Hairpin routing
-
@Dashrender said:
Your company deploys Pertino or ZeroTier. Owncloud does not support either.
Before getting bogged down and missing this... what do you mean that ownCloud does not support Pertino and ZeroTier?
-
@scottalanmiller said:
@Dashrender said:
Your company deploys Pertino or ZeroTier. Owncloud does not support either.
Before getting bogged down and missing this... what do you mean that ownCloud does not support Pertino and ZeroTier?
How did I know you were going to ask that - It's not my situation, so I can't answer you. That said, just go with the flow and assume they don't. oh and you can't install a gateway appliance either (don't ask me why).
-
Okay, so just so we are all clear, it does support Pertino and ZeroTier
-
What if you use a DNS entry that exists in one form externally and a different one internally? That way it goes to different IP addresses depending on where you are?
-
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
-
@scottalanmiller said:
What if you use a DNS entry that exists in one form externally and a different one internally? That way it goes to different IP addresses depending on where you are?
Won't work when you're using AD Connect because all DNS quiries go through AD's DNS.
And since you're running a split brain DNS (internal is the same as external - example.com) you'll never get a reply from an external DNS server.
-
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
-
Set internal DNS to IP (A-record) to be different than outside world?
meaning, Internal or LAN will point to DNS address that is specific to internal?
Typically I do similar.
Internal DNS i would create an A-Record that points to internal LAN IP server address. External DNS A-record will point to my ISP provided IP address (12.12.12.12)
So hosts internally will auto-map to internal owncloud server, and not have to re-route over interwebz? maybe my logic is flawed
-
@Dashrender said:
And since you're running a split brain DNS (internal is the same as external - example.com) you'll never get a reply from an external DNS server.
This sounds like layer after layer of bad decision making. There is a reason why split horizon (I know one bad MS document says split brain but that really should be avoided) DNS is not a good practice.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
Should "just work." Of course, passing storage in and out of the firewall is a bit nutty, but shoudl work.
-
@scottalanmiller said:
@Dashrender said:
And since you're running a split brain DNS (internal is the same as external - example.com) you'll never get a reply from an external DNS server.
This sounds like layer after layer of bad decision making. There is a reason why split horizon (I know one bad MS document says split brain but that really should be avoided) DNS is not a good practice.
It may not be, but MS does it themselves.
What is the name of the internal NTG domain?
-
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
Should "just work." Of course, passing storage in and out of the firewall is a bit nutty, but shoudl work.
yeah, if Owncloud is used by internal personal more than external, this is probably a pretty bad setup, stresses the firewall for no good reason.
-
@Dashrender said:
It may not be, but MS does it themselves.
I'm going out on a limb here only because they can't possibly have warned against it more but I've never signed into their network but...
No, they absolutely don't do this.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
Should "just work." Of course, passing storage in and out of the firewall is a bit nutty, but shoudl work.
yeah, if Owncloud is used by internal personal more than external, this is probably a pretty bad setup, stresses the firewall for no good reason.
Even if it is just used "some" it's still not a great setup.
-
In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet so I heard caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.
-
This is an issue I am working on and I don't have time to be here right now, but I will give the full setup anyway.
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.Setup:
12.12.12.10 = NAT and all working.
12.12.12.12 = 1-1 NAT to proxy server and all working.
Internal DNS is proxy.domain.com = A record 10.202.1.16
Internal ownCloud DNS is oc.domain.com = CNAME proxy.domain.com (also used A record 10.202.1.17 either works fine)
External DNS is oc.domain.com = CNAME proxy.domain.com
External DNS for proxy.domain.com = A record 12.12.12.12Issue:
Laptop has Pertino + ADConnect
So due to ADConnect the laptop ALWAYS gets oc.domain.com as 10.202.1.16 (or .17 when I had the A record internally)
Because the proxy and ownCloud do not have Pertino, the laptop cannot talk to ownCloud.Solution: Hairpin NAT and set internal DNS to External IP
Issue: How to set it up manually on the 1-to-1 NAT.It works as expected on the default masquerade.
https://i.imgur.com/7IW606s.jpg. -
I use name.local here myself... works fine
I just create A-records
to do internal DNS-A record within Windows Server DNS, there is a guide out there
Essentially need to create an internal DNS A-Record to point to the internal IP address of the own cloud server.
Then on the domain Registrar website; create an external DNS A-record and point it to your External WAN address 12.12.12.12 as given in example.
Be sure to have appropriate firewall rule and port forwarding configured to accept traffic on interface for 12.12.12.12 and redirect the requests on destination ports to the internal owncloud IP address
-
@Dashrender said:
In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet so I heard caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.
.local had no problems and routes fine. It can't be looked up by public DNS servers, which is a good thing not a bad one. Yes, MS made the split horizon mistake in 2000, that was a decade and a half ago and has long since not done that. It's a horrible practice with endless problems.
Any problems with .local I'm confident were myths. Like that it could not route. It works flawlessly until you have Macs which use .local specifically to break AD as part of an MS / Apple feud from long ago.
The recommendation since .local is to have a unique domain that you own but is not .local.
Split horizon has not been considered remotely acceptable since 2003 era or earlier. There's really no upside. And as there is everything warning against it and nothing recommending it, it's quite shocking that it happens. It's the most basic thing that they have always warned about in AD training.
-
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"