Tag Archives: endian

Endian DHCP stopped and failing to start on 3.0.5beta1

TL;DR: Updated Endian this morning, and the DHCP service failed to start. It turns out that a 2nd DNS server set in the Web GUI isn’t written correctly to the dhcpd.conf file. Solution: remove the 2nd DNS server, or manually add a comma (,) between the addresses in the config file using nano.

In the Web GUI under “Status -> System Status”

The DHCP server was shown as “Stopped”.

Manually starting from the shell also failed.

‘service dhcpd start’

A quick look in the logs:

‘cat /var/log/messages’

Feb 25 10:22:51 endian dhcpd: Internet Systems Consortium DHCP Server V3.0.5-RedHat
Feb 25 10:22:51 endian dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Feb 25 10:22:51 endian dhcpd: All rights reserved.
Feb 25 10:22:51 endian dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Feb 25 10:22:51 endian dhcpd: /etc/dhcpd.conf line 21: semicolon expected.
Feb 25 10:22:51 endian dhcpd:         option domain-name-servers 192.168.0.3 192.
Feb 25 10:22:51 endian dhcpd:                                                ^
Feb 25 10:22:51 endian dhcpd: Configuration file errors encountered -- exiting
Feb 25 10:22:51 endian dhcpd:
Feb 25 10:22:51 endian dhcpd: If you did not get this software from ftp.isc.org, please
Feb 25 10:22:51 endian dhcpd: get the latest from ftp.isc.org and install that before
Feb 25 10:22:51 endian dhcpd: requesting help.
Feb 25 10:22:51 endian dhcpd:
Feb 25 10:22:51 endian dhcpd: If you did get this software from ftp.isc.org and have not
Feb 25 10:22:51 endian dhcpd: yet read the README, please read it before requesting help.
Feb 25 10:22:51 endian dhcpd: If you intend to request help from the [email protected]
Feb 25 10:22:51 endian dhcpd: mailing list, please read the section on the README about
Feb 25 10:22:51 endian dhcpd: submitting bug reports and requests for help.
Feb 25 10:22:51 endian dhcpd:
Feb 25 10:22:51 endian dhcpd: Please do not under any circumstances send requests for
Feb 25 10:22:51 endian dhcpd: help directly to the authors of this software - please
Feb 25 10:22:51 endian dhcpd: send them to the appropriate mailing list as described in
Feb 25 10:22:51 endian dhcpd: the README file.
Feb 25 10:22:51 endian dhcpd:
Feb 25 10:22:51 endian dhcpd: exiting.

 

Luckily the log points us in the right direction.

/etc/dhcpd.conf line 21: semicolon expected.
Feb 25 10:22:51 endian dhcpd:         option domain-name-servers 192.168.0.3 192.

In the Web GUI if I remove the 2nd Name server, all is well, the service starts up and the log shows requests being received.
When I add it back in, it fails to start again.

When I add the comma in using nano, I’m able to manually start the service.
Although I’m sure it will break if any changes are made to the web gui.

Update: It appears that this bug has been around for a few days, and is reported: https://jira.endian.com/browse/UTM-1388
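The failure in the log above can be caught before restarting the service. The following is an added example, not part of the original post: a small shell check that flags `option domain-name-servers` statements whose addresses are separated by whitespace instead of a comma. The function name and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag "option domain-name-servers"
# statements whose addresses are separated by whitespace instead of commas.

# find_bad_dns_options FILE
# Prints "LINE: text" for each malformed statement.
# Returns 0 if at least one was found, 1 if the file is clean.
find_bad_dns_options() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        /option[ \t]+domain-name-servers[ \t]/ {
            value = $0
            sub(/#.*/, "", value)                  # drop a trailing comment
            sub(/.*domain-name-servers[ \t]+/, "", value)
            sub(/;.*/, "", value)                  # keep only the address list
            # two tokens with only whitespace between them: the comma is missing
            if (value ~ /[0-9A-Za-z.:][ \t]+[0-9A-Za-z.:]/) {
                printf "%d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit (bad ? 0 : 1) }
    ' "$1"
}

# Constructed sample config; the addresses are made up for this example.
sample=$(mktemp)
cat > "$sample" <<'EOF'
subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.3 10.0.0.53;
}
EOF

if find_bad_dns_options "$sample"; then
    echo "missing comma in the statement(s) above; dhcpd will refuse to start"
fi
rm -f "$sample"
```

On the firewall itself the function would be pointed at /etc/dhcpd.conf; ISC dhcpd also has a `-t` option that parses the configuration file and reports syntax errors without starting the server.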

Endian Transparent Proxy and Hamachi Gateway Issue

Update: works around 95% of the time, but isn’t perfect.

After recently upgrading from IPCop to Endian for a client’s router, we discovered an issue that wasn’t there with IPCop.
All the users connecting in via the Hamachi gateway also had their traffic passed through the squid proxy server at the office.

While most organizations would encourage this, it was an unintended side effect, and brought the small, slow ADSL connection to its knees.

After trying to fiddle with proxy.pac files, iptables rules, etc., it seems the easiest option is to simply ban the IP address in the proxy.

      1. Create a static DHCP address for the client
      2. Go to Proxy -> HTTP -> Access Policy. Add a new access policy
      3. Select the following values:
            Source Type: Network/IP
            Destination Type:
            Insert Source Network/IPs: Add the IP addresses from Step 1.
            Access policy: Deny access
            Position: First position
      4. Create Policy
      5. Test on a remote client using Speedtest.net or IPChicken

Early testing has shown that there aren’t any issues with this, the client still downloads the proxy.pac file, then finds out it can’t use the Proxy (Chrome seems to add it to a Ban list), and carries on connecting as usual.

Extended testing shows that every now & then Endian still gets asked to handle the request & gets a ‘denied’ response. So not a perfect solution, it still half works.

Endian Firewall and Office 365 Outlook not connecting

Problem: Switching from IPCop to Endian Community 3 resulted in Outlook not connecting to the Office 365 servers.

Solution: It appears the issue is with Squid (see http://www.squid-cache.org/mail-archive/squid-users/201308/0269.html). Office 365 resolves outlook.office365.com to 25 different addresses, but Squid by default tries the first 10 and then gives up. To fix this, add the line: forward_max_tries 25
But where to do so in Endian?

Adding extra squid configuration options in Endian 3:
The Squid config is at /etc/squid/squid.conf, BUT this is rebuilt every time you save in the web GUI. Instead, to add custom options, add them into /var/efw/proxy/custom.tmpl

For example:
SSH in:
cd /var/efw/proxy/
vi custom.tmpl
[add the following:] forward_max_tries 25

Then resave the settings in the Web gui to force the rebuild of the /etc/squid/squid.conf file.
Then check to see that the settings are there with the following command:
cat /etc/squid/squid.conf
And look for #begin custom.tmpl
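The manual check above can be scripted so that a rebuild which silently drops the custom options is noticed. This is an added example, not part of the original post: the function name is hypothetical, the sample files are constructed, and it assumes custom.tmpl holds plain squid directives, one per line.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the rebuilt
# squid.conf really contains what was put in custom.tmpl.

# check_custom_applied CUSTOM_TMPL SQUID_CONF
# Returns 0 if the "#begin custom.tmpl" marker and every directive are present,
# 2 if the marker is absent, 1 if a directive is missing (each one is printed).
# Assumes custom.tmpl holds plain squid directives, one per line.
check_custom_applied() {
    tmpl=$1; conf=$2; status=0
    if ! grep -Fq '#begin custom.tmpl' "$conf"; then
        echo "marker '#begin custom.tmpl' not found in $conf"
        return 2
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        # strip surrounding whitespace, then skip blanks and comments
        directive=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $directive in ''|'#'*) continue ;; esac
        if ! sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$conf" | grep -Fxq -- "$directive"; then
            echo "missing: $directive"
            status=1
        fi
    done < "$tmpl"
    return $status
}

# Constructed files standing in for /var/efw/proxy/custom.tmpl and
# /etc/squid/squid.conf before the settings are re-saved in the web GUI.
dir=$(mktemp -d)
printf 'forward_max_tries 25\n' > "$dir/custom.tmpl"
printf 'http_port 8080\n#begin custom.tmpl\n' > "$dir/squid.conf"
check_custom_applied "$dir/custom.tmpl" "$dir/squid.conf" || echo "re-save the proxy settings"
rm -rf "$dir"
```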