Wednesday, May 16, 2012

Zentyal Server for Home

Outlines my install of Zentyal for my Home Internet and phone server
 - plus documentation of various test configs


Zentyal Gateway setup: As DHCP server, typical install
  • Start with a simple Gateway setup with the following modules
    • Network, Firewall, DHCP, DNS, Backup, Events, Logs, Monioring
  • Follow more or less this guide: http://trac.zentyal.org/wiki/Documentation/Community/HowTo/GatewaySetup
  •  Enable the above listed modules
  • Network -- Interfaces
    • set eth0 to be external interface, in my case I will be using behind the router (for now) so set method to DHCP and selected External (WAN).
    • set internal interface which to Static, in my case I am using eth4 and 172.30.40.1 with netmask of 255.255.255.0
    • I will use the other ethernet ports at a later point for further testing.
  • Network -- Gateways
    • In my casey this should be setup automatically based on DHCP information received as my External interface is DHCP.
    • In my setup it shows my router's IP address through eth0, enabled, the default, with a weight of 1.  It is the only Gateway listed.
    • This can be manually adjusted if neededor desired.  Also, infocan be added for Proxy server configuration and traffic balance and WAN failover settings for multiple External connection environments.
  • Software Management -- Zentyal Components.  
    • Ensure DHCP and DNS services are enabled. 
  • Network -- DNS
    • DNS service acts as a caching server, which improves DNS lookup times.
    • The first listing should be 127.0.0.1 which references Zentyal's DNS service.
    • Additional DNS servers can be added after this entry as needed.
    • My setup works correctly only when I add my router (WAN DHCP server) listed as a second DNS server. 
  • DHCP (under Infrastructure)
    • In my case I am setting up eth4
      • default gateway: Zentyal
      • Search domain: none
      • Primary nameserver: Zentyal DNS (to use Zentyal as a cache DNS server)
      • Secondary nameserver: [blank]
      • NTP server: none
      • WINS server: none
    • setup a range of IP addresses available to be used by the DHCP server, name the range whatever you want
      • I set a range named "default"
  • HTTP Proxy -- General
    • HTTP Proxy allows the following:
      • Web Caching, allowing repeat web content to be reused rather than using additional bandwidth, for example if 10 people go to Gmail or E-week all the non users specific information will be loaded from local storage rather than from a server on the Internet, thus reducing bandwidth. 
      • Allows filtering and banning of certain content.
    • Setup as follows
      • Transparent proxy checked. This allows for Zentyal to be used as a proxy server without changing settings on local computers.  This requires that Internet traffic comes in the External interface on the Zentyal server and out via one or more internal interface(s).
      • Ad Blocking: undecided whether to check or not, will not for now, then check it later to see if I have problems with anything.
      • Port: I kept the default of 3128, since I checked transparent proxy, all the Internet traffic requested on internal  network automatically gets re-directed from port 80 to port 3128 of the Zentyal server.   
      • Added an appropriate cache file size. The larger the size, the more information will be saved on the server.  If you prefer to always be sure you have the latest info, set this low, if you want to conserve bandwidth, set it high.  I set it at 2 Gig for now.
      • Default Policy: This is the filter policy which is applied if incoming traffic doesn't meet a specific Object or Group policy.  I set this to "filter", but in a high security environment, you might prefer "always deny".  If you have users and groups setup you can use an "authorize & ____" option.
      • Cache exemptions: these are for adding web sites that you never want to cache, like up to the minute news web sites.  I added netflix and facebook here.
    • Module Status
      • Enable Users and Groups
      • Enable HTTP Proxy
  • HTTP Proxy --  Filter Profiles
    • You can add various filter profiles here, each one with its own rules
    • default filter group is used if the default policy set above is "filter" and there are no specific policies invoked via Object or Group policy sections
    • Object policy and Group policy is where you setup rules for which filter policy to use for specific groups of people or objects (i.e. computers via IP addressing schema).
    • Tested setup and use of default filter as follows
      • Click on Configure Default filter button
      • Add Domain and URL rule of always deny yahoo.com
      • Went to another web browser, tried accessing yahoo.com and was served a Zentyal - Access Denied page
      • WORKS
    • Now, modify default filter profile how you like, then create new filter profiles as desired and finally create groups of users or objects and tie them to your desired filter profile for that group.
      • As an example, for your young child's computer you can block social web sites by creating a "young" filter policy, then create a "young" object (or user) group and adding that computer (or user) to that group and tying the group to the
      • You could then let everyone else use the "default" filter and block hate, scam and porn web sites, or whatever you wish.
  • Antivirus:  
    • Enable via Module Status
      • This will check downloads for viruses and block infected content
  • Firewall - I will configure this at a later point in my testing

