Profile Details

Toggle Sidebar
Recent updates
  • Zarafa is not compatible with Samba Directory but it is compatible with Windows Network (Samba).

    Start with this:

    yum remove app-samba-directory app-samba-directory-core

  • What filtering applications are you using? If you are using the proxy server with the content filter, for example, the speed can be dependent on your disk's ability to write things to the cache. I've seen some configurations where squid/proxy was used on RAID 5 that was in the middle of creating the initial mirror and speed was super slow on a lot of things. If you have RAID check out its status from command line with:

    cat /proc/mdstat

    You can even do that as a progress bar:

    watch cat /proc/mdstat

    There are other things you can do to optimize performance here:

    https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_optimizing_performance_for_proxy_and_content_filter

  • Changing the IP address for the external provider should be trivial. If you have access to the console screen then you should also be able to access it from the Web-based Configuration tool, Webconfig. For example, this should work if you are connected on the Internal lan:

    https://10.7.1.1:81

    From here you would log into the box with the same credentials that you use for the graphical console.

    I am a bit confused by your eth2 and eth3 setup. Here you have them designated as 'External', same as your ISP connection. ClearOS has support for MultiWAN so it is entirely possible that you have 3 ISPs and that 1 is using a public IP address and the other two are behind NAT. That would explain the 'External' designation. Double-check it just to be sure.

    As for DNS, most providers only allow DNS queries from their own subnets. So if you are changing a provider and the existing DNS entry is one of theirs then you may have an invalid configuration. If you are using a neutral DNS provider, like 8.8.8.8, then you don't need to worry about it.

  • Consumer based routers make the assumption that they should be your gateway. In cases where the ISP is providing you with a gateway then you are limited in using their 'wireless' and you probably want to use another wireless device. But in the case that you can put ClearOS directly on the ISP equipment then you can protect your wireless users without incurring another 'NAT'.

    To do this, plug ClearOS directly into your ISP's router. at this point you are either going to get a public IP address or an RFC1918 address (192.168.x.x, 172.16.x.x - 172.31.x.x, 10.x.x.x). If you get an RFC1918 address then you are going to end up double-NATting with ClearOS. The good news is that you can avoid triple NATting or double NATting even if you are using a consumer based router for your wireless behind ClearOS. Of course the most simple thing to do is to just plug your router's internet feed into the back of your ClearOS server but this is what you can do instead.

    With a laptop or other device plugged into your router that isn't connected, accomplish these tasks:

    - Set the internet setting to DHCP
    - Don't plug anything into the internet side of the router
    - Turn off DHCP on the router.
    - Setup the LAN side of the router to use a static IP address that would exist on your ClearOS network. For example, if ClearOS is 10.50.100.1/255.255.255.0 on the LAN side, set the router to be 10.50.100.25/255.255.255.0
    - Plug one of the 4 LAN ports from your ClearOS LAN interface into the Wireless router.

    Voila, now your consumer-based router is a 4-port ethernet switch with wireless access point. Using routers as wireless access points is often more cost-effective than purchasing wireless access points. Why? well, same wireless plus 4 port switch. So what do you do with the extra jack on the router that would go to the Internet? Nothing, ever, don't need it, don't use it.

  • Dave Loper
    Dave Loper replied to a discussion, Manual Phrase Lists

    The content filter and the spam filter are different things. The Content Filter app in the marketplace will filter web traffic conducted through the web proxy firewall. This won't touch emails however. The mail anti-spam engine uses several technologies to filter mail. One of them is spam-assassin. You can modify your /etc/mail/spamassassin/local.cf file in spam assassin to manually override some of your heuristics. Once it is detected, your normal spam settings will kick into play and flag it or drop it depending on its spamminess.

    https://serverfault.com/questions/562584/how-to-edit-bad-word-filter-in-spamassassin

  • Dave Loper
    Dave Loper replied to a discussion, Port Forwarding issues

    Here is a guide that tells the differences in port fowarding, virtual addresses, and 1:1 NAT. Many other firewalls require you to set up multiple technologies to get one outcome (like port forwarding.) ClearOS takes care of all that in one go. It makes it simple and intuitive for first-time users of firewalls but can be confusing to seasoned firewall admins who have been forced for decades to do each individual step manually. In addition PPTP requires the forwarding of GRE packets and the port forwarding service rule is aware of this nuance so use it instead of simply telling it to forward 1723.

    https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_virtual_interfaces_dmz_port_forwarding_and_1-1_nat#port_forwarding

  • Dave Loper
    Dave Loper replied to a discussion, OpenVPN and Multi-WAN problem.

    Depending on what your external facing network is doing, you may need to use the 'float' parameter. This is especially true if your ISP is changing your IP address at all or if multiwan DNS changes it on you.

  • Thanks Marcel,

    I've added you and Alonso. Thanks for filling out the form. We should get more detail soon.

  • Nick is right in bringing up MultiWAN. If your DNS service does not allow for queries from your other ISP's connection (and most don't) then you may need to use a neutral DNS provider like Google (8.8.8.8, 8.8.4.4) or Level3 (with their permission at 4.2.2.1 and 4.2.2.2).

    The problem with multiwan is that if you statically set your AD DNS to use your upstream ISP for DNS resolution or if you set ClearOS to do the same and your communication to that DNS goes over the competing ISP's connection then you will get blocked.

  • Interesting approach. I'll have to try this out at home and see what I can do.