IPCop (Green-Orange-Red)

Hi,
I opened a previous question regarding this issue but did not get any solution. I have made some progress in my work, so I am creating another question to see if anyone can help me in general.

I have a machine with IPCop software installed, which has 3 NIC cards, as follows:


IP addresses for IPCop:

Green: 194.132.235.1
Red: 192.168.1.1 (Gateway 192.168.1.10 and DNS 192.168.1.10)
Orange: 192.168.3.1

and Orange box: 192.168.3.2 (Gateway 192.168.3.1, and DNS 192.168.1.10)
This orange box is connected to the IPCop Orange NIC card via a crossover cable.


Now the problem is: every PC can ping every other one, and the green network and IPCop itself are getting an internet connection, but the Orange network (orange box) is unable to find any internet host, unable to ping.

How will I fix this problem? Here Orange will work as a DMZ.
fosiul01Asked:

NopiusCommented:
Your IP addresses look strange.

Usually RED is the Internet, GREEN is your LAN and ORANGE is the DMZ.

But the IP addresses in the RED zone seem to be Internet addresses. Are they? I may be mistaken, but you should clarify.

Also I don't understand how there can be 2 gateways: 192.168.1.10 and 192.168.3.1; they cannot both be default gateways, I guess.

What about the DMZ zone? Please run 'iptables -L' and post the output here. By default the Orange zone (DMZ) should be accessible from the RED zone (Internet).

0

fosiul01Author Commented:
Hi, thanks.
Let me explain how my network is set up:

I have a router; the ISP line is connected to that router,
whose IP address is 192.168.1.10.

The router is connected to my IPCop box (which has 3 LAN cards):
one is for Green (IP is 194.132.235.1), which is connected to my internal network;
one is for Red (192.168.1.1), which is connected to my router, with a gateway of 192.168.1.10 and DNS of 192.168.1.10;

the third one is Orange (DMZ; IP address is 192.168.3.1).

Now my Linux box, which is acting as the DMZ, has IP 192.168.3.2, gateway 192.168.3.1, DNS 192.168.1.10, and is connected to the Orange LAN card of the IPCop box with a crossover cable.

Now my internal network is fine (which starts from 194.132.235.1 - XXXXX);
the IPCop box is fine.

The problem is the Linux box (Orange) is not getting any internet connection.
I can assume it could be the DNS I put, 192.168.1.10,
but I don't know what DNS I should put in the DMZ box.

Hope it makes sense?
0
JJHoustonCommented:
Can you tell us what troubleshooting you've done from the Orange machine?

Can you ping its gateway? Can you ping an outside IP like 66.102.9.104 (www.google.com)?
If you can't ping outside, can you tracert and see where the error is happening?

My first assumption is that you've put no rules in place to allow traffic from your Orange network to your Red network; you may need specific rules in place to allow DNS or any other traffic through.

Let me know if that helps, or if you have any further info.

0
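A scripted form of the layered test JJHouston describes (gateway, then a RED-side host, then a public IP, then a name), added here as an example and not code posted in the thread. It assumes a Linux host on the Orange side with iputils `ping` (for `-c`/`-W`), uses the question's addresses (Orange gateway 192.168.3.1, DNS 192.168.1.10) and the public IP JJHouston names, all overridable through environment variables. The mapping from "first step that fails" to a probable cause in `classify` is my own reading of where such faults usually sit, not an IPCop diagnostic.

```shell
#!/bin/sh
# Layered reachability check, run on the Orange (DMZ) host.
# Added example; assumes Linux iputils ping and the addresses from the
# question. Run it with:  sh dmzcheck.sh run   (override with e.g.
# GATEWAY=10.0.0.1 PUBLIC_IP=1.1.1.1 sh dmzcheck.sh run)

GATEWAY=${GATEWAY:-192.168.3.1}         # IPCop ORANGE interface
DNS_SERVER=${DNS_SERVER:-192.168.1.10}  # resolver on the RED-side router
PUBLIC_IP=${PUBLIC_IP:-66.102.9.104}    # reachable only through RED + NAT
PUBLIC_NAME=${PUBLIC_NAME:-www.google.com}

# probe HOST: one ICMP echo with a 2 s timeout; exit 0 on a reply.
probe() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# classify GW DNS PUB NAME: each argument is 1 (reply) or 0 (no reply).
# Prints a verdict naming the first layer that failed and exits 0 only when
# every step passed. The interpretation is an assumption, not IPCop's own.
classify() {
    if [ "$1" -eq 0 ]; then
        echo "LINK: gateway $GATEWAY unreachable; check the cable and the ORANGE address/mask on IPCop and on this host"
    elif [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then
        echo "FORWARD: gateway answers but nothing beyond it; check IPCop's FORWARD chain for ORANGE->RED (iptables -L FORWARD -n -v)"
    elif [ "$3" -eq 0 ]; then
        echo "UPSTREAM: RED-side router answers but the Internet does not; run traceroute -n $PUBLIC_IP to see where packets stop"
    elif [ "$4" -eq 0 ]; then
        echo "DNS: raw IPs work but names do not; check /etc/resolv.conf and that udp/53 to $DNS_SERVER is allowed from ORANGE"
    else
        echo "OK: link, forwarding, NAT and DNS all work from this host"
        return 0
    fi
    return 1
}

# diagnose: run the four probes in order and print the verdict.
diagnose() {
    gw=0; dns=0; pub=0; name=0
    probe "$GATEWAY"     && gw=1
    probe "$DNS_SERVER"  && dns=1
    probe "$PUBLIC_IP"   && pub=1
    probe "$PUBLIC_NAME" && name=1
    printf 'gateway=%s dns=%s public_ip=%s public_name=%s\n' "$gw" "$dns" "$pub" "$name"
    classify "$gw" "$dns" "$pub" "$name"
}

# Only touch the network when explicitly asked, so the functions can be
# sourced and tested without sending any packets.
if [ "${1:-}" = "run" ]; then
    diagnose
fi
```

The order matters: a gateway that answers but a RED-side host that does not points at IPCop's forwarding between Orange and Red rather than at the Linux box, which is the case Nopius's request for `iptables -L` output is meant to settle.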

NopiusCommented:
Hi, fosiul01.

194.132.235.1 is a bad address for an internal network. That IP address really belongs to an Internet network in Stockholm, not to you. So if you ever try to connect to any web site in that network, you will fail.

> problem is linux box(orange) is not getting any internet connection
> i can assume, it could be dns i put 192.168.1.10

DNS should be the same as in the internal network.

It doesn't make much sense to have a separate DMZ on private network address space (192.168.3.x). Your IPCop is already behind a NAT (because its external address is in the private IP network 192.168.1.x). So your DMZ host would be behind 2 NATs and couldn't be accessed from the Internet directly. Usually DMZ hosts have real Internet IP addresses and are not NATed. So it is possible that on IPCop NAT is not turned on for the DMZ. To check that you need to post 'iptables -L'.
0
fosiul01Author Commented:
Hi, thanks. I was out of town and couldn't check any posts.
The way I am trying to do it worked at my office. The previous IT guy did the same setup with the same IPs I got; in the office it's working fine. Now when I am trying to implement it at home, it's not working. Actually, I think it's fine,
because today I checked the office network: the DMZ can't ping any internal network, nor outside addresses like ping gmail.com.

So in my case it's almost the same. I will set up a web server with a rule to check if my setup works or not; if it doesn't work, I will come back again.
0
fosiul01Author Commented:
Hi, I attached a picture; if you can have a look at this picture and tell me. This is a working network; the DMZ is working here.

192.168.88.130/26
What would be the subnet mask of this one?
Diagram.JPG
0
JJHoustonCommented:
If this is a network diagram of your current network, it's quite kooky. Not what I would call a normal addressing scheme, but anyway.

A 26-bit subnet mask will be 255.255.255.192. This divides the normal range into segments of 62 hosts per network, which means that in your diagram, the router and DMZ are on separate networks.
DMZ host range: 192.168.88.129 - 192.168.88.190 (network address is 192.168.88.128)
Router/firewall range: 192.168.88.1 - 192.168.88.62

Most likely your DMZ machine has a default gateway of 192.168.88.129.

Back to your original question. Have you configured DMZ pinholes in your firewall rules?
Have a look at:
http://www.ipcop.org/1.4.0/en/admin/html/section-firewall.html

Anything from your DMZ by default won't have access to your Green network, so you won't be able to ping or access anything on the Green network. If you want to use your internal DNS server, you need to configure your firewall to allow port 53 (DNS) from the Orange to the Green.
0
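The /26 arithmetic in the reply above, carried out by a small shell script that is added here as an example and is not code from the thread. Given an address and prefix length it prints the mask, the network address and the usable host range, tells whether two hosts fall in the same subnet (the router-versus-DMZ question in the diagram), and also checks whether an address is RFC 1918 private, which is the point Nopius raised about 194.132.235.1. It uses only POSIX shell arithmetic and assumes a shell with 64-bit integers (dash and bash on any current Linux); the function names are mine.

```shell
#!/bin/sh
# Subnet arithmetic for dotted-quad IPv4 addresses in plain POSIX sh.
# Added example; assumes 64-bit shell arithmetic (dash/bash on Linux).
# Usage:  sh subnet.sh 192.168.88.130/26 194.132.235.1/24

# ip4_to_int A.B.C.D -> 32-bit integer (runs in a subshell so the IFS
# change used for splitting does not leak to the caller)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip4 N -> A.B.C.D
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_int PREFIX -> netmask as an integer (26 -> 0xFFFFFFC0)
mask_int() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# mask_from_prefix PREFIX -> dotted netmask (26 -> 255.255.255.192)
mask_from_prefix() {
    int_to_ip4 "$(mask_int "$1")"
}

# network_of ADDR PREFIX -> network address (address AND mask)
network_of() {
    int_to_ip4 $(( $(ip4_to_int "$1") & $(mask_int "$2") ))
}

# host_range ADDR PREFIX -> first-last usable host (valid for prefix <= 30);
# broadcast is network OR the inverted mask, hosts exclude both ends
host_range() {
    net=$(( $(ip4_to_int "$1") & $(mask_int "$2") ))
    bcast=$(( net | (4294967295 - $(mask_int "$2")) ))
    echo "$(int_to_ip4 $(( net + 1 )))-$(int_to_ip4 $(( bcast - 1 )))"
}

# same_subnet ADDR1 ADDR2 PREFIX -> exit 0 if both lie in one network
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# is_private ADDR -> exit 0 for 10/8, 172.16/12 or 192.168/16 (RFC 1918);
# the 172.16/12 test compares the top 12 bits with 172.16 = 0xAC1
is_private() {
    n=$(ip4_to_int "$1")
    [ $(( n >> 24 )) -eq 10 ] ||
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] ||
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]
}

# describe ADDR/PREFIX -> one-line summary
describe() {
    addr=${1%/*}; prefix=${1#*/}
    printf '%s mask %s network %s hosts %s %s\n' "$1" \
        "$(mask_from_prefix "$prefix")" "$(network_of "$addr" "$prefix")" \
        "$(host_range "$addr" "$prefix")" \
        "$(is_private "$addr" && echo private || echo PUBLIC)"
}

if [ $# -gt 0 ]; then
    for cidr in "$@"; do describe "$cidr"; done
fi
```

For the diagram's 192.168.88.130/26 this prints mask 255.255.255.192, network 192.168.88.128 and hosts 192.168.88.129-192.168.88.190, and `same_subnet 192.168.88.130 192.168.88.1 26` fails, which is the mismatch JJHouston points out: a router at 192.168.88.1 is not on the DMZ host's network unless it also has an address in the .128/26 block.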
fosiul01Author Commented:
Yes, I know it's kooky!! But I will not take the blame!!! It was the previous IT manager!!! I am just following his road, that's all!!!

Yes, about pinholes, I know I will have to forward web requests from the DMZ to Green.

I will try tonight or tomorrow. I think the way I set it up at home (it's the same as this one, just the IPs are different) is correct; I just need to try it now.
Wish me luck with the funny network address!! I will let you know tomorrow.
0
JJHoustonCommented:
Take it easy, dude! I know all about inheriting kooky networks and bizarre firewall configs. I once inherited a network where, when I checked out the IP range, we were borrowing from the US Army Intelligence Corps! WTF?!?!

Anyway, I was just commenting, not blaming you or telling you you're "$^& or anything.

Another thing that might help before heading home to test: check out the details of the firewall that works; maybe there is something you've missed there.

Good luck.
0
fosiul01Author Commented:
OK, I will check.

But I just posted another question; if you can have a look and help me:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_23173997.html
0