Astaro User Bulletin Board > Astaro Gateway Products > Network Security: Firewall, NAT, QoS, IPS and more
#1  03-13-2010, 04:48 AM
Junior Member | Join Date: Jan 2008 | Posts: 11
Subject: access between subnets

Hello

I'm looking for some help in getting ping access or port 80 access between my subnets.

I have 4 NICs set up with the following IPs:
internal 172.16.5.0/24
wifi 172.16.6.0/24
dmz 172.16.7.0/24
external ***.***.***.***

I have got masquerading rules set up etc. that allow the wifi and internal network to access the internet.

What I don't seem to be able to do is ping a host from, say, the internal network to the wifi network.

For instance, say I have a computer on the internal LAN at 172.16.5.60 and wish to ping or access my wifi access point at 172.16.6.2; currently it fails. I can however ping 172.16.6.1 from the internal network and can ping 172.16.5.1 from the wifi network.

I've allowed packet filter rules of internal > any > any and wifi > any > any to try to get it working, with no luck.

What am I missing?

Thanks

Greg
#2  03-13-2010, 05:12 AM
Junior Member | Join Date: Mar 2010 | Posts: 14

You can try putting the Wifi and Internal networks in the Proxy list. You should be able to access port 80 from Internal to Wifi and vice versa. And I think if you go to Network Security > Packet Filter > ICMP tab and check "Firewall forwards ping", you might be able to ping to and from different subnets.
#3  03-13-2010, 05:45 AM
Junior Member | Join Date: Jan 2008 | Posts: 11

I have the ping options all ticked, i.e.
Firewall is Ping visible
Ping from firewall
Firewall forwards pings

It's actually port 443 that I need to access the admin page of the wifi router over, so the proxy bit won't help, I guess. I thought I wouldn't have to worry about the proxy if I had packet filter rules allowing it to pass anyway.

Any other ideas?

Thanks

Greg
#4  03-13-2010, 06:09 AM
Junior Member | Join Date: Jan 2008 | Posts: 11

An update

So if I try to access the wifi access point over port 80, it works fine. But not when using https (but if I plug into that LAN segment and change my IP address to match, https works fine).

Still can't ping either.
#5  03-13-2010, 11:34 AM
BAlfson, Moderator | Join Date: Mar 2007 | Location: Oklahoma City | Posts: 6,624

Hi, Greg,

Have you enabled the 'Global ICMP settings'? I haven't played with it, but I'll guess that the "Any" service definition only includes TCP and UDP.

You didn't say what mode you are in. If you have the Proxy in a Transparent mode with 'Scan HTTPS (SSL) Traffic' selected, your https attempts are "captured" by the Proxy before packet filter rules are considered. Watch the HTTP live log when you're attempting access to see if they're being blocked by the Proxy. If so, then the easiest thing would be to add the host definition for the WiFi router to the 'Transparent mode skiplist'.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
#6  03-13-2010, 03:06 PM
AngeloC, Ninja | Join Date: May 2003 | Posts: 407

If from the wifi you can ping the .6.1 gateway of the LAN, then you are successfully traversing through the firewall. As such your setup will be correct. What can cause pings not to respond to hosts are:

a) are the wifi clients actually using .6.1 as their gateway?
b) how are you providing wireless, just plugging a NAT router into the wifi network eth? Does this wifi router have an IP address, and can you ping that? Also, is the wifi router a true bridge doing DHCP handoff etc., or have you plugged the Astaro ethernet cable into your router's WAN port? (This will essentially give you a firewall behind a firewall.)

My thoughts (not knowing your configuration) are that you have a double NAT going on, and this would definitely cause your problem. If so, try plugging the Astaro interface into just port 1-4 of the wifi router (not the WAN port!) and then disable the SPI/security packet filter on that router, along with (optionally) DHCP, and just have ASG hand out DHCP addresses to that segment (put the 192.168.5.1 address in the wifi DHCP server settings).

Sorry to give you a few things to test, wasn't sure of your exact setup.
__________________
Angelo Comazzetto
Astaro AG
--------------------------------------------------------
Visit the KB for documentation and help (www.astaro.com/kb)
Astaro is FULLY free for home use, including all subscriptions. Download it from http://my.astaro.com
#7  03-14-2010, 10:40 AM
Junior Member | Join Date: Jan 2008 | Posts: 11

The proxy is set up in transparent mode, to which the internal network and the wifi network are added for access.

When I enable the Scan SSL traffic, I am able to reach the wifi access point (172.16.6.2) via https from the 172.16.5.0 network.

I don't have Scan SSL traffic enabled (and don't want to) by default, so I have set up a packet filter rule that says internal > https > wifi access point. But this doesn't seem to work.

I am plugged into the LAN side of the wifi router, not the WAN side. SPI is turned off and DHCP is turned off. I have set up a DHCP server in Astaro for the wifi segment, which is all working well. I have no issues accessing the internet from any of my wifi devices, just resources on my internal LAN.

The wifi DHCP in Astaro is set up to have the default gateway as 172.16.6.1 and the DNS as 172.16.5.1.

From the wifi I am able to ping 172.16.6.1 (address of the NIC in the Astaro box that is the wifi segment) and 172.16.5.1 (address of the NIC for the internal segment) but nothing else on the 172.16.5.0 network.

I have created a packet filter rule of wifi > any > internal to try to get this working, but it doesn't seem to make a difference.

From the internal network I am able to ping 172.16.6.1, but not 172.16.6.2 (the access point). However I am able to access the admin webpage of the access point via port 80. So web access to it works, but ping doesn't.

Thanks

Greg
#8  03-14-2010, 10:49 AM
BAlfson, Moderator | Join Date: Mar 2007 | Location: Oklahoma City | Posts: 6,624

Greg, what you describe should work, so it must be that you have an oops that you aren't seeing because you know what's there. How about showing a picture of the relevant packet filter rules.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
#9  03-16-2010, 09:32 AM
Junior Member | Join Date: Jan 2008 | Posts: 11

Here are my packet filter rules. Doesn't get much simpler.

Can't seem to access the access point admin page on port 80 or 443 anymore either. This is driving me mad.

Still can't ping 172.16.6.2 from 172.16.5.60, but am able to reach 172.16.6.1 no worries.
[Attached image: packetfilterrules.jpg]
#10  03-16-2010, 10:00 AM
Junior Member | Join Date: Jan 2008 | Posts: 11

Figured out what is causing me to lose access to the http web admin page of the wifi access point.

If I put the access point in the "Transparent mode skip list" then I can't access it. If I remove it from that list then I can.

I can also access the https web admin page if I tick the "Scan HTTPS (SSL) traffic" tick box. Which, as I stated earlier, I don't want to do.

I don't understand. I would have thought that putting something in that list would cause it to NOT use the transparent proxy and therefore use the firewall rules, which as you can see from my previous post, allow ANY traffic from the internal network to the wifi network.

It only seems to work if I go via the proxy. It's like there's no route for the traffic to go between the two networks, as the ping still doesn't work either.


Thanks for your suggestions so far.

Regards

Greg
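The order of evaluation Bob describes in #5 (the transparent proxy captures port 80, and port 443 only when "Scan HTTPS (SSL) traffic" is on, before packet filter rules are considered) and the skiplist behaviour Greg reports in #10 can be written down as a small decision model, which makes it easy to state what each flow in the thread should do and compare that with what was observed. This is an added example, not code from the thread or from Astaro. The evaluation order (transparent proxy, then global ICMP forwarding, then packet filter rules top-down, default drop), the assumption that the "Any" service covers TCP and UDP only, and the names `Rule`, `Firewall`, `decide` and `gregs_firewall` are all assumptions of this example, not Astaro's documented implementation. The addresses and rules are Greg's from the thread.

```python
"""Toy model of the packet path discussed in the thread (constructed example).

Assumed evaluation order, taken from the posts rather than from Astaro's
documentation: (1) the transparent HTTP proxy captures TCP/80 and, only when
'Scan HTTPS (SSL) traffic' is on, TCP/443 from its allowed networks unless
the destination is on the transparent-mode skiplist; (2) ICMP echo is
governed by the global 'Firewall forwards pings' setting; (3) packet filter
rules are matched top-down, with the 'Any' service assumed to cover TCP and
UDP only; (4) anything unmatched is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVICE_PORTS = {"http": 80, "https": 443}


def net(cidr):
    """Accept '172.16.6.0/24' or a bare host like '172.16.6.2' (treated as /32)."""
    return ip_network(cidr, strict=False)


@dataclass
class Rule:
    src: str      # source network or host
    service: str  # 'any', 'http', 'https' or 'ping'
    dst: str      # destination network or host

    def matches(self, src_ip, dst_ip, proto, dport):
        if src_ip not in net(self.src) or dst_ip not in net(self.dst):
            return False
        if self.service == "any":          # assumed: TCP/UDP only, no ICMP
            return proto in ("tcp", "udp")
        if self.service == "ping":
            return proto == "icmp"
        return proto == "tcp" and dport == SERVICE_PORTS[self.service]


@dataclass
class Firewall:
    proxy_networks: list        # networks allowed to use the transparent proxy
    proxy_scan_https: bool      # 'Scan HTTPS (SSL) traffic'
    proxy_skiplist: list        # 'Transparent mode skiplist' hosts/networks
    forwards_ping: bool         # global ICMP 'Firewall forwards pings'
    rules: list                 # packet filter rules, top-down

    def decide(self, src, dst, proto, dport=None):
        """Return which stage handled the flow and with what outcome."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # Stage 1: transparent proxy interception happens before the packet filter.
        if proto == "tcp" and dport in (80, 443):
            from_proxy_net = any(src_ip in net(n) for n in self.proxy_networks)
            skipped = any(dst_ip in net(n) for n in self.proxy_skiplist)
            if from_proxy_net and not skipped and (dport == 80 or self.proxy_scan_https):
                return "proxy"
        # Stage 2: ICMP forwarding is a global switch, not a service in the rules.
        if proto == "icmp" and self.forwards_ping:
            return "icmp-global:allow"
        # Stage 3: the first matching packet filter rule wins.
        for i, rule in enumerate(self.rules, start=1):
            if rule.matches(src_ip, dst_ip, proto, dport):
                return f"packetfilter:rule{i}:allow"
        return "default:drop"


def gregs_firewall(scan_https=False, skiplist=(), forwards_ping=True):
    """Greg's setup from the thread: internal and wifi use the transparent proxy,
    and the only rules are internal > any > any and wifi > any > any."""
    return Firewall(
        proxy_networks=["172.16.5.0/24", "172.16.6.0/24"],
        proxy_scan_https=scan_https,
        proxy_skiplist=list(skiplist),
        forwards_ping=forwards_ping,
        rules=[Rule("172.16.5.0/24", "any", "0.0.0.0/0"),
               Rule("172.16.6.0/24", "any", "0.0.0.0/0")],
    )


if __name__ == "__main__":
    ap, pc = "172.16.6.2", "172.16.5.60"   # wifi access point and internal PC from the thread
    for label, fw in [("default", gregs_firewall()),
                      ("scan https", gregs_firewall(scan_https=True)),
                      ("AP skiplisted", gregs_firewall(skiplist=[ap]))]:
        for proto, port in (("tcp", 80), ("tcp", 443), ("icmp", None)):
            print(f"{label:14} {pc} -> {ap} {proto}/{port}: {fw.decide(pc, ap, proto, port)}")
```

Under this model, https from 172.16.5.60 to the access point with scanning off should fall through to the packet filter and be allowed by the internal > any > any rule, and a skiplisted access point should still be reachable on port 80 through that same rule. Greg sees the opposite in #10, which is the useful signal: when a model built from the intended configuration disagrees with observed behaviour, the difference points at something outside the rule set (the proxy's own routing, the device's gateway, or a rule that is not what it appears to be), which is exactly what Bob asks to see in #8.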