February 11, 2012 at 6:57 pm #43273
Having trouble with my Zeroshell system. I have a primary network 192.168.2.x. The router that connects to the internet is 192.168.2.1. I have Zeroshell on the LAN with two NICs. The OUTSIDE NIC is 192.168.2.247 while the INSIDE NIC is 192.168.10.2. I am using Zeroshell as a wireless portal system. The 192.168.10.x network has 4 access points that are wide open with no security. People connect to them with their laptops and then they are forced to log in through Captive Portal. I want to set up VIRTUAL SERVERS so from the 192.168.2.x network I can access the Linksys setups in the access points. Captive Portal is set for ROUTE mode. I have NAT turned on, with the NAT on the OUTSIDE NIC.
I have added an entry in the Virtual Servers list as such:
ANY OUTSIDE IP using port 2 over TCP, can connect to the REMOTE SERVER 192.168.10.3 with port 80. The 192.168.10.3 is one of my LINKSYS access points. Even after I add this entry and hop on a computer on my 192.168.2.x network and try to do the following in Internet Explorer: http://192.168.2.247:2, it times out and will not let me connect to the access point on the 192.168.10.x network of zeroshell.
What am I doing wrong?
Any help is appreciated. 🙂
Thanks.
February 12, 2012 at 12:40 pm #52191
The behavior is strongly bound to the FW rules. Assuming that you haven't any rule in the forward chain, only NAT and CP enabled, you can try to add the APs' MAC addresses and their IP addresses in the Captive Portal free clients, but in this case a smart client could change its IP and MAC address and surf free. A more secure method is to add, for each AP, a rule in the forward chain, beginning from the top, so they will be processed before the CP rules. Assuming that your APs have IP addresses .10.3, .10.4, .10.5, and ETH00 is the client-side interface (APs) while ETH01 is the LAN-side interface, rules like:
1 in ETH00 out ETH01 proto tcp source ip 192.168.10.3 dest.ip 192.168.2.0/24 s.port 80 status ESTABLISHED , action ACCEPT. (LOG)
2 in ETH00 out ETH01 proto tcp source ip 192.168.10.4 dest.ip 192.168.2.0/24 s.port 80 status ESTABLISHED , action ACCEPT. (LOG)
3 in ETH00 out ETH01 proto tcp source ip 192.168.10.5 dest.ip 192.168.2.0/24 s.port 80 status ESTABLISHED , action ACCEPT. (LOG)
Try also not to use well-known ports in the virtual server entries, but e.g. 8084 to 80, 8085 to 80, 8086 to 80, then rules like:
in ETH01 ip 192.168.2.247 proto tcp local port 8084 remote ip 192.168.10.3 remote port 80
in ETH01 ip 192.168.2.247 proto tcp local port 8085 remote ip 192.168.10.4 remote port 80
in ETH01 ip 192.168.2.247 proto tcp local port 8086 remote ip 192.168.10.5 remote port 80
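As an added illustration (not Zeroshell's own code and not from either poster), a small Python model of first-match evaluation over the forward chain described above, showing why the per-AP ESTABLISHED rules must sit above the captive-portal rule and what the high-port virtual servers map to. The interface names, the captive-portal rule, the default DROP policy and the sample packets are assumptions.

```python
import ipaddress

# Added example (not Zeroshell's own code): a tiny first-match evaluator for the
# forward chain from the reply above. ETH00/ETH01, the captive-portal rule, the
# default policy and the sample packets are assumptions, not Zeroshell internals.

def rule(**match):
    """Build a forward-chain rule; any field left unspecified matches anything."""
    return match

# Rules 1-3 from the reply: replies from each AP's port 80 to the LAN, ESTABLISHED only.
AP_RULES = [
    rule(in_if="ETH00", out_if="ETH01", proto="tcp", src=f"192.168.10.{h}",
         dst="192.168.2.0/24", sport=80, state="ESTABLISHED", action="ACCEPT")
    for h in (3, 4, 5)
]
# Assumed captive-portal rule: everything else arriving from the client side is
# handled by the portal (unauthenticated hosts get the login page, not forwarding).
CP_RULE = rule(in_if="ETH00", out_if="ETH01", action="CAPTIVE_PORTAL")

def matches(r, pkt):
    """True when every match field of rule r agrees with the packet."""
    for key, want in r.items():
        if key == "action":
            continue
        if key in ("src", "dst"):  # CIDR-aware comparison for addresses
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want, strict=False):
                return False
        elif pkt[key] != want:
            return False
    return True

def evaluate(chain, pkt):
    """First-match semantics: the first rule whose fields all match decides."""
    for r in chain:
        if matches(r, pkt):
            return r["action"]
    return "DROP"  # assumed chain policy when nothing matches

# Virtual servers from the reply: OUTSIDE ip:high port -> AP ip:80.
VIRTUAL_SERVERS = {("192.168.2.247", 8084): ("192.168.10.3", 80),
                   ("192.168.2.247", 8085): ("192.168.10.4", 80),
                   ("192.168.2.247", 8086): ("192.168.10.5", 80)}

def dnat(dst_ip, dst_port):
    """Internal destination a LAN request is rewritten to, or None if unmapped."""
    return VIRTUAL_SERVERS.get((dst_ip, dst_port))

# Constructed samples: an AP's HTTP reply to a LAN browser, and a new connection
# from an unauthenticated wireless client, both as seen in the forward chain.
AP_REPLY = dict(in_if="ETH00", out_if="ETH01", proto="tcp", src="192.168.10.3",
                dst="192.168.2.50", sport=80, state="ESTABLISHED")
CLIENT_NEW = dict(in_if="ETH00", out_if="ETH01", proto="tcp", src="192.168.10.77",
                  dst="192.168.2.1", sport=51000, state="NEW")
```

Running `evaluate(AP_RULES + [CP_RULE], AP_REPLY)` gives ACCEPT, while `evaluate([CP_RULE] + AP_RULES, AP_REPLY)` gives CAPTIVE_PORTAL, which is the ordering mistake the reply warns about.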