Hi
I currently have adsl modem/router at home with fixed external IP. It has 4 LAN ports in the back which I use to hardwire to other parts of the house including my office. It also provides WiFi to our phones and tablets and security cameras and doorbell.
I’d bought clearos home essentials and I have a mini pc with 2 nics. I’d like to introduce clearos into my network as a gateway so that everything goes through it, including the WiFi traffic.
Current network is 192.168.1.0/24 with DHCP provided by the router. I’d like to have DHCP to the clients provided by the gateway once installed.
Would I be right in saying the following:
I would need to unplug all current connections to the LAN ports in the router
I would plug an Ethernet cable into one of the LAN ports in the router and the other end into one of the nics (let’s call it nic1) on my mini pc
I would plug a switch into the other nic (let’s call it nic2) on my mini pc using another Ethernet cable and that would be where I would then plug all the connections that used to go into the router
I would configure then configure IP address (static) of the mini pc machine to be something like 192.168.1.253 (the adsl router is currently 192.168.1.254)
I would set the default gateway of the mini pc to be the IP address of the router (192.168.1.254).
I would configure nic2 as a different network, say 10.1.1.0/24 and configure that to run DHCP server and the gateway to be 192.168.1.253 (this bit I’m not sure about!)
I would turn off WiFi and DHCP on the adsl router
I would need to buy a Wireless access point to plug into the switch on nic2 in order to provide WiFi on the 10.1.1.0 range
If I’m somewhere near correct with the above, would I then be able to see the bandwidth being used by each of the devices on the 10.1.1.0 network including WiFi devices? Would I also be able to grant and revoke access to the internet for specific devices at different times?
I’m really sorry to ask so many questions but appreciate any advice you can give to help with this setup.
Thanks very much in anticipation,
Bryn
I currently have adsl modem/router at home with fixed external IP. It has 4 LAN ports in the back which I use to hardwire to other parts of the house including my office. It also provides WiFi to our phones and tablets and security cameras and doorbell.
I’d bought clearos home essentials and I have a mini pc with 2 nics. I’d like to introduce clearos into my network as a gateway so that everything goes through it, including the WiFi traffic.
Current network is 192.168.1.0/24 with DHCP provided by the router. I’d like to have DHCP to the clients provided by the gateway once installed.
Would I be right in saying the following:
I would need to unplug all current connections to the LAN ports in the router
I would plug an Ethernet cable into one of the LAN ports in the router and the other end into one of the nics (let’s call it nic1) on my mini pc
I would plug a switch into the other nic (let’s call it nic2) on my mini pc using another Ethernet cable and that would be where I would then plug all the connections that used to go into the router
I would configure then configure IP address (static) of the mini pc machine to be something like 192.168.1.253 (the adsl router is currently 192.168.1.254)
I would set the default gateway of the mini pc to be the IP address of the router (192.168.1.254).
I would configure nic2 as a different network, say 10.1.1.0/24 and configure that to run DHCP server and the gateway to be 192.168.1.253 (this bit I’m not sure about!)
I would turn off WiFi and DHCP on the adsl router
I would need to buy a Wireless access point to plug into the switch on nic2 in order to provide WiFi on the 10.1.1.0 range
If I’m somewhere near correct with the above, would I then be able to see the bandwidth being used by each of the devices on the 10.1.1.0 network including WiFi devices? Would I also be able to grant and revoke access to the internet for specific devices at different times?
I’m really sorry to ask so many questions but appreciate any advice you can give to help with this setup.
Thanks very much in anticipation,
Bryn
In Hardware
Share this post:
Responses (42)
-
Accepted Answer
The server is: Compaq Proliant DL380-G2, Pentium III 1133Mhz/32bit, does not support x64 architecture. So I'm not going to spend money for something else than upgrade RAM on it which is only 768Mb (6X128). I need some simple thinks from it, so I want to try with "what I have".
