Can I suggest you start a new thread as this one is getting slow to load? You can put a post in this one linking to the new thread.

In the new thread please put your full current configuration - a network diagram with IP addresses, routing table, /etc/clearos/network.conf. Also review this thread and see if you've looked at everything suggested.

When you produce console output please copy and paste the text from the console and put it between "code" tags (the piece of paper icon with a <> on it) rather than doing screen dumps.

hi everyone,,, again

i am resuming this project after a lot of work i done for other projects,

Last time i said i would do some configuations with mi Switch, i stablish ip routes for backup server (ClearOS7) in case the main one have a power failure, that is the main goal here, but not the only one

I did it and doesnt work, after this failure, i proved to turn off the main server and set up the same internal ip, but now for the ClearOS server, just for testing purpose,,, and it doesnt work, i lose the acces to the server in local networ, i had to use another ISP to connect and recovery the access (i had acces in the external interface) by turning back to the original local IP, in the meantime nobody had internet, after that i am really sure the problem is not some config on the switch, it is something in ClearOS, the normal config is not working

So the questions are:

1) why if i change the ip in the same network, 192.168.18.13 for 192.168.18.250 after that i cant reach the server ? if i cant with that IP, no one in the LAN gonna doit

2) shoul i setup routes for the entire LAN to the external network ? like i did for the internal

3) Should i do some kind of nat for the internal interface ? how i can do it ?

4) Isnt the normal behavior for the gateway mode in ClearOS to serve internet for all the LAN without any extra configuration ?

thanks and regards.

Are your additional routes correct? Shouldn't they by via the Cisco IP and not the ClearOS LAN IP?

yes all the network is managed by Vlans, and i don´t try the new ip route yet, i was in a hurry because of wanacry alert protocol, and also another stuff with servers, but in a few day i will tell you how i was

regards

Are your additional routes correct? Shouldn't they by via the Cisco IP and not the ClearOS LAN IP?

Just a final thought. Is 192.168.18.0/24 a true LAN or a VLAN. If it is a VLAN then traffic in ClearOS may also have to carry the VLAN tag to get through the switch.

jeje, you are beginning to sound like me, you are getting an issue, a problem you do not begin and then ask for help ! because you have to handle with it

i didn't make the network structure, i we can´t reach to person who did it, but i am the one gonna handle for this, that is why i am not sure about a lot details, but all those, are issues than i must to solve

so thanks for your help, i really I appreciate it. now i going to try to add a new DNS server in the list of server, and i mean in the Switch, some thing like this;

what i have now
192.168.18.250 - Actual Server - settted in The PC´s
207.248.224.71 - ISP DNS1 - settted in The PC´s
207.248.224.72 - ISP DNS2 - not seted in The PC´s

what i gonna do
192.168.18.250 - Actual Server - settted in The PC´s
192.168.18.13 - ClearOS - going to set in The PC´s
207.248.224.71 - ISP DNS1 - not gonna seted in The PC´s
207.248.224.72 - ISP DNS2 - not gonna seted in The PC´s

that should work, but if is not, I have one last resource, i could try to add one more "IP Route", like this;

ip route 0.0.0.0 0.0.0.0 192.168.18.250 (Actual one)
ip route 0.0.0.0 0.0.0.0 192.168.18.13 (ClearOS)

i not sure if that posible, that is why i let it at the end, like i said is the last resource, i not feel good about do a riddle with our Switch, nobody in here is CCNA, and I didn't knew if i should try something with switch or if it was ClearOS the first thing to fix

so wish me luck, I'll let you know how I doit, you were really helpful, and thanks again

best regards

I am beginning to really struggle. I've never used VLAN's or L3 switches and have limited knowledge of VM's. You have quite a complex environment which is becoming more and more apparent. I am pretty much at a loss trying to diagnose this remotely. It sounds like something in your set up is not directing WAN traffic through ClearOS, so possibly your L3 switch. I suspect your DNS is still working, but you should be able to check that by doing a basic nslookup from a LAN client when the LAN client loses internet connectivity when you switch it to ClearOS.

Somewhere I think you need to sit back and thing about your network and all its configured routing and then work out what should be happening. You need to apply some routing knowledge to your problem. It should have been apparent as soon as you mentioned VLANs that somehow ClearOS would need to know about the VLANs either being configured on each of them or routed to each of them. As you have an advanced network set up, do you not have someone with relatively basic networking troubleshooting knowledge?

About the gateway, each Vlan we have has a 192.168.*.254 ip like a gateway (in all the PC´s), all of them are working fine, and for the Main Gateway from our ISP we have 201.163.39.86

our publics IP are from 201.163.39.81 to 201.163.39.85
Main Gateway is 201.163.39.86
DNS by ISP 207.248.224.71 207.248.224.72

i expect this could be helpfull for you?

and about ClearOS to act as a firewall, ok maybe you are right, i am confusing all of you guys and i am sorry about that but it is only because i wont use ClearOS for replace the Entire infrastructure from Sophos at the same time, (even me wasnt clear about that) at least it is not what we whant by now, it look risky for us, so we need to doit step by step if is posible in that way

i am not that good servers manager, neither an expert in all this issues, so we need to try the server one function at a time, again if is posible in that way

thanks and regards

PD: i am reading about "hidden trusted gateway mode"

I've deleted your duplicate post (the one with the fewer images.

Note if you use PuTTy as a terminal, if you select text with the mouse, it is automatically copied to the clipboard and you can paste it between code tags in the forum. Right-clicking in PuTTy, pastes.

Now back on topic. Your set up looks reasonable. Your client is picking up ClearOS as its DNS server, but I've no idea about its gateway which looks off as it does not match any of your VLANS. Is it correct?

I'd still prefer it if you used public DNS servers, but if those DNS servers belong to the ISP of your Primary WAN you should be OK until your back up line comes into play when your DNS look up times will go right up or fail completely.

I am not totally sure you can reach your primary goal if you don't want ClearOS to act as a firewall which I don't think you stated before yesterday. That would require the hidden trustedgateway mode. There is a little documentation on it in the HowTo's, I think.

this pictures can show you what i get;
when i am going to setup the DNS
and what i get from ipconfig /all from a pc lan

my two nics are ens192 is the Main ISP (100 Mbit), internet service for whole network, and ens224 is a backup internet service (10 Mbit), this one is only for the 3 more important vlan. and i won't use ClearOS like a DHCP server

about use ClearOS like a DHCP server, NO i won't use ClearOS like a DHCP server, for that job i have a cisco switch L3 catalyst-3750

I'm sorry if I'm not as clear as I should but I assumed that ClearOS could do things that Sophos does very simply, and I just asked for the things I was not understanding, which I can now see are more than I thought

thanks and regards

How have you configured your WAN DNS servers? Are they automatic (by DHCP or PPPoE) or manually configured. Note that in a MultiWAN environment it it better to configure your DNS servers manually to a public DNS service (e.g. OpenDNS or GoogleDNS)?

What is the contents of /etc/resolv-peerdns.conf, and /etc/sysconfig/network-scripts/ifcfg-ensXXX where ensXXX are your two WAN interfaces (your posts are inconsistent so I don't know which are WAN).

Is ClearOS your DHCP server? If so, have you configured ClearOS to hand out its own LAN IP as DNS server and gateway? What is the contents of /etc/dnsmasq.d/dhcp.conf?

From a LAN PC, what is the output of "ipconfig /all"?

ok, it work fine, finally, but i had to set up all the vlans in that file route-ens256, because i need all the vlans can reach the server, and now i can configure the server from any vlan, that´s fine, we got one of the goals

example of what i did in the file route-ens256;
192.168.1.0/24 via 192.168.18.13
192.168.2.0/24 via 192.168.18.13
192.168.3.0/24 via 192.168.18.13

but now, the other problem,,,, why i cant use this server like DNS server ?

I configured the DNS in one machine (that one can do ping to the server) apointing to the server (the server can do speedtest with good results), that PC does still have internet service but i does by the old server

if i try "whatismyip" in that PC, it keep giving my the old one, and when i quit all the config´s in the old server, only for that vlan, i lose the service

so, by now i must setup the old server so the vlan can surf,,, did i do something wrong?


Please remember the prime goal

i want to receive the internet service in transparent mode, i wont any security or firewall rules, just have internet service and then, and only then, set the old firewall for do the security not Handle the Internet (i know that's gonna be by me)

thaks and best regards.

No you cannot do it with the webconfig. Nano will do it but is not the easiest. If you can get hold of WinSCP and install it on a PC on your 192.168.18.x subnet, you'll find it much easier. It is a graphical file manager and comes with a text editor. At the same time, for a remote console use PuTTy. Both tools are free. If your LAN machines are Linux, use Midnight Commander as a file manager and ssh for a remote console.

My comment about /etc/clearos/network.conf refers to the instructions in the link in your previous post. Link

ok, thanks for your answer but, i dont get it !, please remember my english is not that good as yours, also i am not that good with Linux console

i dont understand why you are mention "etc/clearos/network.conf" it is not the place were i am in the console !, as you can see in the picture, i cant find the file i have to modify, so the question is: is that normal ? and should i create it with nano? I thought it is going to be already there !

and i keep my previous question , can i do all this with the webconfig ?

thanks and regard

From your link, you need to create the file /etc/sysconfig/network-scripts/route-ens256. You need to route the other VLAN traffic via the switch IP address.

I don't see the point to the change to /etc/clearos/network.conf. It does nothing to the firewall. The only thing I know it to do is make those subnets available through OpenVPN.

you were right about user credential app, i can go to the dashboard now, thank´s for that

and for all instructions for setup "routes" , can i do all that by the webadmin ? if it is a "Source-based Routes" it doesnt work

in this manual
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_bestpractices_managing_static_routes

i can´t find the mencioned file, every i have is this (Pic)

thank´s and regards

Luis Alberto Apodaca wrote:

in the same vlan i have ping and i can reach the webadmin, but i just realized i cant go to the dashboard it can only show me the app for change the password and i can not be able to go any other place in the server .......

That sounds like you are logging into the webconfig with User credentials. If you log in as root then you should see the full web config.

If your other VLANS are on different subnets, you'll have to set up routes to them in ClearOS. You can either manipulate the routing table using "route add..." or "ip route add ...." which may be needed after each firewall or network restart, or you can use the method in this HowTo.

It looks like you are nearly there.

in the same vlan i have ping and i can reach the webadmin, but i just realized i cant go to the dashboard it can only show me the app for change the password and i can not be able to go any other place in the server, i dont know if this is some from the same issue or is another.

when i am in other vlans it should have a conection because i am Passing through a layer 3 cisco switch with an access-list, I am able to do ping from any Vlan to any server, and it actually the access-list works fine with sophos (the server i need replace) or any other server, but not with ClearOS i dont have ping or webadmin page

that´s from the any machine to the server, for from the server to a machine i have this result (picture below)

so, is there 2 problems or is the same? i am lost !

thanks in advance and best regards.

That is fine and a good result. It was checking to see if another device had the same IP address. No reply means you are OK.

Can you answer Duncan's earlier question:

When trying to ping the server from another machine on the LAN what is the output of ipconfig /all (Windows) or ifconfig -a (Linux)

i dont know if that is a correct result or is just doing nothing, the picture can´it show the blinking cursor, but it is there, just blinking

is there something else i should do ?

Hi Duncan,

I think his WAN is OK; it is just the LAN.

Can you try the following from the console:

arping  -I ens256 192.168.18.13

Ctl+C to finish. You should not get any replies. Note that -I is an upper case "i" and not a lower case "L".

I will certainly try, but I have never run COS in a VM!

Can you try these commands on the COS server

ping 8.8.8.8

ping google.com

traceroute 8.8.8.8

On a Windows client can you show the network settings

actually yes, mi Server it should be a vm, that´s why im trying in a Hypervisor ESXii 6.0 / Vsphere Client , and the vm especification´s are

HD: 100 GB
Ram: 10 GB
CPU: 2 (4 cores)
Ethernet :3 Nic

if you can help me with the linux console for solve the config issue, i could be great !

thank´s in advance

Is your final deployment of ClearOS going to be a physial server? If not then we will have to try and get VM working

not a VM !!!,,, ok, i'm sure i can, but work with a Physical Server it is not the idea, i will do it just for a necessary test !

i can only say it will take a long time, because i don´t have a pc right now, and i have a lot of work, please be patient with me

thank´s in advance and best regards

Sure - is there anyway you can install on a physical server (not VM)?

Hi Duncan

can we please reasume this ?

Hi Nick

Thought did cross my mind - I have never used COS in a VM either

I am wondering if this is a VM configuration issue, but I don't really do VM's.

Routing on the server looks ok. I presume ens256 is the interface you are pointing client systems to as the gateway (192.168.18.13)

What is the gateway that clients are given? Do you have any Linux clients? If not can you set a Windows client to use 192.168.18.13 as the gateway

so ip 192.168.18.XX
subnet mask 255.255.255.0
gateway 192.168.18.13

then on the client

tracert 8.8.8.8

sorry for the delay but we are on vacations until day 24, we are a school in México it been holy days for us

thanks for help, and would you help me with the console commands for solve this, in pictures i can show you what i think is a disaster with gateway´s and mask´s, i am not good with linux console, please help

thanks in advance and regards

Duncan Colhoun wrote:

Now that you are in the shell can you do

ifconfig -a

and

route -n

Now that you are in the shell can you do

ifconfig -a

and

route -n

Luis Alberto Apodaca wrote:

sorry, i just found the way to the shell after i send to you the last quote, i let you a pic with the result of the test

no thing , they have not ping response, everyone lost internet when we made the change, they have no response to the gateway, i am pretty sure that because i cant reach the internal lan !

i don't want to use the server like a DHCP server, because i do that function on my cisco Switch layer 3 catalyst 3750

do you think i should watch the config in the switch we have, if that the case, why it is working with sophos and not with ClearOS, we are only changing the ip for it , and its the same !

and finally, how or where can i found the shell in the server for do a test like you request ?

/sbin/sysctl net.ipv4.ip_forward

Duncan Colhoun wrote:

Hi

What is the output of this if run on the COS server?

/sbin/sysctl net.ipv4.ip_forward

When trying to ping the server from another machine on the LAN what is the output of ipconfig /all (Windows) or ifconfig -a (Linux)

Do clients get ip from DHCP on ClearOS?

no thing , they have not ping response, everyone lost internet when we made the change, they have no response to the gateway, i am pretty sure that because i cant reach the internal lan !

i don't want to use the server like a DHCP server, because i do that function on my cisco Switch layer 3 catalyst 3750

do you think i should watch the config in the switch we have, if that the case, why it is working with sophos and not with ClearOS, we are only changing the ip for it , and its the same !

and finally, how or where can i found the shell in the server for do a test like you request ?

/sbin/sysctl net.ipv4.ip_forward

Duncan Colhoun wrote:

Hi

What is the output of this if run on the COS server?

/sbin/sysctl net.ipv4.ip_forward

When trying to ping the server from another machine on the LAN what is the output of ipconfig /all (Windows) or ifconfig -a (Linux)

Do clients get ip from DHCP on ClearOS?

Hi

What is the output of this if run on the COS server?

/sbin/sysctl net.ipv4.ip_forward

When trying to ping the server from another machine on the LAN what is the output of ipconfig /all (Windows) or ifconfig -a (Linux) on the client

Do clients get ip from DHCP on ClearOS?

hi, and thanks for your answer

here i let you a bunch of pictures in those you can see what exactly i have in the net config.

all the nic for ISP have a correct config and they can surf internet, the main one nic (for me) it is the internal, that´s how i want to handle the server, if is posible, and also i have no ping result for this nic

but the big problem is when i change the ip addres in the internal for set the IP for the gateway, no thing happen, the only result is we haven't internet, right now is 192.168.18.13, with no gateway and i cant reach it by ping

for the server it should be 192.168.18.250, that particular one is the IP which should be configured in the entire LAN all mi devices in the LAN have that ip

i can´t set it up right now because the sophos server i want to quit using is still running (we are in labour hour´s), so i need to made the change´s, if there one i should, i will doit after noon

so if you can see something wrong please let me know and i will made the changes !

thanks in advance and best regards.

What is shown above the IP settings?

You should have DNS and Settings .

Under settings you should be able to set gateway mode. Gateway means COS will route data from internal LAN address to external addresses