Problems with interzone firewall

[Guest]

[jbieler]

Hi,

i get some strange effects with interzone firewall. It seems that this firewall dropps all packages.
My environmet :
efw. 2.4.0 Comunity
kernel 2.6.27.19-72.e25
Green. 192.168.1.0/24
Blue 192.168.2.0/24

As wireless systems I use Notebooks which are connected via VPN, these systems are not the problem. The problem is that I have to use some Pinholes ininterzone FW to access upnp servers and media content with mobile devices. SoIneed access from  Blue to green on some Ports.
I tried different things like usingIP-Adresses, MAC Adresses,Interfaces  and Zones  in this rules nothing works. I also disabled the whole interzone FW like manual said, but all Packetsare dropped.

From my point of view it looks like a bug. Anyone got the same Problems

Regards

[ybjones72]

I am having the same issue.

Green: 192.168.1.1/24
Orange: 192.168.25.1/24
Blue: 192.168.2.1/24

I can ping the Orange or Blue interface address from the Green zone but I cannot ping any hosts in the Orange or Blue zone from the Green zone. I have the interzone firewall turned on with the Green->Orange allow all and the Green->Blue allow all enabled. Even if I turn the interzone firewall off, I still cannot ping any hosts in the Blue or Orange from the Green. I can SSH into the Endian box and ping hosts in either just fine.

Need to get this resolved but I am at a loss.

-Yancey

[arminf]

hm.. i have no issues between blue and green

interzone firewall

blue to green allow 5900, cifs/smb, 8000 TCP+UDP
Source Mac address
Dest. IP address

Endian 2.4

Ping is ICMP

[ybjones72]

The default setting when turning on the inter-zone firewall is supposed to allow all from Green to Orange. However this does not work. When turning the inter-zone firewall OFF then all traffic is allowed from both directions. This does not work either. This is a problem that more than one person is experiencing.

I have tried adding static routes to no avail.

What is weird, I can ping one system in the orange zone...
   192.168.25.1 Orange NIC IP Address, pingable from Green
   192.168.25.2 Orange zone Wireless AP, NOT pingable from Green
   192.168.25.3 Orange Zone Wireless Bridge, NOT pingable from Green
   192.168.25.82 Orange Zone Web server, pingable from Green

I can ping the Web server but not the wireless units. I can ping everything from the Orange zone. Their default gateways are set to 192.168.25.1, just like the Web server.


Maybe I jumped the gun with 2.4 because there are other issues that are happening as well.

[DFen]

Hi,

i get some strange effects with interzone firewall. It seems that this firewall dropps all packages.
My environmet :
efw. 2.4.0 Comunity
kernel 2.6.27.19-72.e25
Green. 192.168.1.0/24
Blue 192.168.2.0/24

As wireless systems I use Notebooks which are connected via VPN, these systems are not the problem. The problem is that I have to use some Pinholes ininterzone FW to access upnp servers and media content with mobile devices. SoIneed access from  Blue to green on some Ports.
I tried different things like usingIP-Adresses, MAC Adresses,Interfaces  and Zones  in this rules nothing works. I also disabled the whole interzone FW like manual said, but all Packetsare dropped.

From my point of view it looks like a bug. Anyone got the same Problems

Regards

Some things to check/try - ssh on to endian box (or from console)

Make sure ip_forward id ON
 cat /proc/sys/net/ipv4/ip_forward
1

If the result is 0, try
echo 1 > /proc/sys/net/ipv4/ip_forward

And check
 cat /etc/sysctl.conf | grep ip_forward
should show
 net.ipv4.ip_forward = 1

Also
ip ro sho
Should contain:
192.168.25.0/24 dev br1  proto kernel  scope link  src 192.168.25.1


I do not presently have quite the same set-up so if this does not help feel free to post more info on your firewall and route table.

[ybjones72]

Everything looks right.

========================================
root@frsgw:~ # cat /proc/sys/net/ipv4/ip_forward
1

root@frsgw:~ # cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward = 1

root@frsgw:~ # ip ro sho
X.X.X.X/30 dev eth0  proto kernel  scope link  src X.X.X.X
192.168.2.0/24 dev br2  proto kernel  scope link  src 192.168.2.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.25.0/24 dev br1  proto kernel  scope link  src 192.168.25.1
default via X.X.X.X dev eth0
========================================

I can ping anything on the 192.168.25.0/24 network from the Endian box with no problems. It's just some IPs on the 25 side are not reachable from the 192.168.1.0/24 network.

Thanks.

[DFen]

When you ping from green your source ip is in the range 192.168.1.0/24

When you ping from endian your source ip is 192.168.25.1 - i.e. in the same subnet as your target.

Do your wireless devices have default route set to 192.168.25.1
or at least a route to 192.168.2.0/24 via 192.168.25.1

You may be able to check this using ping -I 192.168.1.1 192.168.25.3