EFW Support

Hi Guys,

I have installed two NICs both are not Wirless Adapter. One NIC is green zone with IP address 192.168.0.0/24 another one is blue zone with IP address 192.168.10.0/28.

I would like the blue zone accessed to the green zone. I have the added the blue zone allows to access to the green zone and the green zone allows to access to the blue zone from the Intra-Zone Access under Firewall.

However, I still can not access from the blue zone to green. What should I do?

Thanks
Eddy 

Could someone give me some advises please.

Eddy,

Have you tried allowing say RDP from Blue to Green and trying to open an RDP session from
Blue to a machine in your green network.

I created the rules in the Intra-zone from Blue to Green and Orange. Both work no worries.

Have you allowed all ports and services or only certain protocols...

Im only relatively new to Endian but have played around a fair bit and managed to get
most things happening.

Regards

Mark

Hi Mark

Thanks for your reply.

I have found the solution. For some reason, if I used zone it wouldn't work, but it work with interface.

Thanks
Best Regards,
Eddy

Any other words of advice, I'm having the same problem.   I switched to just the interface in the source / dest but still no luck.  Although I'm trying to set certain ports through, I did try opening up everything as a test... blue int - access to any/all green int.  Just to be clear, I'm using the "Inter-Zone traffic" in the Firewall page.  This has been renamed a few times which makes the support docs very confusion - especially anything that google returns.

Even if your way worked, using the interfaces, it seems that for whatever the reason, you can't fine tune it... major disapointment in this release.  ie.  I want to only allow DNS queries from selected IP's on my Blue to goto one IP on my green.

Before someone types it, I'll beat them to it: yes I could/should setup a VPN for this which is built into this software, but I'm having problems with that too.

Cheers

Ditto on wesley1234.  I am having the same problem.  I was trying to setup an access point on the Blue interface and I can not ping it nor open it's admin interface (port 80) from the green net.  I can ping it from the endian so communication is there.  And computers connected to the Access point can pickup IP addresses from the endian and access the internet.

I checked the logs and it is telling me that the chain FORWARD:DROP     br0 is what is blocking it.  I've been through the various firewall settings (inter, outer, inny, outty ;-) and have not been able to communicate.  The next step I tried just in case was turning off the HTTP proxy.  Still no dice.  I am thinking it may be the following:   http://kb.endian.com/entry/27/ (http://kb.endian.com/entry/27/)  but what I am afraid of is that will open EVERYTHING up and not allow me to eventually control the access. 

I am going to try it tonight after work hours because I have to reboot it of course.

On a side note:  wesley1234 your last point was well taken for both angles.

Enjoy!

I don't think you have the interface configured correctly.  What is the actual IP address you are assigned to the NIC.  You cannot end it with 0.  Try changeing your green interface to 192.168.0.1/24 and the blue to 192.168.10.1/24.  (don't forget to adjust an routing rules you may have)

See http://www.computerhope.com/jargon/i/ip.htm for more infomation on IP addressing.  Unless you are trying to supernet the IP's

Are you?

Add'l info:
Definition: The IP address 192.168.0.0 is the start of the Class C private range. By convention, network routers and other gateways use 192.168.0.0 to reference a private network generically. You should not attempt to set 192.168.0.0 as a static IP address for any host, becuase it is reserved for use as a network address.

The extent of the 192.168.0.0 network depends on the network mask configured. For example, 192.168.0.0/24 represents the private network with IP address range 192.168.0.0 - 192.168.255.255. Broadband routers more often use the Class C default 192.168.0.0/16 mask with range 192.168.0.0 - 192.168.0.255. Routers on these networks conventionally use IP address 192.168.0.1.

Also, check your proxy configuration "inter-zone traffic settings".

Is this actually backwards? 192.168.0.0/24 has a broadcast address of 192.168.0.255 and 192.168.0.0/16 has a broadcast address of 192.168.255.255

Well I decided to read the manual  ;D and found an interesting point.  The last statement under the Inter-Zone Traffic heading  http://docs.endian.com/2.2/en/efw.firewall.html#efw.firewall.inter_zone_traffic (http://docs.endian.com/2.2/en/efw.firewall.html#efw.firewall.inter_zone_traffic)  states:


It didn't make any difference.

I also tried adding specific rules to the Outgoing rules to allow access between the blue and green interfaces and those didn't make a difference either.

Did you try changing the IP addressing scheme?

http://learn-networking.com/network-design/how-a-broadcast-address-works

Not to sound smart but I think we got the idea of how a broadcast address works.  It's the notation that is backwards.  Plug your numbers into this http://www.subnet-calculator.com/cidr.php (http://www.subnet-calculator.com/cidr.php) and see what you come up with.  The /16 and /24 are backwards.