Adding Bridged Networking
In order to roll out Zentyal to the rest of my network, I decided to try out Bridged networking, thus keeping my main router as DHCP server

  • Network -- Interfaces
    • eth3 changed 
      • Method = Bridged
      • Bridge = new
    • save so br1 shows up
    • br1 changed
      • Method = DHCP
    • eth3 changed
      • Bridge = br1
      • External = unchecked
    • eth0 changed
      • Method = Bridged
      • External = checked
      • Bridge = br1
    • change and save changes
  • plugged in office part of my house to eth3 and tested with the following observations
    • DHCP service from router on External interface of Zentyal worked well
    • filtering worked as expected
    • Network -- Gateways now shows br1 Interface
    • Computers connencted via eth3 do not show up on dashboard
    • communication between hosts on lan side of Zentyal worked without problems
    • communicating between Zentyal's lan and wan of Zentyal (even though computers on same sub-net as far as router is concerned) required firewall rules as follows: [I think this is a fairly unusual and poor configuration, only existing because of intermediate testing, but I am documenting required firewall rules anyway.]
      • Firewall rules to allow a certain port from wan to lan side computer
        • firewall -- packet filter -- filtering from external to internal  (this rule was not needed and did not work alone, port forward rule was better approach)
          • decision = accpet
          • source = any
          • destination = any
          • service = Minecraft (added service for ports 25565 & 25566)
          • description = Minecraft allow
        • firewall -- port forward
          • interface = br1
          • original destination = [IP of Minecraft Server]
          • Protocol = tcp/ip
          • original destination port = port range 25565 to 25566
          • source = any
          • destination ip = [IP of Minecraft server]
          • Port = same
          • replace source address = not checked
          • log = not checked
          • description = Minecraft
  • Go live - bridged and DHCP servered mixed environment
    • all house now on Zentyal lan 
    • All wired connections via bridged networking to eth3
    • Wireless via fixed/DHCP server on eth4
      • this keeps my wireless guests on separate sub-net with default firewall stops
    • Ran into some problems - after a couple hours some of the computers could not reach the DHCP server.  no time to fix now, so reverted back to only wireless internal to Zentyal.  Will problem solve later
    • Could be GATEWAY ISSUE  -- CONCLUSION: was a problem but did not solve this particular problem
      • while looking through setup, I noticed that the Gateway settings were changed in that my router IP address was no longer listed as the default gateway (no checkbox).  Verified the following settings:
        • Enabled = checked
        • Name = name give by zentyal
        • interface = br1 (in my case)
        • Weight = 1
        • default =  checked
      • not sure when this got un-checked in the first place, probably with some setup problem
      • Fixed, but problem still exists of bridged ports not accessing DHCP server/router
    • Could be a WAN SETTING issue -- CONCLUSION: not problem, was correct
      • Interface for eth0 may need to be taken off of WAN setting (box un-checked) for DHCP and DNS services to flow through properly. (Though perhaps we could create firewall rules to allow such traffic.)
      • Some documentation did not show WAN setting checked for connection to router, so tried to change and run, but as I suspected, this did not work properly:  After de-selecting WAN for eth0, I failed to get access to the Internet on my wireless (using eth4 with DHCP from Zentyal)
    • Could be FIREWALL ISSUE.  Add a rule as follows for next time I switch over to live:
      • CONCLUSION - this works, particularly the DHCP return service and rule was needed
      • Firewall -- Packet Filter -- External networks to Internal Networks
        • Add new
          • Decision = Accept
          • Source = any
          • Destination = any
          • Service = dhcp
          • Description = Allow dhcp
      • TEST - still not connecting to DHCP service, maybe I need port forwarding rule.... or DHCP return port rule as follows
      • DHCP service on port 67 was already setup, added service definition for port 68
      • Network -- Services    Add new service definition
        • Add new
          • Service name = dhcp return
          • Description = dhcp request return
        • Configuration - Add new
          • Protocol = TCP/UDP
          • Source port = Any
          • Destination port = Single port = 68
      • Firewall -- Packet Filter - External to Internal     New firewall rule
        • Add new
          • Decision = Accept
          • Source = any
          • Destination = any
          • Service = dhcp return
          • Description = Allow dhcp return
      • So far network working correctly!
Enable Other Modules - sometimes need to reboot Zentyal for proper functionality after enabling modules