I'll go on trying different distros, and clearOS versions, because long time ago -before a SCSI disk failure- having ClearOS on it, which version don't remember, everything was working perfect.
So now I must find which one wes that, or seting up a distro to cover MY needs, not it's needs.
As of all those keep on trying....... -
Accepted Answer
Modem Mode continued... I would suggest replacing the Plusnet router with one that can do Modem Mode. People suggest an HG612 off ebay or a Draytek 130
https://community.plus.net/t5/My-Router/Using-Hub-One-as-a-modem-only/td-p/1606699 -
Accepted Answer
Wayland Sothcott wrote:
You said your Prolient server is only 32 bit. I am surprised by that and I would double check the model to see if it was 64 bit. 64 bit x86 CPUs became common in 2005 and they have all been 64 bit since 2008.
You've obviously not looked at the picture of his proposed network where he identifies the model of the server! If you had, and checked the spec, you'd know that it's a P3 1.13GHz machine ...
and re: post about modem mode .. his OP indicates that he has ADSL - the equivalent for one of those routers is Bridge Mode - which may not be supported by the router provided by his ISP. -
Accepted Answer
-
Accepted Answer
You said your Prolient server is only 32 bit. I am surprised by that and I would double check the model to see if it was 64 bit. 64 bit x86 CPUs became common in 2005 and they have all been 64 bit since 2008. Getting a 64 bit server would open up a much larger and newer range of options. Newer means more support. -
Accepted Answer
Mr Wayland Sothcott, as I wrote in older posts, the problem almost solved exept the part filtering. Trying to enter by ssh and modify-add dansguardian-av blacklists, had no luck as it could not start up. So the problem is in configuration of the blacklists and phraselists that cannot be added manual, at last for me.
All that you describe are VERY USEFULL, these are some modes that had never thought.
Also, the truth is -as I've posted- that cannot really protect the today children from pornography, because there are plenty of other methods for access. But is a good protection against FULL ACCESS to these sites, and from other stuff.
Anyway, I started it as an easy way to setup a server for multiple needs, but became so difficult and time consuming that thinking about stop giving more time.
Now I'm gonna try some thinks when I have free time, by installing different versions of ClearOS or even ClarkConnect, and upgrading to newer version after installation of dansguardian blacklists.
I'lll be back time to time if having good results.
Anyway thank you very much, and I don't forget your suggestions. -
Accepted Answer
MODEM MODE
I would check your ISP wireless router to see if it has MODEM MODE. This gets rid of it's LAN side and puts the public IP as DHCP on what was the LAN side. When this is plugged into the Internet side of ClearOS it picks up the public IP via DHCP which is what you really want. Also the WiFi and firewall on the router gets switched off. ClearOS should be the only thing plugged into the ISP router. Virgin routers have this and I think Sky and other ISPs.
As for Internet security and children your first job should be to talk to them. The 2nd thing might be to have everything wired and no WiFi. No computers in bed rooms, no smart phones. Finally, what is it you're protecting them from? -
Accepted Answer
7.x should work as well as 6.x. The version of squid is newer. The only real issue could be that 6.x has a 32-bit version. Note ClearOS 6.x has not had an update since the summer of '19 and so is vulnerable to things like Spectre and Mitre. Centos6 went end of life last year should also not really be used. Content filtration on 6.x and 7.x should be just about identical.
This is a bad plug. If you are that concerned about the kids, give them all ClearPHONEs on a family plan. You can set their phones up so you can control the Gateway Management on their phones. It is not a cheap solution, and I have not tried this aspect of the ClearPHONE. -
Accepted Answer
I'm afraid that you're right. Children can find ways for that stuff if they try, so it's a bit useless the whole project.
Anyway, I must give up as any changes in configuration files of dansguardian as in lists, hungs up the service IF it supposed that works after modifying or adding blacklists.
I'm very dissapointed with ClearOS, at last with this edition because in the past an older one I think the 6.3 was working "from the box". Thinking just for personal satisfaction to give a try in an older edition by stoping updates to check if it will work.
