Author Topic: Problems with interzone firewall  (Read 18653 times)
jbieler
Jr. Member

Posts: 1


« on: Wednesday 30 June 2010, 11:08:27 pm »

Hi,

I get some strange effects with the interzone firewall. It seems that this firewall drops all packets.
My environment:
EFW 2.4.0 Community
kernel 2.6.27.19-72.e25
Green: 192.168.1.0/24
Blue: 192.168.2.0/24

As wireless systems I use notebooks which are connected via VPN; these systems are not the problem. The problem is that I have to use some pinholes in the interzone FW to access UPnP servers and media content with mobile devices. So I need access from Blue to Green on some ports.
I tried different things like using IP addresses, MAC addresses, interfaces and zones in these rules; nothing works. I also disabled the whole interzone FW like the manual said, but all packets are dropped.

From my point of view it looks like a bug. Has anyone got the same problems?

Regards
Logged
ybjones72
Full Member

Posts: 18


« Reply #1 on: Tuesday 06 July 2010, 05:08:22 am »

I am having the same issue.

Green: 192.168.1.1/24
Orange: 192.168.25.1/24
Blue: 192.168.2.1/24

I can ping the Orange or Blue interface address from the Green zone but I cannot ping any hosts in the Orange or Blue zone from the Green zone. I have the interzone firewall turned on with the Green->Orange allow all and the Green->Blue allow all enabled. Even if I turn the interzone firewall off, I still cannot ping any hosts in the Blue or Orange from the Green. I can SSH into the Endian box and ping hosts in either just fine.

Need to get this resolved but I am at a loss.

-Yancey
Logged
arminf
Full Member

Posts: 56


« Reply #2 on: Tuesday 06 July 2010, 06:15:09 am »

Hm, I have no issues between Blue and Green.

interzone firewall

blue to green allow 5900, cifs/smb, 8000 TCP+UDP
Source Mac address
Dest. IP address

Endian 2.4

Ping is ICMP
Logged
ybjones72
Full Member

Posts: 18


« Reply #3 on: Friday 09 July 2010, 11:32:58 pm »

The default setting when turning on the inter-zone firewall is supposed to allow all from Green to Orange. However this does not work. When turning the inter-zone firewall OFF then all traffic is allowed from both directions. This does not work either. This is a problem that more than one person is experiencing.

I have tried adding static routes to no avail.

What is weird, I can ping one system in the orange zone...
   192.168.25.1 Orange NIC IP Address, pingable from Green
   192.168.25.2 Orange zone Wireless AP, NOT pingable from Green
   192.168.25.3 Orange Zone Wireless Bridge, NOT pingable from Green
   192.168.25.82 Orange Zone Web server, pingable from Green

I can ping the Web server but not the wireless units. I can ping everything from the Orange zone. Their default gateways are set to 192.168.25.1, just like the Web server.


Maybe I jumped the gun with 2.4 because there are other issues that are happening as well.
Logged
DFen
Full Member

Posts: 46


« Reply #4 on: Monday 12 July 2010, 02:31:54 am »

Some things to check/try - SSH on to the Endian box (or from the console):

Make sure ip_forward is ON:
 cat /proc/sys/net/ipv4/ip_forward
1

If the result is 0, try
echo 1 > /proc/sys/net/ipv4/ip_forward

And check
 cat /etc/sysctl.conf | grep ip_forward
should show
 net.ipv4.ip_forward = 1

Also
ip ro sho
Should contain:
192.168.25.0/24 dev br1  proto kernel  scope link  src 192.168.25.1


I do not presently have quite the same set-up so if this does not help feel free to post more info on your firewall and route table.
Logged
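As an added example (not from the thread and not Endian's own tooling), DFen's three checks bundled into a small POSIX sh script. The file paths and route-table text are parameters so the same functions can be run against captured output as well as the live box; the zone subnets are the ones posted in this thread.

```shell
#!/bin/sh
# Added example: re-implements the ip_forward / sysctl.conf / route-table checks
# from the reply above as functions. Paths default to the live kernel files but
# can be pointed at captured copies (e.g. pasted output from another host).

# Returns 0 if the kernel forwarding switch in FILE is "1"
# (default: /proc/sys/net/ipv4/ip_forward); 2 if the file is unreadable.
ip_forward_enabled() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$file" ] || return 2
    [ "$(tr -d '[:space:]' < "$file")" = "1" ]
}

# Returns 0 if sysctl.conf (default: /etc/sysctl.conf) persists
# net.ipv4.ip_forward = 1 on an uncommented line, so forwarding survives a reboot.
ip_forward_persisted() {
    file="${1:-/etc/sysctl.conf}"
    [ -r "$file" ] || return 2
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$file"
}

# Returns 0 if the route table (arg 2, default: live `ip route show`) has a
# connected "scope link" route for the subnet in arg 1, as "ip ro sho" should show.
zone_route_present() {
    subnet="$1"
    routes="${2:-$(ip route show 2>/dev/null)}"
    printf '%s\n' "$routes" | grep -F -- "$subnet dev " | grep -q 'scope link'
}

# Runs every check for the Green/Blue/Orange subnets from this thread.
# Usage: check_zones [ip_forward_file] [sysctl_file] [route_text]
check_zones() {
    rc=0
    ip_forward_enabled "$1" || { echo "ip_forward is not 1 (fix: echo 1 > /proc/sys/net/ipv4/ip_forward)"; rc=1; }
    ip_forward_persisted "$2" || { echo "net.ipv4.ip_forward = 1 is missing from sysctl.conf"; rc=1; }
    for z in 192.168.1.0/24 192.168.2.0/24 192.168.25.0/24; do
        zone_route_present "$z" "$3" || { echo "no connected route for zone $z"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then echo "all zone routing checks passed"; fi
    return "$rc"
}
```

Run `check_zones` with no arguments on the firewall itself; a non-zero exit plus the printed line tells you which of the three checks failed.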
ybjones72
Full Member

Posts: 18


« Reply #5 on: Wednesday 21 July 2010, 02:20:33 am »

Everything looks right.

========================================
root@frsgw:~ # cat /proc/sys/net/ipv4/ip_forward
1

root@frsgw:~ # cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward = 1

root@frsgw:~ # ip ro sho
X.X.X.X/30 dev eth0  proto kernel  scope link  src X.X.X.X
192.168.2.0/24 dev br2  proto kernel  scope link  src 192.168.2.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.25.0/24 dev br1  proto kernel  scope link  src 192.168.25.1
default via X.X.X.X dev eth0
========================================

I can ping anything on the 192.168.25.0/24 network from the Endian box with no problems. It's just some IPs on the 25 side are not reachable from the 192.168.1.0/24 network.

Thanks.
Logged
DFen
Full Member

Posts: 46


« Reply #6 on: Wednesday 21 July 2010, 04:01:16 am »

When you ping from green your source ip is in the range 192.168.1.0/24

When you ping from endian your source ip is 192.168.25.1 - i.e. in the same subnet as your target.

Do your wireless devices have their default route set to 192.168.25.1,
or at least a route to 192.168.2.0/24 via 192.168.25.1?

You may be able to check this using ping -I 192.168.1.1 192.168.25.3
Logged