  • Module Status : Enable the following modules
    • Enabled the modules: IDS, VPN, Traffic Shaping, Users & Groups, VoIP, Bandwidth Monitor, FTP, Jabber, File Sharing & Printer Sharing
    • Backup Configuration locally and remote via System -- Import/Export Configuration
  • Software Management -- Zentyal Components
    • Select Virtualization Manager to install
    • Apply changes and Save
  • Module Status : Enable Virtual Machines and save changes

VoIP Configuration
It seems to me that Zentyal is either in transition or has two very different methods of registering phones.  Prior version of Zentyal had all phone configuration through the User and Groups settings, now it seems the best and most complete registration of telephones is done via VoIP -- Phones settings.   This new interface allows you to setup phones independent of setting up users.  That is you don't need to create dummy users for phones for which you don't want to associate a real user.

Problem I am having is in setting up phones which are provisioned via the Users and Groups section.  I set everything up according to documentation, then I can make outgoing calls, but when I try to call that exentsion I get the message: "The person at extension .... is unavailable".  These extensions also no longer register in the VoIP users section of the Dashboard.  Below I outline the setting I have for these.
  • VoIP -- General (mostly defaults)
    • General Configuration
      • Enable demo extensions  = checked
        • These are different than what is listed in the help file
          • *4 for Music on Hold
          • *6 for Echo test
      • Enable outgoing calls = not checked (for now)
      • VoIP domains = zentyal (default for now)
    • SIP provider
      • leave all blank for now
    • NAT configuration
      • none in my config, so leave default value of no
    • Local Networks
      • none for now.  This is important to identify if non-natted (i.e. routed) networks are available and will be use for phones
  • VoIP -- Phones     WORKING
    Phones seem to be allotted extension only in the range 4000 to 7999,  Prior ranges of 1000 to 3999 do not seem to work at this time and seem to be designated for use in the Users and Groups VoIP setup, which appears broken.   Following is how I correctly setup VoIP phones
    • New Phone
      • Enabled = checked
      • Extension = 4001 [any # between 4000 and 7999]
      • Voicemail = 5001
      • Email notified = blank for now ---- need to test
      • Description = [left blank]
    • Tried setting up extension in the 1000 to 1999 range and would get a busy signal when trying to call the phone.  I did this as part of a test trying to get Users and Groups defined phone configurations working.  See my notes below.  The result that calls can be made from the phone, but not to the phone is similar, but the result of another person trying to call this phone varies depending on where it was defined.
  • Users and Groups   NOT WORKING
    This is my attempt to get Users for VoIP phones working.  So far this is unsuccessful.
    I have set up the following Users to try and get VoIP working for users
    • Phone 2
      • first name = phone
      • last name = 1012
      • comment = [blank]
      • user quota = 100 [default]
      • password = password I used in the phone setup
      • User groups = voip [a group I setup for voip users]
      • Asterisk user account = enabled
      • Extension = 1012
      • remaining settings are not important
    • phone1 
      • same as above, but with extension = 1001 as well as last name = 1001
    • Users and Groups -- Groups: VoIP
      • Asterisk Group queue = Enabled
      • Exetension = 9001
      • Sharing directory Name = voip
    • Results 
      • This user can make calls to other phones and test extensions, but can not receive calls .... Attempts result in caller getting the message "the person at extension .... is unavailable".
      • Tried setting up replicated settings in VoIP -- Phones: with same extension and password.  Got the same results, no change.
  • VoIP AND Firewall Issues  (no longer needed after abandoned pass-through config)
    For setu643p in pass through configuration, need to setup Firewall rule to allow VoIP from external network to internal network if you want phones with IP addresses assigned by your router external to Zentyal to be able to communicate with Zentyal server and phones on Internal networks.  Warning: firewall rule defined below may be too loose for your safety needs.
    • Firewall -- Packet Filter -- from external to internal networks
      • Decision = Accept
      • Source = Any
      • Destination = Any
      • Service = VoIP
      • Description = "VoIP from external"
    • Firewall -- Packet Filter -- from external network to Zentyal (may also need)
      • Decision = Accept
      • Source = Any
      • Service = VoIP
    • ALSO ... Added rule on external router to route traffic headed to Internal Zentyal network (172.30.40.1) to Zentyal's External IP address
  • VoIP -- Meetings
    Meetings work as group extensions......

