Problems in CP after update to 2.0.2



  • Hello. I'll try to explain my problem.

    These are my networks:

    10.1.0.0/16  Central with some servers
    10.2.0.0/16
    10.3.0.0/16
    10.4.0.0/16

    On 10.1 and 10.3 I have CP enabled to control internet use, but to allow traffic from/to all my subnets I created IP rules on "allowed ip addresses" (on the 10.3 site like: "both 10.1.0.0/16").

    These rules have always worked for me, but since the update to 2.0.2 they stopped working and I need to enter the host server manually on "allowed hostnames". With this I open the internet to that server and I don't want this (without auth).

    I've used gitsync, and problem still is here.

    Is this a bug?
    How can I restrict internet access without affecting traffic on my subnets?

    Thanks.


  • Rebel Alliance Developer Netgate

    Having those IPs in the list for 'both' should allow any IP in those subnets access through the portal without authentication, which may not be what you wanted. You probably just want to list those as 'to' (destination) and not 'both'.

    Either way, post the output of "ipfw show" and a screenshot of the Allowed IP Addresses tab and it might help spot the issue.


  • Rebel Alliance Developer Netgate

    Oh and the output of "ipfw table all list" too.



  • @jimp:

    Having those IPs in the list for 'both' should allow any IP in those subnets access through the portal without authentication, which may not be what you wanted. You probably just want to list those as 'to' (destination) and not 'both'.

    Either way, post the output of "ipfw show" and a screenshot of the Allowed IP Addresses tab and it might help spot the issue.

    Hi jimp, thanks for answer.

    Hmm, with this config everything worked OK for me: users have to authenticate on the portal to go to the internet, but traffic on the subnets is OK, without needing to authenticate. But what you say makes sense. I'll change this and exec the commands.

    I'll come back



  • ipfw show
    ipfw: getsockopt(IP_FW_GET): Protocol not available

    ????

    ipfw table all list
    ipfw: Warn: Failed to get the max tables number via sysctl. Using the compiled in defaults.
    The reason was: No such file or directory
    ipfw: getsockopt(IP_FW_TABLE_GETSIZE): Protocol not available

    ??? maybe i need to reinstall…


  • Rebel Alliance Developer Netgate

    It will show that way if CP is disabled.

    enable CP, reproduce the problem, and then run the commands, and then you can disable CP again.



  • @jimp:

    It will show that way if CP is disabled.

    enable CP, reproduce the problem, and then run the commands, and then you can disable CP again.

    Okidoki!

    ipfw show

    65291    0      0 allow pfsync from any to any
    65292    0      0 allow carp from any to any
    65301  161  7298 allow ip from any to any layer2 mac-type 0x0806
    65302    0      0 allow ip from any to any layer2 mac-type 0x888e
    65303    0      0 allow ip from any to any layer2 mac-type 0x88c7
    65304    0      0 allow ip from any to any layer2 mac-type 0x8863
    65305    0      0 allow ip from any to any layer2 mac-type 0x8864
    65307    5    340 deny ip from any to any layer2 not mac-type 0x0800
    65310 1665 208814 allow ip from any to { 255.255.255.255 or 10.1.0.1 } in
    65311 1495 687305 allow ip from { 255.255.255.255 or 10.1.0.1 } to any out
    65312    0      0 allow icmp from { 255.255.255.255 or 10.1.0.1 } to any out icmptypes 0
    65313    0      0 allow icmp from any to { 255.255.255.255 or 10.1.0.1 } in icmptypes 8
    65314  407  43341 allow ip from table(3) to any in
    65315  380  54319 allow ip from any to table(4) out
    65316    0      0 pipe tablearg ip from table(5) to any in
    65317    0      0 pipe tablearg ip from any to table(6) out
    65318    3    176 allow ip from any to table(7) in
    65319    0      0 allow ip from table(8) to any out
    65320    0      0 pipe tablearg ip from any to table(9) in
    65321    0      0 pipe tablearg ip from table(10) to any out
    65322  302  54529 allow ip from table(1) to any in
    65323  406 430771 allow ip from any to table(2) out
    65531 1677 323817 fwd 127.0.0.1,8000 tcp from any to any in
    65532 1605 288120 allow tcp from any to any out
    65533  24  1722 deny ip from any to any
    65534    0      0 allow ip from any to any layer2
    65535    0      0 allow ip from any to any

    clear

    ipfw show

    65291    0      0 allow pfsync from any to any
    65292    0      0 allow carp from any to any
    65301  220  10012 allow ip from any to any layer2 mac-type 0x0806
    65302    0      0 allow ip from any to any layer2 mac-type 0x888e
    65303    0      0 allow ip from any to any layer2 mac-type 0x88c7
    65304    0      0 allow ip from any to any layer2 mac-type 0x8863
    65305    0      0 allow ip from any to any layer2 mac-type 0x8864
    65307    6    408 deny ip from any to any layer2 not mac-type 0x0800
    65310 1716 212566 allow ip from any to { 255.255.255.255 or 10.1.0.1 } in
    65311 1594 695797 allow ip from { 255.255.255.255 or 10.1.0.1 } to any out
    65312    0      0 allow icmp from { 255.255.255.255 or 10.1.0.1 } to any out icmptypes 0
    65313    0      0 allow icmp from any to { 255.255.255.255 or 10.1.0.1 } in icmptypes 8
    65314  528  78883 allow ip from table(3) to any in
    65315  500  66927 allow ip from any to table(4) out
    65316    0      0 pipe tablearg ip from table(5) to any in
    65317    0      0 pipe tablearg ip from any to table(6) out
    65318  17    828 allow ip from any to table(7) in
    65319    6    264 allow ip from table(8) to any out
    65320    0      0 pipe tablearg ip from any to table(9) in
    65321    0      0 pipe tablearg ip from table(10) to any out
    65322  460  74395 allow ip from table(1) to any in
    65323  627 682329 allow ip from any to table(2) out
    65531 1746 327682 fwd 127.0.0.1,8000 tcp from any to any in
    65532 1659 293691 allow tcp from any to any out
    65533  29  2062 deny ip from any to any
    65534    0      0 allow ip from any to any layer2
    65535    0      0 allow ip from any to any

    ipfw table all list

    ---table(1)---
    10.1.0.11/32 mac 00:16:35:67:e3:40 0 610 112786
    10.1.0.89/32 mac 00:1d:09:0d:6d:68 0 150 16522
    ---table(2)---
    10.1.0.11/32 mac 00:16:35:67:e3:40 0 790 800053
    10.1.0.89/32 mac 00:1d:09:0d:6d:68 0 260 354300
    ---table(3)---
    10.1.0.20/32 0 39 10934
    10.1.0.60/32 0 0 0
    10.1.0.79/32 0 0 0
    10.1.0.221/32 0 18 1116
    10.1.0.222/32 0 0 0
    10.1.0.230/32 0 0 0
    10.1.0.234/32 0 0 0
    10.1.10.1/32 0 39 2972
    10.1.10.2/32 0 3 321
    10.1.10.9/32 0 0 0
    10.1.10.11/32 0 654 181556
    10.1.10.12/32 0 0 0
    10.1.10.15/32 0 2 82
    10.1.10.17/32 0 12 920
    10.1.10.101/32 0 0 0
    10.1.10.102/32 0 0 0
    10.1.10.103/32 0 0 0
    10.1.10.104/32 0 0 0
    ---table(4)---
    10.1.0.20/32 0 41 5836
    10.1.0.60/32 0 0 0
    10.1.0.79/32 0 0 0
    10.1.0.221/32 0 18 1116
    10.1.0.222/32 0 0 0
    10.1.0.230/32 0 0 0
    10.1.0.234/32 0 0 0
    10.1.10.1/32 0 39 5355
    10.1.10.2/32 0 0 0
    10.1.10.9/32 0 0 0
    10.1.10.11/32 0 576 68815
    10.1.10.12/32 0 0 0
    10.1.10.15/32 0 2 80
    10.1.10.17/32 0 10 926
    10.1.10.101/32 0 0 0
    10.1.10.102/32 0 0 0
    10.1.10.103/32 0 0 0
    10.1.10.104/32 0 0 0
    ---table(7)---
    10.1.0.20/32 0 0 0
    10.1.0.60/32 0 0 0
    10.1.0.79/32 0 0 0
    10.1.10.1/32 0 0 0
    10.1.10.2/32 0 0 0
    10.1.10.11/32 0 0 0
    10.1.10.12/32 0 0 0
    10.1.10.15/32 0 0 0
    10.1.10.17/32 0 0 0
    10.2.0.0/16 0 0 0
    10.3.0.0/16 0 8 368
    10.4.0.0/16 0 10 472
    172.20.0.14/32 0 0 0
    172.20.0.240/32 0 0 0
    192.168.1.0/24 0 3 216
    ---table(8)---
    10.1.0.20/32 0 0 0
    10.1.0.60/32 0 0 0
    10.1.0.79/32 0 0 0
    10.1.10.1/32 0 0 0
    10.1.10.2/32 0 0 0
    10.1.10.11/32 0 0 0
    10.1.10.12/32 0 0 0
    10.1.10.15/32 0 0 0
    10.1.10.17/32 0 0 0
    10.2.0.0/16 0 0 0
    10.3.0.0/16 0 3 132
    10.4.0.0/16 0 3 132
    172.20.0.14/32 0 0 0
    172.20.0.240/32 0 0 0
    192.168.1.0/24 0 0 0
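The ipfw output above can be read mechanically to answer the question jimp raised: which direction each table is used in, and therefore whether an "allowed IP" entry lets a *source* through the portal without authenticating or only makes a *destination* reachable. The following script is an added example written for this thread; it is not pfSense code and was not posted by anyone in the thread. It parses a constructed subset of the `ipfw show` and `ipfw table all list` output shown above and infers each table's role purely from the rule text: a table matched as `from table(N) ... in` admits matching client sources without auth, a table matched as `to table(N) ... in` only permits reaching those destinations, and the paired `out` rules carry the return traffic. That mapping is an inference from the rules, not from pfSense documentation; table numbers are taken from the posted output.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the "ipfw show" and "ipfw table all list"
# output posted in the thread (table 1 entries carry a MAC, i.e. logged-in clients).
IPFW_SHOW = """\
65314  528  78883 allow ip from table(3) to any in
65315  500  66927 allow ip from any to table(4) out
65316    0      0 pipe tablearg ip from table(5) to any in
65317    0      0 pipe tablearg ip from any to table(6) out
65318  17    828 allow ip from any to table(7) in
65319    6    264 allow ip from table(8) to any out
65322  460  74395 allow ip from table(1) to any in
65323  627 682329 allow ip from any to table(2) out
65531 1746 327682 fwd 127.0.0.1,8000 tcp from any to any in
65533  29  2062 deny ip from any to any
"""

IPFW_TABLES = """\
---table(1)---
10.1.0.11/32 mac 00:16:35:67:e3:40 0 610 112786
---table(3)---
10.1.0.20/32 0 39 10934
10.1.10.11/32 0 654 181556
---table(4)---
10.1.0.20/32 0 41 5836
---table(7)---
10.1.0.20/32 0 0 0
10.2.0.0/16 0 0 0
10.3.0.0/16 0 8 368
---table(8)---
10.3.0.0/16 0 3 132
"""

# Role labels inferred from the rule text alone (an assumption of this example,
# not pfSense documentation): a source table on an 'in' rule admits that client
# without authentication; a destination table on an 'in' rule only opens a server.
ROLE_FROM = "from: source passes the portal without auth"
ROLE_TO = "to: destination reachable without auth"
ROLE_RETURN_FROM = "return traffic for a 'from' table"
ROLE_RETURN_TO = "return traffic for a 'to' table"
ROLE_PIPE = "bandwidth pipe (tablearg)"

RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
MATCH_RE = re.compile(
    r"(allow|deny|pipe tablearg|fwd \S+)\s+\S+\s+from\s+(\S+)\s+to\s+(\S+)\s+(in|out)\b")
TABLE_REF_RE = re.compile(r"table\((\d+)\)")
TABLE_HDR_RE = re.compile(r"^-+table\((\d+)\)-+$")
ENTRY_RE = re.compile(r"^(\S+)(?:\s+mac\s+(\S+))?\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def table_roles(show_text):
    """Map each ipfw table number to the role its rule gives it."""
    roles = {}
    for line in show_text.splitlines():
        m = RULE_RE.match(line)
        r = MATCH_RE.search(m.group(4)) if m else None
        if not r:
            continue  # rule does not have the from/to/direction shape we classify
        action, src, dst, direction = r.groups()
        for side, spec in (("src", src), ("dst", dst)):
            t = TABLE_REF_RE.fullmatch(spec)
            if not t:
                continue
            n = int(t.group(1))
            if action.startswith("pipe"):
                roles[n] = ROLE_PIPE
            elif side == "src":
                roles[n] = ROLE_FROM if direction == "in" else ROLE_RETURN_TO
            else:
                roles[n] = ROLE_TO if direction == "in" else ROLE_RETURN_FROM
    return roles


def parse_tables(table_text):
    """Parse 'ipfw table all list' into {table: [(network, mac, packets, bytes)]}."""
    tables = defaultdict(list)
    current = None
    for line in table_text.splitlines():
        h = TABLE_HDR_RE.match(line)
        if h:
            current = int(h.group(1))
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None:
            net = ipaddress.ip_network(e.group(1))
            tables[current].append((net, e.group(2), int(e.group(4)), int(e.group(5))))
    return dict(tables)


def where_listed(network, tables, roles):
    """Tables whose entries overlap `network`, with the role of each table."""
    net = ipaddress.ip_network(network)
    return {n: roles.get(n, "unknown role")
            for n, entries in sorted(tables.items())
            if any(entry[0].overlaps(net) for entry in entries)}


def unauthenticated_passthrough(tables, roles):
    """Static (MAC-less) entries in 'from' tables: sources that bypass the portal."""
    hits = [entry[0] for n, entries in tables.items() if roles.get(n) == ROLE_FROM
            for entry in entries if entry[1] is None]
    return [str(net) for net in sorted(hits)]


if __name__ == "__main__":
    roles = table_roles(IPFW_SHOW)
    tables = parse_tables(IPFW_TABLES)
    for n in sorted(roles):
        print(f"table({n}): {roles[n]}")
    print("10.3.0.0/16 listed in:", where_listed("10.3.0.0/16", tables, roles))
    print("bypass the portal as sources:", unauthenticated_passthrough(tables, roles))
```

Run against the real output, this shows the difference between the two list directions in concrete terms: in the posted tables the 10.2/10.3/10.4 subnets appear only in tables 7 and 8 (the 'to' pair), so hosts there are reachable by portal clients but cannot themselves skip the login; a 'both' entry would additionally place the subnet in the 'from' pair (tables 3 and 4), and `unauthenticated_passthrough` would then list it as a source that never sees the portal.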



  • see anything???

    I'll try on 2.0.1…


Locked