IP Settings
This is the place to learn how to configure your network, hostname and DNS servers.
Menu
You can find this feature in the menu system at the following location:
Network|Settings|IP Settings
Configuration
Settings
Network Mode
The ClearOS system can run in one of four different modes:
- Standalone Mode - No firewall - for a standalone server without a firewall (for example, a file server)
- Standalone Mode - for a standalone server with a firewall (for example, a public web server)
- Gateway - for connecting your LAN, DMZ, and/or HotLAN to the Internet
- Trusted Gateway - an undocumented mode which allows ClearOS to act as a transparent in-line bridge. To enable it, set
MODE="trustedgateway"
in /etc/clearos/network.conf.
Hostname
A hostname is the full name of your system. If you have your own domain, you can use a hostname like gateway.example.com, mail.example.com, etc. The hostname does require at least one period (.).
Internet Hostname
This is how you are known from the internet. It may be your poweredbyclear.com DDNS name or another name. It is used, for example, by OpenVPN when creating its client configs to say which FQDN the OpenVPN client should contact to make a connection.
Default Domain
Specify the Internet domain of this server. This is the domain name (e.g. example.com) of your organization and not the hostname of this server but it could also be the internal domain name that you want to use on your LAN. If you do not have your own domain then you can use one of the free dynamic DNS hostnames provided by the ClearSDN. Alternatively, you can also make one up: gateway.lan, mail.lan and use it internally only.
DNS
On DHCP and DSL/PPPoE connections, the DNS servers will be configured automatically for your IP Settings. Users with static IP addresses should use the DNS servers provided by their Internet Service Provider (ISP).
If you use automatic DNS servers, they can be temporarily overridden until the next reboot. Alternatively, if you un-check the Automatic DNS Servers box in the External interface, you can manually specify your DNS servers here.
If you are using Multi-WAN, please review the MultiWAN User Guide on the topic of DNS servers.
Network Interfaces
This is broken down into five normal sections: Ethernet, Virtual, VLAN, xDSL and Wireless. Some of the configuration is common between the sections. Sections will only show if interfaces of those types exist. Other sections such as Bonded will appear with manual configuration.
From this screen you can configure or delete interfaces or run speed tests on external interfaces.
Configuring Ethernet Interfaces
Roles
When configuring a network interface, the first thing you need to consider is the network role in IP Settings. Will this network card be used to connect to the Internet, for a local network, for a network with just server systems? The following network roles in IP Settings are supported in ClearOS and are described in further detail in the next sections:
- External - network interface with direct or indirect access to the Internet
- LAN - local area network
- Hot LAN - local area network for untrusted systems
- DMZ - de-militarized zone for a public network
External
The external role provides a connection to the Internet. On a ClearOS system configured as a gateway, the external role is for your Internet connection. On a system configured in standalone mode, the external role is for connecting to your local area network.
On ClearOS, you can have more than one external interface configured for load balancing and automatic failover. See the Multi-WAN user guide for details.
LAN
The LAN (local area network) role provides network connectivity for your desktops, laptops and other network devices. LANs should be configured with an IP address range of 192.168.x.x, 172.16.x.x-172.31.x.x or 10.x.x.x. For example, you can configure your ClearOS LAN interface with the following settings:
- IP: 192.168.2.1
- Netmask: 255.255.255.0
In this example, all systems on your LAN would have IP addresses in the range of 192.168.2.2 to 192.168.2.254.
By default, all LANs (including VLANs) can communicate with each other. A LAN can also access a HotLAN but not vice-versa.
Hot LAN
Hot LAN (or “Hotspot Mode”) allows you to create a separate LAN network for untrusted systems. Typically, a Hot LAN is used for:
- Servers open to the Internet (web server, mail server)
- Guest networks
- Wireless networks
A Hot LAN is able to access the Internet, but is not able to access any systems on a LAN or ClearOS itself. As an example, a Hot LAN can be configured in an office meeting room used by non-employees. Users in the meeting room could access the Internet and each other, but not the LAN used by company employees.
The firewall port forwarding page in webconfig is used to forward ports to both LANs and Hot LANs.
DMZ
In ClearOS, a DMZ interface is for managing a block of public Internet IP addresses. If you do not have a block of public IP addresses, then use the Hot LAN role of your IP Settings. A typical DMZ setup looks like:
- WAN: An IP address for connecting to the Internet
- LAN: A private network on 192.168.x.x
- DMZ: A block of Internet IPs (e.g. from 216.138.245.17 to 216.138.245.31)
Webconfig has a DMZ firewall configuration page to manage firewall policies on the DMZ network.
Connection Type
DHCP
For most cable and Ethernet networks, DHCP is used to connect to the Internet. In addition, your system will have the DNS servers automatically configured by your ISP when the Automatic DNS Servers checkbox is set.
If you have an upstream proxy on your external interface you can configure it here.
You will rarely want to have a LAN interface configured as DHCP.
PPPoE (for xDSL)
For PPPoE xDSL connections, you will need the username and password provided by your ISP.
Static
If you have a static IP, you will need to set the following parameters:
- IP (typically ends in 1 or 254 for a LAN interface)
- Netmask (e.g. 255.255.255.0)
- Gateway (for external connections only - typically ends in 1 or 254)
For a LAN interface you will almost always want it to be static.
Automatic DNS Servers
For interface types DHCP and PPPoE the Automatic DNS Servers checkbox is set. If you would like to configure your own DNS servers (often required for Multi-WAN) then leave this setting unchecked.
Upstream and Downstream Bandwidths
You can set them manually here, or on the previous screen you can run a speed test on the interface by clicking on the speedtest icon.
Upstream Proxy
If you have an upstream proxy on your external interface you can configure it here.
Configuring Virtual Interfaces
ClearOS supports virtual IPs. To add a virtual IP address, click on the link to configure a Virtual Interface and specify the interface you want the IP address to be associated with, the IP Address and Netmask. ClearOS will determine the interface Role from the interface it is associated with. You will also need to create custom firewall rules if the virtual IP is on the Internet.
Configuring VLANs
VLANs can be internal or external. You need to decide which NIC the VLAN belongs to and allocate its VLAN ID. Other settings are the normal Connection Type, IP Address, Netmask, Gateway, Enable DHCP Server, Automatic DNS Servers.
Configuring a Wireless Interface
The wireless interface has been removed from the IP settings for the moment. Any Wireless configuration needs to be done manually, although the app-wireless (from the command line) and DHCP Server still work.
The Wireless section allows you to set specific Wireless options in addition to the normal ones. The interface can only be used to configure 802.11g networks. Many settings are similar to the Ethernet settings.
yum install app-wireless-core
If you do not see the Wireless interface at all, you will need to troubleshoot the NIC drivers.
Configuration Extras
Isolating LANs and VLANs
By default all LANs and VLANs can communicate with each other. If you want to isolate them, create a file /etc/clearos/firewall.d/05-isolatedlans and in it put:
#!/bin/bash
# Source networking configuration.
. /etc/clearos/network.conf
# Bail if not ipv4
if [ "$FW_PROTO" != 'ipv4' ]; then
    return 0
fi
if [ -n "$LANIF" ]; then
    # Add isolation rules
    for iLAN in $LANIF; do
        for oLAN in $LANIF; do
            if [ "$iLAN" != "$oLAN" ]; then
                $IPTABLES -I FORWARD -i $iLAN -o $oLAN -j DROP
            fi
        done
    done
fi
# Really all the above should be inserted below the existing "RELATED,ESTABLISHED" rule
# but this is a dirty fix. Delete the existing and add a new one.
$IPTABLES -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Then restart the firewall with a:
systemctl restart firewall.service
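One way to confirm the isolation rules took effect after the restart, as an added example that is not part of the original page or of ClearOS: it reads `iptables -S FORWARD` output and reports any ordered LAN pair where an ACCEPT rule is reached before the DROP, or where no DROP exists at all. The interface names and both rule listings are constructed samples.

```shell
# Added example (not ClearOS code): audit `iptables -S FORWARD` output for LAN isolation.
# awk program: walk the FORWARD rules in order for one ordered pair (i -> o).
AUDIT_AWK='
$1 == "-A" && $2 == "FORWARD" {
    in_if = out_if = target = ""; extra = 0
    for (n = 3; n <= NF; n++) {
        if ($n == "-i") in_if = $(n + 1)
        else if ($n == "-o") out_if = $(n + 1)
        else if ($n == "-j") target = $(n + 1)
        else if ($n ~ /^-/) extra = 1      # any other matcher (-m, -p, ...)
    }
    if ((in_if != "" && in_if != i) || (out_if != "" && out_if != o)) next
    # An unconditional DROP reached first means the pair is isolated.
    if (target == "DROP" && !extra) { v = "isolated"; exit }
    # Any earlier ACCEPT, except the RELATED,ESTABLISHED rule, is a leak.
    if (target == "ACCEPT" && $0 !~ /RELATED,ESTABLISHED/) { v = "leak"; exit }
}
END { if (v == "") v = "missing"; print v }'

# check_isolation RULES "LAN interfaces": prints failing pairs, returns 1 if any.
check_isolation() {
    rules=$1; lans=$2; status=0
    for i in $lans; do
        for o in $lans; do
            [ "$i" = "$o" ] && continue
            verdict=$(printf '%s\n' "$rules" | awk -v i="$i" -v o="$o" "$AUDIT_AWK")
            if [ "$verdict" != "isolated" ]; then
                printf '%s -> %s: %s\n' "$i" "$o" "$verdict"
                status=1
            fi
        done
    done
    return "$status"
}

# Constructed samples; on a live system pass "$(iptables -S FORWARD)" and "$LANIF".
SAMPLE_OK='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j DROP
-A FORWARD -i eth1 -o eth2 -j DROP
-A FORWARD -i eth1 -j ACCEPT'
# Same idea, but a broad ACCEPT now sits above the DROP for eth1 -> eth2.
SAMPLE_LEAK='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j DROP
-A FORWARD -i eth1 -o eth2 -j DROP'
check_isolation "$SAMPLE_OK" "eth1 eth2" && echo "sample OK: all pairs isolated"
check_isolation "$SAMPLE_LEAK" "eth1 eth2" || echo "sample LEAK: isolation incomplete"
```

The check only follows rules in the FORWARD chain itself; jumps to custom chains and negated or wildcard interface matches are not evaluated.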
Multiple HotLANs
It is possible to have multiple HotLANs, but you would need to add a firewall script /etc/clearos/firewall.d/04-hotlans and in it put:
#!/bin/bash
# Source networking configuration.
. /etc/clearos/network.conf
# Bail if not ipv4
if [ "$FW_PROTO" != 'ipv4' ]; then
    return 0
fi
if [ -n "$HOTIF" ]; then
    # Clear all HotLAN rules
    for HotLAN in $HOTIF; do
        RULE_IDS=$($IPTABLES -nv --line-numbers -L FORWARD |\
            grep " $HotLAN *0\.0\.0\.0\/0 *0\.0\.0\.0\/0" | awk '{ print $1 }' | sort -rn)
        if [ -n "$RULE_IDS" ]; then
            for rule_id in $RULE_IDS; do
                $IPTABLES -D FORWARD ${rule_id}
            done
        fi
    done
    # Add replacement HotLAN rules
    for HotLAN in $HOTIF; do
        if [ -n "$EXTIF" ]; then
            for WANIF in $EXTIF; do
                $IPTABLES -A FORWARD -i $HotLAN -o $WANIF -j ACCEPT
            done
        fi
    done
fi
Then restart the firewall with a:
systemctl restart firewall.service
PPPoE with VLAN tag
If you want a PPPoE connection and need to specify a VLAN ID (e.g. 101 in the UK for VDSL), this is generally set in the modem so is nothing to do with ClearOS. However, there is a modemless PPPoE setup used by some ISPs in some countries (Canada?) where the network cable from the ISP goes straight into ClearOS and there is a requirement to set a VLAN ID.
In theory, to do this, create a VLAN interface attached to your external interface, set the VLAN ID, Role=External, Connection Type=PPPoE and set your PPPoE username and password.
There is currently a bug in the Network Interfaces where you are not given the option to set the Connection Type to PPPoE. The workaround is to set the connection type to DHCP and save the interface. Then go back and edit the interface you've just created. You will then be able to set the Connection Type to PPPoE and input your username and password.
Troubleshooting
In most installs, the network cards and IP settings will work straight out of the box. However, getting the network up the first time can be an exercise in frustration in some circumstances. Issues include:
- Network card compatibility
- Invalid network settings (username, password, default gateway)
- Finicky cable/DSL modems that cache network card hardware information
Here are some helpful advanced tools and tips to diagnose a network issue from the command line:
- mii-tool displays link status and speed
- ethtool eth0 displays link status, speed, and many other stats - not all cards support this tool
- ifconfig eth0 displays IP settings on eth0