  • VoIP tricks
    • Demo extensions
      • *6 is echo test
      • *4 is Music on Hold
  • Music on Hold setup
  • Voicemail setup
Notes on phones:
  • Web setup at http://[ipaddress]
  • Default Grandstream web access password: admin 
  • Default Grandstream phone access password: 123
    • GXP285 setup
      • Basic Settings
        • dynamically assigned DHCP
      • Advanced settings
        • nothing unusual
      • Account
        • Account Name:
        • SIP Server: 172.30.40.1:5060
        • Outbound Proxy: 172.30.40.1:5060
        • SIP User ID: 4001
        • Authenticate ID: 4001
        • Authenticate Password: 4001123 = [account#]123   (for testing)
        • Name: 4001
    • GXP201 setup
      • same except account use 4002 for name, and ID fields


Minecraft Port Configuration 
I want to open up the Minecraft game port to be allowed.

The following configuration is for Minecraft server located within Zentyal's Internal network, but given IP address from router external to Zentyal (pass through configuration).  A port forward was given at the router level to accept this traffic to the router's external address and forward it to the IP Address of Minecraft Server
  • Network -- Services
    • Add New
      • Service name = "Minecraft"
      • Description = 25565
      • Configuration
        • Protocol = TCP/UDP
        • Source port = port range = from 25565 to 25566  (any should also work)
        • Destination port = port range = from 25565 to 25566
  • Pass Through Configuration
    • Firewall -- Port Forwarding
      • Add new
        • Interface = br1
        • Original destination = IP Address of Minecraft Server
        • Protol = TCP/UDP
        • Original destination port = single port = 25565
        • Source = Any
        • Destination IP = IP Address of Minecraft Server
        • Port = Same
        • Replace source address = NOT checked
    • Firewall -- Packet Filter -- from external to internal networks
      • Add new
        • Decision = accpet
        • Source = any
        • Destination = any
        • Service = Minecraft (I configured above)
        • Description = "Allow Minecraft"
  • New Configuration with all network internal to Zentyal
    • Changes to my Router
      • remove Route to my internal IP addresses
      • Add Port forward from enternal my router to Zentyal 
        • using port 25565 for traffic to primary Minecraft server
        • using port 25566 for traffic to secondary Minecraft server
        • Accept rule for each friend we allow to our Minecraft servers.. individually directed to Zentyal IP address at one of the above ports depending on where they are playing
    • Firewall -- Port Forwarding
      • Add new
        • Interface = eth0
        • Original destination = Zentyal
        • Protol = TCP/UDP
        • Original destination port = single port = 25565
        • Source = Any
        • Destination IP = IP Address of Primary Minecraft Server
        • Port = Same
        • Replace source address = NOT checked
    • Firewall -- Port Forwarding
      • Add new
        • Interface = eth0
        • Original destination = Zentyal
        • Protol = TCP/UDP
        • Original destination port = single port = 25566
        • Source = Any
        • Destination IP = IP Address of Secondary Minecraft Server
        • Port = 25565
        • Replace source address = NOT checked
FTP Configuration 
I want to open up FTP to be accessible by anyone for now
  • Annonymos access = Read/Write
  • SSL Support = Allow SSL
  • Tried to Connect from laptop using FileZilla on 172.30.40.1 port 22
    • Get authentication failed (hmm, so much for Annonymous)
    • Added username and password for administrator, now works fine
  • Looking for where to upload OS install images and Hard Drive images for use by Virtual Machine module.... for now used /home/[user]/Downloads
  • Default libvirt storage location of Disk images is /var/lib/libvirt/images, but I don't see any new images created here.  I think I will upload a Linux Mint LXDE machine I already have into here.