Otherwise I'm going to setup a CentOS 6.x with manual installation of squid, dansguardian or other content filter, and webmin for having gui control.
Thanks everybody for advices and help. -
Accepted Answer
Nick Howitt wrote:
Note that this will not stop apps which use DoH/Secure DNS, so Safari at least on an iPad (and perhaps all iOS, not just Safari),
To be brutally frank though, it's pretty pointless trying to block anything from 13+ year olds anyway as they'll be intelligent enough to turn their phones into hotspot mode and connect via 3/4G if they really want to. The only real benefit of any content filtering is to block unwanted stuff from the home network that gets in via webpage redirects. -
Accepted Answer
Thanks both for your advices. The online gaming is a big problem, as my kids are 17,15,13 and 11 y.o. So there are plenty of different needs.
Also ClearOS is my favorite distro, and I'd like to working on fixing it. And it is easy enough for installation with many ways, and has a lot of progs that I can use in my home network.
I'll not give up yet, now I'm trying to configure dansguardian-av banned url/domain lists, and after that I suppose it can do the job.
Very difficult for me to read in English (translation is not solution) the online documentation for updating the lists, and going on slowly.
Anyway, I'll do my best, because I'm not a pro but self-learning.
Thanks again, and if you know any online help for updating dansguardian engine in ClearOS, it's welcome. -
Accepted Answer
The Family Shield won't double NAT and is a pure DNS filtering service. You don't need to register, unless you want to adjust any settings. If you do, register and also, if you have a dynamic IP, install and configure ddclient to update OpenDNS with your IP, directly or via DNS-O-Matic.
Note that this will not stop apps which use DoH/Secure DNS, so Safari at least on an iPad (and perhaps all iOS, not just Safari), Firefox (unless you do a specific DNS set up on your DNS server), AVG (which then ripples through onto all apps as it hijacks you DNS lookups for the whole device if you have DoH enabled in it) and who knows which other apps. DoH is a real PITA for DNS filtering solutions. -
Accepted Answer
There is potentially a much simpler (free) solution to your problem ..
https://www.opendns.com/home-internet-security/
Setup a consumer account, configure the Family Shield, set the ClearOS DNS service to point to the OpenDNS servers, and the content blocking is all taken care of for you.
Of course, using this option will also stop you accessing adult material unless you bypass the setup by connecting to the WiFi on the WAN side of the COS box (and thereby bypassing the OpenDNS lookups specified by the COS box).
Be aware though, that you also run the risk of double NAT - no idea how old your kids are, but if they are playing online games (eg XBox/Playstation), you might run into problems. -
Accepted Answer
I'm afraid I don't know the details of how the content filter works. I know we sell content filter updates.
Unfortunately you can't run ClearOS 7 or I'd have suggested trying Gateway Management. Some of what GM does is leverage OpenDNS's filtering and you could do that by changing your upstream resolvers to OpenDNS, but then various products seem to want to bypass that by doing their own DNS lookups by https (DoH) to their own servers. AVG does that. So does Firefox and, I think, iOS (iPad, iPhone). I know GM in the paid version stops Firefox from doing it. It may do the same in the free version. I don't know what other tricks there are. I also don't know which other apps now do DoH. -
Accepted Answer
Here again with GOOD NEWS and BAD NEWS.
Installed ClearOS 6.7 wich got updated to 6.10.
First the good:
For testing the all project without loosing home internet connection, set:
-On Eth1 of main Modem-Router with Internet Access (192.168.1.1) the home LAN through an Unmanaged Switch.
-On Eth2 the ClearOS-Server's Eth0 (the server's external), and on server's Eth1 (LAN) a second old modem/router as AP.
-Set ClearOS to act as gateway in non-transparent/user-authentication mode, with the two NIC's:
-Hostname: xxxxxxxx.lan
-Domain (don't really have one): network.xxxxxxxx.lan
-At IP tab: Eth0: External 192.168.1.111 / 255.255.255.0 / Gateway 192.168.1.1 (is the main modem/router's internal static IP) DHCP=off.
