Community Forum

Resolved
0 votes
During install I selected public server mode. I am creating a gateway for secure services and I want all traffic to come through the ClearOS server. From what I know I need to select IP forwarding, which I have. Do I need to create a static route as well? However, CentOS/ClearOS doesn't have the same static route command as other Linux distributions. For example, I would want the static route to be

any destination
IP of clearos as gateway

So in ClearOS would this be done by Any via 192.168.X.1?

Would what I mentioned work?
Thursday, February 16 2017, 04:33 AM
Responses (4)
  • Accepted Answer

    Friday, February 17 2017, 02:26 PM - #Permalink
    Resolved
    0 votes
    I am not totally sure you can do what you want, or if you can, it may need a bit of tinkering under the hood. If you had 2 NICs you could use a hidden trustedgateway mode. If it is a standalone server, I believe you can use it as a proxy. Your other LAN devices would have to see ClearOS as their gateway and ClearOS would have the router as its gateway. I don't know if internet traffic in this mode gets scanned by the AV or not. I guess you could test that by getting the configuration working, then downloading an EICAR test file to a PC and seeing if it gets picked up.
  • Accepted Answer

    Friday, February 17 2017, 04:59 AM - #Permalink
    Resolved
    0 votes
    I believe the reason IP forward is not working is the router, which is acting as a switch. As you may know, with a switch I can't simply ping from 192.168.34.67 (workstation) to 192.168.34.254 (gateway of router) and expect 192.168.34.56 (device running ClearOS) to see the traffic between .67 and .254. That won't work even with IP forward. So do I form some sort of legit man-in-the-middle? Or somehow force traffic through the device with ClearOS? Again, the device with ClearOS is not the router the internet goes through, for example. It's just an independent device all traffic needs to pass through.
  • Accepted Answer

    Thursday, February 16 2017, 10:24 PM - #Permalink
    Resolved
    0 votes
    Hi Nick. Thank you for getting back to me. I should clarify. This is a test project. The idea is a plug and play (to an extent) Security Gateway. This means that the device with ClearOS is connected to the LAN. It has no direct WAN access and goes through a NAT/Router (such as an ATT modem) device to get to the internet. The device with ClearOS has no router function. It is just a gateway for traffic to pass through and be scanned by the services such as Gateway AntiVirus, Antiphishing, etc. This is why I chose the public server mode. The reason for this project is not to replace the NAT/Router, but to still provide ClearOS services to the network. From my reading, this should be possible, right?


    Here is a basic diagram

    modem/router--------->device with clearos(GAV,Antiphishing,etc)
    |
    |
    |
    |
    V
    computer A


    What I have done is enabled IP forwarding from your response here:
    https://www.clearos.com/clearfoundation/social/community/ip-forwarding

    In /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to 1

    This should pass all traffic through the device with ClearOS, right? Yes, you are correct, no route should be needed. I was just confused. Again, I want all traffic to pass through. Should I use one of the modules as well? I'm guessing I should set up a tcpdump with icmp on that device, ping the router/modem device from another computer and see if the traffic passes the ClearOS device? Or how would you test?

    Thank you in advance!

    Ben
  • Accepted Answer

    Thursday, February 16 2017, 12:59 PM - #Permalink
    Resolved
    0 votes
    I'm not sure why you'd need an extra route.

    Do you have multiple WAN IPs and are looking to forward all traffic to one WAN IP? If you do, have a look at the 1-to-1 NAT module. If you don't and you want to forward all traffic from your WAN IP to a LAN IP, I think you can do it through the port forwarding module. If not, the 1-to-1 NAT module may still work with a single WAN IP. Otherwise some manual port forwarding will be needed where you don't specify the port or protocol. A DMZ would work but then I am not sure what purpose ClearOS would have in this case.

    If you are looking to forward a few ports, just look at the port forwarding firewall app. Again, no extra routes are needed.
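
The routing behaviour discussed in this thread, as an added example that is not from any poster or from ClearOS: it models next-hop selection to show which traffic actually crosses the ClearOS box in a single-NIC setup. The three LAN addresses are the ones quoted in the thread; the /24 mask, the routing tables, the `wan` label and the destination 203.0.113.10 are assumptions constructed for the example.

```python
import ipaddress

# Addresses quoted in the thread; mask and tables are assumed for this example.
WORKSTATION, CLEAROS, ROUTER = "192.168.34.67", "192.168.34.56", "192.168.34.254"
LAN, DEFAULT = "192.168.34.0/24", "0.0.0.0/0"
INTERNET_HOST = "203.0.113.10"  # constructed destination (documentation range)

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None = on-link."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw if gw is not None else dst  # on-link: deliver straight to dst

def build_tables(workstation_gateway):
    """Routing tables for the three hosts; only the workstation's default varies."""
    return {
        WORKSTATION: [(LAN, None), (DEFAULT, workstation_gateway)],
        CLEAROS: [(LAN, None), (DEFAULT, ROUTER)],   # needs ip_forward = 1 to relay
        ROUTER: [(LAN, None), (DEFAULT, "wan")],     # "wan" = upstream, not modelled
    }

def path(tables, src, dst, max_hops=8):
    """Follow next hops from src towards dst and return every host visited."""
    hops, here = [src], src
    while here != dst and len(hops) <= max_hops:
        hop = next_hop(tables.get(here, []), dst)
        if hop is None:
            break
        hops.append(hop)
        here = hop
    return hops

def crosses_clearos(workstation_gateway, src, dst):
    """True if a packet from src to dst is forwarded by the ClearOS box."""
    return CLEAROS in path(build_tables(workstation_gateway), src, dst)[1:]

if __name__ == "__main__":
    for gw in (ROUTER, CLEAROS):
        tables = build_tables(gw)
        print("default via", gw)
        print("  to internet:", path(tables, WORKSTATION, INTERNET_HOST))
        print("  ping router:", path(tables, WORKSTATION, ROUTER))
        print("  router reply:", path(tables, ROUTER, WORKSTATION))
```

In this model a ping from the workstation to the router is on-link and never reaches ClearOS, so a tcpdump test should target an address outside the LAN; the router's replies to the workstation are also delivered on-link.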