ZeroTier Question
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
By unique, I mean fully unique. corporate/ZT network use mailhost, the public wifi uses mailhost1 or whatever you create. it's unique for use by the public network.
Of course, this presents roaming problems, if a device on the public network later joins the corporate network, it might not work any more.
-
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
-
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
-
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
I now have a dumb question...
Why if I go to the mailhost or wls-exchange address does it work on the Secured wireless but if a student is connected it doesn't? If both VLAN's use the same DNS shouldn't DNS resolve to the local IP before trying to go out to the ZT IP?
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
-
@WLS-ITGuy said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
I now have a dumb question...
Why if I go to the mailhost or wls-exchange address does it work on the Secured wireless but if a student is connected it doesn't? If both VLAN's use the same DNS shouldn't DNS resolve to the local IP before trying to go out to the ZT IP?
Assuming there are two entries in DNS for each of those two hostnames (mailhost and wls-exchange) then the secure is either getting lucky or the devices on the secure network have ZT installed on them. if ZT is installed, then it will work no matter what address the device receives, if lucky.. well, again luck.
-
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
You could, but, if there are any other hostnames that you reference from the Guest network that only exist on your internal DNS, those will no longer function when you make the change.
-
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
Yes. It will get the external IP address at that point and then how it works will depends on how your router handles hairpin connections.
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
You could, but, if there are any other hostnames that you reference from the Guest network that only exist on your internal DNS, those will no longer function when you make the change.
Stop mixing things up. A guest network is a guest network and should have zero connection to a private network unless there is a very specific reason.
-
The hairpin routing could be a big gotcha for you too.
Old Cisco Pix firewalls could not do hairpin routing.
What hairpin routing means is that a device behind the firewall is trying to reach an IP that it thinks is on the internet, but really is just the IP address of the outside interface of the firewall. so the internal traffic hits the firewall, the firewall realizes it's for it's own network and just hairpins it back inside to the correct destination.
-
@JaredBusch said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
You could, but, if there are any other hostnames that you reference from the Guest network that only exist on your internal DNS, those will no longer function when you make the change.
Stop mixing things up. A guest network is a guest network and should have zero connection to a private network unless there is a very specific reason.
You're right it SHOULD! but his does have connections. So as you keep saying, he has to be very careful with his DNS to make sure he doesn't create a whole new can of worms by splitting the guest network out.
-
@Dashrender said in ZeroTier Question:
The hairpin routing could be a big gotcha for you too.
Old Cisco Pix firewalls could not do hairpin routing.
Okay? Any modern router can. and version 7.x and newer for the PIX firewalls could do.
-
Ultimately, the simplest solution might be to completely rework your network as follows:
Production network physical, only thing on this network is servers and printers, including DNS servers, configure non ZT NICs to not register with DNS - this is critical (though could break things like clustering)
PC internal network, This network has PCs a DHCP server on it, DNS is something global, like 8.8.8.8
Guest network, Guest PCs and a DHCP server, DNS is something global, like 8.8.8.8
(really splitting the guest and PC internal is really more for show than anything)
All business devices have ZT installed with the ZT network having DNS configured for Production DNS servers.
The PC's would need to have their ZT IPs manually added to production DNS.
How this works: The ZT PCs will have access to the Production network through ZT network, and will use that because the production network will use the ZT DNS servers. You'll never have to worry about IP issues because the only ones in DNS should be the ZT ones. Non ZT users will use global DNS and that will resolve to something on your firewall and your firewall should forward as needed internally.
-
@Dashrender said in ZeroTier Question:
Ultimately, the simplest solution might be to completely rework your network as follows:
Production network physical, only thing on this network is servers and printers, including DNS servers, configure non ZT NICs to not register with DNS - this is critical (though could break things like clustering)
PC internal network, This network has PCs a DHCP server on it, DNS is something global, like 8.8.8.8
Guest network, Guest PCs and a DHCP server, DNS is something global, like 8.8.8.8
(really splitting the guest and PC internal is really more for show than anything)
All business devices have ZT installed with the ZT network having DNS configured for Production DNS servers.
The PC's would need to have their ZT IPs manually added to production DNS.
How this works: The ZT PCs will have access to the Production network through ZT network, and will use that because the production network will use the ZT DNS servers. You'll never have to worry about IP issues because the only ones in DNS should be the ZT ones. Non ZT users will use global DNS and that will resolve to something on your firewall and your firewall should forward as needed internally.
I think this may cause bigger issues as there are rules on the core switch which is on the ZT/LAN side to allow access to the printer, exchange server, and the DHCP/DNS server.
-
that proposal is a huge massive upset to the way things are working today. That Core switch would have to have a major overall in it's configuration.
But the simply idea that it represents is that you move to a LANLess design - not to different than saying you put everything in a remote datacenter and you have to access all services over the internet basically the same way websites and email are accessed today over the internet.
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
You could, but, if there are any other hostnames that you reference from the Guest network that only exist on your internal DNS, those will no longer function when you make the change.
the changing of your Core Switch without my massive changes post would be in line with this post.
-
Silly question. Could I just uninstall ZT from the exchange server and all my issues go away?
-
Here is some weird shit.
New install of ZT on machine off campus. No static IP on the ZT NIC. Mapped Drives work as well as Exchange. WTF!
-
@WLS-ITGuy said in ZeroTier Question:
Silly question. Could I just uninstall ZT from the exchange server and all my issues go away?
hmm... that's interesting... maybe. let's see it through.
Local devices in that network will see it fine, because DNS will only have one IP for it, devices on the guest network use the same DNS, so they too will be fixed because only one IP, and people at starbucks will be fine because global DNS is working.
-
@WLS-ITGuy said in ZeroTier Question:
Here is some weird shit.
New install of ZT on machine off campus. No static IP on the ZT NIC. Mapped Drives work as well as Exchange. WTF!
Yes. That is how they should work.
