Community Forum

Resolved
0 votes
Running Clearos 7 Community Edition.

Network Setup:
Interface     Role      Type    Address           Link
eno16780032   LAN       Static  10.6.10.31/24     Yes
eno33559296   Hot LAN   Static  10.4.120.15/22    Yes
eno50338560   External  Static  [Public address]  Yes

systemctl status firewall.service results:
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running incoming denied rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running user-defined incoming rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running default incoming allowed rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running user-defined port forward rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running Masquerading
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Enabling NAT on WAN interface eno50338560
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running user-defined outgoing block rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Running default forwarding rules
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us firewall6[19699]: Execution time: 0.048s
Dec 05 08:52:29 clearos2.covdnssrv.co.volusia.fl.us systemd[1]: Started ClearOS Firewall Engine.

Client in Hot LAN at address 10.4.120.13 with default gateway set to 10.4.120.15 and no proxy set works fine getting to Internet.

Proxy set to Transparent Enabled, User Authentication disabled, proxy set to 10.4.120.15 at client, client can ping proxy OK.
Wireshark shows RST (reset) packets from proxy during TCP handshake & proxy fails.

Proxy set to Transparent Disabled, User Authentication disabled, proxy set to 10.4.120.15 at client, client can ping proxy OK.
Wireshark still shows RST (reset) packets from proxy during TCP handshake & proxy fails.

Proxy set to Transparent Disabled, User Authentication disabled, proxy set to 10.4.120.15 at client, client can ping proxy OK.
Wireshark still shows RST (reset) packets from proxy during TCP handshake & proxy fails.

It feels like a simple configuration issue but I read the online docs and cannot find the error. Can anyone see the problem?

Thanks
Tuesday, December 05 2017, 06:48 PM
Responses (14)
  • Accepted Answer

    Friday, December 08 2017, 03:11 PM - #Permalink
    Resolved
    0 votes
    I fixed the problem. It was with a combination of ACLs and http allowed statements. :)
  • Accepted Answer

    Thursday, December 07 2017, 08:37 AM - #Permalink
    Resolved
    0 votes
    As an alternative solution, can you define both NICs as LAN and add your own firewall rules to isolate the two LANs? I am not sure what other firewall rules a HotLAN generates, but these can probably be done manually as well. My only concern would be that the proxy may allow you to bypass the firewall between the LANs.
  • Accepted Answer

    Wednesday, December 06 2017, 08:44 PM - #Permalink
    Resolved
    0 votes
    If you don't want users to need passwords, turn off authentication in the proxy settings.

    I'm afraid I can't really help with the proxy setting as it is not an app I use. I don't think the proxy is meant to work with the HotLAN, but I assume you can manually configure it by copying the settings from the normal LAN. Also check the firewall, especially the nat table ("iptables -nvL -t nat"), in case you need anything there.
  • Accepted Answer

    Wednesday, December 06 2017, 08:08 PM - #Permalink
    Resolved
    0 votes
    I don't actually want the users to authenticate. When I tried commenting out the line "acl password proxy_auth REQUIRED" Squid would not start.
  • Accepted Answer

    Wednesday, December 06 2017, 08:06 PM - #Permalink
    Resolved
    0 votes
    Here is the squid.conf file:

    cat squid.conf
    #
    # Authentication
    #
    include /etc/squid/squid_auth.conf

    #
    # Access control lists
    #

    # ClearOS LAN definitions (webconfig_lan and webconfig_to_lan) are generated automatically
    include /etc/squid/squid_lans.conf

    # ClearOS Web Access Control: access control lists
    include /etc/squid/squid_acls.conf

    acl SSL_ports port 443
    acl SSL_ports port 81

    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 81
    acl Safe_ports port 82
    acl Safe_ports port 83

    acl windowsupdate dstdomain windowsupdate.microsoft.com
    acl windowsupdate dstdomain .update.microsoft.com
    acl windowsupdate dstdomain download.windowsupdate.com
    acl windowsupdate dstdomain redir.metaservices.microsoft.com
    acl windowsupdate dstdomain images.metaservices.microsoft.com
    acl windowsupdate dstdomain c.microsoft.com
    acl windowsupdate dstdomain www.download.windowsupdate.com
    acl windowsupdate dstdomain wustat.windows.com
    acl windowsupdate dstdomain crl.microsoft.com
    acl windowsupdate dstdomain sls.microsoft.com
    acl windowsupdate dstdomain productactivation.one.microsoft.com
    acl windowsupdate dstdomain ntservicepack.microsoft.com

    acl CONNECT method CONNECT
    acl wuCONNECT dstdomain www.update.microsoft.com
    acl wuCONNECT dstdomain sls.microsoft.com

    # County subnets permitted
    acl guestnet src 10.4.120.0/22

    acl password proxy_auth REQUIRED

    #
    # Access permissions
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

    # User-defined whitelists
    include /etc/squid/squid_whitelists.conf

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    #http_access deny CONNECT !SSL_ports

    # Access rules
    http_access allow localhost

    # County subnets permitted
    http_access allow guestnet

    # Windows update
    http_access allow CONNECT wuCONNECT webconfig_lan
    http_access allow windowsupdate webconfig_lan


    # ClearOS Web Access Control: http_access settings
    http_access allow webconfig_to_lan
    include /etc/squid/squid_http_access.conf
    http_access allow webconfig_lan

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    include /etc/squid/squid_http_port.conf
    http_port 10.4.120.15:3128

    # Uncomment and adjust the following to add a disk cache directory.
    cache_dir ufs /var/spool/squid 10240 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    # Error handling
    error_directory /var/clearos/web_proxy/errors

    # Logging
    access_log stdio:/var/log/squid/access.log squid

    # X-Forwarding
    follow_x_forwarded_for allow localhost
    forwarded_for delete

    # Shutdown time
    shutdown_lifetime 10 seconds

    # Sizes
    maximum_object_size 512000 KB
    reply_body_max_size none

    # IPv4 only for now
    dns_v4_first on

    # eCAP configuration include
    include /etc/squid/squid_ecap.conf
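To see why the Hot LAN client first got RST packets and then "Access denied", and how the ACL and http_access ordering mentioned in the accepted answer decides a request, here is an added example (not ClearOS or Squid code, and not the poster's configuration). It parses a constructed squid.conf modelled on the one posted above, reports gateway addresses that have no http_port listener, and evaluates http_access lines with Squid's first-match rule for sample requests; the deny line placed before "allow guestnet" and the .blocked.test domain are assumptions standing in for the included ClearOS files.

```python
import ipaddress

# Constructed sample modelled on the thread's squid.conf, not the poster's file;
# include files are inlined, with a hypothetical deny where squid_whitelists.conf
# is included (before "allow guestnet"). No http_port on the Hot LAN gateway.
CONF = """
acl webconfig_lan src 10.6.10.0/24
acl guestnet src 10.4.120.0/22
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl blocked dstdomain .blocked.test
http_access deny blocked
http_access deny !Safe_ports
http_access allow guestnet
http_access allow webconfig_lan
http_access deny all
http_port 10.6.10.31:3128
"""

def parse(conf):
    """Collect acl definitions, ordered http_access lines and http_port addresses."""
    acls, rules, ports = {}, [], []
    for raw in conf.splitlines():
        f = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if f and f[0] == "acl":
            acls.setdefault(f[1], (f[2], []))[1].extend(f[3:])
        elif f and f[0] == "http_access":
            rules.append((f[1], f[2:]))
        elif f and f[0] == "http_port":
            ports.append(f[1].rsplit(":", 1)[0])
    return acls, rules, ports

def acl_hit(acls, name, req):
    """Match one acl against a request dict with keys src, host and port."""
    kind, vals = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in vals)
    if kind == "port":
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in vals)
    if kind == "dstdomain":
        return any(req["host"] == v or (v[0] == "." and req["host"].endswith(v)) for v in vals)
    raise ValueError("unsupported acl type " + kind)

def http_access(acls, rules, req):
    """Squid first-match: a line fires when every term matches ('!' negates, 'all'
    always matches); with no firing line the result is the opposite of the last."""
    for action, terms in rules:
        if all((t.lstrip("!") == "all" or acl_hit(acls, t.lstrip("!"), req)) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

def missing_listeners(ports, gateway_ips):
    """Gateway addresses with no http_port: a client SYN there is answered with RST."""
    return [ip for ip in gateway_ips if ip not in ports]

ACLS, RULES, PORTS = parse(CONF)
```

Adding `http_port 10.4.120.15:3128` to CONF empties the missing-listener list, which matches the step where the RSTs stopped and the proxy started answering with its own access-denied page.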
  • Accepted Answer

    Wednesday, December 06 2017, 02:22 PM - #Permalink
    Resolved
    0 votes
    File not attached. If not too long it is probably better to paste the contents between code tags.

    If you're using Windows, for file management and editing, have a look at WinSCP, and for a remote console, PuTTY. You can copy text from PuTTY just by selecting it with the mouse, and paste into it by right-clicking.
  • Accepted Answer

    Wednesday, December 06 2017, 01:14 PM - #Permalink
    Resolved
    0 votes
    squid.conf file attached.
  • Accepted Answer

    Wednesday, December 06 2017, 01:11 PM - #Permalink
    Resolved
    0 votes
    I found the http_port.conf file and it said:
    # Created automatically based on network configuration
    http_port localhost6:3128
    http_port localhost4:3128
    http_port 10.6.10.31:3128

    I added http_port 10.4.120.15:3128 and changed my browser proxy settings to that port and I now get an error web page that says:

    "Web Site Status Access denied" which is progress. I will work on it from that perspective. Apparently the ClearOS interface did not add the necessary port setting for the ethernet interface.

    I will attach my squid.conf file as soon as I can figure out how to download it. There does not seem to be an FTP client installed on ClearOS and I have not found one in the Marketplace.
  • Accepted Answer

    Wednesday, December 06 2017, 12:32 PM - #Permalink
    Resolved
    0 votes
    I found the Squid config files and here are the contents of the squid_lans.conf file:

    # Created automatically based on network configuration
    acl webconfig_lan src 10.6.10.0/24
    acl webconfig_to_lan dst 10.6.10.0/24

    Do I have to add entries for the permitted client lans? I have not yet been able to find good examples for this file.
  • Accepted Answer

    Wednesday, December 06 2017, 12:07 PM - #Permalink
    Resolved
    0 votes
    Yes, it is.
  • Accepted Answer

    Wednesday, December 06 2017, 11:13 AM - #Permalink
    Resolved
    0 votes
    Does anyone know if the Web Proxy Server (2.3.4-1) is actually Squid?
  • Accepted Answer

    Tuesday, December 05 2017, 09:20 PM - #Permalink
    Resolved
    0 votes
    Oh bother. You have a VM. I'm afraid that is not a set up I am familiar with or able to diagnose.
  • Accepted Answer

    Tuesday, December 05 2017, 09:12 PM - #Permalink
    Resolved
    0 votes
    [root@clearos2 ~]# lspci -k | grep Eth -A 2
    0b:00.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)
    Subsystem: VMware VMXNET3 Ethernet Controller
    Kernel driver in use: vmxnet3
    Kernel modules: vmxnet3
    13:00.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)
    Subsystem: VMware VMXNET3 Ethernet Controller
    Kernel driver in use: vmxnet3
    Kernel modules: vmxnet3
    1b:00.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)
    Subsystem: VMware VMXNET3 Ethernet Controller
    Kernel driver in use: vmxnet3
    Kernel modules: vmxnet3
  • Accepted Answer

    Tuesday, December 05 2017, 08:16 PM - #Permalink
    Resolved
    0 votes
    With a sideways jump, can you give the output to "lspci -k | grep Eth -A 2".