Community Forum

Resolved
0 votes
this post is coming from here
https://www.clearos.com/clearfoundation/social/community/i-need-help-with-a-gateway-configuration

Hi everyone

Nick Howitt asked me to make a new post because the old one is getting slow to load, so here we go

I need to put ClearOS as a transparent gateway using 3 NICs. I need to test ClearOS7 to replace a UTM Sophos 9.4, but nothing I have tried so far is working

With the UTM we are doing NAT, firewall, web filtering and DNS for the internet service; that is everything we have to replace, but for now I only need the transparent gateway in ClearOS, just that for now

What we are doing with the main switch, which is a Catalyst 3750 Layer 3, is VTP server, Spanning Tree, DHCP and static routes

We have no router; the router in the site is provided by the main ISP and we don't have admin control of it, so we don't use it, it works only to provide internet. The switch is connected directly to one port; from there we serve the internet to the servers, and from these to the network

The NICs we have in the Sophos and ClearOS servers have the same network structure:

a) one for the internal side; this is going to be the interface to reach the web admin to manage the server. We want to use this so the network can reach the server, exactly as it is in Sophos; all the IPs in the 23 production VLANs are pointing to this interface as primary DNS

b) the second interface is for the external side and the main ISP; with the UTM we do all the NAT rules here, but again, for the moment we only need a transparent gateway in ClearOS

c) the third one is for another ISP, only as a backup internet service, and is only for 3 of the VLANs (accounting, servers and IT), not all of the VLANs

d) On the main switch we have 2 more exclusive VLANs, one for each ISP; the ISP VLANs are not set in the UTM and they are not in ClearOS, just in the switch, and they are for having a direct internet connection with public IPs

The IP routes in the switch are:
Ip route 0.0.0.0 0.0.0.0 192.168.18.250 main ISP (Sophos)
ip route 0.0.0.0 0.0.0.0 192.168.18.13 2 backup ISP (ClearOS)

ClearOS status:
1) we have good ping results for all the interfaces from anywhere in the network

2) of course the server is in Gateway Mode

3) the DNS in the IP settings are these; they are not configured in any PC, the PCs point to the UTM and ClearOS as first and secondary DNS respectively:
207.248.224.71 first from main ISP
207.248.224.72 second from main ISP

4) in the file /etc/sysconfig/network-scripts/route-ens256 I set up all the VLANs "via" 192.168.18.13, which is the local interface for ClearOS. Nick Howitt asked me to do that because at the beginning I was not able to reach the server from the local network, only by the IP on the external NIC, trying from the internet in other places

5) if I set up the internal IP of ClearOS as the only DNS in the PC (leaving the secondary blank), "I have internet", but, and I don't know how, my public IP is still the public IP I configured in Sophos, not the one in ClearOS, and even the Sophos firewall rules are still working with this config.

6) of course we have different IPs for all the NICs of the 2 servers, public IPs & local IPs:

Sophos:
local: 192.168.18.250
ISP1: 201.163.39.85
ISP2: DHCP by the ISP

ClearOS7:
local: 192.168.18.13
ISP1: 201.163.39.82
ISP2: DHCP by the ISP

At the beginning of the project both servers were virtual machines in two physical servers, one VM in each one; the goal of that structure was to have a backup for server crashes or power failures. Both servers were UTM 9.4, but the main physical server is running into performance issues, which is why since the 5th I set up the UTM on a PC, and Sophos is also running into performance issues; that is the main reason to search for another brand of server. Right now ClearOS is still a VM

I do not want to change all the structure in one phase, I need to do it step by step. So I think that is everything; I really would appreciate it if someone could help. Thanks and regards.


Link to the previous post
https://www.clearos.com/clearfoundation/social/community/i-need-help-with-a-gateway-configuration
Attachments:
In Gateway
Monday, June 12 2017, 10:20 PM
Responses (15)
  • Accepted Answer
    Thursday, June 22 2017, 04:24 PM
    0 votes
    I still have a feeling that your WAN issues are caused by your VLANS. You have VLAN 200 and 201 from your Cisco switch to your VM hypervisor (not sure of the terminology). At a guess the hypervisor has passthrough/bridged interfaces with the ClearOS VM. If that is the case, I'd expect ClearOS needs the same configuration with VLAN tagging on its WAN interface. I don't think your issues are particularly ClearOS related, they are VLAN related.

    Perhaps Dave could comment.
  • Thursday, June 22 2017, 02:11 PM
    0 votes
    Thanks for the help

    Before I quit ClearOS altogether, I will step back and resume the whole project from another perspective; maybe if I take another look into our main switch, I could find something else to test

    It is not usual for this institute to pay for something we could not fully test before, so I will take our ClearOS server and put it to work in another environment, another network structure, even another place. I can't believe we have such a special network that we couldn't use ClearOS

    Last question (for later): if I take a backup file from this server in the VM, can I install it on a real PC? I understand it will be other hardware, so I should configure the network as similarly as possible, but with Sophos it is something I have already done before, so is it possible with ClearOS?

    I will let you know how it went, thanks and regards.
  • Wednesday, June 21 2017, 01:23 AM
    0 votes
    This is a situation in where using paid services from ClearCenter may be useful for a solid solution here. With ClearBOX you can set up a completely redundant solution where the ClearBOX monitors your firewall and then uses scripting to overtake the physical network device of your failing Sophos firewall with a network bypass device. If you don't want to use ClearBOX you can purchase a bypass network card from ClearCenter to do the same thing.

    For example:

    Internet <> External Bypass Segment 1 on ClearOS side A <> External Bypass Segment 1 on ClearOS side B <> Sophos External NIC <> Sophos <> Sophos LAN NIC <> External Bypass Segment 2 on ClearOS side B <> External Bypass Segment 2 on ClearOS side A <> LAN Switch

    Then ClearOS can watch and wait for a failure of Sophos. If it occurs it will trigger the bypass segments replacing the entire layer 1 and layer 2 topology to be:

    Internet <> External Bypass Segment 1 on ClearOS side A <> ClearOS <> External Bypass Segment 2 on ClearOS side A <> LAN Switch

    Essentially you then set up ClearOS with EXACTLY the same IP addresses as the Sophos box. We call this 'Mission Critical Gateway'.

    https://www.clearos.com/products/hardware/clearbox-300-series#flexibility
  • Monday, June 19 2017, 04:20 PM
    0 votes
    OK Dave

    Gateway is what we had before changing it to "trustedgateway"; I will change it back to "Gateway", but in that case we are going to get the same result as so far!

    So, what can I do to have internet in my network via ClearOS when we have a failover in Sophos? Remember, it wasn't working; if I turn off the Sophos server we lose internet

    PS: can one of you please put me in touch with some mod who speaks Spanish? Thanks and regards.
  • Sunday, June 18 2017, 01:05 AM
    0 votes
    If I were you, I would simply set up ClearOS as a gateway even though you would be double NAT. You are currently double NAT and you can set up ClearOS along side the other gateway and do all the testing that you like with ClearOS. By the time you get everything going well you can simply overtake the LAN-side IP address of the Sophos Firewall to replace it.
  • Thursday, June 15 2017, 10:25 PM
    0 votes
    This is for Dave

    OK, answering your questions:

    About “the document seems to illustrate that this is a traditional gateway model instead of an internal router model. NAT is being provided by the other firewall/gateway and to not have that on this gateway actually can ruin the security model as well.”

    We don't care if we lose NAT and firewall; we only need web surfing in the meantime while we recover the primary server, if that is possible!

    About “perhaps it would be useful to know what services are needed from ClearOS that are not functioning on your existing firewall”

    As far as I know, everything is working; it is not about whether it is working fine or not, but the web surfing is getting slow. So far it is acceptable; the Sophos web config is also getting slow. That was the behaviour when it was a VM; now it is a little bit better on a PC (15 days ago). Sometimes it was, in the absence of a better description, “weird”

    About “if you are using ClearOS as a content filter”

    We are not using ClearOS at all; the first thing I tried didn't work

    About “transparent inline bridge”

    OK, we were getting close to the meaning of transparent; it looks fine to me. I am fine with a community edition. I think I get what you suggest with this design, but to give a more accurate picture of what we need, I should give you examples of the problems to solve and you can tell me if this is going to help

    About “In other situations you may decide that you don't need that structure at all”

    I need to talk with my boss about this; it sounds like a big change, something we do not want to do, but if it is necessary and the result is better performance for the whole network, it could be!

    About Active Directory

    We do not have one, but it is a goal for the future. Is this one more problem? And I don't know what a GPO is!

    About “If you are wanting to use gateway management for the solution, it would be best to have a device as each of your remote locations so that the filtration on layer 2 can be accomplished better.”

    On this you totally lost me; I don't understand what to answer on this! I am sorry.

    About “Again...what services are you trying to run here?”

    Let me answer with examples of the usual troubles I need to solve, in order of importance:

    1) if we get a power failure in the primary power supply and the Sophos server crashes, can we keep the internet service? And if that is possible, will it go unnoticed by users?

    I assume I can get it via ClearOS because that VM is on another power supply (but the same site), on another UPS. At this point it is a fact that it doesn't matter if we don't have any kind of security or NAT or whatever else; it is only for the meantime while we recover Sophos, which means 30 minutes or less. You don't know it, but it happens a lot here... and it is hell on earth

    For me that situation means transparent: no other service, but still web surfing. We have almost 230 users calling at the same time asking for internet, and they don't need the NAT or the other services. With Sophos this functions like disaster containment for us, but we can't pay for 2 Sophos servers

    2) with this new structure, will the internet service be the same speed? And I mean from the users' perception

    One problem I need to solve is the performance of the DNS; those are configured as 207.248.224.71 and 201.248.224.72 on servers and 192.168.18.250 on PCs. I am getting a lot of “host not found” messages or "network is unreachable" messages, and also the Sophos web interface is getting slow (for this, I don't know if the first is related to the second). All this is in Sophos, which we are sure is a Sophos server problem, not the ISP; we already tested this

    In this structure you are proposing I assume there is more processing, resulting in more time for web surfing results. I am telling you this because now there are going to be 2 servers instead of one on the way to the internet, aren't there?

    3) at some point, can we do a quick change to have the other services?

    Maybe six months or a year after we get this one working, I will resume another project for another ClearOS server, and that is to have NAT and firewall. I need to keep this one to keep doing testing and then (and only then) install a Pro edition for all the setups we have in Sophos (and some other functions which Sophos doesn't have) to finally, totally replace Sophos. We can use 2 ClearOS servers; if one of them is a Community version, then we can pay for the other in the Pro version

    That is why having both servers working at the same time was a goal for me in the beginning, but only because I believed that was possible. Remember I am more used to Sophos and I thought it should be the same kind of job with ClearOS; now it is clear to me it is not

    If we can get at least number one, it will be a success for me. Sorry to be so extensive in my post, but I think it is necessary to be as clear as possible

    thanks and regards.
  • Thursday, June 15 2017, 10:08 PM
    0 votes
    OK Nick, I will try with a physical connection

    I am not strong at VLANS but I'd have thought you'd want to create a virtual WAN interface with the same VLAN 200 or 201 tag as the VLAN it is connecting to. You could just try it on your backup line if you wanted to and see if it gives you connectivity.

    Do you mean to create a virtual WAN interface on ClearOS, or in the operating system of the physical server for the VMs? The latter is exactly what I have; if it is the former, I did it before writing this and it doesn't work!

    It doesn't matter now about the attachments, but that is what I tried and it didn't work; anyway, there you go

    network.conf
    # Network mode
    MODE="trustedgateway"

    # Network interface roles
    EXTIF="ens192 ens224"
    LANIF="ens256"
    DMZIF=""
    HOTIF=""

    # Domain and Internet Hostname
    DEFAULT_DOMAIN="pereyra.edu.mx"
    INTERNET_HOSTNAME="ClearOS7.pereyra.edu.mx"

    # Extra LANS
    EXTRALANS=""

    # ISP Maximum Speeds
    ENS224_MAX_DOWNSTREAM=0
    ENS224_MAX_UPSTREAM=0
    ENS256_MAX_DOWNSTREAM=0
    ENS256_MAX_UPSTREAM=0
    ENS192_MAX_DOWNSTREAM=100000
    ENS192_MAX_UPSTREAM=100000
  • Thursday, June 15 2017, 08:11 PM
    0 votes
    Luis Alberto Apodaca wrote:
    Yes, I am missing some info because I am also new with it; that particular config in the switch ports is important for us, it is really useful for doing testing in a lot of situations. Remember we do almost all our job with virtual machines, but if you think I should try with a directly connected physical port in our 3750 switch for the interface, I could try, but it is something I didn't try before

    What do you think?

    I am not strong at VLANS but I'd have thought you'd want to create a virtual WAN interface with the same VLAN 200 or 201 tag as the VLAN it is connecting to. You could just try it on your backup line if you wanted to and see if it gives you connectivity.

    Obviously, physical connections are easier to debug. It is up to you if you want to try it.

    PS: this platform is killing me; it is almost impossible for me to do a post without making a maze of it. Can someone please tell me how to attach a txt file, and delete one of my own posts? Thanks!!
    Yes, it is not the best in the world. Mods like me can delete posts - I don't think you can. You can edit them, so you could delete your text and put a comment "please delete". If I notice it I would delete it. You should be able to attach a file as I've indicated in my attachment. Rather than attach a text file, it is probably better to paste its contents between "code" tags (the piece of paper icon with a <> on it) directly into your reply.
  • Thursday, June 15 2017, 03:26 PM
    0 votes
    I agree Nick, the document seems to illustrate that this is a traditional gateway model instead of an internal router model. NAT is being provided by the other firewall/gateway and to not have that on this gateway actually can ruin the security model as well.

    Luis, perhaps it would be useful to know what services are needed from ClearOS that are not functioning on your existing firewall. For example, if you are using ClearOS as a content filter, there may not be a need for ClearOS to be inline at all. And since you can only have one gateway defined, the idea of 'transparent' is coming more clear to me.

    This is what you currently have:
    [Internet]__[VLAN 200]__[Firewall]__[VLAN 18]__[Client machines]
    [Internet]__[VLAN 201]____/

    This is what you would like to have (maybe):
    [Internet]__[VLAN 200]__[Firewall]__[ClearOS]__[VLAN 18]__[Client machines]
    [Internet]__[VLAN 201]____/

    In this model you would set up ClearOS as a transparent bridge between the firewall and the switch. It would use 2 NICs typically and those NICs would be configured in a bridge passing all traffic. You would set the network.conf 'MODE' to be trustedgateway (even though it doesn't appear in the interface, it is a hidden feature because it is beta.) And you would create a series of ebtables rules in the custom firewall to capture and release various ports to be filtered, logged, or monitored under ClearOS. As is described here:

    https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_clearbox_as_a_transparent_inline_bridge

    Please note that this method has only been tested as a filter for the content filter engine and has not been tested with other filtering technologies recently introduced such as the gateway.management, application filter, protocol filter and others. I'm not sure what the behavior is with the intrusion prevention module either.

    In other situations you may decide that you don't need that structure at all. For example, if you want ClearOS to work as a content filter and you need https filtration then you would simply set it up as a proxy on VLAN 18 and enforce egress traffic through the content filter. You may use a combination of tools such as a PAC file and WPAD to help your clients find the proxy server. If you have AD, you may even use GPO to accomplish this.

    If you are wanting to use gateway.management for the solution, it would be best to have a device as each of your remote locations so that the filtration on layer 2 can be accomplished better.

    Again...what services are you trying to run here?
  • Thursday, June 15 2017, 02:42 PM
    0 votes
    Sorry to Nick, I forgot to answer him

    Yes, I am missing some info because I am also new with it; that particular config in the switch ports is important for us, it is really useful for doing testing in a lot of situations. Remember we do almost all our job with virtual machines, but if you think I should try with a directly connected physical port in our 3750 switch for the interface, I could try, but it is something I didn't try before

    What do you think?

    thanks and regards

    PS: this platform is killing me; it is almost impossible for me to do a post without making a maze of it. Can someone please tell me how to attach a txt file, and delete one of my own posts? Thanks!!
  • Thursday, June 15 2017, 02:25 PM
    0 votes
    Sorry for being confusing for you Dave; my English is not as good as yours, I can't be as clear as I think we need. "Transparent gateway" is a term we have been using for a long time here in the office to describe just that, a gateway with no other function. Anyway,

    Yes, we need to try a "trusted gateway", so thanks for the help with it. Just to be clear on this, what parameter in /etc/clearos/network.conf should I change?

    What I did is: " MODE= gateway " I changed to " MODE=trustedgateway "

    But now in webconfig, in IP configuration, I can't see the mode; it is blank, and when I try to edit I only have the options we know, but not trusted gateway. Should I leave it that way?

    If I change the parameter to "trusted gateway" with a blank in the middle, webconfig sends an error "mode is invalid", so I assume MODE=trustedgateway is correct, isn't it?

    Speedtest and whatismyip still give me the public IP of Sophos, not the one in ClearOS, and I only have in my PC the primary DNS, the local IP of ClearOS, which is 192.168.18.13

    Should I see any other change in webconfig? Or how can I confirm I already have the correct mode? I leave you a txt file with the network.conf config.

    thanks and regards
  • Thursday, June 15 2017, 11:53 AM
    0 votes
    Hi Dave,
    In his other thread, as far as I got, we were trying to get ClearOS to have a WAN IP replacing the Sophos. In that configuration ClearOS had no WAN connectivity. Looking at the diagram in the first thread I am now wondering if it is because his WAN is also in VLANS (200 and 201). This is new information and I am now wondering if we need to set up virtual NICs on the WAN corresponding to the VLANS. Unfortunately VLANS are not my forte.
    Nick
  • Thursday, June 15 2017, 01:37 AM
    0 votes
    Again, I'm not sure what is 'transparent' or needing to be 'transparent' in your topology. To me, a transparent gateway is one that sits invisible to the rest of the network and is not noticed when it is removed. This suggests a bridge of some sort but your diagram seems to suggest multiple networks with ClearOS in the middle. If so, then ClearOS is a router.

    If you want NAT between these networks then gateway is the mode to use. If you do NOT want NAT then trusted gateway might work. To make this change, change the parameter in /etc/clearos/network.conf and restart the firewall.
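Dave's instruction above (change MODE in /etc/clearos/network.conf, then restart the firewall) and the earlier "mode is invalid" error Luis hit when he typed "trusted gateway" with a space are the two things worth checking before a restart. The script below is an added example, not ClearOS's own tooling or anything the posters ran: it reads a network.conf, checks that MODE is one exact, lower-case, space-free token, that gateway-style modes have both a WAN and a LAN interface, and that no interface is given two roles, and it warns when trustedgateway is selected because, as Dave describes it, that mode routes with no NAT and no firewall. The list of valid modes is assembled from the modes named in this thread; "dmz" is assumed from the DMZ discussion and is not confirmed on the page. The sample files are constructed from the network.conf Luis pasted (MODE="trustedgateway", EXTIF="ens192 ens224", LANIF="ens256") plus the spaced typo.

```shell
#!/bin/sh
# Added example: sanity-check a ClearOS-style network.conf before restarting
# the firewall. Not ClearOS code; mode names come from this thread and "dmz"
# is an assumption.

# Print the value of KEY from FILE, with surrounding double quotes removed.
conf_get() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$2" | head -n 1
}

# MODE must match one of these exactly: lower case, no spaces.
# "trusted gateway" (with a space) is exactly the value webconfig rejected.
valid_mode() {
    case "$1" in
        gateway|standalone|trustedstandalone|trustedgateway|dmz) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the file looks consistent, 1 otherwise; findings go to stdout.
check_network_conf() {
    file="$1"
    status=0
    mode="$(conf_get MODE "$file")"
    if ! valid_mode "$mode"; then
        echo "INVALID: MODE='$mode' is not a recognised mode (lower case, no spaces)"
        status=1
    fi
    extif="$(conf_get EXTIF "$file")"
    lanif="$(conf_get LANIF "$file")"
    dmzif="$(conf_get DMZIF "$file")"
    hotif="$(conf_get HOTIF "$file")"
    # Routing modes need a WAN side and a LAN side to route between.
    case "$mode" in
        gateway|trustedgateway)
            [ -n "$extif" ] || { echo "INVALID: MODE=$mode but EXTIF is empty"; status=1; }
            [ -n "$lanif" ] || { echo "INVALID: MODE=$mode but LANIF is empty"; status=1; }
            ;;
    esac
    # An interface may hold only one role; duplicates across roles are an error.
    dups="$(printf '%s\n' $extif $lanif $dmzif $hotif | sort | uniq -d)"
    if [ -n "$dups" ]; then
        echo "INVALID: interface(s) assigned to more than one role: $dups"
        status=1
    fi
    # trustedgateway routes with trust on both sides: no NAT, no firewall.
    if [ "$mode" = trustedgateway ]; then
        echo "WARNING: trustedgateway routes between [$extif] and [$lanif] with no NAT/firewall"
    fi
    return $status
}

# Constructed sample: interface roles copied from the network.conf in this
# thread; MODE and LANIF are parameters so the failure cases can be built too.
make_sample() {
    f="$(mktemp)"
    printf '%s\n' \
        '# Network mode' \
        "MODE=\"$1\"" \
        '' \
        '# Network interface roles' \
        'EXTIF="ens192 ens224"' \
        "LANIF=\"$2\"" \
        'DMZIF=""' \
        'HOTIF=""' > "$f"
    echo "$f"
}

# Demo run: the thread's file, then the spaced typo that webconfig rejected.
demo() {
    good="$(make_sample trustedgateway ens256)"
    typo="$(make_sample 'trusted gateway' ens256)"
    for sample in "$good" "$typo"; do
        echo "== $sample"
        check_network_conf "$sample" && echo "OK" || echo "FAILED"
    done
    rm -f "$good" "$typo"
}
demo
```

Run it as `sh check_netconf.sh`, or source it and call `check_network_conf /etc/clearos/network.conf` on the real file; a zero exit status is the signal that the firewall restart Dave mentions is worth attempting.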
  • Wednesday, June 14 2017, 02:54 PM
    -1 votes
    thanks Dave.

    I understand the DMZ concept, and I already read about the types of server before picking a mode. Right now I have gateway mode because I don't know where to set up the transparent mode, which I think is what you call “trustedgateway” (isn't it?)

    One of my concerns is that I can't set up multiple servers to test multiple functions; I don't have enough hardware in our server to have many VMs. Therefore I need to be able to turn the gateway into something more, like a complete firewall, doing NAT, or RADIUS, because at some point ClearOS is going to be the only server for all those functions and whatever comes to happen or I will need. Remember one goal in this project is to replace a UTM Sophos 9.4

    That is why I need to do all the functions one by one; if I have not completely understood one of the functions, I won't go for another. Maybe I am more cautious than I should be (please let me know if I am), but we are not able to pay for the Pro edition until we are sure the performance is what we need

    About your comment on whether I can help you with “trusted gateway”: please be my guest any time, I only need you to tell me how to do it. I didn't try by myself because I am not that sure I am able to get it without crashing something, but anyway right now I did set up shell access; I am not an expert, but I think I can be more helpful now

    Thanks and regards.

    PS: what about the drawing with the topology in the last post, was it useful?
  • Tuesday, June 13 2017, 10:31 PM
    0 votes
    ClearOS with multiple NICs will primarily be targeted for a role as a gateway that provides NAT. However, there are two other considerations that may apply here but you need to understand them both.

    DMZ: ClearOS can function like a DMZ separating the traffic as a firewall from a network that has NAT behind it and a network that uses public or pseudo-public addresses (meaning it behaves as though it doesn't need NAT).

    Trusted Gateway: ClearOS has an unsupported feature in the mode list. Other than Gateway, Trusted Standalone, and Standalone mode there is a mode that is hidden called 'trustedgateway'. This mode is largely unsupported for the simple fact that there is a small user pool that uses this mode. However, if you would like to use this mode and are willing to help us troubleshoot a variety of application configurations, then this might be the mode for you. What happens in this mode is that ClearOS acts like a router with trust on both sides and no NAT or firewall.

    Outside of this there is what we call a transparent gateway which is really just a bridge with certain intercepts. Typically this will use the Trusted Gateway mode and will set up interfaces on a bridge since both sides will be using the same addressing scheme. Since your description seems to describe multiple networks on the different interfaces, this would not be transparent but rather a router of sorts, yeah?