Eth1: LAN 192.168.2.1 / 255.255.255.0 / DHCP=on.
DNS servers: 192.168.1.1, 8.8.8.8.
-At DNS tab:
DNS: 192.168.2.1
-2nd modem/router as AP with IP 192.168.2.2 / 255.255.255.0 / DHCP=of, set NO DNS.
All WORKED, having internet access with browser PROXY been set to 192.168.2.1 port 8080.
Now the bad:
By seraching with google the word "porn", listed A LOT of sites, SOME OF THEM could be opened, and SOME COULD NOT, displaying the server's known message!!!!!
Connected by ssh, added at "/pornography/weighted" the "<porn><0>" and restarting dansguardian-av gave NO CHANGE.
So, I suppose the main problem now is how to upgrade the lists??????
Any suggestion please, so that after all this job put it on home-LAN for children protection?????
Thanks again for listening with so patience and of course for all help. -
Accepted Answer
You know that a small "-" in code, blowed up a NASA's space program. I'm thinking this and continue trying.
Well, by time the only option is PXE, because server supports boot only floppy 1.44Mb and CD-ROM which is off, no USB for boot.
Tried just before 5' to install 6.7 and while downloading packages, gave an error for perl package, so I left the installation by time and try again later.
You see my server is old, also I want to do thinks with everything I have, not going on this allways update for Software and Hardware. My needs are very few and I preffer to give old hardware some changes to stay alive.
Anyway, I'll try to install if not 6.7 then 6.3 edition, and make the upgrade after.
Coming back ..........I'm sure about that, either for good news neither for ........... -
Accepted Answer
-
Accepted Answer
-
Accepted Answer
-
Accepted Answer
So, after update to 6.10, lost connection at all. No laptop, no AP, cannot see anything even thought no network changes.
I am going to try a clean installation of 6.10 to verify that there's no possible package update conflicts.
Thought that had finished but I have a lot of job to do.
My biggest difficalty is that server's cdrom does not work propperly and have to do all by a PXE server running somewhere.
I'm going on this today, finally hope to GOOD LUCK!!! -
Accepted Answer
As far as ClearOS is concerned, all distros on a single machine should appear the same as all it really sees is the MAC address and IP address of the client. Is there a BIOS update available for the laptop?
Also, please upgrade 6.3 to 6.10. It should happen automatically over a couple of nights but you should be able to force it manually. From the command line, try:
If it throws any errors, please post backyum update app-base
yum update -
Accepted Answer
NOW, I'm gonna get crazy. Setup everything with COS 6.3, and before installing any more software as content filtering, tried to check all.
SO, finally every device in LAN either wired nor by Router/AccessPoint worked fine........EXEPT my Debian laptop.
I can connect to above AP but no internet, even if I set manual connection settings .
Tried by booting from USB to SUSE-Live, MXLinux, Debian-Live but no luck. Then booted from BunsenLabs ......SUCCESS!!!!!!
Now I'm going crazy.....
Start searching everything because probably something blocks laptop NIC to go on internet. We'll see.....think I have a lot of pain with this. -
Accepted Answer
Thank you very much. That's what I want to do, all LAN devices getting address from DHCP on ClearOS server.
About your questions, if I understant you mean server's disks. Server is a proliant with 6X72.8 SCSI disks in RAID-5, so there's a usable space of about 200Gb.
The internet speed is not high, I tested a speed about 15Mbps, and unfortunetely because I live in a village, there's no way to upgrade, at last not yet.
Well I'm getting on setup and hope all go on the right way with no problems, I'll inform you about. -
Accepted Answer
-
Accepted Answer
Thanks a lot. The reason for all this, is that I want ClearOS on server to do all job, SPECIALLY Web Content Filtering for children protection, sharing some files to LAN only, and acting as cache for making browsing faster. I'm not an expert, so I have difiicalties for giving the propper settings in hardware so that LAN's do not bypass ClearOS.
