Problems on Green after Migration

Hi,

After migrating to a new server, the green interface isn’t working any more. I have done this while migrating:

  1. Installed same build on new server
  2. Configured red, green, blue and orange interfaces
  3. Restored backup and checked settings
  4. Followed these steps: Migrating to new hardware

After the first reboot IPsec was disabled but works again after enabling; the web interface is also reachable and works. While booting I only got this warning:

WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.

Think this warning can be ignored.

Squid web proxy started with 2 errors

But now I have no access on green to the internet and all machines on the green interface, also no access to orange and blue. Same from orange to green and orange to blue.

When connected from outside with OpenVPN I can access machines on green, orange and blue.

Could anybody help here?

Thanks.
Nick

Looks like you have installed a firewall rule to block the green device, unintentionally.

Hmm, I only made a backup from the old server and restored it to the new one as written above.

During the weekend I compared all settings and rules old server/new server and pressed ok/save/update on each page/option. Now access to green itself, green to blue and green to orange is working; access from green to red (internet) isn’t working.

Think I am running into this problem here: https://community.ipfire.org/t/proxy-problem-after-upgrade-to-core-155-the-proxy-server-is-refusing-connections/5020/23

The server is an x86_64 and running IPFire 159 (think similar @pmueller).

Access from green to red (internet) is only working with setting up a rule from green to red. Something is going wrong with the web proxy here but I don’t know what I can do here.

If you think the problem is related to the proxy server then if you disable the proxy server you should be able to access the internet again.

If that doesn’t allow green to access red what do you get if you try

ping -c4 ipfire.org

from the console. What result and message do you get?

If you can’t get a response back from ping then are you connected to your ISP?

Some ISPs fix the MAC address that is used for the first time and when you change the hardware they will not connect as the MAC is different. If this is the case you will need to get your ISP to reset the MAC address they have stored for you or you can change the MAC address presented by IPFire on red0 using menu Network - Assign MAC-Address to enter the MAC address you used to have with your old hardware.

You can check if red0 is connected on the main WUI page. Does IPFire show it is connected and do you have an IP address showing for the Internet connection and for the Gateway? If those entries are present and IPFire shows Connected under status with the connection time then you are connected to your ISP.

1 Like

With the proxy disabled I didn’t get a connection to the internet.

The result of ping -c4 ipfire.org:

4 bytes from fw01.ipfire.org (81.3.27.38) icmp_swq1 ttl=55 time 18.8 ms
4 bytes from fw01.ipfire.org (81.3.27.38) icmp_swq2 ttl=55 time 18.9 ms
4 bytes from fw01.ipfire.org (81.3.27.38) icmp_swq3 ttl=55 time 18.9 ms
4 bytes from fw01.ipfire.org (81.3.27.38) icmp_swq4 ttl=55 time 18.7 ms

ipfire.org ping statistics —
packets transmitted, 4 received, 0% loss, time 3002ms
tt min/avg/max/maeve = 18.718/18.840/18.917/0.075ms

WUI looks ok, connected with the known IP address.

I’m confused:
With a simple rule (green to red, allow all) I have internet on the green interface. In that case it makes no difference if the proxy is enabled or disabled.

Okay, so your ping result says that you have full Internet connection.

What happens if you try the ping from a machine in the green LAN?
If ipfire.org does not give a connection, try ping -c4 81.3.27.38

If neither of the pings works from the green LAN then that would really suggest that you have a firewall rule set somewhere.

Do you have any entries in firewall.local?

Ping to ipfire.org and 81.3.27.38 from a machine in the green LAN works. Both results looked like the ping test before.

The firewall.local inside:

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        ;;
  stop)
        ## add your 'stop' rules here
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac

Okay so the pings work but the web browsing doesn’t.
The firewall.local file you have is the default empty one.

Searching for pings working but no browsing I found an entry where the nsswitch.conf entry for hosts had to be modified to fix the problem.

What does your /etc/nsswitch.conf have in it for hosts? Mine has

hosts: files dns myhostname

All other entries just have files.

Is your hosts entry different from this?

When you disabled the proxy, did you also turn the proxy setting on your browser back to using the system settings?

No, mine looks like yours.

Yes I have. Did it again before this post to be sure. Also disabled all firewall rules and tried. It wouldn’t work. :-(.

Unfortunately I have just about reached the end of my knowledge for this then. Hopefully there are other people who have more experience/knowledge who can suggest things to check for.

1 Like

Ok. Many thanks for spending your time. :-).

Did all the steps as written in my first post/question again. Now it works. Don’t know what happened the first time.