Bruce Shiu
Resolved
0 votes
Hi,

I get this issue that I wasn't able to resolve, and I couldn't find an exact answer on the forum.
I have installed ClearOS 7, selected "Gateway Mode", and configured external and LAN; all systems on the LAN are able to get a DHCP IP and connect to the internet without issue. Now here comes the challenge: my external is actually from another LAN which requires access (SSH) to all the systems on this ClearOS LAN. So I searched and found out about "Trustedgateway Mode", which resolved the connection issue from the external to the LAN, but now all the systems on the LAN are not able to get to the internet.
I know I must be missing some setting; can anyone point me to the light please? Or if there is a better solution other than using "Trustedgateway Mode", I'm all willing to try.

Here is some info about the setup:

ClearOS 7.4
Uplink network - 10.4.0.0/15, gateway 10.5.0.1
External IP - DHCP(10.5.0.31)
LAN IP - 10.3.3.0
LAN network- 10.2.0.0/15, DHCP range 10.3.3.1-10.3.3.254

Key requirement: systems from the uplink network need to be able to access systems in the LAN network, but not the other way around.

Thanks,
Bruce
In Gateway
Tuesday, June 12 2018, 10:16 PM
Responses (8)
  • Accepted Answer

    Nick Howitt
    Wednesday, June 13 2018, 07:13 AM - #Permalink
    Resolved
    0 votes
    I have very little knowledge of trustedgateway mode, but I would guess it is a routing problem on the 10.4.0.0/15, which will have no knowledge of where the 10.2.0.0/15 subnet is to send replies. For this you will need a route set up in the gateway device on the 10.4.0.0/15 network to 10.2.0.0/15 via 10.5.0.31, and ClearOS should be given a fixed IP or you may have to keep changing the route.

    Are you trying to SSH from the 10.4.0.0/15 LAN or from a machine which NATs to that subnet (e.g. hanging off another LAN connected to that subnet)? If so, try adding the following firewall rule at the command line:
    iptables -I FORWARD -s 10.4.0.0/15 -d 10.2.0.0/15 -p tcp --dport 22 -j ACCEPT
    You will also need a route set up in the gateway device on the 10.4.0.0/15 network to 10.2.0.0/15 via 10.5.0.31. If this works you can make the firewall rule permanent by putting it in the custom firewall module, but when you put it there, change "iptables" to "$IPTABLES".
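An added example, not code from the thread or from ClearOS: the FORWARD rule Nick gives, written the way it would go into the ClearOS custom firewall module he mentions, which exports $IPTABLES. The -C/-I check, the conntrack rule for replies, the "apply" argument guard and the fallback to the iptables binary for stand-alone use are assumptions of this example; the route on the 10.4.0.0/15 gateway still has to be added on that device.

```shell
#!/bin/sh
# Assumed: when sourced by the ClearOS custom firewall module, $IPTABLES is already
# set; the fallback to the plain binary is only for running this file stand-alone.
IPTABLES=${IPTABLES:-iptables}

# Networks from the original post
UPLINK_NET=10.4.0.0/15   # where the SSH clients live (ClearOS WAN side)
LAN_NET=10.2.0.0/15      # ClearOS LAN, where the SSH servers are

# Insert a rule only when it is not already present, so re-running the firewall
# script (which happens on every firewall restart) does not stack duplicate rules.
ensure_rule() {
    chain=$1
    shift
    "$IPTABLES" -C "$chain" "$@" 2>/dev/null || "$IPTABLES" -I "$chain" "$@"
}

allow_uplink_ssh_to_lan() {
    # Replies to connections already accepted. ClearOS has this by default,
    # but stating it keeps the module self-contained.
    ensure_rule FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only NEW SSH connections from the uplink network into the LAN: this is the
    # one direction the poster wants opened. No rule is added for LAN -> uplink SSH.
    ensure_rule FORWARD -s "$UPLINK_NET" -d "$LAN_NET" \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Stand-alone use: `sh custom-ssh-forward.sh apply` applies the rules;
# `IPTABLES=echo sh custom-ssh-forward.sh apply` only prints what would run.
if [ "${1:-}" = "apply" ]; then
    allow_uplink_ssh_to_lan
fi
```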
  • Accepted Answer

    Bruce Shiu
    Wednesday, June 13 2018, 10:31 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    Thanks for the reply. Basically there are two different issues with the two different approaches: 1) set to "gateway", can't ping/SSH from WAN 10.4.0.0/15 to LAN 10.2.0.0/15, but the internet is fine; 2) set to "trustedgateway", can ping/SSH from WAN 10.4.0.0/15 to LAN 10.2.0.0/15, but no internet on any of the systems on the LAN.
    See below for details...


    Nick Howitt wrote:

    I have very little knowledge of trustedgateway mode, but I would guess it is a routing problem on the 10.4.0.0/15, which will have no knowledge of where the 10.2.0.0/15 subnet is to send replies. For this you will need a route set up in the gateway device on the 10.4.0.0/15 network to 10.2.0.0/15 via 10.5.0.31, and ClearOS should be given a fixed IP or you may have to keep changing the route.


    If I just switch ClearOS back to "Gateway Mode" without adding anything on the 10.4.0.0/15 gateway, all systems on 10.2.0.0/15 are already able to get to the internet.
    I have added a static route on the systems on 10.4.0.0/15 that need access to 10.2.0.0/15; this works in "Trustedgateway Mode" but not in "Gateway Mode".


    Are you trying to SSH from the 10.4.0.0/15 LAN or from a machine which NATs to that subnet (e.g. hanging off another LAN connected to that subnet)? If so, try adding the following firewall rule at the command line:
    iptables -I FORWARD -s 10.4.0.0/15 -d 10.2.0.0/15 -p tcp --dport 22 -j ACCEPT
    You will also need a route set up in the gateway device on the 10.4.0.0/15 network to 10.2.0.0/15 via 10.5.0.31. If this works you can make the firewall rule permanent by putting it in the custom firewall module, but when you put it there, change "iptables" to "$IPTABLES".


    This actually isn't needed if it is in "Trustedgateway Mode"; it can directly ping or SSH into any address on 10.2.0.0/15, but the issue is that there is no internet access on any of the systems on 10.2.0.0/15. But in "Gateway Mode", I can't ping or SSH any system on 10.2.0.0/15 from WAN 10.4.0.0/15.


  • Accepted Answer

    Nick Howitt
    Thursday, June 14 2018, 10:13 AM - #Permalink
    Resolved
    0 votes
    So have you tried my solutions?
    1 - In trustedgateway mode add a route to your internet gateway
    2 - In gateway mode add a route to the internet gateway and a firewall rule to ClearOS
  • Accepted Answer

    Bruce Shiu
    Thursday, June 14 2018, 08:45 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    So have you tried my solutions?
    1 - In trustedgateway mode add a route to your internet gateway
    There is a static route on the gateway of 10.4.0.0/15: 10.2.0.0/15 via 10.5.0.31.
    2 - In gateway mode add a route to the internet gateway and a firewall rule to ClearOS

    Does not work, neither ping nor SSH.
  • Accepted Answer

    Nick Howitt
    Friday, June 15 2018, 07:28 AM - #Permalink
    Resolved
    0 votes
    Can I suggest you try out a bit of traffic sniffing with tcpdump on the ClearOS WAN port, to at least check that the packets from your 10.4.0.0/15 LAN arrive at the ClearOS WAN interface? If they don't, then the routing in the 10.4.0.0/15 gateway has not been set up correctly. If the traffic does arrive at the ClearOS WAN, then we'll have to look at the firewalling there.

    There is one way which will work but you probably don't want to do, and that is to set up OpenVPN in ClearOS, then have any device requiring access to the ClearOS LAN connect to ClearOS by OpenVPN. A bit messy, as the issue should just be a question of sorting out the firewalling and routing.
  • Accepted Answer

    Bruce Shiu
    Friday, June 15 2018, 11:02 PM - #Permalink
    Resolved
    0 votes
    I'm not familiar with how to do traffic sniffing, but I'm thinking that when I just switch between "gateway" (blocked WAN --> LAN) and "trustedgateway" (blocked LAN --> WAN) without changing anything else, traffic can pass through between WAN and LAN and vice versa; does that mean the route is working correctly on the internet gateway?

    Sorry, VPN is not an option for our setup.



    Nick Howitt wrote:

    Can I suggest you try out a bit of traffic sniffing with tcpdump on the ClearOS WAN port, to at least check that the packets from your 10.4.0.0/15 LAN arrive at the ClearOS WAN interface? If they don't, then the routing in the 10.4.0.0/15 gateway has not been set up correctly. If the traffic does arrive at the ClearOS WAN, then we'll have to look at the firewalling there.

    There is one way which will work but you probably don't want to do, and that is to set up OpenVPN in ClearOS, then have any device requiring access to the ClearOS LAN connect to ClearOS by OpenVPN. A bit messy, as the issue should just be a question of sorting out the firewalling and routing.
  • Accepted Answer

    Nick Howitt
    Saturday, June 16 2018, 07:35 AM - #Permalink
    Resolved
    0 votes
    Bruce Shiu wrote:

    I'm not familiar with how to do traffic sniffing, but I'm thinking that when I just switch between "gateway" (blocked WAN --> LAN) and "trustedgateway" (blocked LAN --> WAN) without changing anything else, traffic can pass through between WAN and LAN and vice versa; does that mean the route is working correctly on the internet gateway?

    Not necessarily because internet traffic is not returning to the ClearOS LAN.

    Remember I have no experience of the trustedgateway solution so I am trying to piece together what is going on. Google for "tcpdump example". A couple of links are here and here. Perhaps you want something like:
    tcpdump -i your_clearos_wan_interface -n net 10.4.0.0/15 and net 10.2.0.0/15 and port 22
    Tcpdump is a complex tool and I have to use a lot of trial and error to get it to work. Try testing the above by doing an SSH from the ClearOS LAN to anywhere on the 10.4.0.0/15 LAN. You should at least see outbound traffic. If it is to a valid destination with a running SSH server, you should see a reply. If you don't, you have a routing problem in your gateway or a firewalling problem on your target device. If you see some traffic, even if it is one-way, try SSH'ing to the ClearOS LAN. If you see nothing, you have a routing problem on your gateway. If you see no outbound or return traffic when SSH'ing from the ClearOS LAN, then you probably have a problem with the tcpdump command.

    Note when testing to Windoze devices, their firewall often only allows local LAN traffic through. 10.2.0.0/15 is not considered local to 10.4.0.0/15 and vice-versa.

    [edit]
    tcpdump command above altered.
    [/edit]
  • Accepted Answer

    Saturday, June 16 2018, 01:15 PM - #Permalink
    Resolved
    0 votes
    The answer I gave you is wrong for NAT'd traffic (so gateway mode). You'd just need to monitor SSH traffic between the source and target machines, because it gets NAT'd in ClearOS, so something like:
    tcpdump -i any -n "(host your_source_IP or host your_target_ip) and port 22"
    or for pings change "port 22" to "icmp". You should see two outbound entries as it passes through the LAN and WAN interfaces and two as it comes back, but the LAN IP will be changing as it gets NAT'd to the ClearOS WAN IP in gateway mode.