Public IP - Nat - Internal IP


brujo67
02-09-05, 22:42
Can Hsphere be used with an internal IP, ex. 192.168.10.10 as long as it is Nat'd to an external?

amd_duron
02-09-05, 22:48
There is NAT support in Hsphere; here are the docs on it:
http://psoft.net/HSdocumentation/sysadmin/nat.html

lionspark
02-25-05, 12:55
As an Hsphere user who is using NAT, I thought I would just give my insight into how we finally got it working properly. I have seen a lot of posts with different firewalls and issues using NAT.

The document for NAT http://psoft.net/HSdocumentation/sysadmin/nat.html states

...you need to configure your NAT firewall so that your physical servers (web.example.com, mysql.example.com) can address themselves and each other both by external and internal IPs.

We first followed the above document to set up NAT. This is where we got caught as SiteStudio and some other services did not work. This also seems to be the issue with some of the other posts.

To fix this issue, we used the hosts file "/etc/hosts". The DNS serves the External ip's and the hosts file serves the Internal ip's. (Make sure you also edit your nsswitch.conf file. You want your local system to use the hosts file first then the DNS lookup.)

Edit your hosts file and put in each of your systems with their respective internal ip addresses.

/etc/hosts (example)

192.168.100.1 dns1.example.com dns1
192.168.100.2 dns2.example.com dns2
192.168.100.10 cp.example.com cp
192.168.100.50 mail.example.com mail
192.168.100.100 web.example.com web mysql.example.com mysql

Then in your nsswitch.conf file, find the "hosts:" line and make sure the order is files then DNS.


hosts: files dns

Don't forget to add the hosts and nsswitch.conf files to your backups. Also, if you add a "Reseller" to your configuration, don't forget to add their server names to your hosts file(s).

We have not set up any "Windows" hosting boxes as yet. If you have Windows servers, you will need to edit your "%WINDIR%\system32\drivers\etc\hosts" file as above.

The problem we have with this solution is we need to edit our hosts files on all of our servers every time we add/remove/change_ip's for servers or resellers. Maybe Hsphere could edit the hosts file(s) automatically :) . Even if you are not using NAT, using hosts files would still work.

I hope this helps anyone else who is having trouble with NAT and Hsphere.
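
A check for the setup described in the post above, as an added example that is not part of the original thread or of H-Sphere: it reads hosts and nsswitch.conf text and reports servers that are missing from the hosts file, mapped to a non-RFC 1918 address, or looked up in DNS before files. The function names and the sample data are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def parse_hosts(text):
    """Map each name and alias in hosts-file text to its address (first entry kept)."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names

def hosts_lookup_order(nsswitch_text):
    """Sources on the 'hosts:' line, skipping [STATUS=action] items."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [t for t in line[len("hosts:"):].split() if not t.startswith("[")]
    return []

def audit(hosts_text, nsswitch_text, servers):
    """Return a list of problems; empty means files-first lookup and internal IPs."""
    problems = []
    order = hosts_lookup_order(nsswitch_text)
    if "files" not in order:
        problems.append("nsswitch: 'files' missing from hosts line")
    elif "dns" in order and order.index("dns") < order.index("files"):
        problems.append("nsswitch: dns is consulted before files")
    table = parse_hosts(hosts_text)
    for name in servers:
        addr = table.get(name.lower())
        if addr is None:
            problems.append(f"{name}: not in hosts file")
        elif not is_internal(addr):
            problems.append(f"{name}: {addr} is not an internal address")
    return problems

# Constructed sample input: entries from the post, with mail left out and dns listed first.
HOSTS = ("192.168.100.10 cp.example.com cp\n"
         "192.168.100.100 web.example.com web mysql.example.com mysql # shared\n")
NSSWITCH = "passwd: files\nhosts: dns files\n"
SERVERS = ["cp.example.com", "mail.example.com", "mysql.example.com"]
if __name__ == "__main__":
    print("\n".join(audit(HOSTS, NSSWITCH, SERVERS)) or "ok")
```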

profitability
02-25-05, 16:20
brujo67,

A little free advice: unless you have no other choice, don't go with the NAT setup. Unless you're doing load-balanced servers, it offers absolutely no advantages yet comes with all the inherent problems of NAT. YMMV, but I think in the long run you'll be much happier if you use external IP's from the start.

Andrew

rodrigo
02-26-05, 12:38
> The document for NAT http://psoft.net/HSdocumentation/sysadmin/nat.html states
>
> We first followed the above document to set up NAT. This is where we got caught as SiteStudio and some other services did not work. This also seems to be the issue with some of the other posts.
>
> To fix this issue, we used the hosts file "/etc/hosts". The DNS serves the External ip's and the hosts file serves the Internal ip's. (Make sure you also edit your nsswitch.conf file. You want your local system to use the hosts file first then the DNS lookup.)
>
> Edit your hosts file and put in each of your systems with their respective internal ip addresses.
>
> /etc/hosts (example)
>
> Then in your nsswitch.conf file, find the "hosts:" line and make sure the order is files then DNS.
>
> Don't forget to add the hosts and nsswitch.conf files to your backups. Also, if you add a "Reseller" to your configuration, don't forget to add their server names to your hosts file(s).
>
> We have not set up any "Windows" hosting boxes as yet. If you have Windows servers, you will need to edit your "%WINDIR%\system32\drivers\etc\hosts" file as above.
>
> The problem we have with this solution is we need to edit our hosts files on all of our servers every time we add/remove/change_ip's for servers or resellers. Maybe Hsphere could edit the hosts file(s) automatically :) . Even if you are not using NAT, using hosts files would still work.
>
> I hope this helps anyone else who is having trouble with NAT and Hsphere.


Did you keep the ips-map.xml file in the ~cpanel/shiva/psoft_config/ directory active as Psoft recommends?

Do all your DNS records show Public IP's instead of the default local IP's for all Custom DNS records?
I mean you change it all to public IP's?

I have a problem that a recently added mail server shows both IP's to the Internet, when it should only show the Public IP.
I really want to get rid of this problem:
You can see it here:
http://www.dnsstuff.com/tools/lookup.ch?name=mail2.crservers.com&type=A

This problem does not happen with any of our other servers which have private IP's showing in the Custom DNS records as recommended by Psoft, and the public IP's are shown perfectly to the world.

Thanks for your help

Rodrigo

lionspark
02-26-05, 16:52
> Did you keep the ips-map.xml file in the ~cpanel/shiva/psoft_config/ directory active as Psoft recommends?

Yes. Follow the proper config as per the document Psoft has created for NAT. Your ips-map.xml file should have your IP mapping....

ie: <ip ext="xxx.xxx.xxx.11" int="192.168.200.11"/>

> Do all your DNS records show Public IP's instead of the default local IP's for all Custom DNS records?
> I mean you change it all to public IP's?

Yes again. Hsphere will create the proper DNS records for you. It will show your public IP's and not your internal ip's. I am not sure why your setup is showing internal IP's to the world. Make sure you followed the doc on how to set this up. Also, confirm your settings in the ips-map.xml file.

Did you enter the Internal IP in a custom DNS record yourself? If you enter any custom DNS records, enter the proper external IP.

> I have a problem that a recently added mail server shows both IP's to the Internet, when it should only show the Public IP.
> I really want to get rid of this problem:
> You can see it here:
> http://www.dnsstuff.com/tools/lookup.ch?name=mail2.crservers.com&type=A

I am guessing you added a new "Physical" then "Logical" server. If so, when you added the Physical server in Hsphere, did you... 1) assign the Physical server the "Internal" IP? and 2) did you do the proper mapping of the IP in your ips-map.xml file?

> This problem does not happen with any of our other servers which have private IP's showing in the Custom DNS records as recommended by Psoft, and the public IP's are shown perfectly to the world.
>
> Thanks for your help
>
> Rodrigo

lionspark
02-26-05, 17:04
> brujo67,
>
> A little free advice: unless you have no other choice, don't go with the NAT setup. Unless you're doing load-balanced servers, it offers absolutely no advantages yet comes with all the inherent problems of NAT. YMMV, but I think in the long run you'll be much happier if you use external IP's from the start.
>
> Andrew

I have to agree and disagree here.

Yes, there are problems with NAT and using it. Most people will be much happier with external IP's.

The reason we are using NAT comes down to security and management of all of our servers. We currently have 5 servers in our Hsphere "Pool" and we are going to be adding more soon. We also have dedicated servers for clients and Rack space we sell to other clients. Our mandate is to have security for all of our servers and have everything behind firewalls.

If we ran a firewall service on all of our servers, then this would give us another level to manage. We have made the decision to run a few firewalls and manage them separately from the "Working servers".

So, if you only have a few servers, run up a firewall on each of them and do not use NAT. If you want to separate your services (firewall, working servers, etc) then depending on the firewall you use, you may have to use NAT.

dynamicnet
02-26-05, 19:17
Greetings:

A firewall is but one form of protection.

NAT can be helpful; but it isn't the greatest security point.

Thank you.

rodrigo
02-26-05, 19:25
> Did you enter the Internal IP in a custom DNS record yourself? If you enter any custom DNS records, enter the proper external IP.
>
> I am guessing you added a new "Physical" then "Logical" server. If so, when you added the Physical server in Hsphere, did you... 1) assign the Physical server the "Internal" IP? and 2) did you do the proper mapping of the IP in your ips-map.xml file?

lionspark:

Our system was installed by the Psoft staff for a 2 server configuration.
After they did the job, the Custom DNS Records in the DNS Manager showed the internal IP's and the public IP's were showing to the world just fine.
The system worked fine that way.

Then, we added a new mail server (physical and logical). We did this following Psoft's documentation to the letter.

After the new server install, which went with no problems, the local IP was showing in the DNS Manager, just like the other servers set up by Psoft.
But if you do an A Record scan from the Internet for this server, both Local and Public IP's are showing!

I changed the IP on the new "offending" server from the local to the public IP. This I did disregarding Psoft's instructions which state:

"In E.Manager->DNS Manager, add DNS records with internal IPs.
Note: Internal IPs will be transformed to the corresponding external IPs in DNS zones configuration."

This change was suggested in the forums, but it had no effect. Both the local IP and the public IP keep on showing to the world.

I have re-checked all configuration as detailed by Psoft in:
http://www.psoft.net/HSdocumentation/sysadmin/nat.html
and ips-map.xml is well formed with both local and public IP's for all servers.

I have restarted named, restarted the DNS servers, ran DNS_Creator, and still that "Dual" A record keeps on showing both local and public IP's to the world!
Look here:
http://www.dnsstuff.com/tools/lookup.ch?name=mail2.crservers.com&type=A

I wonder where that is stored? So I can eliminate it!

I feel like doing all the stuff you mention above, hosts files, etc.

The only thing that makes me wonder is that changing all Custom A records from local IP's to public IP's goes against what Psoft recommends.
Besides, all servers are working ok, except the last one I added.

Any thoughts on this will be greatly appreciated.

Thanks,

Rodrigo

lionspark
02-27-05, 16:05
> lionspark:
>
> Our system was installed by the Psoft staff for a 2 server configuration.
> After they did the job, the Custom DNS Records in the DNS Manager showed the internal IP's and the public IP's were showing to the world just fine.
> The system worked fine that way.

We also had our servers installed by Hsphere (5 systems, 1 - cp, 1 - web/sql, 1 - email and 2 - DNS). I guess we started at a different version as we needed to take care of the NAT after the install was done.

> I have re-checked all configuration as detailed by Psoft in:
> http://www.psoft.net/HSdocumentation/sysadmin/nat.html
> and ips-map.xml is well formed with both local and public IP's for all servers.
>
> I have restarted named, restarted the DNS servers, ran DNS_Creator, and still that "Dual" A record keeps on showing both local and public IP's to the world!
> Look here:
> http://www.dnsstuff.com/tools/lookup.ch?name=mail2.crservers.com&type=A

Are you running RedHat systems? If so, did you follow the instructions for "Iptables" in the instructions for your new server???

> I wonder where that is stored? So I can eliminate it!
>
> I feel like doing all the stuff you mention above, hosts files, etc.
>
> The only thing that makes me wonder is that changing all Custom A records from local IP's to public IP's goes against what Psoft recommends.
> Besides, all servers are working ok, except the last one I added.

Yes, DON'T manually change your "A" records in the DNS Zones. Hsphere will just change them back when you next make changes.

Let me know about the Iptables.

rodrigo
02-28-05, 14:51
> We also had our servers installed by Hsphere (5 systems, 1 - cp, 1 - web/sql, 1 - email and 2 - DNS). I guess we started at a different version as we needed to take care of the NAT after the install was done.
>
> Are you running RedHat systems? If so, did you follow the instructions for "Iptables" in the instructions for your new server???
>
> Yes, DON'T manually change your "A" records in the DNS Zones. Hsphere will just change them back when you next make changes.
>
> Let me know about the Iptables.

Well, the problem of "dual" A records is gone.
The Psoft staff fixed it. Here's the explanation they gave:

"For some reasons (I don't know why) zone file for this dns zone contains 2 records for mail2 (internal and external IP). I have run DNSCreator for this dns zone and restarted named. As you can see, now it is OK."

Everything is working OK now. The Custom DNS records in the DNS manager still point to the local IP's like Psoft recommends. So I did not change this to the public IP's as suggested here.

I did modify the "etc/hosts" files on all servers to include all servers with internal IP's.

Thanks to all for the help.

Rodrigo
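
The duplicate record Psoft found, as an added example that is not part of the thread or of H-Sphere: a simplified zone-file scan that reports names publishing an RFC 1918 address and whether an external A record sits beside it. The zone text, the 203.0.113.x addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TTL = re.compile(r"\d+|(\d+[smhdw])+", re.I)

def a_records(zone_text):
    """Yield (owner, ip) for A records in simplified master-file text.

    Handles ';' comments, optional TTL/class and a blank owner field (the
    previous owner repeats). $-directives and parenthesised lines are skipped.
    """
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        fields = line.split()
        if not fields or fields[0].startswith("$") or "(" in line or ")" in line:
            continue
        if not raw[0].isspace():
            owner = fields.pop(0).lower()
        while fields and (TTL.fullmatch(fields[0]) or fields[0].upper() == "IN"):
            fields.pop(0)
        if owner and len(fields) == 2 and fields[0].upper() == "A":
            yield owner, ipaddress.ip_address(fields[1])

def classify(zone_text):
    """Map owner -> {'internal': [...], 'external': [...]} address lists."""
    out = {}
    for owner, ip in a_records(zone_text):
        kind = "internal" if any(ip in net for net in RFC1918) else "external"
        out.setdefault(owner, {"internal": [], "external": []})[kind].append(str(ip))
    return out

def leaked(zone_text):
    """Owners publishing an RFC 1918 address; True marks a dual (internal + external) name."""
    return {o: bool(v["external"]) for o, v in classify(zone_text).items() if v["internal"]}

# Constructed zone: mail2 carries both addresses, as in the thread's "dual" A record.
ZONE = """\
$TTL 86400
mail    IN A 203.0.113.50
mail2   IN A 192.168.200.11   ; internal address left behind
        IN A 203.0.113.11
web 3600 IN A 203.0.113.100
"""

if __name__ == "__main__":
    for owner, dual in leaked(ZONE).items():
        print(owner, "internal + external A records" if dual else "internal A record only")
```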