Netgate Discussion Forum

    New Install from Smoothwall

    General pfSense Questions
    21 Posts 4 Posters 8.1k Views
    chpalmer:

      Remember rules read from top to bottom.

      If you have a rule that would somehow block that traffic before the rule to allow it, you would be blocked…

      Also, I think the gateway field on your DMZ interface should be its LAN address or blank... I could be wrong.

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      chpalmer:

        Here's my office setup, just for comparison…

        Even though you are pointing all incoming at that interface, I don't believe it should be that much different...

        I'm running 2.0

        Good luck guys!

        RouterBox.jpg


        stephenw10 (Netgate Administrator):

          Hmm, OK.
          I think we need more information here.
          You are running 1.2.3, yes?
          Could you describe your network, interfaces, servers, services and what you are trying to achieve.

          Not completely sure what I'm looking at in your last picture:
          Firewall logs
          Wan firewall rules
          Port forwarding rules

          Yes?
          If so then the firewall log is showing the firewall, correctly, blocking traffic to 192.168.1.10:9925.
          Your WAN firewall rules are allowing traffic to 192.168.2.10:9925. I.e., your port forwarding is forwarding to the wrong subnet!
          You need to refresh something. Perhaps reset the state table (under diagnostics) or just reboot.

          Steve

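Steve's point above (the forward reaches 192.168.1.10:9925 while the only pass rule is for 192.168.2.10:9925) and chpalmer's earlier reminder that rules are read top to bottom both come down to the same check: after NAT rewrites the destination, the translated packet still has to hit a pass rule before any block rule. The following is an added example, not code from the thread or from pfSense: a first-match rule evaluator plus a consistency check over port forwards. The Rule and PortForward records are simplified stand-ins for pfSense's WAN rules and NAT entries, and the sample data is constructed to mirror the thread (DMZ host 192.168.2.10, the LAN host 192.168.1.10 it replaced, Postfix on 9925, the second service on 9993).

```python
# Added example (not from the thread or pfSense): first-match rule evaluation
# and a port-forward vs. WAN-rule consistency check. Records and sample data
# are constructed stand-ins, not pfSense config.xml.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "tcp", "udp" or "any"
    dst: str                 # destination host or CIDR
    dport: Optional[int]     # None matches any port


@dataclass(frozen=True)
class PortForward:
    proto: str
    wan_port: int
    target: str              # host the WAN port is redirected to
    target_port: int


def rule_matches(rule: Rule, proto: str, dst: str, dport: int) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return ip_address(dst) in ip_network(rule.dst, strict=False)


def evaluate(rules, proto: str, dst: str, dport: int):
    """pfSense interface rules are first-match, read top to bottom; a packet
    that matches no rule is dropped by the implicit default block."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, proto, dst, dport):
            return rule.action, index
    return "block", None


def check_forwards(forwards, wan_rules):
    """Flag each forward whose translated destination (target:target_port)
    the WAN rule set does not pass. NAT alone never admits the packet: the
    post-NAT destination must still be allowed by a rule, and a block rule
    placed above the pass rule wins."""
    findings = []
    for fwd in forwards:
        action, index = evaluate(wan_rules, fwd.proto, fwd.target, fwd.target_port)
        if action != "pass":
            where = f"rule {index}" if index is not None else "default block"
            findings.append(
                f"{fwd.proto}/{fwd.wan_port} -> {fwd.target}:{fwd.target_port} "
                f"blocked by {where}")
    return findings


# Constructed sample: rules cloned for the DMZ host, one forward still pointing
# at the old LAN host, and a block rule deliberately placed above a pass rule.
WAN_RULES = [
    Rule("block", "tcp", "192.168.2.10", 9993),   # sits above the pass: wins
    Rule("pass", "tcp", "192.168.2.10", 9925),
    Rule("pass", "tcp", "192.168.2.10", 9993),    # never reached for 9993
]
FORWARDS_BEFORE = [
    PortForward("tcp", 25, "192.168.1.10", 9925),   # stale: old LAN target
    PortForward("tcp", 9993, "192.168.2.10", 9993),
]
FORWARDS_AFTER = [
    PortForward("tcp", 25, "192.168.2.10", 9925),   # retargeted to the DMZ
    PortForward("tcp", 9993, "192.168.2.10", 9993),
]

if __name__ == "__main__":
    for finding in check_forwards(FORWARDS_BEFORE, WAN_RULES):
        print("before fix:", finding)
    for finding in check_forwards(FORWARDS_AFTER, WAN_RULES):
        print("after fix: ", finding)
```

Running it reports two problems before the fix (the stale forward has no pass rule at all, and the 9993 forward is caught by the block rule above its pass rule) and one after: retargeting the 25 forward clears the subnet mismatch, but the ordering problem on 9993 remains until the block rule is moved below the pass or removed.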
          genius:

            @stephenw10:

            Hmm, OK.
            I think we need more information here.
            You are running 1.2.3, yes?
            Could you describe your network, interfaces, servers, services and what you are trying to achieve.

            Not completely sure what I'm looking at in your last picture:
            Firewall logs
            Wan firewall rules
            Port forwarding rules

            Yes?
            If so then the firewall log is showing the firewall, correctly, blocking traffic to 192.168.1.10:9925.
            Your WAN firewall rules are allowing traffic to 192.168.2.10:9925. I.e., your port forwarding is forwarding to the wrong subnet!
            You need to refresh something. Perhaps reset the state table (under diagnostics) or just reboot.

            Steve

            Attached is a snapshot of my LAN just to give you an idea of what I have on it.  Just to be clear, my network is a learning network.  It has a bunch of Linux servers doing various things, but strictly for learning.  Also, I did catch that subnet error and fixed it, but that didn't fix the problem.

            On the LAN side I have it hooked to a Cisco 2900, VLAN1.  Also on the LAN side is the LAN side of a wireless router.  The router does nothing but grab wireless clients.  I also have an Amahi server (192.168.1.10) which runs SSHD, OpenVPN, ALS VPN, Postfix and Dovecot.  The email is IMAP/S and listens on 9923.  It also has a Postfix which is listening on 9925.  Been meaning to change that to 25 but I never got around to it.  The LAN also has a TiVo and Xbox and various other computers.

            On OPT1 is the same Cisco but VLAN2, 192.168.2.0.  This is where I have a CentOS server running (192.168.2.10) which is configured EXACTLY the same as the services I have on the Amahi server.  I want that to be my dedicated email server and sit in the DMZ.

            I cloned the firewall rules which are forwarding port 25 to 192.168.1.10:9925 and 9993 to 192.168.1.10:9993 over to 192.168.2.10.  But only one pair is enabled.

            Right now, I have DHCP enabled on the DMZ.  CentOS is set up for the DMZ and asks DHCP for the DNS info.

            The main issue I have is that from the CentOS server, I can ping 192.168.2.1 and it gets an address.  But I can't ping past it.

            When I forward 9993 and 9925 into the DMZ, the connections go in but it doesn't let anything out.

            setup1.jpg

            genius:

              Here's a cut/paste from the routes table…

              IPv4
              Destination      Gateway            Flags  Refs  Use     Mtu    Netif  Expire
              default          69.255.102.1       UGS    0     312358  1500   xl0
              69.255.102.0/23  link#1             UC     0     0       1500   xl0
              69.255.102.1     00:01:5c:23:d5:01  UHLW   2     690     1500   xl0    1200
              My WAN IP        127.0.0.1          UGHS   0     0       16384  lo0
              127.0.0.1        127.0.0.1          UH     1     2407    16384  lo0
              192.168.1.0/24   link#3             UC     0     0       1500   fxp0
              192.168.1.8      00:11:d9:0a:6b:46  UHLW   1     1170    1500   fxp0   1185
              192.168.1.10     00:11:43:d8:ec:21  UHLW   1     1427    1500   fxp0   1193
              192.168.1.31     a4:ed:4e:be:f0:f8  UHLW   1     32      1500   fxp0   421
              192.168.1.35     44:2a:60:bf:30:8b  UHLW   1     124     1500   fxp0   1118
              192.168.1.41     00:1f:e2:3a:a3:5b  UHLW   1     1278    1500   fxp0   124
              192.168.2.0/24   link#2             UC     0     0       1500   xl1

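The route table posted above already answers the routing half of the question: 192.168.2.0/24 is directly connected on xl1, and everything else goes to 69.255.102.1 via xl0, so a packet from the DMZ host can be routed out. Here is an added example, not code from the thread, that parses a FreeBSD `netstat -rn` style table and answers "which interface and next hop does the firewall use for address X" by longest-prefix match. The embedded table is constructed from the posted output; the redacted "My WAN IP" host entry is omitted and the UHLW (ARP) entries are kept to show they are /32 routes that win over the connected /24.

```python
# Added example (not from the thread): parse a FreeBSD-style route table and
# resolve addresses by longest-prefix match. ROUTE_TABLE is constructed from
# the posted output, with the redacted WAN host entry omitted.
from ipaddress import ip_address, ip_network

ROUTE_TABLE = """\
Destination      Gateway            Flags  Refs  Use     Mtu    Netif  Expire
default          69.255.102.1       UGS    0     312358  1500   xl0
69.255.102.0/23  link#1             UC     0     0       1500   xl0
69.255.102.1     00:01:5c:23:d5:01  UHLW   2     690     1500   xl0    1200
127.0.0.1        127.0.0.1          UH     1     2407    16384  lo0
192.168.1.0/24   link#3             UC     0     0       1500   fxp0
192.168.1.10     00:11:43:d8:ec:21  UHLW   1     1427    1500   fxp0   1193
192.168.2.0/24   link#2             UC     0     0       1500   xl1
"""


def parse_routes(text):
    """Return one dict per route with the destination as an ip_network.
    Columns: Destination Gateway Flags Refs Use Mtu Netif [Expire]."""
    routes = []
    for line in text.strip().splitlines()[1:]:        # skip the header row
        fields = line.split()
        dest, gateway, flags, netif = fields[0], fields[1], fields[2], fields[6]
        if dest == "default":
            net = ip_network("0.0.0.0/0")
        elif "/" in dest:
            net = ip_network(dest, strict=False)
        else:
            net = ip_network(dest + "/32")             # host route or ARP entry
        routes.append({"net": net, "gateway": gateway, "flags": flags, "netif": netif})
    return routes


def lookup(routes, addr):
    """Longest-prefix match. Returns (interface, next_hop); next_hop is
    'on-link' when the G flag is absent, i.e. the destination is delivered
    directly on that interface (link#N or a resolved MAC, no router)."""
    target = ip_address(addr)
    best = None
    for route in routes:
        if target in route["net"]:
            if best is None or route["net"].prefixlen > best["net"].prefixlen:
                best = route
    if best is None:
        return None
    next_hop = best["gateway"] if "G" in best["flags"] else "on-link"
    return best["netif"], next_hop


def dmz_sanity(routes, dmz_subnet="192.168.2.0/24"):
    """The two facts worth reading off this table: is there a default route
    via a gateway, and is the DMZ subnet directly connected to an interface."""
    dmz = ip_network(dmz_subnet)
    has_default = any(r["net"].prefixlen == 0 and "G" in r["flags"] for r in routes)
    connected = [r["netif"] for r in routes if r["net"] == dmz and "G" not in r["flags"]]
    return {"default_route": has_default,
            "dmz_interface": connected[0] if connected else None}


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for probe in ("192.168.2.10", "192.168.1.10", "8.8.8.8"):
        print(probe, "->", lookup(table, probe))
    print(dmz_sanity(table))
```

If the routing layer looks right, as it does here, the remaining suspects for "can ping 192.168.2.1 but not past it" are the rules on the OPT1/DMZ interface and outbound NAT, not the route table, which is why a one-step-at-a-time test is the next move.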
              stephenw10 (Netgate Administrator):

                Why are you port forwarding external DNS (53) to DMZ? This could be a problem preventing dns working correctly from inside the DMZ.

                Anyway it looks like your learning network is working!  ;)

                Steve

                genius:

                  @stephenw10:

                  Why are you port forwarding external DNS (53) to DMZ? This could be a problem preventing dns working correctly from inside the DMZ.

                  Anyway it looks like your learning network is working!  ;)

                  Steve

                  Oh yeah, I need to ditch that one.  That was one of my desperate attempts to get internet on the DMZ.  At the time, I was fumbling with an unfamiliar interface and thought I was creating an outbound rule.  Thanks for the catch!  Wouldn't that be great if that was the problem???  LOL!

                  THANKS FOR YOUR TIME!

                  genius:

                    Oh yeah, 1.2.3.

                    stephenw10 (Netgate Administrator):

                      @genius:

                      Oh yeah, 1.2.3.

                      Better late than never!  :P

                      I think the root of the problem here is that you have tried to do too many things at once, one of those things hasn't gone well but it's hard to pin down. You should go one step at a time, testing as you go.
                      E.g. if it's outbound internet access that isn't working then that's pretty fundamental but very easy to test.

                      I realise it's very tempting to just try to directly replicate the functionality of your Smoothwall setup in one go, that's what I did coming from IPCop but I guess I was just lucky.  ::)

                      Steve

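Steve's advice above is a procedure: test one layer at a time, starting with the most fundamental (outbound reachability), and stop at the first thing that fails. Here is an added example, not from the thread, that encodes that ladder for the DMZ host: gateway, then a public IP with no DNS involved, then name resolution, then the forwarded service. The probe is injected so the ladder can be exercised offline with constructed results; `real_probe` wraps ping and a TCP connect for use on the actual host, and its target addresses are placeholders. The "implicates" hints are general troubleshooting heuristics assumed by this example, not a diagnosis of the original poster's setup.

```python
# Added example (not from the thread): a step-at-a-time outbound test ladder.
# The hints about what each failure implicates are general heuristics, an
# assumption of this example; the addresses in real_probe are placeholders.
import socket
import subprocess

# (step, what to do, what a failure here, with all earlier steps passing,
#  usually points at)
LADDER = [
    ("gateway", "ping the DMZ interface address (192.168.2.1)",
     "host addressing, VLAN/cabling, or a DMZ interface rule blocking ICMP"),
    ("external_ip", "ping a public address by IP so DNS is not involved",
     "no pass rule on the DMZ interface for outbound traffic, or outbound NAT "
     "not covering the DMZ subnet"),
    ("dns", "resolve a name through the resolver DHCP handed out",
     "the resolver itself, or a rule or port forward interfering with port 53"),
    ("service", "TCP connect from outside to the forwarded port",
     "the port forward, its matching WAN pass rule, or the daemon not listening"),
]


def diagnose(probe):
    """Run the ladder top to bottom; return (first_failed_step, hint, results).
    first_failed_step is None when every step passed."""
    results = {}
    for name, _description, implicates in LADDER:
        ok = bool(probe(name))
        results[name] = ok
        if not ok:
            return name, implicates, results
    return None, "all steps passed", results


def simulated_probe(outcomes):
    """Build a probe from constructed results (steps absent from the dict fail)."""
    return lambda step: outcomes.get(step, False)


def real_probe(step, gateway="192.168.2.1", public_ip="8.8.8.8",
               hostname="example.com", service=("203.0.113.10", 25)):
    """Probe for use on a real host; every address here is a placeholder."""
    if step in ("gateway", "external_ip"):
        target = gateway if step == "gateway" else public_ip
        proc = subprocess.run(["ping", "-c", "1", "-W", "2", target],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return proc.returncode == 0
    if step == "dns":
        try:
            socket.gethostbyname(hostname)
            return True
        except OSError:
            return False
    if step == "service":
        try:
            with socket.create_connection(service, timeout=3):
                return True
        except OSError:
            return False
    return False


if __name__ == "__main__":
    # Constructed outcome mirroring "can ping 192.168.2.1 but not past it".
    step, hint, results = diagnose(simulated_probe({"gateway": True}))
    print(f"first failure: {step}; look at: {hint}; results: {results}")
```

On the real host, `diagnose(real_probe)` runs the four probes in order; the value of the ladder is that it refuses to test DNS or the mail port until plain IP reachability works, so a single failing layer is reported rather than four symptoms of the same cause.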
                      genius:

                        Probably right.  Yesterday I discovered the TiVo could connect to its service but could not download Netflix videos.  I also discovered the Xbox 360 couldn't connect to Live because of an invalid MTU.  I did everything the forums told me, including turning on UPnP, but no dice.

                        Wife got ticked.  Had to slap the Smoothwall drive back in.  I may give this one a break and check out m0n0wall or Untangle.  Thanks again though!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.