www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 

ZS not forwarding IP address problem

 
domu



Joined: 15 Mar 2012
Posts: 18

Posted: Mon Jul 24, 2017 7:09 pm    Post subject: ZS not forwarding IP address problem

I can't figure out how to set up ZS to forward the original IP address.

For example, I have an Asterisk server behind ZS. There are some
hacking attempts coming from outside, but in the logs the offending IP
address is always the address of our ZS gateway.

Similar situation with the L2L VPN: the rsync mirroring server allows
one particular IP from the subnet at our other branch to connect,
but again, it fails because the server receives the ZS IP instead.

When using other routers (RV082) everything works as expected
out of the box.

What am I missing ?
domu



Joined: 15 Mar 2012
Posts: 18

Posted: Sat Jul 29, 2017 2:58 am

Anybody, please ?
reaperz



Joined: 13 Apr 2012
Posts: 98

Posted: Mon Jul 31, 2017 8:32 am

I am also using ZS for L2L VPN and I don't have such problems.

Are you by chance using wrong-way NAT?

Go to "Router -> NAT" in menu

Under "NAT Enabled Interfaces" there should only be one interface - that is your external (WAN) interface, which has the external IP address from your ISP. No other interfaces should be under the right tab!
domu



Joined: 15 Mar 2012
Posts: 18

Posted: Mon Jul 31, 2017 5:26 pm

Thank you for your answer.

In the router section, three PPPoE are selected, as we utilize
the Network Balancer feature of the ZS router, so I guess that should not
cause that kind of problem. Especially since the RV081 had a similar
feature, and I never experienced such an issue.
domu



Joined: 15 Mar 2012
Posts: 18

Posted: Fri Sep 29, 2017 12:56 am

Two months and no answer?

Is it really impossible to have in ZS a feature which is standard
in even the simplest routers?

Can anybody confirm/deny if it is possible at all ?
Montikore



Joined: 19 Jan 2016
Posts: 64

Posted: Mon Oct 02, 2017 12:05 pm

Hi,

From what I understand, this is a misconfiguration on your side. Zeroshell is of course capable of doing this, as this is the basics of routing.
Please give more info about your configuration/architecture if you want to get help.
domu



Joined: 15 Mar 2012
Posts: 18

Posted: Mon Oct 02, 2017 6:22 pm

Sure, here are the relevant points of the ZS setup

Setup -> Network ->
Gateway - [empty]
- that is supposed to be controlled by NetBalancer settings
NAT Enabled Interfaces [pppoe0,pppoe1,pppoe2]
- two FTTx redundant links + one aircard

ETH0 - LAN
ETH2/3/5 - pppoe

NetBalancer
- default gateway - [disabled]
- pppoe0 - fiber1 (active)
- pppoe1 - fiber2 (spare)
- ICMP failover checking [enabled]

Please let me know what else you would need to know.
Montikore



Joined: 19 Jan 2016
Posts: 64

Posted: Tue Oct 03, 2017 7:45 am

As reaperz suggested, did you check your NAT?
Your external access interfaces (PPPoE) have to be under "NAT Enabled Interfaces" and nothing else.
domu



Joined: 15 Mar 2012
Posts: 18

Posted: Tue Oct 03, 2017 9:54 am

Yup, that's exactly as it is. You can see it in my previous reply:
"NAT Enabled Interfaces [pppoe0,pppoe1,pppoe2]"
Montikore



Joined: 19 Jan 2016
Posts: 64

Posted: Tue Oct 03, 2017 1:42 pm

Do you use any port redirection / virtual server?
domu



Joined: 15 Mar 2012
Posts: 18

Posted: Tue Oct 03, 2017 9:46 pm

Yes I do. That is how servers are being "found" in the LAN.
Asterisk server among the others. The problem is that when
there is a hacking attempt detected on the Asterisk server - the offending
address is identified as the IP of our ZS router, instead of the external
IP address of the "attacker".

If I only have an _external_ IP address in the server logs - the
problem is solved.
Montikore



Joined: 19 Jan 2016
Posts: 64

Posted: Wed Oct 04, 2017 7:54 am

This may be the problem then: if your server is accessed using a virtual server, it means you use the Zeroshell IP to access it and not its own IP; then this is no longer basic routing, and Zeroshell processes the packets instead of just passing them through.
domu



Joined: 15 Mar 2012
Posts: 18

Posted: Wed Oct 04, 2017 12:36 pm

Then how would you explain that any stock router that I know/used
- have virtual servers / port forwarding section
- passes external IPs to virtual servers in the NAT without any extra setup
?
Montikore



Joined: 19 Jan 2016
Posts: 64

Posted: Wed Oct 04, 2017 1:45 pm

My answer was incomplete... This is the case when using the keyword MASQUERADE with iptables routing NAT, which is the default with ZS.
I don't know how to do this from the web interface (not sure it's even possible), but you have to use POSTROUTING instead.
I suggest you search for these 2 different ways to do NAT to learn more about it.
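An added example, not code from any poster in the thread or from Zeroshell: a shell check that reads an `iptables-save -t nat` dump and lists POSTROUTING rules that rewrite the source address (MASQUERADE or SNAT) on anything other than the WAN interfaces, which is the situation reaperz warns about and the one in which a LAN server logs the gateway address instead of the remote one. The interface names are those given in the thread; the function names, the sample dump and its addresses are constructed.

```shell
#!/bin/sh
# Added example: audit a nat-table dump for source rewriting outside the WAN side.

# WAN interfaces as listed in the thread; adjust to the local setup.
WAN_IFACES="pppoe0 pppoe1 pppoe2"

# Reads an iptables-save dump on stdin and prints every POSTROUTING rule with a
# MASQUERADE or SNAT target whose -o interface is missing, negated, or not a WAN
# interface. Such a rule also rewrites the source of inbound forwarded traffic.
find_source_rewrites() {
    awk -v wan="$WAN_IFACES" '
        BEGIN { n = split(wan, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $1 == "-A" && $2 == "POSTROUTING" {
            target = ""; out = ""; neg = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-o") { out = $(i + 1); neg = ($(i - 1) == "!") }
            }
            if (target != "MASQUERADE" && target != "SNAT") next
            if (out == "" || neg || !(out in ok)) print
        }'
}

# Constructed sample dump (not taken from a real Zeroshell box).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i pppoe0 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.0.10:5060
-A POSTROUTING -o pppoe0 -j MASQUERADE
-A POSTROUTING -o pppoe1 -j MASQUERADE
-A POSTROUTING -o ETH0 -j MASQUERADE
-A POSTROUTING -d 192.168.0.10/32 -p udp -m udp --dport 5060 -j SNAT --to-source 192.168.0.1
COMMIT
EOF
}

sample_ruleset | find_source_rewrites
```

On a live gateway, pipe the real dump in instead: `iptables-save -t nat | find_source_rewrites`. An empty result means source rewriting is confined to the WAN interfaces.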