Converting From Bridged to Standard Configuration
To better keep track of registered computers and control more of my network from Zentyal, I decided to use Zentyal for DHCP server on my principle network.  Setup as follows

  • Network -- Interfaces
    • eth2 (the interface I will switch the cable to after configured)
      • method = Static
      • External = NOT checked
      • IP address = 173.30.44.1
      • Netmask = 255.255.255.0
  • Network -- Objects
    This is where I want to configure the computers and servers I always want to give the same IP address to.  As an EXAMPLE
    • Add New
      • Name = HP Printer
        • Members -- add new
          • Name = HP Printer
          • IP address = 172.30.44.9
          • MAC address = [device MAC with colons]
  • DHCP  -- Choose interface eth2
    • Default gateway = Zentyal
    • Search domain = None
    • Primary nameserver = local Zentyal DNS
    • Secondary nameserver = [blank]
    • NTP Server = None
    • WINS Server = None
    • Ranges ... Add New
      • Name = free range
      • from = 172.30.44.64
      • to = 172.30.44.127  (this equals 172.30.44.64/26)
    • Fixed addresses .. Add new
      • Object = HP Printer
      • Description = [ip address] -- this is for quick reference and can be blank or whatever
  • Went live with this change... no problems so far... slight change is that I switched eth2 and eth4 so eth4 is for wired and eth2 being used for wireless.  not of consequence here.
  • Removing Firewall Rules that were needed for Bridged Mode, but no longer needed:
    • Firewall -- Packet Filter - External to internal
      • remove Minecraft service allow (now have port forward rule)
      • Remove eBox administration allow (for now only accessing from internal)
      • Remove VOIP allow (all phones internal to Zentyal)
      • Remove DHCP allow (no longer need to access External DHCP server)
      • Remove DHCP return allow (see above)
      • (this leaves no rules in this section)
    • Firewall -- Packet Filter -- External to Zentyal
      • (no changes)





Virtual Machines
Virtual Machines on Zentyal still seem to be a work in progress.  Here are my notes on trying them out (unsuccessfully so far).
  • Virtual Machines : Add New
    • Name LM-lxde
    • Auto start = not checked
    • System Settings: 
      • OS = i686 compatible
      • Base Memory = 512
    • Network Settings:
      • Add New Bridged to br1
    • Device Settings:
      • Add New Hard Drive
        • Drive type = Hard Disk
        • Action = create new disk
        • Name= LM-lxde
        • Size = 8000 MB (no thin provisioning option in the GUI)
      • Add New CD drive
        • Drive type = CD/DVD
        • Path =/home/[user]/Downloads/linuxmint-11-lxde-cd-32bit.iso
    • Starting it... Lights come up and all, but I cannot view the virtual machine in the console.  Hmmmm.....
    • Tried connecting from Virt-manager on my computer
      • signed into server with standard username and password
      • can see virtual machines, edit them, control them
      • can NOT view them in console... errors with the message "Error: viewer connection to hypervisor host got refused or disconnected!"
    • Install virt-manager on server and try
      • connect to ssh session with server
        • sudo ssh [user]@[serverip]
        • sudo apt-get install virt-manager
      • connect to virt-manager session on server as follows in a new terminal window
        • ssh -X user@serverip  (ssh with X session enabled)
        • virt-manager (to open virt-manager)
      • This allows me to see virtual machine, pause it, and presumably manipulate it in other ways
      • Can NOT view in console.  I am asked for a password then given "tcp/ip error: VNC connection to hypervisor host got refused or disconnected!"
      • searching online, this seems to be a broader issue with Ubuntu, though I do not experience it on my ubuntu server, anyway, trying virtual box for now as follows
  • Alternate is to install Virtualbox as described here:  http://forum.zentyal.org/index.php/topic,8969.msg42447.html#msg42447
    • Deleted Virtual machine I created
    • in Zentyal: Software management -- Zentyal Components -- delete
      • selected Virtualization manager and chose delete button
    • in SSH command line session: (from terminal: ssh user@zentyalip)
      • sudo apt-get remove virt-manager
      • sudo apt-get remove libvirt-bin
      • sudo apt-get install virtualbox-ose
        • get Fail message stating "No suitable module for running kernel found"

