everyone. I need to configure ENDIAN 2.5 Firewall or DHCP Server so all dynamic addresses leases only have RED ZONE (Internet) access, and block ALL attempts to see or access any host in GREEN ZONE. Any ideas to achieve this?
Thanks in advance.
juddyjacob
« Reply #1 on: Friday 05 September 2014, 01:48:15 pm »

I think what you really want to do is set up two zones, like green and blue. To me it sounds like you are trying to segment a single network, which can be done with crafty sub-netting with a CIDR/32, but likewise also can be done to a degree with separate zones. If your concern is to have some equipment that can communicate with the outside, but also have equipment that you don't want anything else to request connections to, the zones and inter-zone firewall will work just fine. However, if you are truly searching for public access only, then you would have to statically assign the appropriate IP addresses and sub-net masks to achieve this. A single host netmask would be 255.255.255.255. You will have to do some subnet calculating and research for the specifics. Pretty sure you will have to also assign the local IP of your Endian box several IP addresses to be used as gateway IPs.

But I am struggling to see a real purposeful use for this in a private network. It makes more sense to just have separate zones. Green, your local LAN (private equipment), and then perhaps Blue (Wireless or Guest equipment). From here you can manage the inter-zone firewall to say

Green may talk with Green
Green may talk with Blue
Blue may talk to Blue

Both zones will have the ability for separate local sub-nets, as well as any mask you would like to provide. But something like this will allow your zones to communicate or restrict access to the separate networks or zones accordingly, while also providing your management LAN the ability to still manage your restricted-use zone.

Hope this helps....
emitojleyes
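To make the zone policy in the reply above concrete, here is an added Python model (example code, neither Endian's nor the poster's): it classifies hosts into zones by subnet, decides which new connections the inter-zone policy allows, and renders that policy as illustrative iptables FORWARD rules. GREEN uses the 10.97.81.0/24 subnet given later in the thread and br0 as its bridge (also from a later reply); the BLUE subnet, the br1 and eth0 interface names, and the rule layout are assumptions.

```python
"""Model of the inter-zone policy described in the reply above:
GREEN may talk to GREEN and BLUE, BLUE may talk to BLUE, both may reach
RED (the internet), and BLUE never initiates a connection to GREEN."""
import ipaddress

# Zone subnets. GREEN is the 10.97.81.0/24 from the thread; the BLUE
# guest subnet is a constructed value; anything else counts as RED.
ZONES = {
    "GREEN": ipaddress.ip_network("10.97.81.0/24"),
    "BLUE": ipaddress.ip_network("192.168.50.0/24"),
}

# Which zone may *initiate* connections to which zone. Replies to an
# allowed connection flow back because the firewall tracks state.
POLICY = {
    "GREEN": {"GREEN", "BLUE", "RED"},
    "BLUE": {"BLUE", "RED"},
    "RED": set(),  # nothing from the internet may initiate inbound
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name; addresses outside GREEN/BLUE are RED."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"


def may_initiate(src: str, dst: str) -> bool:
    """True if a new connection from src to dst is allowed by the zone policy."""
    return zone_of(dst) in POLICY[zone_of(src)]


def to_iptables(iface: dict) -> list:
    """Render POLICY as FORWARD-chain rules (illustrative, not Endian's own).
    iface maps zone name -> interface, e.g. {"GREEN": "br0", "BLUE": "br1", "RED": "eth0"}."""
    rules = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src, dsts in POLICY.items():
        for dst in sorted(dsts):
            if src == dst:
                continue  # same-zone traffic is switched, never forwarded by the firewall
            rules.append(f"iptables -A FORWARD -i {iface[src]} -o {iface[dst]} -j ACCEPT")
    rules.append("iptables -A FORWARD -j DROP")  # default deny for everything else
    return rules
```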
« Reply #2 on: Saturday 06 September 2014, 02:54:16 am »

Thanks very much for all your description. It is pretty clear, although there are things I still don't understand... but that's another issue...
Let me tell you briefly my scenario:
- Endian is running on Virtual Machine.
- On Guest machine, two physical ethernet network cards
- Endian IP configuration:
      RED zone: Ethernet DHCP
      GREEN zone: Endian IP Address 10.97.81.206/24; IP Subnet: 10.97.81.0

According to what you explained to me, I'd like you to help me define this BLUE zone, taking into account the configuration mentioned above.
I would really, really appreciate it if you continue to help me with this!!

Best regards,
mmiat
« Reply #3 on: Monday 08 September 2014, 04:58:57 pm »

Hi everyone. I need to configure ENDIAN 2.5 Firewall or DHCP Server so all dynamic addresses leases only have RED ZONE (Internet) access, and block ALL attempts to see or access any host in GREEN ZONE. Any ideas to achieve this?
Thanks in advance.

I don't understand (my English is not so good...): do you want clients in the green zone to not be able to see other clients in the green zone?
If so, you can't, because it isn't a firewall feature; you have to configure it on the clients.

---------------------
IT Consultant
www.fsw.it
Hardware & Software
emitojleyes
« Reply #4 on: Monday 08 September 2014, 09:44:50 pm »

Something like this.
I need to configure the DHCP Server so that temporary users with a notebook, for example, get a dynamic IP and are able to access the Internet, but NOT any LAN resource.
I think I understand that the only way is by configuring a BLUE zone. Now my question is HOW? I'm using a VirtualBox virtual machine with two physical network interfaces...

Thanks very much in advance for any help you could give me at this.

Best regards,
mmiat
« Reply #5 on: Wednesday 10 September 2014, 04:50:17 pm »

Yes, you need Blue and you need to add one more interface.
juddyjacob
« Reply #6 on: Thursday 11 September 2014, 03:20:08 pm »

With only two interfaces you really can't; in your scenario you need at least 3 interfaces. You need one for RED, your internet access, one for GREEN, your private LAN, and one for BLUE, your guests. If you have an additional slot just add a NIC card. You might be able to just plug and play, but don't get too discouraged if you can't. Just run a consistent ping on your firewall IP and keep trying your interfaces. 2.5.1 and up sometimes jumble the bridges when you install additional interfaces. I have even seen it drop br0 completely and start from br1. If you can console with the VM you can edit "/var/efw/ethernet/br0"; this is your LAN bridge to GREEN. The built-in editor is nano, so you would type something like this

"nano /var/efw/ethernet/br0"

You will see in your scenario either eth0 or eth1 as the bridge interface. You can change it if you don't want to move the cable itself.

Likewise there is a tool called ethtool you can use when trying to find out which interface is or not. You would change to the /var/efw/ethernet directory and type "ethtool eth0" or "ethtool eth1". It will give you a good idea of what has an established link and the port speeds negotiated, sometimes also helpful in determining the internet port if you have a gigabit LAN switch, as the majority of ISP equipment will be 100 Mb/s and not 1000 Mb/s.
emitojleyes
« Reply #7 on: Tuesday 16 September 2014, 10:47:39 pm »

Thanks very much for this info.
However, in a virtual environment, could it be possible to re-use the same physical network interface for both green and blue, or red and blue?
Has anyone done something similar?
Thanks very much, again.
mmiat
« Reply #8 on: Sunday 21 September 2014, 06:47:54 pm »

It could be possible in a virtual environment: you create 2 virtual network cards using the same physical one.
emitojleyes
« Reply #9 on: Sunday 21 September 2014, 10:47:22 pm »

Thanks very much for your answer. Have you had to configure it in this way in the past? Which network interface do you suggest re-using? The one used by the green ZONE, or the red zone?
Any other detail will also be very appreciated.

Best regards,
mmiat
« Reply #10 on: Sunday 21 September 2014, 11:35:54 pm »

Use the red physical card with red virtual, and the other physical card with green, blue, etc.

But you can't use DHCP or you create chaos....
emitojleyes
« Reply #11 on: Monday 22 September 2014, 10:27:19 am »

Ohh... the idea was to enable DHCP for blue, so guest PCs, notebooks, etc., just plug in an ethernet cable and can access the internet,... and NOT access GREEN...
Isn't it possible? Is there another alternative in a VM environment?
Thanks a lot for helping with this.
Best regards,