So I'll do:
1. Modem-Router which is connecting to internet via ISP provider: Static IP 192.168.1.1/255.255.255.0/DNS 192.168.1.1, 8.8.8.8
2. ClearOS server Eth0 (external): Static 192.168.1.10/255.255.255.0/DNS 192.168.1.1, 8.8.8.8/ DHCP=off
3. ClearOS server Eth1 (LAN):Static 10.10.1.1/255.255.255.0/ DHCP=on.
4. Router/AccessPoint: Static 10.10.1.2/255.255.255.0/Gateway 10.10.1.1/DNS 10.10.1.1, DHCP=of
All other LAN devices to be set by using 10.10.1.1 DNS, and if I do all with static addresses then Gateway 10.10.1.1.
Am I correct? -
Accepted Answer
Ouch. 6.10 went out of life in the summer of 2019 so has had no security updates since then.
For the external DNS (the one you get in the IP Settings screen), set it to 192.168.1.1 if you want to use your modem/router or 8.8.8.8 and 8.8.4.4 if you want to use Google directly. I am not sure there is much point using your router as it will just use its upstream servers that it is configured with and just adds one more level of caching.
In the ClearOS DHCP server, set the DNS server to 10.10.1.1. (the ClearOS LAN interface). Do the same for the AP. Do not use 127.0.0.1 or it won't work. You can use the modem directly but it will then bypass ClearOS which does not seem so sensible.
The AP/router should be in AP mode. If it does not have an AP mode, give its LAN a static IP in the ClearOS LAN range (but outside its DHCP scope). 10.10.1.2 should be fine. Then disable its DHCP server and connect one of its LAN ports to the ClearOS LAN. As the AP is in AP mode, the DNS settings will only affect the AP and not the devices connected to it which should be getting their settings by DHCP straight from ClearOS. -
Accepted Answer
OK, first I need 32bit OS for proliant server, because it's to old. So the only solution is 6.x version.
Then I cannot understant how to setup DNS on ClearOS server. Should I set it to modem-router IP 192.168.1.1, to server's EXT IP which is 192.168.1.2, or 127.0.0.1.
I'm very confused with this. Also what should be the DNS for Acces Point? Should it be 127.0.0.1, 10.10.1.1 or 192.168.1.1? -
Accepted Answer
-
Accepted Answer
Generally better to start a new thread than bump a 3 year old one.
The set up you want is pretty simple. I am not sure why you have ClearOS 6.x as it went End of Life nearly 2 years ago. Current is 7.x.
If you have can, see if you can get your modem/router into bridge mode to ClearOS gets the public WAN IP. The main thing you will have to do is configure all your devices to use the proxy on port 8080 or set up WPAD and have all your LAN devices auto-detect the proxy settings.
How fast is your line speed? The proxy/content filter is very resource intensive and the ClearOS preferred solution is Gateway Management. The proxy is probably best run without the disk cache enabled unless you disk speed is ~20x greater than your line speed. It is the default setting in 7.x and is configurable through the webconfig in 7.x. In 6.x the default is enabled and it is not configurable through the webconfig. Check the app documentation for how to enable/disable it. -
Accepted Answer
Please, trying to do almost the same in my home network, so I'm sending a photo how I make the setup. I want the ClearOS server to act in Gateway mode/non-transparent, no user authenticaton/web proxy/content filtering.
Are my settings correct, and if no what should I change so that all local traffic pass through ClearOS?
Thank youAttachments:
-
-
Accepted Answer
I think the closest you can get to it is the Network Visualiser report but It may not give you what you want. I've never really looked at that side of monitoring. I can't remember which utility it uses underneath. I'll post back if I remember. Perhaps it will have some command line reporting underneath. -
Accepted Answer
Hi Nick
Just wanted to let you know I got my Google WiFi device through and now I've got everything connected up lovely. It's working great through ClearOS as the gateway. Even my sons who do gaming on their PC and Xbox haven't noticed any difference in speed. I thought they would to be honest, but they haven't so that cool.
