Koozali.org: home of the SME Server

[SOLVED] PROBLEM to get SMEServer connected to LAN

supafly1975
[SOLVED] PROBLEM to get SMEServer connected to LAN
« on: September 01, 2008, 10:20:08 PM »
My intentions are to set up a "server-only" behind my router. DHCP of my router is ON, and OFF on the SMEServer...
All hardware is RH compatible. I run an Asus P4PE, with 1 IDE disk (to be doubled soon as RAID), 512MB RAM and all onboard peripherals (NIC). The router is a Belkin F5D7231-4.

The problem is: in the client list of my router, I cannot find the IP of the SMEServer, even when the set local IP address of the server is within the router's range. Even the internet connection test fails time after time....

First I thought it had something to do with the desktop PC..

So I ran an Ubuntu Live CD, and without changing anything on the PC, the Ubuntu live got access to the internet.

What is wrong in my system? :-? :-? :-?
« Last Edit: September 07, 2008, 12:39:20 AM by pfloor »

pfloor
Re: PROBLEM
« Reply #1 on: September 01, 2008, 11:05:00 PM »
You haven't given us detailed enough information about your setup.

Did you set the gateway address correctly during installation?

Did you follow these instructions? http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter5#Option_3:_Server-only_mode

Paying particular attention to the last sentence:

"...On the next configuration screen, you should enter the IP address for the Internet gateway on your local network."
In life, you must either "Push, Pull or Get out of the way!"

supafly1975
Re: PROBLEM
« Reply #2 on: September 02, 2008, 10:16:41 AM »
For the major part of the installation, I am pretty sure I got everything right.
...I hope I got the IP address correct...(not sure)

Below are the settings for the router (the one the server is connected to)

I believe for the gateway IP, I input the number 192.168.2.1? The local IP address of the router I am using?

The onboard NIC is a Broadcom 4401
I also have a PCI NIC (I believe a 3COM905 something)...
« Last Edit: September 02, 2008, 09:52:15 PM by supafly1975 »

pfloor
Re: PROBLEM
« Reply #3 on: September 03, 2008, 12:31:04 AM »
Quote
For the major part of the installation, I am pretty sure I got everything right.
...I hope I got the IP address correct...(not sure)

Below are the settings for the router (the one the server is connected to)

I believe for the gateway IP, I input the number 192.168.2.1? The local IP address of the router I am using?

You think???  You need to be precise when providing information.  You need to make sure that you did in fact use 192.168.2.1 as your gateway.
 

Quote
The onboard NIC is a Broadcom 4401
I also have a PCI NIC (I believe a 3COM905 something)...

You have 2 NICs, why?  Are they both enabled?  If you are only using one of them, disable (or remove) the other.

How do you have the server configured (Server-Only, Server-Gateway or Server-Private-Gateway)?

Have you tried swapping the network cable to the other NIC by any chance?
« Last Edit: September 03, 2008, 12:33:55 AM by pfloor »

arne
Re: PROBLEM
« Reply #4 on: September 03, 2008, 01:06:01 AM »
If you (supafly1975) type the command " ifconfig " on the sme server console, what will the output be ?

What about (from console): " ping 192.168.2.1 " and " ping www.bbc.net.uk "
......

Re: PROBLEM
« Reply #5 on: September 03, 2008, 05:47:28 PM »
Just out of curiosity, is there a dial up modem in your server system?
I have noticed the same issue of not being able to access the internet with my server system when I had a dial up modem in the system. After removal of the modem I was able to install and connect without issue. I think this may be due to the server wanting to use the dial up modem instead of the NIC. I'm not certain how to disable the modem setting within the server or switch it over to use the NIC instead, I always just removed the hardware. This day and age dial up modems aren't really the preferred internet connection method so I don't have much of a need for one. If you do have a dial up modem and it's built into the motherboard try disabling it thru your system BIOS. Just my 2 cents but may be worth a try.

electroman00
Re: PROBLEM
« Reply #6 on: September 03, 2008, 06:00:36 PM »
supafly1975

Quote
Warning: Private LAN subnets (networks) that contain Private Client computers and/or systems and maintain data (possibly sensitive)
shall not include servers or equipment that require External Port Access (External Port Forwards).
Private Client based LAN networks shall not allow/permit External Port Forwards to the Private LAN Network (no exceptions).

Providing External Port Forwards to a Private Client LAN creates an Extreme Network Security Vulnerability.

By default all Firewalls block external port access (0-65,535) to the LAN Zone & DMZ Zone.

Creating External Port Forwards to a Private LAN Zone defeats the default firewall block ALL external port requests.
An attacker only needs access via a single port to compromise a Private Network.

Therefore Private LAN Networks are restricted from External Port Forward usage.

Should a scenario arise whereby an External Port Forward is needed to provide access to a Private Network
the administrator should consider other network configurations to preserve the External Port Forward restriction thus preserving Network Security.

All systems requiring External Port Forwards, access to provide external port requests can and should be configured within a DMZ Network Zone.

What that means is this: if you are going to provide www access to SME on your LAN you will
have to create an External Port Forward to SME which effectively creates an Extreme Network Security Vulnerability.

See >> http://en.wikipedia.org/wiki/Demilitarized_zone_(computing) wikipedia.org DMZ Zone

Once you read the above, then read page 85 of your user manual.

The Belkin you have does provide DMZ configuration.

However a true firewall DMZ does two basic things.

1 Enables (1 to 1) Nat (Network Address Translation)
2 Provides subnet IP isolation.

Since your Belkin manual doesn't explicitly state for the DMZ Zone 1 to 1 Nat we can assume that it is
configured that way, as most are.
We can safely assume the #1 above requirement has been met.

Side Note:
The LAN Zone unlike the DMZ Zone enables (1 to many) Nat (Network Address Translation)
That is the reason why you can't use SME in either of the gateway modes on the LAN Zone.
SME in gateway mode enables its internal (1 to many) Nat, thus it would create IP translation issues
with the firewall 1 to many Nat.

#2 is a different story though.

A good firewall allows the Lan Zone to be configured on a separate subnet from the DMZ Zone i.e.

Lan Zone 192.168.1.1
DMZ Zone 192.168.2.1

or

Lan Zone 192.168.1.1
DMZ Zone 172.16.1.1


The Belkin doesn't allow that configuration, thus it doesn't provide the required subnet isolation.
It only allows you to change the rightmost IP octet 192.168.1.xxx
In order to provide subnet isolation you need to be able to change at least the 3rd octet i.e. 192.168.xxx.1
Since the DMZ and LAN Zones are on the same subnet, if you Port Forward to the DMZ you are in effect creating the same
Network Security Vulnerability stated above.

So the Belkin was not designed with the intent of the user providing www access to a server.
There are some types of equipment you could install on the Belkin, however it appears that it
doesn't support servers like SME without creating a Network Security Vulnerability.

Most low end (brick) Routers will suffer from the same issue, so it's important to select the correct, capable Firewall, Router for your needs.

I know that most all of the Linksys and Dlink work and are capable, I have both.

Also a FOSS (free open source software) firewall will suit your needs extremely well, however they will take a little more effort to set up.

IPCop, Smoothwall, PFSense, monowall are just a few.
Each has their own set of features.

Starting with IPCop would probably be your best, easy to set up and feature rich.

Also if you decide on a better firewall, all is not lost with the Belkin, you can still use it as an Access Point.

So the basic network rule of thumb is....

Servers that require external access to provide their services, should never be included in a Private Secure Lan.

SME server-only....can be included on a Private LAN, providing only local area access to the server, no www access.

I don't think the documentation is quite clear on that point.

hth

edit: minor edits to improve clarity
« Last Edit: September 03, 2008, 10:40:57 PM by electroman00 »
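The subnet-isolation point made in the post above can be checked mechanically. The following is an added example, not part of the original post: it uses the zone addresses the post gives, while the /24 prefix, the forward lists and the function names are assumptions made for illustration.

```python
import ipaddress

def zone(gateway_ip, prefix=24):
    """Subnet that a zone's gateway address belongs to (/24 is an assumption)."""
    return ipaddress.ip_network(f"{gateway_ip}/{prefix}", strict=False)

def audit_layout(lan_gw, dmz_gw, forwards, prefix=24):
    """Check zone isolation and classify each (external_port, target_ip) forward.

    Returns (isolated, findings); findings is a list of (port, target, verdict).
    """
    lan, dmz = zone(lan_gw, prefix), zone(dmz_gw, prefix)
    isolated = not lan.overlaps(dmz)
    findings = []
    for port, target in forwards:
        addr = ipaddress.ip_address(target)
        if addr in lan:
            # Target shares a subnet with private clients, whether or not
            # the router labels it a "DMZ host".
            verdict = "REACHES_PRIVATE_LAN"
        elif addr in dmz:
            verdict = "ISOLATED_DMZ"
        else:
            verdict = "TARGET_OUTSIDE_BOTH_ZONES"
        findings.append((port, target, verdict))
    return isolated, findings

# Constructed layouts using the zone addresses from the post.
# Router that can only vary the last octet: the "DMZ" host sits in the LAN /24.
SAME_SUBNET = audit_layout("192.168.1.1", "192.168.1.1", [(80, "192.168.1.50")])
# Firewall with a separate DMZ subnet; the port 22 forward still targets the LAN.
SEPARATE = audit_layout("192.168.1.1", "172.16.1.1",
                        [(80, "172.16.1.10"), (22, "192.168.1.20")])

if __name__ == "__main__":
    for label, (isolated, findings) in (("same subnet", SAME_SUBNET),
                                        ("separate subnets", SEPARATE)):
        print(label, "-", "isolated" if isolated else "NOT isolated")
        for port, target, verdict in findings:
            print(f"  port {port} -> {target}: {verdict}")
```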

electroman00
Re: PROBLEM
« Reply #7 on: September 03, 2008, 06:39:34 PM »
Also here's a link to a Basic Network Diagram you may want to consider.

http://home.c2i.net/jeaskildt/smoothie/NetworkDiagr/basic2.jpg

arne
Re: PROBLEM
« Reply #8 on: September 04, 2008, 12:58:36 AM »
Firewalls are also some kind of question of personal taste.

During the years I have developed (Linux) firewalls for myself and others, of all the types described in the theory that I have come across; there has been bridge mode, routing mode, different kinds of DMZ arrangement, and it has all been used and tested out during the years.

Of course I read at that time, some years ago, the basic text claiming a DMZ or a double NAT is more secure, etc.

But after testing out almost all the variants there are, I actually ended up using an arrangement basically quite similar to that described by supafly1975.

Of course this setup can work and it can also be used, and I also use it myself all the time now. An ifconfig and a ping command, as mentioned above, and the posting of the output here, should give some answers.

To be slightly more precise: I actually use a virtual installation of Smoothwall as the NAT router and no server functions are fully open against the internet. They are all filtered for approved source addresses. (Maybe not really necessary, but it gives a silent and easy-to-read traffic log.)

For a general home network I think it is, in most cases, quite OK to have a server on the LAN, if the server itself and each of the workstations also has a firewall. (For instance the Windows XP built-in firewall.) (But for business purposes I have used to use the wan/dmz/lan model.)

By the way, some small computer with the free Smoothwall would be a good replacement for the Belkin router. (But of course the Belkin router can also be used.)
« Last Edit: September 04, 2008, 01:05:53 AM by arne »
......

supafly1975
Re: PROBLEM
« Reply #9 on: September 04, 2008, 07:26:16 PM »
Concerning the ifconfig eth0, I get:

Link encap:Ethernet HWadr 00:0C:6E:0F:CB:8E
inet addr : 192.168.2.100 Bcast : 192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU : 1500 Metric:1
RXpackets : 2262 errors:0 dropped:0 overruns:0 frame:0
TXpackets : 2301 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RXbytes:479986 (468.7KiB) TXbytes:169282 (165.3KiB)
Interrupt:209


When using Ping WWW.YAHOO.COM, I get "ping:unknown host www.yahoo.com"

This is the Broadcom onboard NIC...
The other one is dismounted.

What I think is that I get and receive data, but I cannot find the PC on my LAN. Strange?

Anybody?
« Last Edit: September 04, 2008, 07:56:00 PM by supafly1975 »

arne
Re: PROBLEM
« Reply #10 on: September 04, 2008, 08:03:06 PM »
Quote
Ping WWW.YAHOO.COM, I get "ping:unknown host www.yahoo.com"

This shows that the server does not have a connection to the internet or the DNS resolving does not work.

To find out if it is a DNS issue or a no-connection-at-all issue, also type: ping 87.248.113.14 (Then you have eliminated the option of an eventually non-working DNS and it can be stated: No, there is no contact to the internet at all.) You can also do a "ping 192.168.2.1"

To find out if the network connection to the server works at all, temporarily turn off the firewall of PC 1 and from the server console type: ping 192.168.2.2 If no answer, the server does not have a (local) network connection at all.

To find out if there are some other network adapters or something that makes problems, do not type "ifconfig eth0" but only "ifconfig"
(Then other cards that eventually make problems will also be visible.)

What about changing the question header from "PROBLEM" to "Problem to obtain network connection" ?
« Last Edit: September 04, 2008, 08:07:25 PM by arne »
......
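The checks listed in the reply above, written out as an added example that is not part of the original thread: it parses full `ifconfig` output in the old net-tools layout and applies the ping results in the order the reply gives. The sample text is constructed (eth0 uses the address and mask posted in the thread, eth1 is invented), the function names are hypothetical, and the three ping results are values the operator records by hand.

```python
import ipaddress
import re

# Constructed sample in the old net-tools layout. eth0 uses the address and
# mask posted in the thread; eth1 is invented to show a second adapter.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:6E:0F:CB:8E
          inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

def parse_ifconfig(text):
    """Return {name: IPv4Interface} for every non-loopback adapter with an address."""
    adapters = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name = block.split()[0]
        m = re.search(r"inet addr:\s*(\S+).*?Mask:\s*(\S+)", block)
        if m and "Loopback" not in block:
            adapters[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return adapters

def triage(adapters, gateway, ping_gateway, ping_external_ip, ping_hostname):
    """Apply the reply's checks to ping results recorded by the operator."""
    findings = []
    gw = ipaddress.ip_address(gateway)
    if len(adapters) > 1:
        findings.append("more than one adapter configured: " + ", ".join(sorted(adapters)))
    if not any(gw in iface.network for iface in adapters.values()):
        findings.append("gateway is not on the subnet of any adapter")
    if not ping_gateway:
        findings.append("no local network connection")
    elif not ping_external_ip:
        findings.append("LAN works, no route to the internet")
    elif not ping_hostname:
        findings.append("internet reachable by IP, DNS resolution failing")
    return findings or ["no fault found"]

if __name__ == "__main__":
    found = parse_ifconfig(SAMPLE_IFCONFIG)
    for line in triage(found, "192.168.2.1", True, True, False):
        print(line)
```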

electroman00
Re: PROBLEM
« Reply #11 on: September 04, 2008, 09:48:10 PM »


Quote
For a general home network I think it is, in most cases, quite OK to have a server on the LAN, if the
server itself and each of the workstations also has a firewall. (For instance the Windows XP built-in firewall.)
(But for business purposes I have used to use the wan/dmz/lan model.)
arne

As long as the server on the LAN provides local access only, it sure is OK.

If the LAN maintains a (1 to many) NAT then you're limited to server-only mode.

In server-only mode SME's firewall is disabled and SME becomes a fully exposed server, so you're totally dependent on an external firewall for protection.

Which you hopefully have, however if you port forward an external access port to SME then you have in effect
disabled the firewall, exposing the LAN as well as the non-firewall SME server which you have no control over from the protection standpoint.

Some may argue that the entire firewall isn't disabled just one port is disabled.

That's true, however an attacker only needs one port and the system is compromised, so then it's just a matter of semantics.

So it doesn't matter if it's one port or the entire firewall disabled, the system was compromised.

It doesn't matter if the hole in the dam is 1" or 65,535 inches.

You have a dam problem....

And somebody may want to know why your dam problem, became their dam problem.

I don't know about you, but...

I have a hell of a time trying to explain the dam problem to people who don't know what the dam problem is.

And that dam problem, is the problem with explaining the dam problem.

It may not be a dam problem for you, but it sure is a dam problem for me.

For example, this dam posting in this PROBLEM thread has now become a DAM PROBLEM.

Not that it was a DAM PROBLEM before, it was just a PROBLEM thread.

Now if someone has a PROBLEM with me using all caps for the DAM PROBLEM then understand

that I used caps because the original thread title was in caps, I just used caps to keep it the same.

So I hope you understand why I used caps for the DAM PROBLEM.

Now if the original poster titled the thread.... "Howto setup Belkin router with SME".... then I wouldn't have

had to use all caps when typing the DAM PROBLEM.

Then it wouldn't have been a DAM PROBLEM..!!

It would have been....... "Howto setup Belkin router with SME".

No DAM PROBLEM..see!!

So if you're confused about the DAM PROBLEM, then.... that just goes to show how difficult it can be to explain the DAM PROBLEM.

 :-P So I hope you understand the DAM PROBLEM. :-P

Because I sure as hell don't understand the DAM PROBLEM anymore. :sad:

supafly1975
Re: PROBLEM to get SMEServer connected to LAN
« Reply #12 on: September 06, 2008, 10:02:26 AM »
Arne,

I tested the equipment :

No local network found...

Strange, the components work properly in a Ubuntu Live Session...

P...

arne
Re: PROBLEM to get SMEServer connected to LAN
« Reply #13 on: September 06, 2008, 03:19:53 PM »
Supafly1975 ->

I have used the same setup as you suggest for a little bit more than ten years, and there have been zero problems with security etc., so I know it can work. This by the way also includes two different router models from Belkin. It also includes SME servers from the earlier versions of e-smith and further on all revisions up to SME 7.3.

What I now just guess is the problem is that you have more than one network adapter in the PC, which messes up the configuration. If you had posted the output from the command "ifconfig" it would be quite easy to see, but you did not. "ifconfig eth0" as you posted would hide the information that is of interest.

If "ifconfig" shows there is more than one network adapter, this should be removed physically. If adapter no. 2 is built into the main board, then disable it from the BIOS.

When there is only one network adapter that the operating system can see, you should log into console as admin and make a new configuration as server only with the proper IP address. Then it will work.

Finally you can do an "ifconfig" to see that there is just one network adapter with the proper configuration and you can do a number of pings to some IP from console to see that you have a connection to the LAN and to the internet.
......

supafly1975
Re: PROBLEM to get SMEServer connected to LAN
« Reply #14 on: September 06, 2008, 03:55:02 PM »
Arne

Thanks for your multiple answers and your time to explain the possibilities for my setup...

Yesterday the problem got solved.

I inserted another NIC (also a 3COM 3C905, but with a different PCB layout and a much younger version than the one I mentioned above).
This one worked immediately...

SOLVED! YES!