Virtualmin server behind NAT

#1 Mon, 02/25/2008 - 17:29
markedwards

I'm using Virtualmin on a machine behind NAT, with a single ethernet interface that uses 192.168.1.201.

If I set my "Default virtual server IP address" to the external IP (66.122.112.170), DNS comes out fine but Apache doesn't listen on the right address, so I have to change the Apache virtual servers by hand.

If I set the "Default virtual server IP address" to the real address of the machine, Apache is happy, but DNS gets all screwed up. I have tried using the "Default IP address for DNS records" but that isn't consistent. It doesn't properly apply to SPF records, for example, or to customized records.

It seems there are two problems:

1) "Default IP address for DNS records" should always apply if it is set.

2) There should be a way to override the default IP for Apache virtual servers.

Tue, 02/26/2008 - 06:57
WillSargent

Hi Markedwards,

As an unofficial reply to your issue:

I completely agree about the DNS setup, it is quite a pain to do when virtualmin is running on a private network. I myself use ISA 2006 firewall to publish my virtualmin server.

My personal solution to the DNS situation was to create a completely custom BIND template that is created each time a new server is created. That makes ALL the DNS records correctly reflect my external IP's, just like they should. If you would like examples of this, I can publish it later.

On the apache issue, you cannot have your apache server listen on an IP address that is not bound to your box. In other words, unless your linux ethernet adapter is bound to your "real" ip address (not 192.168.1.201) you cannot listen on the "real" ip address. Apache will only listen to 192.168.... because that is the only ip address that your machine actually has.

Furthermore, apache listening on this address is what you want in your configuration.

The missing link here is that your NAT device (router, whatever) needs to be routing (via the DMZ function or port forwarding or virtual server) all http and https requests (port 80 and 443) on the "real" ip address to the internal ip of 192.168.1.201. Apache will work properly in this configuration, because apache will actually look at the domain name that is being requested and serve up the correct site.

So internet machines request an address from your vmin DNS server.
They receive the external ip address 66.122.112.170.
They send a web request to 66.122.112.170.
Your router forwards the request to the internal ip of 192.168.1.201 that apache is listening to.
Apache serves up the web page.
Internet clients are none the wiser. As far as they are concerned, your web page came from the external ip.

Now, a challenge to this is that from your local network, another computer that tries to browse your virtualmin server may or may not actually connect to the server successfully. It really depends on your router, because this is where the specific method of NAT comes into play (over which you have no control.)

What's really needed for virtualmin is a split DNS system. However that is not currently a component, and really gets complicated fast since you would actually have to host two separate BIND DNS servers on different ip's (could be the same box in theory, but I don't know if BIND supports such a thing.) One DNS server serves external requests with the "real" ip, and the other serves internal requests with the 192.168.1.201 ip.

Either way, apache would still be listening to 192.168.1.201.

I hope that this helps answer your question. Good luck!
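The request flow described in the post above, modelled as an added example that is not part of the original thread: the router rewrites the destination address, then Apache chooses a virtual host by local address and Host header. The matching logic is a simplification of Apache's rules, and the vhost names and document roots are placeholders.

```python
# Constructed model of the flow in this thread: destination NAT at the router,
# then Apache virtual host selection on the address the packet arrives on.
PUBLIC_IP = "66.122.112.170"    # outside address from the first post
INTERNAL_IP = "192.168.1.201"   # LAN address from the first post
PORT_FORWARDS = {(PUBLIC_IP, 80): INTERNAL_IP, (PUBLIC_IP, 443): INTERNAL_IP}


def nat_forward(dst_ip, dst_port):
    """Destination NAT at the router; ports that are not forwarded return None."""
    return PORT_FORWARDS.get((dst_ip, dst_port))


def select_vhost(vhosts, local_ip, port, host):
    """Simplified Apache matching: an exact address beats '*', then the Host
    header is compared, else the first vhost in the matching set is the default."""
    on_port = [v for v in vhosts if v["port"] == port]
    exact = [v for v in on_port if v["addr"] == local_ip]
    candidates = exact or [v for v in on_port if v["addr"] == "*"]
    for v in candidates:
        if host.lower() in v["names"]:
            return v
    return candidates[0] if candidates else None


def serve(vhosts, host, dst_ip=PUBLIC_IP, port=80):
    """Follow one request from the internet to a document root (or None)."""
    local_ip = nat_forward(dst_ip, port)
    if local_ip is None:
        return None
    vhost = select_vhost(vhosts, local_ip, port, host)
    return vhost["docroot"] if vhost else None


# Hypothetical vhost tables (names and paths are placeholders).
BOUND_TO_INTERNAL = [
    {"addr": "*", "port": 80, "names": [], "docroot": "/var/www"},
    {"addr": INTERNAL_IP, "port": 80, "names": ["example.com"],
     "docroot": "/home/example/public_html"},
]
# Same site, but the vhost is bound to the public address the box does not own.
BOUND_TO_PUBLIC = [BOUND_TO_INTERNAL[0], dict(BOUND_TO_INTERNAL[1], addr=PUBLIC_IP)]

if __name__ == "__main__":
    print(serve(BOUND_TO_INTERNAL, "example.com"))  # site's own document root
    print(serve(BOUND_TO_PUBLIC, "example.com"))    # falls through to the default
```

When the vhost is bound to the public address, no packet ever arrives with that destination, so every request lands on the wildcard default.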

Sun, 03/23/2014 - 09:38 (Reply to #2)
aussiegwapo

Hi WillSargent, I'm having the same problem with NAT via Virtualmin. I know the template was deleted from the forum. I have 3 domains, one for my private VPS, and would love to get this up and running, as I'm using my IP address at the moment instead of the domain name; it would make it heaps safer for me.

I have custom DHCP IPs for my home network with a Netgear high-end new modem router.

I was using Webmin but it's still the same thing as Virtualmin, and I'm newish to the program, as I can't afford cPanel licence fees at the moment.

Thanks heaps if you could help

From Aussiegwapo

Sun, 06/07/2009 - 07:19
markedwards

Thanks, Will.

The suggestion to do a completely custom DNS template is a good one as a workaround. Certainly better than manually adjusting Apache settings for every virtual server.

Ideally, though, I'd like Virtualmin to be doing this work. The whole idea in using Virtualmin is that it's an integrated system and the parts fit together. I'm trying to mess with that as little as possible. Also, I want users after me to have an easy time understanding the setup. I'm not the only one using this machine.

My NAT router is doing things properly, as you describe. I was actually trying to use the documentation's suggestion of setting the outside address in the "Default virtual server IP address" to the outside address. It seems the appropriate setting in this context is really "Default IP address for DNS records" set to the outside address.

Joe/Jamie, I think if this setting were to be respected by all DNS settings, this would work. Right now, I know that it doesn't apply to SPF records, at least.

Also, is there a full listing of possible variables that can be used in DNS templates? The Help suggests a few like ${IP} and ${DOM}, but being able to represent the Default IP setting from Virtualmin's module config would be very useful here.

Sun, 06/07/2009 - 07:19
WillSargent

Note: ${IP} should represent the IP that is assigned to the new domain. This would be the default (?)...

Sun, 06/07/2009 - 07:19
markedwards

There is a setting in Module Config called "Default IP address for DNS records". ${IP} appears to correspond strictly to the setting called "Default virtual server IP address".

My point is that the "Default IP address for DNS records" setting is quite a bit less useful if it doesn't consistently do what it says. It should affect all generated DNS records, and if there isn't a template variable that corresponds to it, then ${IP} should correspond to it when it's active.

You follow me?

Sun, 06/07/2009 - 07:19
markedwards

I created a bug for this:

http://www.virtualmin.com/index.php?option=com_flyspray&Itemid=82&am...

I think the real issue here is that the "Default IP address for DNS records" setting ought to affect SPF records and the ${IP} variable in the DNS template.

Tue, 03/04/2008 - 19:40
WillSargent

Makes perfect sense to me. I think I had noticed this behaviour some time ago, and kinda pushed it aside, since I was making a custom template anyway.

I think it would be great for it to work the way it says it ought to. Thanks for bugging it.

Sun, 06/07/2009 - 07:19
markedwards

The outcome of the bug discussion with Jamie is as follows:

- ${DNS_IP} is the variable to use in templates which corresponds to the Default IP for DNS records setting. Use this instead of ${IP} when that setting is desired.

- Jamie agrees the SPF generator should use the Default IP for DNS records if that setting is active. This will be fixed.

Problem solved. Thanks everyone.
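A check for the inconsistency discussed in this thread, as an added example that is not part of the original posts: it scans zone file text for A records and SPF `ip4:` mechanisms that publish a non-routable address. The zone content and the `example.com` names are constructed; the two addresses are the ones from the first post.

```python
import ipaddress
import re

# Constructed zone text. Most records carry the public address, but one
# customized A record and the SPF record still carry the LAN address.
SAMPLE_ZONE = """\
$ttl 38400
example.com.      IN SOA ns1.example.com. root.example.com. ( 1 10800 3600 604800 38400 )
example.com.      IN NS  ns1.example.com.
example.com.      IN A   66.122.112.170
www.example.com.  IN A   66.122.112.170
mail.example.com. IN A   192.168.1.201
example.com.      IN TXT "v=spf1 a mx a:example.com ip4:192.168.1.201 ?all"
"""

# owner [ttl] [IN] A address  (AAAA and other types do not match)
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$", re.I)
SPF_IP_RE = re.compile(r"\bip4:([0-9.]+)(?:/\d+)?", re.I)


def is_internal(addr):
    """True for addresses that are not routable on the public internet."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_internal_leaks(zone_text):
    """Return (line_no, record_kind, address) for each internal address published."""
    leaks = []
    for no, raw in enumerate(zone_text.splitlines(), 1):
        if "v=spf1" in raw.lower():
            found = [("SPF ip4", a) for a in SPF_IP_RE.findall(raw)]
        else:
            m = A_RE.match(raw.split(";", 1)[0].strip())  # drop trailing comment
            found = [("A", m.group(2))] if m else []
        for kind, addr in found:
            try:
                if is_internal(addr):
                    leaks.append((no, kind, addr))
            except ValueError:
                continue  # not a valid IPv4 literal; nothing to report
    return leaks


if __name__ == "__main__":
    for no, kind, addr in find_internal_leaks(SAMPLE_ZONE):
        print(f"line {no}: {kind} publishes internal address {addr}")
```

Run it against each zone file after creating a virtual server; an empty result means no A or SPF `ip4:` entry exposes a LAN address.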

Wed, 06/17/2009 - 04:20
dmaster97

Hi, guys.

Sorry, I'm still in the mud here.

I have the same situation. All the forwarding is working, but the DNS is screwed. Currently I solved the situation by using a parked domain somewhere out there. The parked domain was set up to point to the server's public IP, while Virtualmin manages DNS for the intranet address. But it really is painful to manage as the domain grows.

So, when it was solved, is there any easier way to do it? Virtualmin patches???

Any tutorial to do the custom DNS template?

I'm still a noobie

thanks

Wed, 06/17/2009 - 04:39 (Reply to #11)
Joe

Have you looked at Virtualmin's built-in DynDNS support? It's designed for this purpose.

--

Check out the forum guidelines!

Wed, 06/17/2009 - 05:05 (Reply to #12)
dmaster97

Can you be a bit more thorough? This is my first time setting up hosting with Virtualmin. Although I was familiar with Webmin, I'm still scratching my head to learn Virtualmin.

I was doing everything by hand before on my other servers. I hate to break everything just because I manually edit some configuration.

Wed, 06/17/2009 - 09:57
andreychek

The feature Joe is referring to is the "Dynamic DNS Update" option in Addresses and Networking -> Dynamic IP Update.

Using something like DynDNS's services, you can use that feature to keep your current IP up to date with DynDNS, as well as modify any Virtual Servers using that IP -- it'll update Apache and BIND, for example.

There's a "Help" button on that page, one of the things it mentions is:

"When a change is detected, all virtual servers with shared IP addresses using the old address will be updated to the new one. This change will be made in both the Apache configuration and DNS records. "

However, it will only modify domains that Virtualmin knows about (ie, they're added as Virtual Servers within Virtualmin).

So if you have domains that existed before Virtualmin was installed, you'd need to import them into Virtualmin first in order for them to be updated.

I haven't used that feature before, so I'm not familiar with all the ins and outs of this, but hopefully that'll give you a head start into all this :-) -Eric

Thu, 06/18/2009 - 00:27
dmaster97

aahh....

I got it. got a little light. :) BIND views....

I was preferring the solution for the DNS template mentioned by markedwards. Any example of the DNS template? I have a static IP, so DynDNS is not my choice. I am exploring the view capability of BIND.

Can it, in any way, be integrated more easily in Virtualmin? If I fill in the "external ip address" in the virtual server setting, querying the DNS will result in the external address, when it is supposed to return the internal IP address. Now I know it was BIND view related. I was able to provide a view by manually editing the BIND configuration.

Am I missing some steps in Virtualmin before filling in "external ip address"?

I also notice that the PowerDNS plugin appeared recently. Is it safe to switch it on?

Fri, 02/26/2010 - 15:57 (Reply to #15)
jflesher

I too have a public static IP address and run behind a router doing port forwarding on a private IP address; after reading this, I don't see a solution.

I tried changing all the Default shared address to the private IP address and then I tried to change the External IP address to the Public IP address; this still doesn't work.

It seems that if you changed to this would work; is there a down side to this?

What is the solution?

Thanks

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Thu, 06/27/2013 - 13:42
oranjbox

I've come into a situation where I'm running a server behind a NAT. The IPs are 1-to-1 NATted from the internals to the externals. I've configured BIND slaves and they are passing the correct values to and from the slaves as well. The issue I'm having, and forgive me if it is covered elsewhere, is that when I visit dom.tld, which is already resolving to my hosting machine, I am receiving the content for the /var/www folder because of the default ruleset. The idea is to just use name-based resolution, as we don't at the moment have plans to put a lot of domains here and multiple IPs for this deployment weren't necessary. It would appear that somewhere in my config the name resolution is not properly making it to Apache or Apache is ignoring it.

Thoughts?

Here's a capture from the apache virtual hosts page.

Default Server | Any | Any | Automatic | Automatic | Open..
Virtual Server | Any | 80 | Automatic | /var/www | Open..
Virtual Server | x.x.x.x | 80 | dom.tld | /home/dom.tld/public_html | Open..