Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Tue Jun 08, 2010 2:25 pm Post subject: Net Balancer
Hey Everyone,
I am new to Zeroshell and apologize in advance if the answers to my questions have already been posted to the Forum.
We have set up a workstation in my office with 3 NIC cards. We have 2 PCI and 1 onboard NIC. We are currently using Release 1.0 Beta 12. From what I have read on this forum, QOS and Net Balancing are glitchy and have made sure not to enable QOS.
The issue we are running into is that the Failover is not working properly, I keep receiving Faults every time I switch between the interfaces. Below is my current setup.
Default Gateway ETH02
Cable Internet Connection ETH01
DSL Internet Connection ETH02
Thank You
Luigi
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Tue Jun 08, 2010 4:46 pm Post subject:
If you apply Atheling's patch for mangling then you can use both QoS and Netbalancer. I don't understand what exactly you mean by
Quote: "every time I switch between the interfaces"
Could you elaborate a bit? Failover sticks to the active connection and switches to the standby only when the active goes off.
Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Tue Jun 08, 2010 4:55 pm Post subject:
We are trying to set up load balancing between a DSL connection and a Cable connection. Whenever we have the failover monitor in place, the DSL connection fails. In the routing table, the default gateway shows that all traffic should be going out the connection for the DSL connection, but when I try to run a trace route or ping a public IP address it doesn't work.
Traffic is getting stopped at the WAN Port on the Zero Shell server for the DSL connection.
If I were to ping a device that is past the WAN Port for the DSL connection, it is successful. I don't know what the problem is. I can provide tracerts and IP addressing if you need.
Thanks for your time.
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Tue Jun 08, 2010 5:02 pm Post subject:
Post here the screen from the web interface of Netbalancer and the balancing rules, if you have any. Also post anything else you have, like traceroutes or pings, and maybe logs from the netbalancer.
Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Tue Jun 08, 2010 5:12 pm Post subject:
My company is an Internet service provider. We provide DSL and T1 lines to various customers. While we are troubleshooting this issue, we are using DSL service that we provide. So the connection from our Core router goes out through the connection to our DSL vendor and then in through a phone line into our office and into a 3Com 3030 router. We then have the LAN-side of this 3Com 3030 router going into one of the WAN ports of the Zero Shell server.
Here is a tracert when our DSL connection is the Default Gateway:
C:\Documents and Settings\student>tracert 208.67.222.222
Tracing route to resolver1.opendns.com [208.67.222.222]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.150.1.1
2 10.104.117.2 reports: Destination host unreachable.
Trace complete.
Here is the routing table on ZeroShell:
Destination Netmask Type Metric Gateway Interface Flags State Source
10.150.1.0 255.255.255.0 Net 0 none ETH00 U Up Auto
10.104.117.0 255.255.255.0 Net 0 none ETH02 U Up Auto
192.168.250.0 255.255.255.0 Net 0 none VPN99 U Up Auto
24.185.196.0 255.255.252.0 Net 0 none ETH01 U Up Auto
10.0.0.0 255.0.0.0 Net 1 10.104.117.1 ETH02 UG Up Static
DEFAULT GATEWAY 0.0.0.0 Net 0 none ETH02 U Up Auto
You’ll see that the DEFAULT GATEWAY is pointing to ETH02. This is the connection to our DSL router.
The static routes on the DSL router are:
ip route-static 0.0.0.0 0.0.0.0 10.101.1.1 preference 60
ip route-static 10.150.1.0 255.255.255.0 10.104.117.2 preference 80
The DSL router is supposed to take the traffic from ZeroShell and send it out to the internet and then back, but according to the tracert above, ZeroShell isn’t sending the traffic to the DSL router. 10.104.117.2 is the WAN IP address of the ZeroShell server that connects to the LAN-side of the DSL router.
When I try to ping my core router and the 3Com 3030 router from a workstation on the LAN 10.150.1.x network, pings are successful, but whenever I try to access a website on the internet through the DSL connection it fails at the ZeroShell connection.
I only have NAT turned on for the Cable connection. Our DSL connection has NAT performed on the firewall that is directly in front of the Core router.
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Wed Jun 09, 2010 7:26 am Post subject:
Your ZS routing table is wrong. In the Default Gateway line you should also have the gateway IP address (10.104.117.1 I think). The way you have it is for p2p links, while you are on a routed network, so the router should know the IP to hit.
Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Wed Jun 09, 2010 4:20 pm Post subject:
Thanks for the assistance. I was unable to specify the output interface and the IP address of the default gateway (10.104.117.1), but I was able to just put in the default gateway and that seemed to have fixed the routing issue we had.
Now I am trying to figure out what is needed in regards to DNS.
We currently have our DNS servers specified as the forwarders for our clients' DNS servers. In the event of a failure of a WAN link that we provide (DSL or T1), the clients will not be able to resolve websites to IP addresses.
I am aware of the fact that we can set DNS forwarders on the ZS box and then have our clients use the IP address of the ZS box as their DNS forwarder. My question for this is, is there a way to provide failover for this DNS function? I'd like to make it so that when our WAN link is up (DSL or T1), ZS will forward DNS requests to our Primary and Secondary DNS servers, but when those WAN links are down, we would like ZS to forward DNS requests to a DNS server out on the internet (for example, OpenDNS).
Is there a way to configure this?
Also is there a way to perform policy-based routing on ZS?
Thanks
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Thu Jun 10, 2010 6:21 am Post subject:
Although I guess that when your WAN links are down DNS will be the least problem of your clients, you can always add many DNS servers in the forwarders list, starting with your own and finally using OpenDNS.
Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Thu Jun 10, 2010 6:47 pm Post subject:
Is there any way to configure the http proxy to specify a different IP address and port number? I am trying to incorporate this ZeroShell router into a network with a filtering system that requires proxy settings on all the workstations. If ZeroShell can automatically redirect all HTTP web requests to the filtering system instead of having to put the proxy settings on the workstations, that would significantly help us deploy this across all of our clients. Thanks.
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Thu Jun 10, 2010 8:52 pm Post subject:
Yes, you can do it with PREROUTING rules in iptables, more specifically the DNAT action.
Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Tue Jun 15, 2010 3:58 pm Post subject:
I'm just not that familiar with this software to be able to do this on my own. How would I go about setting this up?
What information do you need from me in order to assist me? Our proxy server on this network segment is 10.150.1.3 with port number 8080. Our ZeroShell server has IP address 10.150.1.1 on the LAN and it has two WAN ports; one of them has a static IP address that connects to a DSL line that my company provides ISP services to. The WAN IP address on the ZeroShell server for that connection is 10.104.117.2, and the other WAN connection connects to a third-party Cable ISP provider and it receives an IP address through DHCP. Thanks.
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Tue Jun 15, 2010 4:06 pm Post subject:
Your proxy server must support transparent mode.
The command should be like that:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.150.1.3:8080
You might want to add the same command for https:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.150.1.3:8080
Hope this helps.
Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Tue Jun 15, 2010 4:17 pm Post subject:
Thanks for the info. I'm assuming I need to type this in the Shell Prompt, correct? (Command Menu, Option S for Shell prompt)
How would I remove these commands if I needed to? I might be installing this server at a client's location on Thursday and I would need to remove these settings and change the IP addresses of the interfaces since the client has a different IP range. Thanks.
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Wed Jun 16, 2010 9:12 am Post subject:
Yes, you have to add them in the shell. You can see the installed rules with and remove the rule you want with
Code:
iptables -t nat -D PREROUTING X
where X is the number of the line the command is in the specific chain.
Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Wed Jun 16, 2010 11:21 am Post subject:
Thanks, I'll test that out today. Does ZeroShell support SNMP? If so, how would I go about configuring it? We use What's Up Gold for monitoring purposes, and would love to be able to monitor the ZeroShell Server. Thanks.
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Wed Jun 16, 2010 11:59 am Post subject:
Fulvio has added MRTG and SNMP support in ZS. You just have to install it as an external package and configure it to your needs.
Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Fri Jun 18, 2010 7:50 pm Post subject:
When I try to put in:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.150.1.3:8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.150.1.3:8080
it doesn't work. Any suggestions?
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Fri Jun 18, 2010 9:37 pm Post subject:
Do you have any hits on the iptables?
Do the packets arrive on 10.150.1.3?
Is the proxy on 10.150.1.3 working in transparent mode?
Luigi10 (Joined: 08 Jun 2010, Posts: 29)
Posted: Tue Jun 22, 2010 1:45 pm Post subject:
I noticed that whenever I put a command into the shell it doesn't survive a reboot. I am not very familiar with Linux at all and would greatly appreciate any assistance in making the commands I put into the shell get saved across a reboot. Also I am trying to forward proxy requests to a third-party filtering server. The ZeroShell box will be the default gateway on the network (10.150.1.1). I am trying to make it so that when a workstation sends traffic towards the default gateway destined for the internet on port 80 (and possibly 443, but I haven't decided yet), ZeroShell will forward that traffic to the third-party web filter (in our case the IP address is 10.150.1.3 using port 8080) to be filtered and then sent to the internet. I also want to make sure that servers on the local LAN do not get filtered at all, so there would have to be deny rules in place to let their traffic pass through the default gateway like normal. Can all of this be done through the web-based GUI or does it have to be done in the shell? I noticed a section in the GUI that mentioned prerouting and iptables, but I am not familiar with iptables commands at all. I do have Cisco IOS experience, but am not familiar with Linux at all. Thanks.
ppalias (Joined: 17 Dec 2008, Posts: 1151, Location: Athens, Greece)
Posted: Tue Jun 22, 2010 9:36 pm Post subject:
I don't think you can do it with the web-gui.
It would be better with the CLI and since you have experience with IOS it won't be that difficult.
The full tutorial for iptables can be found here.
You must add a DNAT rule to match the dport 80 packets (and dport 443 if you want https) of the subnet or IP range that has the computers you want to intercept, that changes the destination IP to 10.150.1.3:8080. Normally if the proxy uses its source IP address on packets then you won't need to do anything else. If it keeps the original IP address as source you also need to redirect the answers from the wan interface to the proxy server again.
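An added example, not from the thread or from Zeroshell itself, that generates the full rule set ppalias's last reply describes: DNAT for the intercepted ports, limited to the LAN interface and subnet, preceded by RETURN exclusions for the proxy (otherwise its own outbound port-80 traffic is redirected straight back to it) and for the local servers that should not be filtered. The LAN interface, subnet and proxy address are the thread's values; the bypass host addresses are constructed.

```shell
#!/bin/sh
# Prints (does not apply) the nat-table rules for sending LAN web traffic through
# the transparent proxy, with the exclusions the thread asks about: the proxy
# itself is skipped (its own port-80 traffic would otherwise loop back to it),
# named LAN servers bypass the filter, and LAN-to-LAN traffic is left alone.
# Addresses from the thread: LAN 10.150.1.0/24 on ETH00, proxy 10.150.1.3:8080.
# BYPASS_HOSTS are constructed example addresses, not from the thread.
LAN_IF="ETH00"
LAN_NET="10.150.1.0/24"
PROXY_IP="10.150.1.3"
PROXY_PORT="8080"
BYPASS_HOSTS="10.150.1.10 10.150.1.11"
PORTS="80 443"

# Emits the rules in the order they must be appended: iptables walks PREROUTING
# top-down and the first matching target wins, so the RETURN exclusions go first.
build_proxy_redirect_rules() {
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $PROXY_IP -j RETURN"
    for h in $BYPASS_HOSTS; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $h -j RETURN"
    done
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -d $LAN_NET -j RETURN"
    for p in $PORTS; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $p" \
             "-j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    done
}

# Lists the chain with packet counters (the "hits" ppalias asks about) and the
# rule numbers that 'iptables -t nat -D PREROUTING X' expects.
list_rules_cmd() {
    echo "iptables -t nat -L PREROUTING -n -v --line-numbers"
}

# Number of DNAT rules generated (one per intercepted port).
count_dnat_rules() {
    build_proxy_redirect_rules | grep -c -- '-j DNAT'
}

# Review the output first; pipe it into sh only on the Zeroshell box itself.
build_proxy_redirect_rules
```

Zeroshell's web GUI keeps a post-boot script slot under Setup > Startup/Cron; placing the generated commands there is what makes them survive the reboot Luigi10 describes.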