ZeroTier Question
-
@Dashrender said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.
This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
Mailhost resolves to the ZT IP address
WLS-Exchange resolves to the internal IP of the server.
There is your problem.
Exactly - if you want to continue with your current network topology, you'll want to create records specifically for use in the Public WiFi space that are different than those used for your internal network space.
The reason for this is that your internal devices all are on both ZT and your internal network, so they won't care if they receive an internal or ZT IP, but your Public network doesn't know about ZT, therefore it will fail every time your DNS server gives out a ZT IP address.
FYI - you can register the same host name to more than one IP, so your hostname mailhost can resolve to an internal IP and ZT at the same time, and this is what causes most of these problems.
But by creating a unique A record for use on the Public network, you don't have to worry about the Public network getting ZT addresses.
OK. Mailhost.wls.wels.net already had an A record of 172.16.0.14 (Exchange Server IP) but to get those on the ZT network to see the server I had to create another one with the ZT IP. I did not create a 2nd A record for wls-exchange.wls.wels.net. I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
-
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
-
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
-
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
-
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
By unique, I mean fully unique. The corporate/ZT network uses mailhost, the public wifi uses mailhost1 or whatever you create. It's unique for use by the public network.
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
By unique, I mean fully unique. The corporate/ZT network uses mailhost, the public wifi uses mailhost1 or whatever you create. It's unique for use by the public network.
Of course, this presents roaming problems: if a device on the public network later joins the corporate network, it might not work any more.
-
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
-
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
-
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
I now have a dumb question...
Why if I go to the mailhost or wls-exchange address does it work on the Secured wireless but if a student is connected it doesn't? If both VLANs use the same DNS shouldn't DNS resolve to the local IP before trying to go out to the ZT IP?
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
-
@WLS-ITGuy said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
I now have a dumb question...
Why if I go to the mailhost or wls-exchange address does it work on the Secured wireless but if a student is connected it doesn't? If both VLANs use the same DNS shouldn't DNS resolve to the local IP before trying to go out to the ZT IP?
Assuming there are two entries in DNS for each of those two hostnames (mailhost and wls-exchange) then the secure network is either getting lucky or the devices on the secure network have ZT installed on them. If ZT is installed, then it will work no matter what address the device receives; if lucky... well, again, luck.
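The two points made in this thread, that a hostname registered to both an internal and a ZT address leaves a client that lacks a route to one of them dependent on which record it happens to get first (the "luck" described above), and that a per-network DNS zone removes the problem, can be modelled directly. The following is an added example, not code from anyone in this thread. It uses constructed zone data (172.16.0.14 is the Exchange address mentioned earlier; the ZeroTier range 10.147.0.0/16 and the firewall WAN address 203.0.113.10 are placeholders), a resolver that rotates multi-record answers, and an audit of which answers each client population can actually reach.

```python
import ipaddress
import random
import socket

# --- Constructed sample data modelled on the thread (not the poster's real config) ---
INTERNAL_NET = ipaddress.ip_network("172.16.0.0/24")   # campus LAN; Exchange is 172.16.0.14 per the thread
ZT_NET = ipaddress.ip_network("10.147.0.0/16")         # assumed ZeroTier managed range (placeholder)
WAN_IP = "203.0.113.10"                                # assumed firewall outside address (placeholder)
PRIVATE_SPACE = [INTERNAL_NET, ZT_NET]                 # reachable only with a route into that network

# The single shared internal zone as described: mailhost has two A records, wls-exchange has one.
SHARED_ZONE = {
    "mailhost.wls.wels.net": ["172.16.0.14", "10.147.0.14"],
    "wls-exchange.wls.wels.net": ["172.16.0.14"],
}

# The "separate DNS per network" fix: each network's resolver only answers with
# addresses that network can reach.
SPLIT_ZONES = {
    "corporate": {"mailhost.wls.wels.net": ["172.16.0.14"],
                  "wls-exchange.wls.wels.net": ["172.16.0.14"]},
    "zt-remote": {"mailhost.wls.wels.net": ["10.147.0.14"]},
    "guest": {"mailhost.wls.wels.net": [WAN_IP]},
}

# Private networks each client population has a route into (everyone can reach the internet).
ROUTES = {
    "corporate": [INTERNAL_NET, ZT_NET],   # on the LAN and has ZeroTier installed
    "zt-remote": [ZT_NET],                 # off campus, ZeroTier only
    "guest": [],                           # guest/student VLAN: internet only
}


def reachable(addr: str, client_net: str) -> bool:
    """True if a client on client_net has a route to addr."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ROUTES[client_net]):
        return True
    # anything outside the private ranges is assumed reachable over the internet
    return not any(ip in net for net in PRIVATE_SPACE)


def resolve(zone: dict, name: str, rng: random.Random) -> list:
    """A records in the order a resolver hands them out. Resolvers commonly rotate
    multi-record answers and clients usually connect to the first one, which is
    exactly the 'luck' the thread describes."""
    records = list(zone.get(name, []))
    rng.shuffle(records)
    return records


def success_rate(zone: dict, name: str, client_net: str,
                 trials: int = 1000, seed: int = 1) -> float:
    """Fraction of lookups whose first answer the client can actually reach."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        answers = resolve(zone, name, rng)
        if answers and reachable(answers[0], client_net):
            wins += 1
    return wins / trials


def unreachable_records(zone: dict, client_net: str) -> dict:
    """Audit a zone: for each name, the addresses a client on client_net could be
    handed but cannot use. All-empty lists mean the zone is safe for that network."""
    return {name: [a for a in addrs if not reachable(a, client_net)]
            for name, addrs in zone.items()}


def live_a_records(name: str) -> list:
    """What a real device gets from its configured resolver (needs network access;
    run it from a student device to reproduce the check suggested in the thread)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


if __name__ == "__main__":
    for net in ROUTES:
        print(net, "shared zone unreachable:", unreachable_records(SHARED_ZONE, net))
        print(net, "split zone unreachable: ", unreachable_records(SPLIT_ZONES[net], net))
        print(net, "mailhost success with shared zone:",
              success_rate(SHARED_ZONE, "mailhost.wls.wels.net", net))
```

With the shared zone the guest VLAN never gets a usable mailhost answer, the off-campus ZT client gets one about half the time and never gets a usable wls-exchange answer (matching what was reported), and the corporate LAN always works because it has routes to both addresses. With the split zones every network succeeds every time.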
-
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
You could, but, if there are any other hostnames that you reference from the Guest network that only exist on your internal DNS, those will no longer function when you make the change.
-
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
Yes. It will get the external IP address at that point and then how it works will depend on how your router handles hairpin connections.
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
You could, but, if there are any other hostnames that you reference from the Guest network that only exist on your internal DNS, those will no longer function when you make the change.
Stop mixing things up. A guest network is a guest network and should have zero connection to a private network unless there is a very specific reason.
-
The hairpin routing could be a big gotcha for you too.
Old Cisco Pix firewalls could not do hairpin routing.
What hairpin routing means is that a device behind the firewall is trying to reach an IP that it thinks is on the internet, but really is just the IP address of the outside interface of the firewall. So the internal traffic hits the firewall, the firewall realizes it's for its own network and just hairpins it back inside to the correct destination.
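A small model of what the firewall has to do for that hairpin, added here as an example and not taken from anyone in the thread. It assumes the firewall is the LAN's default gateway with an inside address of 172.16.0.1 and an outside address of 203.0.113.10 (both placeholders; 172.16.0.14 is the Exchange address from earlier in the thread). It shows why a plain port-forward (DNAT) is not enough when client and server sit on the same subnet: the server's reply goes straight to the client, never crosses the firewall, and so arrives from the wrong address and is dropped. Rewriting the source to the firewall's inside address (the hairpin SNAT) forces the reply back through the firewall, where both translations are undone.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology modelled on the thread; everything except the Exchange
# address is a placeholder.
LAN = ipaddress.ip_network("172.16.0.0/24")
FW_INSIDE = "172.16.0.1"      # assumed firewall LAN address
FW_OUTSIDE = "203.0.113.10"   # assumed firewall WAN address (documentation range)
EXCHANGE = "172.16.0.14"      # Exchange server, from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def dnat(pkt: Packet) -> Packet:
    """Port-forward: anything arriving for the WAN address on 443 goes to Exchange."""
    if pkt.dst == FW_OUTSIDE and pkt.dport == 443:
        return replace(pkt, dst=EXCHANGE)
    return pkt


def hairpin_snat(pkt: Packet) -> Packet:
    """Rewrite the source of LAN-to-LAN traffic that was port-forwarded so the
    server's reply has to come back through the firewall."""
    if ipaddress.ip_address(pkt.src) in LAN and ipaddress.ip_address(pkt.dst) in LAN:
        return replace(pkt, src=FW_INSIDE)
    return pkt


class Firewall:
    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        self.conntrack = {}   # translated 4-tuple (as the server sees it) -> original packet

    def forward(self, pkt: Packet) -> Packet:
        out = dnat(pkt)
        if self.hairpin:
            out = hairpin_snat(out)
        self.conntrack[(out.src, out.dst, out.sport, out.dport)] = pkt
        return out

    def reverse(self, reply: Packet):
        """Undo the NAT on a reply that actually transits the firewall; None if unknown."""
        orig = self.conntrack.get((reply.dst, reply.src, reply.dport, reply.sport))
        if orig is None:
            return None
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def server_reply(received: Packet) -> Packet:
    """Exchange answers whatever source address the SYN carried."""
    return Packet(src=received.dst, dst=received.src, sport=received.dport, dport=received.sport)


def reply_reaches_firewall(reply: Packet) -> bool:
    """The server delivers directly to hosts on its own subnet (the firewall never
    sees that traffic); everything else goes via its default gateway, the firewall."""
    return reply.dst == FW_INSIDE or ipaddress.ip_address(reply.dst) not in LAN


def connection_works(client_ip: str, hairpin: bool) -> bool:
    """Does a client that resolved mailhost to the WAN address get a usable reply?"""
    fw = Firewall(hairpin)
    syn = Packet(client_ip, FW_OUTSIDE, 50000, 443)
    reply = server_reply(fw.forward(syn))
    if reply_reaches_firewall(reply):
        reply = fw.reverse(reply)
        if reply is None:
            return False
    # The client only accepts a reply that matches the connection it opened.
    return (reply.src == FW_OUTSIDE and reply.dst == client_ip
            and reply.sport == 443 and reply.dport == 50000)


if __name__ == "__main__":
    for ip in ("172.16.0.50", "192.168.50.20"):       # LAN client, then a client on another VLAN
        for hp in (False, True):
            print(f"client {ip:<14} hairpin SNAT {'on ' if hp else 'off'}: works={connection_works(ip, hp)}")
```

The model routes other VLANs through the firewall; if a core switch routes between the guest VLAN and the server LAN instead, the guest case behaves like the same-subnet case and needs the SNAT as well.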
-
@JaredBusch said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
You could, but, if there are any other hostnames that you reference from the Guest network that only exist on your internal DNS, those will no longer function when you make the change.
Stop mixing things up. A guest network is a guest network and should have zero connection to a private network unless there is a very specific reason.
You're right it SHOULD! but his does have connections. So as you keep saying, he has to be very careful with his DNS to make sure he doesn't create a whole new can of worms by splitting the guest network out.
-
@Dashrender said in ZeroTier Question:
The hairpin routing could be a big gotcha for you too.
Old Cisco Pix firewalls could not do hairpin routing.
Okay? Any modern router can. And version 7.x and newer of the PIX firewalls could do it.
-
Ultimately, the simplest solution might be to completely rework your network as follows:
Production network, physical: the only things on this network are servers and printers, including DNS servers. Configure non-ZT NICs to not register with DNS - this is critical (though it could break things like clustering).
PC internal network: this network has PCs and a DHCP server on it; DNS is something global, like 8.8.8.8.
Guest network: guest PCs and a DHCP server; DNS is something global, like 8.8.8.8.
(Splitting the guest and PC internal networks is really more for show than anything.)
All business devices have ZT installed, with the ZT network having DNS configured for the Production DNS servers.
The PCs would need to have their ZT IPs manually added to production DNS.
How this works: The ZT PCs will have access to the Production network through the ZT network, and will use that because the production network will use the ZT DNS servers. You'll never have to worry about IP issues because the only ones in DNS should be the ZT ones. Non-ZT users will use global DNS and that will resolve to something on your firewall, and your firewall should forward as needed internally.
-
@Dashrender said in ZeroTier Question:
Ultimately, the simplest solution might be to completely rework your network as follows:
Production network, physical: the only things on this network are servers and printers, including DNS servers. Configure non-ZT NICs to not register with DNS - this is critical (though it could break things like clustering).
PC internal network: this network has PCs and a DHCP server on it; DNS is something global, like 8.8.8.8.
Guest network: guest PCs and a DHCP server; DNS is something global, like 8.8.8.8.
(Splitting the guest and PC internal networks is really more for show than anything.)
All business devices have ZT installed, with the ZT network having DNS configured for the Production DNS servers.
The PCs would need to have their ZT IPs manually added to production DNS.
How this works: The ZT PCs will have access to the Production network through the ZT network, and will use that because the production network will use the ZT DNS servers. You'll never have to worry about IP issues because the only ones in DNS should be the ZT ones. Non-ZT users will use global DNS and that will resolve to something on your firewall, and your firewall should forward as needed internally.
I think this may cause bigger issues as there are rules on the core switch which is on the ZT/LAN side to allow access to the printer, exchange server, and the DHCP/DNS server.
-
That proposal is a huge, massive upset to the way things are working today. That core switch would have to have a major overhaul in its configuration.
But the simple idea that it represents is that you move to a LANless design - not too different from saying you put everything in a remote datacenter and you have to access all services over the internet, basically the same way websites and email are accessed today over the internet.