The only thing I'm missing now which I'd really like if it's possible to do is to have a bandwidth breakdown report broken down by each device on the network. I have the Bandwidth report that shows it by NIC on the gateway server, but is it possible to get one that is broken down deeper so I can see which devices are using the bandwidth?
Thanks for all your help on this, you've been a massive help.
Kind regards
Bryn -
Accepted Answer
-
Accepted Answer
-
Accepted Answer
Looking at the PlusNet forum for "hub one bridge mode", it looks like it can't be put into bridge mode. The suggestions are to possibly get hold of a VDSL modem or modem/router. You can then turn your Hub One into a WAP. You may find some old Openreach ones on the cheap where people have replaced them with better wireless routers. -
Accepted Answer
-
Accepted Answer
Moving the modem subnet is not so important, but the issue with the 192.168.0.0/24 and 192.168.1.0/24 is that with VPN's it is important to have different subnets at each end of the VPN an those two are the most common ones in domestic routers. If you have the same subnet at both ends you can make a connection but no traffic will pass. In your case it is not so important because it only really becomes an issue if you use something like OpenVPN to VPN into your server then want to try to mange the modem remotely. There are other routing issues you'd have to sort before you could manage the modem anyway. It is more key if you have an IPsec VPN and the remote end is on the same subnet as the modem. Then you will not be able to communicate with one or the other (the modem, I think).
There is a secondary issue, also very unlikely with your set up but much more likely with one of those subnets on your LAN. If you use something like a router as a WAP it will often be pre-configured with a LAN IP of 192.168.0.1 or 192.168.1.1. If you connect it to your LAN and forget to change it first, it can randomly (or permanently) bring your LAN down with a duplicate IP and it is a pain to diagnose. Also if you forget to disable the DHCP server in the WAP depending on which device responds further a device can get its IP from either the WAP or ClearOS and it will look valid, but it could easily get duplicated as neither WAP not ClearOS know the IP's the other device has handed out.
Ultimately it is not so important in your configuration.
What is your modem/router? -
Accepted Answer
Thanks again Nick. Yep, you're right, the DHCP range does start at .100 so I'll update my diagram (not that I really need the diagram). Also, yep, good idea to put printer on reservation or static outside of DHCP range. I couldn't quite remember how WAP's worked so as you've said, I'll configure that separately.
I've tested putting switch in to enp2s0 and my mac into the switch and all is working nicely so very pleased. What is the reason for moving the modem/router onto a 192.168.2 network please?
I've had a look at the advanced settings on my modem/router and can't see a bridging mode at the moment but will take another look tomorrow. -
Accepted Answer
More or less. I suggest you move the Router subnet to something different.
If you run the default ClearOS DHCP server it will start at .100 but you can change it. I like to leave a few low numbers for truly static IP's - the ones you have to configure in the device itself. ClearOS also leaves .80-.99 free for the PPTP VPN server, if you ever plan on using it (try to avoid for security reasons, OpenVPN is better), but it is configurable. You can use the DHCP server to serve IP's out if it's normal range by using Static Leases which can be anywhere, inside or outside the DHCP range.
It is very unlikely your WAP will have a DHCP client so will need to be configured in *its own settings* with a static IP, so I'd give it a .2 or .254 address. Remember its LAN ports are also usable as a switch and don't use its WAN port. It will have a DHCP server if it is a re-purposed router and it must be turned off.
If your device on .2 is something like a printer, I'd try to give it a static lease in ClearOS outside DHCP scope but it does not matter too much. You really don't want it to change its address randomly.
Longer term, when it is running, you want to switch your ADSL Modem/Router to bridge mode and the ClearOS WAN to PPPoE. Although all the modem LAN IP settings will disappear you should still be able to access the modem by its LAN IP
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »