Running ClearOS 7 Community Edition.
Network Setup:
Interface    Role      Type    Address           Link
eno16780032  LAN       Static  10.6.10.31/24     Yes
eno33559296  Hot LAN   Static  10.4.120.15/22    Yes
eno50338560  External  Static  [Public address]  Yes
systemctl status firewall.service results:
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running incoming denied rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running user-defined incoming rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running default incoming allowed rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running user-defined port forward rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running Masquerading
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Enabling NAT on WAN interface eno50338560
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running user-defined outgoing block rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running default forwarding rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Execution time: 0.048s
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us systemd[1]: Started ClearOS Firewall Engine.
Client in Hot LAN at address 10.4.120.13 with default gateway set to 10.4.120.15 and no proxy set works fine getting to the Internet.
Proxy set to Transparent Enabled, User Authentication disabled, proxy set to 10.4.120.15 at client; client can ping proxy OK.
Wireshark shows RST (reset) packets from the proxy during the TCP handshake and the proxy fails.
Proxy set to Transparent Disabled, User Authentication disabled, proxy set to 10.4.120.15 at client; client can ping proxy OK.
Wireshark still shows RST (reset) packets from the proxy during the TCP handshake and the proxy fails.
It feels like a simple configuration issue but I read the online docs and cannot find the error. Can anyone see the problem?
Thanks
Responses (14)

As an alternative solution, can you define both NICs as LAN and add your own firewall rules to isolate the two LANs? I am not sure what other firewall rules a HotLAN generates, but these can probably be done manually as well. My only concern would be that the proxy may allow you to bypass the firewall between the LANs.

If you don't want users to need passwords, turn off authentication in the proxy settings.
I'm afraid I can't really help with the proxy setting as it is not an app I use. I don't think the proxy is meant to work with the HotLAN, but I assume you can manually configure it by copying the settings from the normal LAN. Also check the firewall, especially the nat table ("iptables -nvL -t nat"), in case you need anything there.
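The nat-table check suggested in the reply above, as an added example that is not ClearOS code and not part of this thread. It assumes transparent proxying is implemented as a REDIRECT of tcp/80 in the nat PREROUTING chain keyed on the inbound interface (the real ClearOS rules may use other ports or chains; check the actual output). Pipe `iptables -t nat -S PREROUTING` into it with the interfaces that should be proxied as arguments; without input it runs on a constructed sample chain in which the LAN interface is redirected and the Hot LAN is not.

```python
"""Report LAN interfaces with no transparent-proxy REDIRECT rule.

Added example, not ClearOS code. Parses `iptables -t nat -S PREROUTING`
output and checks each named interface for a REDIRECT of tcp/80 to the
Squid port. The sample chain is constructed for illustration.
"""
import shlex
import sys

SQUID_PORT = 3128  # port Squid listens on in the posted squid.conf

# Constructed sample: the LAN interface is redirected, the Hot LAN is not.
SAMPLE_PREROUTING = """\
-P PREROUTING ACCEPT
-A PREROUTING -i eno16780032 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eno50338560 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.6.10.40:443
"""


def _options(rule):
    """Parse one `-A ...` rule into {flag: value}; bare flags map to True.

    A negated match (`! -i eth0`) is stored under the key '!-i' so it is
    never mistaken for a positive interface match.
    """
    toks = shlex.split(rule)
    opts, i, negate = {}, 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        key = ("!" if negate else "") + tok
        negate = False
        if i + 1 < len(toks) and not toks[i + 1].startswith("-") and toks[i + 1] != "!":
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def redirects(chain_text):
    """Return {in_interface: (dport, to_port)} for every REDIRECT rule."""
    found = {}
    for line in chain_text.splitlines():
        if not line.startswith("-A "):
            continue
        o = _options(line)
        if o.get("-j") != "REDIRECT" or "-i" not in o:
            continue
        dport = int(o.get("--dport", "0"))
        # --to-ports may be a range ("3128-3129"); take the first port
        to_port = int(str(o.get("--to-ports", "0")).partition("-")[0])
        found[o["-i"]] = (dport, to_port)
    return found


def unredirected(chain_text, interfaces, squid_port=SQUID_PORT):
    """Interfaces from `interfaces` lacking a tcp/80 REDIRECT to squid_port."""
    have = redirects(chain_text)
    return [i for i in interfaces if have.get(i) != (80, squid_port)]


if __name__ == "__main__":
    text = SAMPLE_PREROUTING if sys.stdin.isatty() else sys.stdin.read()
    wanted = sys.argv[1:] or ["eno16780032", "eno33559296"]
    for iface in unredirected(text, wanted):
        print(f"{iface}: no REDIRECT of tcp/80 to {SQUID_PORT}")
```

Usage on the box: `iptables -t nat -S PREROUTING | python3 check_redirect.py eno16780032 eno33559296`. A missing rule explains a failure only in transparent mode; with transparent mode off the client talks to port 3128 directly, so the listener address in `http_port` is what matters.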

Here is the squid.conf file:
cat squid.conf
#
# Authentication
#
include /etc/squid/squid_auth.conf
#
# Access control lists
#
# ClearOS LAN definitions (webconfig_lan and webconfig_to_lan) are generated automatically
include /etc/squid/squid_lans.conf
# ClearOS Web Access Control: access control lists
include /etc/squid/squid_acls.conf
acl SSL_ports port 443
acl SSL_ports port 81
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 81
acl Safe_ports port 82
acl Safe_ports port 83
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
# County subnets permitted
acl guestnet src 10.4.120.0/22
acl password proxy_auth REQUIRED
#
# Access permissions
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# User-defined whitelists
include /etc/squid/squid_whitelists.conf
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
# Access rules
http_access allow localhost
# County subnets permitted
http_access allow guestnet
# Windows update
http_access allow CONNECT wuCONNECT webconfig_lan
http_access allow windowsupdate webconfig_lan
# ClearOS Web Access Control: http_access settings
http_access allow webconfig_to_lan
include /etc/squid/squid_http_access.conf
http_access allow webconfig_lan
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
include /etc/squid/squid_http_port.conf
http_port 10.4.120.15:3128
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 10240 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Error handling
error_directory /var/clearos/web_proxy/errors
# Logging
access_log stdio:/var/log/squid/access.log squid
# X-Forwarding
follow_x_forwarded_for allow localhost
forwarded_for delete
# Shutdown time
shutdown_lifetime 10 seconds
# Sizes
maximum_object_size 512000 KB
reply_body_max_size none
# IPv4 only for now
dns_v4_first on
# eCAP configuration include
include /etc/squid/squid_ecap.conf
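The concern raised earlier in the thread, that the proxy could be a path around the firewall between the two LANs, can be checked against the order of the posted `http_access` lines. The following is an added example, not Squid or ClearOS code: a small evaluator of Squid's http_access semantics (every acl on a line must match, `!` negates, the first matching line decides, and when nothing matches the result is the opposite of the last line) applied to the evaluable subset of the posted rules. The included files, the manager rules and the dstdomain lists are omitted, so the outcome assumes nothing inside those includes denies the request; `localhost` and `all` are written out explicitly because Squid defines them built in; `dst` is matched on the IP the client asked for, whereas real Squid resolves the request host. Client and server addresses are constructed.

```python
"""Evaluate Squid http_access ordering for a Hot LAN -> LAN request.

Added example, not Squid or ClearOS code. Implements the subset of
http_access semantics needed here (src, dst, port and method acls,
AND within a line, first match wins, default is the opposite of the
last line) and compares the posted rule order with a hardened one.
"""
import ipaddress

COMMON_ACLS = """\
acl localhost src 127.0.0.1/32
acl all src 0.0.0.0/0
acl webconfig_lan src 10.6.10.0/24
acl webconfig_to_lan dst 10.6.10.0/24
acl guestnet src 10.4.120.0/22
acl Safe_ports port 80 21 443 1025-65535
"""

# Order as posted: `allow guestnet` comes before any destination check,
# so a Hot LAN client may ask the proxy for hosts on 10.6.10.0/24.
POSTED = COMMON_ACLS + """\
http_access deny !Safe_ports
http_access allow localhost
http_access allow guestnet
http_access allow webconfig_to_lan
http_access allow webconfig_lan
http_access deny all
"""

# Hardened order: deny guest -> LAN before granting guests anything.
HARDENED = COMMON_ACLS + """\
http_access deny !Safe_ports
http_access allow localhost
http_access deny guestnet webconfig_to_lan
http_access allow guestnet
http_access allow webconfig_to_lan
http_access allow webconfig_lan
http_access deny all
"""


class HttpAccess:
    def __init__(self, conf):
        self.acls = {}    # name -> (type, [values])
        self.rules = []   # (allow?, [(negated?, acl name), ...])
        for raw in conf.splitlines():
            parts = raw.split("#", 1)[0].split()
            if not parts:
                continue
            if parts[0] == "acl":
                name, typ, values = parts[1], parts[2], parts[3:]
                self.acls.setdefault(name, (typ, []))[1].extend(values)
            elif parts[0] == "http_access":
                terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
                self.rules.append((parts[1] == "allow", terms))

    def _match(self, name, req):
        typ, values = self.acls[name]
        if typ in ("src", "dst"):
            addr = ipaddress.ip_address(req[typ])
            return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
        if typ == "port":
            for v in values:
                lo, _, hi = v.partition("-")
                if int(lo) <= req["port"] <= int(hi or lo):
                    return True
            return False
        if typ == "method":
            return req.get("method", "GET") in values
        raise ValueError(f"acl type {typ!r} not supported by this example")

    def decide(self, req):
        """Return 'allow' or 'deny' for req = {src, dst, port[, method]}."""
        last = None
        for allow, terms in self.rules:
            last = allow
            if all(self._match(name, req) != negated for negated, name in terms):
                return "allow" if allow else "deny"
        return "deny" if last else "allow"   # no match: opposite of last line


def guest_to_lan_outcomes():
    """Decision of each rule set for a Hot LAN client targeting a LAN host."""
    req = {"src": "10.4.120.13", "dst": "10.6.10.5", "port": 80}
    return {"posted": HttpAccess(POSTED).decide(req),
            "hardened": HttpAccess(HARDENED).decide(req)}


if __name__ == "__main__":
    for name, outcome in guest_to_lan_outcomes().items():
        print(f"{name}: guest 10.4.120.13 -> 10.6.10.5:80 is {outcome}")
```

With the posted order a request from 10.4.120.13 for a host on 10.6.10.0/24 is allowed, and Squid then connects to that host from its own LAN address, so the firewall between the Hot LAN and the LAN is not consulted. Placing `http_access deny guestnet webconfig_to_lan` above `http_access allow guestnet` closes that path without changing what guests may reach on the Internet.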

File not attached. If not too long it is probably better to paste the contents between code tags.
If you're using Windows, for file management and editing, have a look at WinSCP and for a remote console, PuTTY. You can copy text from PuTTY just by selecting it with the mouse, and paste into it by right-clicking.

I found the http_port.conf file and it said:
# Created automatically based on network configuration
http_port localhost6:3128
http_port localhost4:3128
http_port 10.6.10.31:3128
I added http_port 10.4.120.15:3128 and changed my browser proxy settings to that port, and I now get an error web page that says:
"Web Site Status Access denied", which is progress. I will work on it from that perspective. Apparently the ClearOS interface did not add the necessary port setting for the Ethernet interface.
I will attach my squid.conf file as soon as I can figure out how to download it. There does not seem to be an FTP client installed on ClearOS and I have not found one in the Marketplace.

I found the Squid config files and here are the contents of the squid_lans.conf file:
# Created automatically based on network configuration
acl webconfig_lan src 10.6.10.0/24
acl webconfig_to_lan dst 10.6.10.0/24
Do I have to add entries for the permitted client LANs? I have not yet been able to find good examples for this file.
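The two generated files quoted in the posts above (squid_http_port.conf and squid_lans.conf) only cover the 10.6.10.0/24 LAN. The following added example, not ClearOS code, derives from the interface table in the original post the `http_port` and acl lines Squid needs for each LAN-role interface and reports which are absent from the generated files. Its one design assumption is that the Hot LAN is treated as a separate, less trusted source network: it gets a listener and its own `src` acl (named `guestnet`, as in the posted squid.conf) rather than membership of `webconfig_lan`, because squid.conf allows `webconfig_lan` to reach any destination. Since the generated files' header says they are created automatically from the network configuration, lines added by hand belong in squid.conf itself, which is where the posted squid.conf already has them.

```python
"""Compare ClearOS's generated Squid includes with the interface table.

Added example, not ClearOS code. Interface data and file contents come
from the thread; treating the Hot LAN as its own src acl is this
example's assumption.
"""
import ipaddress

SQUID_PORT = 3128

# (interface, ClearOS role, address) as shown in the post's network table
INTERFACES = [
    ("eno16780032", "LAN", "10.6.10.31/24"),
    ("eno33559296", "Hot LAN", "10.4.120.15/22"),
    ("eno50338560", "External", None),  # public address, not a proxy listener
]

# Generated files as posted
HTTP_PORT_CONF = """\
# Created automatically based on network configuration
http_port localhost6:3128
http_port localhost4:3128
http_port 10.6.10.31:3128
"""
LANS_CONF = """\
# Created automatically based on network configuration
acl webconfig_lan src 10.6.10.0/24
acl webconfig_to_lan dst 10.6.10.0/24
"""


def expected_lines(interfaces, port=SQUID_PORT, hotlan_acl="guestnet"):
    """Return (http_port lines, acl lines) that should exist for the LANs.

    Only the trusted LAN goes into webconfig_lan/webconfig_to_lan; the Hot
    LAN gets a listener and a separate src acl so it can be restricted.
    """
    http_ports, acls = [], []
    for _name, role, cidr in interfaces:
        if cidr is None:
            continue
        iface = ipaddress.ip_interface(cidr)
        net = iface.network            # 10.4.120.15/22 -> 10.4.120.0/22
        if role == "LAN":
            http_ports.append(f"http_port {iface.ip}:{port}")
            acls.append(f"acl webconfig_lan src {net}")
            acls.append(f"acl webconfig_to_lan dst {net}")
        elif role == "Hot LAN":
            http_ports.append(f"http_port {iface.ip}:{port}")
            acls.append(f"acl {hotlan_acl} src {net}")
    return http_ports, acls


def _directives(conf_text):
    """Set of non-comment lines with whitespace normalised."""
    out = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        if line.strip():
            out.add(" ".join(line.split()))
    return out


def missing(conf_text, wanted):
    """Lines from `wanted` that do not appear in `conf_text`."""
    present = _directives(conf_text)
    return [w for w in wanted if w not in present]


def report(interfaces=INTERFACES, http_port_conf=HTTP_PORT_CONF, lans_conf=LANS_CONF):
    """Return {'http_port': [...], 'acl': [...]} of lines still to be added."""
    http_ports, acls = expected_lines(interfaces)
    return {"http_port": missing(http_port_conf, http_ports),
            "acl": missing(lans_conf, acls)}


if __name__ == "__main__":
    for kind, lines in report().items():
        print(f"{kind}: {'ok' if not lines else 'missing'}")
        for line in lines:
            print("  " + line)
```

Run against the posted files it reports exactly the two lines the original poster ended up adding by hand: `http_port 10.4.120.15:3128` and `acl guestnet src 10.4.120.0/22`. Without the listener line Squid never binds 10.4.120.15:3128, which is consistent with the RST packets seen in the captures; without a matching `http_access allow` for the new acl the client gets the "Access denied" page.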

[root@clearos2 ~]# lspci -k | grep Eth -A 2
0b:00.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)
Subsystem: VMware VMXNET3 Ethernet Controller
Kernel driver in use: vmxnet3
Kernel modules: vmxnet3
13:00.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)
Subsystem: VMware VMXNET3 Ethernet Controller
Kernel driver in use: vmxnet3
Kernel modules: vmxnet3
1b:00.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)
Subsystem: VMware VMXNET3 Ethernet Controller
Kernel driver in use: vmxnet3
Kernel modules: vmxnet3