  • General notes:
    • On my computer images are stored at: /var/lib/libvirt/images
    • copied images from my computer to user download directory of Zentyal as follows
      • ssh ipaddress
      • scp root@ipaddress:/var/lib/libvirt/images/MineOS-CRUX.img /home/chenier/Downloads/
Misc Items
  • HTTPS service for firewall rules
    • to make it easier to create firewall rules to block certain https traffic, create a service definition as follows
    • Network -- Services  add new
      • service name = https
      • save and click configuation
        • Protocol = TCP/UDP
        • Source Port = any
        • Destination Port = Single port 443
    • save configuration
  • Needed firewall rule to logon to Zentyal from computer on bridged network.  I setup the following rules after which I was alble to login.
    • Firewall -- Packet Filter -- Internal networks to Zentyal
      • Add New
        • Source = Accept
        • Source = Any
        • Service = https
    • Firewall -- Packet Filter -- external Networks to Zentyal
      • Add New
        • Decision = Accept
        • Source = Source IP = IP of my computer
        • Service = https
    • Firewall -- Packet Filter -- external to internal networks
      • Add New (maybe not needed)
        • Decistion = Accept
        • Source = any
        • Destination = any
        • service = eBox administration

Updating
Decided to update with community updates for for now instead of purchasing subscription.
  • Software Management -- Zentyal Components
    • Software Management -- Settings
      • Enable Automatic security updates daily at 2:38 am
    • Software Management -- System Updates
      • select all and choose to update
    • Software Management -- Zentyal components -- Update
      • select 
        • Core 2.2.4 to 2.2.7
      • click on update and confirm
      • click on save changes
      • select (after everything finishes)
        • Antivirus 2.2 to 2.2.1
        • Backup 2.2.2 to 2.2.4
        • Common Library 2.2.2 to 2.2.3
        • Monitor 2.2.1 to 2.2.3
        • Software Management 2.2.2 to 2.2.4
        • VPN Service 2.2 to 2.2.1
        • (save other updates for another day :)
      • click on update and confirm
      • click on save changes
    • Reboot server just to be sure everything is straightened out

Identify  and Peg Network Objects
In order to peg DHCP addresses to specific computers/appliances while using dynamic DHCP on device, need to identify and peg devices on the server side.  This is a two step process.  A) Define Network Object for the unique MAC address with defined single IP address then B)Make static route in DHCP server.  Details follow for one example on my network:
  • Network -- Objects  : Add new
    • Name = phone 4001
      • members (Add new)
        • Name = phone 4001
        • IP address = CIDR = 172.30.40.41/32  (this is single IP address)
        • MAC address = (Mac for phone, copied and pasted from Dashboard)
        • (obviously, MAC address is required when desiring to peg specific devise to single IP address)
  • DHCP --  choose static interface (eth4 in my example)
    • Fixed addresses (at bottom of page)  -- Add new
      • Object = phone 4001
      • Description = (optional, but I put the pegged IP address for reference)


Configure Storage and Printers
Configure Virtual Machines
Configure Users
Configure phone advanced features
Posted by at

1 comment:

  1. bpeFebruary 15, 2013 at 9:51 AM

    pas mal
    j'ai installé zentyal avec tous les modules, j'ai donc galéré
    il manque un schéma de votre réseau

    ReplyDelete

Subscribe to: Post Comments (Atom)