Smoothwall // issue with IP address

raphaelS

Hi,

I have a smoothwall box with a fixed IP address to protect few PCs and a server (Windows 2000 as files server, FTP, HTTP and Exchange) on the Green NIC.

I know the server should be on a Orange NIC but I don't know if it would work with Exchange?. Anyway the problem is not there... I think!

The IP forwarding is setup to go to the server for each corresponding ports (21, 80,...) and everything is ok from outside.

What I like to do is to be able to access the server by the Red NIC IP address from the PCs on the Green if I need to. They all have a fixed IP address (10.10.250.xx).

Then if for example if I post a link to a file somewhere on the web, let say an image like that (check the link), because I am using the Red IP address none of the PCs on the Green can't see this image. And I would like to be able to see it...

I guess I should edit my /etc/rc.d/rc.firewall but I am not sure how... Is there someone out there who knows?!

Thanks!
Raphael

edited for few spelling errors...

Jaden

Firstly, I have found IpCop to be a better choice than Smothwall. It's better supported, and is completely free (free version if Smoothwall is restricted use).

It's identical in almost all ways, including setup.

You can get it Here

Now, your issue.

Yes, servers should all be on the Orange Zone, with DMZ pinholes setup to allow services through. That aside, I have my mailserver on Green, but only cos I'm not arsed moving it.

I think what your saying (please correct me here) is that currently, if you link to something on your webserver so that it uses the Red IP, 195.218.98.71

http:\\195.218.98.71\porn\donkey.jpg

This will be viewable from outside your LAN, but not from Green inside the LAN.

Is this what you want to fix?

To do this, you have to tell the Smoothwall machine that everytime it recieves a request from green to access 195.218.98.71, that it needs to go to 10.10.250.xx, where 10.10.250.xx is the green IP of your webserver.

editing the hosts file and rebooting the Smoothwall machine would be an easy way of doing this.

edit etc\hosts, and add this line:

10.10.250.xx 195.218.98.71

Reboot.

Strictly speaking, the hosts file should use host names and not IPs, but 195.218.98.71 doesn't seem to have a DNS entry anywhere.

I assume you use Winscp and Putty to administer your Smoothwall machine, if not, I would suggest downloading them.

Winscp gives you a remote windows explorer type interface to your firewall.
Putty gives you a remote command line (just like typing into the terminal itself).

Both are very handy.

Make sure you enable SSH, by going into the web interface, and going to the "System" tab. Enable SSH from here, and click on save.

Hope this helps.

PM me if you have any more questions.

raphaelS

Originally posted by Jaden
Yes, servers should all be on the Orange Zone, with DMZ pinholes setup to allow services through. That aside, I have my mailserver on Green, but only cos I'm not arsed moving it.

I know the feeling...

edit etc\hosts, and add this line:

10.10.250.xx 195.218.98.71

Reboot.

I tried that but it doesn't work because hosts seems only to be for the computer where it is... but I edit the one I have on my PC in C:\WINNT\system32\drivers\etc (I didn't know I have that!) and it works like that... As I am the only one who needs it that will do for the moment!

Thanks for your help!
Raphael

Jaden

The etc/hosts file change will only work if your LAN PCs use the Smoothwall machine as one of their DNS servers. With my machine, I have DHCP enabled, and use the Smoothwall (in my case IpCop) machine as both the default gateway, and the primary DNS server. (I have external DNS servers as secondary and tertiary choices).

When a green PC tries to find a host, it looks in it's HOST file, then for a WINS entry, then for a DNS entry. If the smoothwall box is set as it's first DNS server (despite the fact that is only a crude DNS derver), then it will look in it's own HOSTS file, and resolve the correct host name.

Editing local HOSTS files on PCs can lead to confusion, it should only be used as a last resort, or quick fix. In my experience, I tended to forget that HOSTS files may have been altered, and it lead to many wasted hours trying to understand why PCs couldn't see other machines because they kept looking for old settings that I had long since stopped using......

Civilian_Target

Originally posted by raphaelS

What I like to do is to be able to access the server by the Red NIC IP address from the PCs on the Green if I need to. They all have a fixed IP address (10.10.250.xx).

Then if for example if I post a link to a file somewhere on the web, let say an image like that (check the link), because I am using the Red IP address none of the PCs on the Green can't see this image. And I would like to be able to see it...

This will solve your problem, although not necessarily in the way you're thinking of. Just to to www.dyndns.org and get yourself a dynamic DNS domain name. Smoothwall already has builtin support for this, all you need to do is fill in the boxes on your smoothwall interface and it'll snd you IP to dyndns every 20 mins. Now everyone can access your server and they don't need to worry about your IP address, they just go to yourname.dyndns.org

Simple and effective.

raphaelS

I removed the entries in the hosts files on the PCs on the green because I knew it couldn't be a good idea!

It seems that in the hosts you can't use an IP address (like 195.218.98.71 in my example) but it has to be a domain.
I have subdomains that are redirect to this IP and I added these subdomains in my Smoothwall hosts file and it works for all the PCs on the green!

Thanks again for your help on that!!

Raphael

raphaelS

Thanks...
But I don't need to use dyndns because I have a domain registred and hosted somewhere from where I can redirect subdomains to my Smoothwall fixed IP...

Raphael

Originally posted by Civilian_Target
This will solve your problem, although not necessarily in the way you're thinking of. Just to to www.dyndns.org and get yourself a dynamic DNS domain name. Smoothwall already has builtin support for this, all you need to do is fill in the boxes on your smoothwall interface and it'll snd you IP to dyndns every 20 mins. Now everyone can access your server and they don't need to worry about your IP address, they just go to yourname.dyndns.org

Simple and effective.

echomadman

http://community.smoothwall.org/forum/

ask over there, the guys are quite helpful,

the whole smoothwall/ipcop thing gets dragged up everytime someone asks a question about it, the latest release of smoothwall (GPL 2.0) is excellent imo, people have a grudge against smoothwall because Richard Morell was an abusive twat
, he's gone from the project now and smoothwall is as true to open source ideals as any other group out there, just because they have a corporate side people think they've sold out

It's identical in almost all ways, including setup.

thats because ipcop is built on the smoothwall installer , anyway they don't really look the same anymore.