Page MenuHomeSoftware Heritage
Create Task
Maniphest T3460

Restore access to the gui of the passive firewall
Closed, MigratedEdits Locked
Actions

Description

OpenVPN use an internal address 192.168.100.2 to route the traffic.
It conflict with the VLAN440 address of pushkin and avoid to access it through this address.

The quick solution is to move pushkin to 192.168.100.4
(louvre must be moved to 192.168.100.5 before)

Revisions and Commits

rSPSITE puppet-swh-site
D6060rSPSITE76e4f3fba539 Change pushkin ip address
rDDOC Development documentation
D6063rDDOCdde95608d439 infrastructure: document how to access the second firewall through the VPN

Related Objects
Search...

Event Timeline

vsellier triaged this task as Normal priority.Aug 4 2021, 6:36 PM
vsellier created this task.
vsellier changed the task status from Open to Work in Progress.Aug 5 2021, 2:34 PM
vsellier moved this task from Backlog to in-progress on the System administration board.
vsellier added a comment.Aug 5 2021, 2:45 PM
  • network configuration manually changed on louvre:
root@louvre:~# diff -u3 /tmp/interfaces /etc/network/interfaces
--- /tmp/interfaces	2021-08-05 12:44:20.213896058 +0000
+++ /etc/network/interfaces	2021-08-05 12:37:29.480805493 +0000
@@ -5,7 +5,7 @@
 
 auto ens18
 iface ens18 inet static
-	address  192.168.100.4
+	address  192.168.100.5
 	netmask  255.255.255.0
 	gateway 192.168.100.1
  • server rebooted
  • puppet rerun on louvre and pergamon
vsellier added a revision: D6060: Change pushkin ip address.Aug 5 2021, 3:32 PM
vsellier added a commit: rSPSITE76e4f3fba539: Change pushkin ip address.Aug 5 2021, 3:45 PM
vsellier added a comment.Aug 5 2021, 4:17 PM

the pushkin's ip was changed and the new ip was declared on puppet.
It seems the firewall is still not reachable with the new ip.
I'm trying to diagnose the problem

vsellier added a comment.Aug 5 2021, 4:44 PM

well I have misinterpreted the routing issue.
It seems it's only because the openvpn service is also started on pushkin (it's normal to be ready in case of a primary/secondary switch).
The route for the openvpn traffic is also declared on the secondary so a packet from the VPN is falling in a black hole:

packet from openvpn client to 192.168.100.4 -> openvpn (glyptotek) -> pushkin through vnet1 -> openvpn (pushkin) (wrong route, the packet is lost)

I will rollback the ip changes because it's not solving anything and document a way to access to the secondary through the vpn

vsellier mentioned this in rSPSITE10abbbd71e19: Revert "Change pushkin ip address".Aug 5 2021, 5:05 PM
vsellier added a revision: D6063: infrastructure: document how to access the second firewall through the VPN.Aug 5 2021, 5:28 PM
vsellier added a comment.Aug 5 2021, 5:29 PM
  • louvre configuration reverted
  • pushking configuration reverted
  • access documented: D6063
vsellier added a commit: rDDOCdde95608d439: infrastructure: document how to access the second firewall through the VPN.Aug 5 2021, 5:48 PM
vsellier closed this task as Resolved.Aug 5 2021, 5:49 PM
vsellier moved this task from in-progress to done on the System administration board.
gitlab-migration changed the task status from Resolved to Migrated.Oct 19 2022, 6:03 PM
gitlab-migration claimed this task.
gitlab-migration added a subscriber: gitlab-migration.

This task has been migrated to GitLab.

About · Developer information · Legal