Here is the wikipedia reference on class notation B=/16 C=/24
http://en.wikipedia.org/wiki/IP_classes#Class_ranges (http://en.wikipedia.org/wiki/IP_classes#Class_ranges)

Yes you are correct.  The data was a cut and paste from a web site.  Sorry I didn't proof read first. 

But, correct me if I am wrong, using a mask of 16 on IP 192.168.0.0 includes the IP range 192.168.10.0, does it not?

192.168.0.0/16 = host range of 192.168.0.0 - 192.168.255.255  (subnet 255.255.0.0)

If memory serves me correctly this one part of super netting that has always kinda thrown me for a loop.

Anyway those are not your ip addresses.  Did you create a routing rule under NETWORK > ROUTING?

I tried looking in the manual but I think I have an outdated manual becuase some of the features and screenshots are different.

Yes.


Exactly. The /16 allows you to supernet (CIDR is the actual term) various networks through a router.  It keeps the routing tables smaller.  Instead of keeping track of 256 networks 192.168.0.0/24-192.168.255.0/24 you keep track or one "supernet" 192.168.0.0/16.  Because if a router is just movints bits from one router to another it doesn't need to know that each network is seperate. 

This wikipedia page explains it well and simple. Pay attention to the IP/CIDR column and contrast it with the class column. http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#Prefix_aggregation (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#Prefix_aggregation)


Do I actually have to create a route?  ??? I thought that endian automatically took care of that.   I thought that was for routing through external routers (and doing things such as supernetting).  I'm tring to figure out if the terms allow it.  I'll give it a try and report back. Nope.


Make life easy on yourself. http://docs.endian.com/2.2/en/efw.index.html (http://docs.endian.com/2.2/en/efw.index.html)

Yipee!!! it worked :)  Now the next step is to try to see if we can control it.  Will report back.

After applying the update it worked and worked well.  . . . .  too well. It appears that it now applies the PortForward rules to the Blue interface as if it was another Red interface.  As well the Inter-Zone rules have only ALLOW effect, DENY has no effect.

This would be OK except that I would like to allow the Blue interface to also print to one of my printers on the Green interface and that will not work.

I may just have to go with the VPN in the end.

Source: Blue Destination: IPaddress of printer or <green> Port 9000 allow. Simple.

Hello,

i run into the same trouble with the inter-zone firewall within efw 2.2 community.
But surprising: it seems that any change to the rules works only after re-booting the efw!  ::)
just try it... does it work?

alex.

Believe it or not, I think you are right.  However I would like to do a bit more testing before I say that is the save all. I'll update soon.

Hi, I think I have a similar problem with v.2.3;

Green IP: 192.168.0.1
Blue IP: 192.168.1.1

Green PC´s can ping and conenct to Blue ones
Blue PC´s can surf the internet
Blue PC´s CANNOT access or ping Green ones...

In Inter-Zone firewall configuration I have:

1     BLUE     <ANY>     <ANY>      ALLOW      

also tryed BLUE to GREEN or Blue Interface to Green Interface... Rebooting etc. but nothing with success.

This post is pretty old now, I cannot imagine this being a BUG for so much time.... Please help.

Thanks.

    
"Blue zone cant access Green zone" - This is normal.

Blue is intended to be used for a wireless network and is UNTRUSTED.
Green is the TRUSTED network.

To allow access from Blue to Green you need to use Zone Pinholes

Thank you for the answer.

I know, actually I´m using an IPcop in this configuration, green for the lan and blue for some wifi stuff and some ´external´ computers that need to access some green ip´s. It is working with ´Blue Access´ and ´DMZ Pinholes´ but in endian that is controlled by the ´Inter-Zone firewall´.

I´ve created the rule above and some other tests without getting the computer at the blue side to see anything on the green, even disabling the entire inter-zone firewall didn´t change anything...  I have tryed this script ( kb.endian.com/entry/27 ) too equal without success.

Any idea what´s going wrong ?

Hi,

i got the same problem on my Endian 2.4.
I can't get traffic from Blue/Orange to Green.
I also tried this script hpwr mentioned without any success.

Does anyone got a solution for this problem?

Hello!

I had the same problem with endian 2.5.1, so I wanted to do was to give access from the blue zone to a port of a PC in the green zone. In my case, the problem was that I activated a Routing Policy for all pc's in the blue area, (all pc's will use the uplink2 for everything), so the pc's in the blue never going to reach the green. I solved the problem by disabling that policy routing.

Later I added specific routes for the lan and then added the policy I mentioned earlier.

For those who want to give full access (bad idea) from blue to green (ping, etc), just add the rule in the inter-zone module:(source) blue - (destination) green - (service) any - (policy) Allow
In my case it was unnecessary to disable the proxy, or restart the computer or do something else.

Can corroborate this in efw 2.5.1 testing with a newly installed system. In my case I used virtualbox.

Sorry for my English but I'm usually much better reading than writing  ;)

Greetings.