August 25, 2016 at 7:24 pm #44626
I have enabled transparent proxy, and am having some issues.
We use an internal DNS server so that local resources will resolve to the local IP addresses. For example, tfs.mydomain.com resolves to our internal TFS server address of 10.1.10.17. However, mydomain.com will actually resolve to the public IP address.
DHCP is configured so that it will hand out our DNS server (10.1.10.10).
When I enable proxy, none of our internal web pages will work. We just get DNS errors.
How can I fix this?
August 26, 2016 at 2:27 pm #54229
Internal traffic should not go through ZS, unless it is Wireless or Wireless -> Wired.
Even so, Proxy should not count. Where are you trying to access your sites from?
I have a DNS server on ZS authoritative for home.domain.com and a few net appliances with HTTP servers for admin/config with an entry on DNS: appliance.home.domain.com
I can access http://spa.home.domain.com without any problems from my wireless laptop from both my routed or bridged wireless networks.
On the other hand, the HAVP project is kind of dead. I just added it for fun a few days ago and have no idea how to make it work with Netflix. For real life stuff you should consider squid + some cache on SSD + squidclamav http://squidclamav.darold.net/
August 26, 2016 at 3:16 pm #54230
Internal traffic will go through ZS if it is on a different subnet/VLAN, which it is. In my case, I have 5 interfaces, and 17 VLANs (and yes, there are reasons why I have 17 VLANs).
I am trying to access from 10.1.2.0/24, and the servers are on 10.1.10.0/24.
I believe if I could get ZS to use our internal DNS server that this would probably work just fine, but I don’t know where ZS gets its DNS info from (or how to change it to point to a different DNS server). I tried changing /etc/resolv.conf, but it didn’t seem to work.
August 27, 2016 at 1:36 am #54231
Ok, in my case I have one wireless 192.168.15.XX and I can access webservers on 192.168.5.xx.
I am using nets for capture and not IFs.
Here is my setup on https proxy:
src:192.168.5.105 Not Capture
src:192.168.5.104 Not Capture
5.105 and 5.104 are my TVs and are excluded in order to work with Netflix.
Here is my firewall.
Chain Proxy (1 references)
pkts bytes target prot opt in out source destination
169 10140 ACCEPT tcp -- * * 192.168.5.104 0.0.0.0/0
208 12480 ACCEPT tcp -- * * 192.168.5.105 0.0.0.0/0
700 42776 REDIRECT tcp -- * * 192.168.5.0/24 0.0.0.0/0 redir ports 55559
601 33740 REDIRECT tcp -- * * 192.168.15.0/24 0.0.0.0/0 redir ports 55559
ZS usually gets the DNS by DHCP from the ISP if its own DNS server is down. If you run a DNS server on ZS then it will use itself as resolver (and cache???) and it will forward requests to whatever forwarder you have under the forwarder section. You may need to activate ZS's DNS server and put your server as forwarder.
On Linux you can also mess with the DNS supplied by DHCP by editing the ifcfg-ethxxx script and adding a DNS=xx.xx.xx.xx entry. Unfortunately I don’t see an option to specify your own DNS’s IP and GW for an interface. ZS has this info somewhere under $register dir. I never needed this, but a few more options on IF setup would be nice. Let me know and if it is easy enough I might create a patch.
September 7, 2016 at 2:04 pm #54232
Are you accessing your server by DNS or by IP? I managed to get ZS to use my DNS (at least temporarily), but it still didn’t work. I have no idea where to go from here.
September 7, 2016 at 5:25 pm #54233
Are you accessing your server by DNS or by IP? I managed to get ZS to use my DNS (at least temporarily), but it still didn’t work. I have no idea where to go from here.
Works in both cases. I use ZS’s DNS.
On DNS I set up an SOA for home.domain.com, then I added the corresponding A records.
Another thing to manage is to set up forwarders on the DNS. You can have 220.127.116.11, 18.104.22.168 as forwarders, but I would recommend using the ones from your ISP.
Next is to test ZS. You log into go on ZS and enter nslookup, then type server, then type zeroshell.org. You should see something like this
then your local record:
Now, you need to make sure your computer uses ZS DNS. The easy way is to use DHCP and in DHCP to have only one DNS pointing to your DNS router.
Now, on the routes part. The easy way is to go by interface. Go into the router section on ZS and check routing table. ZS usually does a good job here when there is only one IP range per interface but you said 5 IF and 17 LANs so you need to check carefully. Make sure every single subnet is tied to its interface.
You will have to ping from all directions, e.g. from a host on 10.1.1.1 to a host in 10.1.2.1 and so on.
You will need to add all these networks in DHCP.
Start with 3 networks and then grow.
September 8, 2016 at 2:23 pm #54234
It works if I set up a SOA for MyDomain.com in ZS, however, our website isn’t hosted locally, so it seems to break that…is there a way to forward that request onto the ISP DNS servers, or even our local DNS server?
September 8, 2016 at 4:06 pm #54235
Okay, I might have overcomplicated your issue.
I didn’t pay close attention to the resolver setup on ZS. My understanding is that you only need ZS to correctly resolve your tfs.domain entry, more precisely the transparent proxy app on ZS.
You can try to set up DNS as cache and forwarder only on ZS. Enable DNS, don’t bother with SOA, just under forwarders add your internal DNS server.
Make sure your internal DNS server has the right forwarders (e.g. ISP, Google).
On DHCP pass the internal.
September 8, 2016 at 5:15 pm #54236
Yeah, that was the first thing I tried, but it appears that the forwarder doesn’t work, or I configured it wrong.
I set the domain to MyDomain.com and server to 10.1.10.10, but it still didn’t work (10.1.10.10 is our internal DNS server).
September 8, 2016 at 8:37 pm #54237
Then turn off the entire DNS and as root try
echo "nameserver xxx.xxx.xxx.xxx" > /etc/resolv.conf
Where xxx is your local DNS IP.
If it works you will need to add it into postboot script.
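The `/etc/resolv.conf` change suggested in the last reply, written so it can be re-run from a boot script and can report when the setting has been changed back (an earlier post says the change only held "temporarily"). This is an added example, not part of the original thread or of Zeroshell; the function names are hypothetical and 10.1.10.10 is the internal DNS server named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): make the proxy host use only the
# internal DNS server, and detect when something has changed it back.
# Function names are hypothetical; 10.1.10.10 is the thread's internal DNS.

# Print every nameserver address in a resolv.conf-style file, one per line.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" 2>/dev/null
}

# Succeed only if IP is the single nameserver configured in FILE.
is_pinned() {
    [ "$(list_nameservers "$1")" = "$2" ]
}

# Rewrite FILE so IP is its only nameserver. Other directives (search,
# options) are kept. Does nothing when FILE is already pinned.
pin_nameserver() {
    file=$1
    ip=$2
    if is_pinned "$file" "$ip"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    {
        grep -v '^[[:space:]]*nameserver' "$file" 2>/dev/null || true
        echo "nameserver $ip"
    } > "$tmp"
    # Write through the existing path so a symlinked resolv.conf stays one.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Usage on the proxy host, as root (assumed invocation):
#   pin_nameserver /etc/resolv.conf 10.1.10.10
```

Running `is_pinned /etc/resolv.conf 10.1.10.10` after the internal pages fail again shows whether the resolver setting was overwritten or the fault lies elsewhere, such as routing between the VLANs.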