June 4, 2016 at 11:12 am #44570 utilizadortnt Member
This is my first post and I can’t start without thanking Fulvio for his availability and friendly support.
I must say HE IS the reason why I didn’t give up on Zeroshell. THANK YOU FULVIO !!
I am trying to get Zeroshell to work but unfortunately I am getting a bit frustrated.
My goal is to use zeroshell as a proxy server and a captive portal.
I have two networks:
– FIBER NETWORK: GOAL is to make all clients use ZEROSHELL as their captive portal (+transparent proxy)
  – 192.168.1.1 is the gateway and dhcp server
  – Ethernet and wireless clients
– OFFICE NETWORK: GOAL is to make all clients use ZEROSHELL as their transparent proxy server
  – 10.0.0.254 is the gateway
  – Ethernet only
This is how I’ve configured the ZEROSHELL “server”:
ETH00 – 192.168.1.254
ETH01 – Not connected
ETH02 – 10.0.0.253
ETH03 – Not connected
Then I configured Zeroshell gateway as 192.168.1.1 and all was looking good and from there I could ping all networks.
When I connected the laptop to the FIBER network I had to manually configure the IP settings to use 192.168.1.254 as my gateway.
When accessing the internet all was OK but it was using neither the captive portal nor the proxy (tried squid and dansguardian).
When I connected the laptop to the OFFICE network I also had to manually configure the IP settings this time to use 10.0.0.253 as the gateway.
Surprisingly enough I could ping the internet but the internet browsers wouldn’t load any page at all.
After several hours of frustration, I decided to swap the configuration:
ETH00 – 10.0.0.253
ETH01 – not connected
ETH02 – 192.168.1.254
ETH03 – not connected
It was even more confusing. The OFFICE network could not access the internet and the FIBER network could access the OFFICE network, which for obvious reasons I do not want.
Anyway sorry for the long post. At this stage I am willing to start from scratch and I am currently “playing” with a virtualbox image trying to understand where I’ve failed.
Any help is much appreciated and welcome. Many thanks in advance.
Ciao.
June 6, 2016 at 5:43 pm #54166 utilizadortnt Member
Right, found the problem. Well one of them…
My issue was lack of RAM. I only have 512MB on the ZEROSHELL box. Although it’s a server it’s a very old one.
Now that I “understand” a bit more about zeroshell I think I have the proper questions to ask. Here goes:
1st – Should zeroshell “management interface” be on the fiber network (where the gateway is) or the office network?
2nd – To enable office devices to access the fiber network do I need to enable NAT on the fiber or the office network?
3rd – Without using Zeroshell as the DHCP server how can I “force” all clients to use zeroshell as a gateway or proxy?
Many thanks in advance! In the meantime I’m configuring another box for my tests.
June 6, 2016 at 9:35 pm #54167 iulyb Member
For management interface I don’t think there is right or wrong, however I would put it on the interface that is the least exposed to a potential attack.
Your network diagram is kind of weird. I would do it a bit differently.
Fiber and MPLS would go into Zeroshell using ETH00 and ETH01.
Office network would go on a different interface, ex ETH02.
You still can achieve your goals with your setup but it might be a bit more complicated. You have 2 local networks + internet. Keep in mind that anything that is not local will go to the gateway (supplied by DHCP).
When you say that you want your laptop to see Office network, there are 2 scenarios, your laptop may see only one computer or it can see all computers. If you want to see only 1 computer then NAT + DMZ might be an easy route. If you want to see all computers, you have scenarios with 2 gateways, for example:
Laptop -> Office GW= ZH (192.168.1.254)
Laptop -> Internet GW 192.168.1.1
For this you might need to add a new route on fiber device. In this way a request for 10.0.0.10 will be routed to ZH.
You can also try to supply computers with ZH as gateway and then set up ZH gateway as 192.168.1.1 and add a route for 10.x.x.x
I hope this helps.
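
As an added illustration (not code from the thread or from Zeroshell), this Python sketch traces the forward path a laptop's packets take in the two gateway layouts described in the reply above, showing which traffic actually passes through Zeroshell, the only place its transparent proxy or captive portal can intercept it. The /24 masks, the `ISP` hop and the sample internet host 203.0.113.10 are assumptions; the thread gives only host addresses.

```python
import ipaddress

ZH = "192.168.1.254"       # Zeroshell's address on the fiber LAN (from the thread)
FIBER_GW = "192.168.1.1"   # fiber router (from the thread)

def tables(laptop_gw, fiber_has_route):
    """Constructed routing tables: (prefix, next hop), None = directly connected."""
    fiber = [("192.168.1.0/24", None), ("0.0.0.0/0", "ISP")]
    if fiber_has_route:
        fiber.append(("10.0.0.0/24", ZH))  # the extra route on the fiber device
    return {
        "laptop": [("192.168.1.0/24", None), ("0.0.0.0/0", laptop_gw)],
        FIBER_GW: fiber,
        ZH: [("192.168.1.0/24", None), ("10.0.0.0/24", None),
             ("0.0.0.0/0", FIBER_GW)],
    }

def next_hop(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in table]
    matches = [(n, hop) for n, hop in nets if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(routers, dst, src="laptop", max_hops=8):
    """Return the hops a packet from src to dst passes through (forward path only)."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = next_hop(routers[node], dst)
        if hop is None:            # destination sits on an attached network
            return path + [dst]
        path.append(hop)
        if hop not in routers:     # left the modelled network (the ISP)
            return path
        node = hop
    raise RuntimeError("routing loop")

if __name__ == "__main__":
    layouts = {
        "two gateways (laptop -> fiber router, route added)": tables(FIBER_GW, True),
        "Zeroshell as the laptop's gateway": tables(ZH, False),
    }
    for name, routers in layouts.items():
        for dst in ("203.0.113.10", "10.0.0.10"):
            path = trace(routers, dst)
            seen = "via Zeroshell" if ZH in path else "bypasses Zeroshell"
            print(f"{name}: {dst}: {' -> '.join(path)} ({seen})")
```

In the two-gateway layout only office-bound traffic crosses Zeroshell, so internet browsing is never seen by its proxy; with Zeroshell as the clients' gateway, both kinds of traffic cross it.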