Community Forum

John M
Resolved
0 votes
Hello all,

This will be my first post here, and I'm a newbie to networking in general. I have successfully set up a ClearOS machine as a Gateway with three NICs, two of which are for internal LANs and one for the external. Before I go into my issue, I suppose it makes sense to explain why I am doing what I am doing.

One LAN is meant for general home use. Because of my wife's occupation, it must remain stable at all times (meaning no screwery from yours truly). I have this LAN up and running with a DHCP server (network is 192.168.2.1/24) and all machines are able to connect to the internet and to each other as you would expect. The second LAN is meant for my home lab (network is 192.168.3.1/24, no DHCP server). My intention was to use a separate NIC in the ClearOS machine for this purpose. This also works flawlessly for connecting to the internet.

I can ping the interfaces from any machine; for example, I can ping 192.168.2.1 from the 192.168.3.0/24 network and vice versa. I am able to access the webUI from all machines. I cannot ping machines between my subnets, however. This is sort of crucial, as I would like to be able to remote desktop into the lab machine from my personal laptop.

I'm lost as to whether or not my issue is firewall related or routing related. From what I have read in general, if I understand it correctly, there should be no need for additional configuration to allow traffic to pass between the two LANs.

Any help is appreciated. Suggestions are also appreciated. I am open to the idea that there is a better and more efficient way to go about this.

John
Tuesday, December 05 2017, 01:07 AM
Responses (6)
  • Accepted Answer

    John M
    Tuesday, December 05 2017, 05:51 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    No, it won't stop the reply. It is similar to the ClearOS/iptables firewall in that any reply to traffic is allowed in (more or less). What is not allowed in is unsolicited traffic. In iptables terms, incoming state=NEW is blocked but incoming state=RELATED or ESTABLISHED is allowed. In layman's terms, it means you can contact anyone and they can reply, but they cannot contact you.


    That makes perfect sense. I'll make changes in Windows and see if that corrects the issue.

    Thanks!
  • Accepted Answer

    Nick Howitt
    Tuesday, December 05 2017, 03:52 PM - #Permalink
    Resolved
    0 votes
    No, it won't stop the reply. It is similar to the ClearOS/iptables firewall in that any reply to traffic is allowed in (more or less). What is not allowed in is unsolicited traffic. In iptables terms, incoming state=NEW is blocked but incoming state=RELATED or ESTABLISHED is allowed. In layman's terms, it means you can contact anyone and they can reply, but they cannot contact you.
  • Accepted Answer

    John M
    Tuesday, December 05 2017, 03:47 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    John M wrote: As far as Windows Firewall is concerned, I assumed that since the reply from the interface on the second subnet made it through, any other reply from that subnet would get through.
    Isn't the Windows interface just responding to requests from its own LAN subnet? When you say made it through, made it through where?


    I have 2 LAN interfaces in the ClearOS box. One is 192.168.2.1/24 and the other is 192.168.3.1/24. From my laptop, which is on the 192.168.2.0/24 network, I can successfully ping the 192.168.3.1 interface on the ClearOS box, but not the machine connected to that subnet, which has a static IP in that subnet (192.168.3.5/24). If Windows Firewall was blocking the ping response, shouldn't that prevent the 192.268.3.1 interface ping reply as well?
  • Accepted Answer

    Nick Howitt
    Tuesday, December 05 2017, 02:52 PM - #Permalink
    Resolved
    0 votes
    John M wrote: As far as Windows Firewall is concerned, I assumed that since the reply from the interface on the second subnet made it through, any other reply from that subnet would get through.
    Isn't the Windows interface just responding to requests from its own LAN subnet? When you say made it through, made it through where?
  • Accepted Answer

    John M
    Tuesday, December 05 2017, 01:50 PM - #Permalink
    Resolved
    0 votes
    Nick,

    Thanks for the response. Both interfaces are configured as LAN. As far as Windows Firewall is concerned, I assumed that since the reply from the interface on the second subnet made it through, any other reply from that subnet would get through. I'll make changes to Windows Firewall though, just to see if this clears up the issue. Then I suppose RDP will be an issue if that is indeed my problem.
  • Accepted Answer

    Nick Howitt
    Tuesday, December 05 2017, 11:27 AM - #Permalink
    Resolved
    0 votes
    Hi John and welcome to ClearOS.

    A couple of things come to mind. Firstly, make sure both LAN NICs have the Role LAN and not HotLAN (Webconfig > Network > Settings > IP Settings). The second thing is a Windows issue. I believe the firewall blocks any pings not from the local LAN. My system has a disabled Domain rule (File and Printer Sharing (Echo Request - ICMPv4-In)) which you can edit, perhaps changing the Profile and enabling it, but you'll still possibly have problems with RDP. Perhaps easier is to add a new rule on your lab machine and allow all traffic in from your subnet.
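The following is an added example, not from the thread or from ClearOS, of how the rule Nick suggests for the lab machine can be written in PowerShell. Instead of allowing all traffic in from the home subnet, it scopes two inbound exceptions (ICMPv4 echo request and RDP) to that subnet only, which is enough for the ping and remote desktop use case described above while keeping the rest of the lab box unreachable. It assumes the addresses from the thread (home LAN 192.168.2.0/24, lab machine on 192.168.3.0/24) and that RDP is on its default TCP port 3389; the rule names are made up for this example.

```powershell
# Added example, not part of the original thread. Run from an elevated
# PowerShell prompt on the lab machine (the Windows host on 192.168.3.0/24).
# Assumptions: the laptop lives on 192.168.2.0/24 and RDP listens on TCP 3389.
$HomeLan = '192.168.2.0/24'

# 1. Allow ICMPv4 echo requests (ping) from the home LAN only.
#    Windows treats the other subnet as non-local, so the built-in
#    "File and Printer Sharing (Echo Request - ICMPv4-In)" rule does not
#    cover it; a dedicated rule with an explicit RemoteAddress is clearer
#    than widening that rule's profile. -Profile Any makes the rule apply
#    even if the lab NIC's network is classified as Public.
New-NetFirewallRule -DisplayName 'Lab: ICMPv4 echo from home LAN' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $HomeLan -Profile Any -Action Allow

# 2. Allow RDP (TCP 3389) from the home LAN only. Every other source,
#    including anything else that later appears on either subnet,
#    stays blocked for unsolicited (state NEW) connections.
New-NetFirewallRule -DisplayName 'Lab: RDP from home LAN' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $HomeLan -Profile Any -Action Allow

# 3. Verify the rules exist and carry the intended remote-address scope.
Get-NetFirewallRule -DisplayName 'Lab: *' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Remote  = $addr.RemoteAddress
    }
}
```

Replies to connections the lab machine itself initiates are unaffected by these rules, since the Windows firewall, like the iptables rules Nick describes, already admits RELATED/ESTABLISHED traffic; the two rules only add the unsolicited inbound cases that the thread needs.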