
    ZeroTier Question

    IT Discussion
    zerotier
    279 Posts 9 Posters 186.4k Views
    • dafyreD
      dafyre @WLS-ITGuy
      last edited by

      @WLS-ITGuy said in ZeroTier Question:

      @scottalanmiller said in ZeroTier Question:

      @WLS-ITGuy said in ZeroTier Question:

      I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.

      And hosts files work great, too.

      So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.

      As I have never messed with Host file records, how does one put a pointer in there?

      <A Record name> <ZT IP ADDRESS>

      ?

      In Windows, it goes the other way...

      zt_ip_address hostname.mydomain.org

      scottalanmillerS 1 Reply Last reply Reply Quote 1
      • scottalanmillerS
        scottalanmiller @dafyre
        last edited by

        @dafyre said in ZeroTier Question:

        @WLS-ITGuy said in ZeroTier Question:

        @scottalanmiller said in ZeroTier Question:

        @WLS-ITGuy said in ZeroTier Question:

        I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.

        And hosts files work great, too.

        So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.

        As I have never messed with Host file records, how does one put a pointer in there?

        <A Record name> <ZT IP ADDRESS>

        ?

        In Windows, it goes the other way...

        zt_ip_address hostname.mydomain.org

        Same anywhere, it's a standard.

        1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @WLS-ITGuy
          last edited by

          @WLS-ITGuy said in ZeroTier Question:

          @scottalanmiller said in ZeroTier Question:

          @WLS-ITGuy said in ZeroTier Question:

          I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.

          And hosts files work great, too.

          So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.

          As I have never messed with Host file records, how does one put a pointer in there?

          <A Record name> <ZT IP ADDRESS>

          ?

          Do you have time to troubleshoot this today? I'm really curious to find out what is giving you the DNS replies you are getting.

          WLS-ITGuyW 1 Reply Last reply Reply Quote 1
          • WLS-ITGuyW
            WLS-ITGuy @Dashrender
            last edited by

            @Dashrender said in ZeroTier Question:

            @WLS-ITGuy said in ZeroTier Question:

            @scottalanmiller said in ZeroTier Question:

            @WLS-ITGuy said in ZeroTier Question:

            I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.

            And hosts files work great, too.

            So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.

            As I have never messed with Host file records, how does one put a pointer in there?

            <A Record name> <ZT IP ADDRESS>

            ?

            Do you have time to troubleshoot this today? I'm really curious to find out what is giving you the DNS replies you are getting.

            I have held off on making the hosts file change. As it was my error, I forgot to save the change to his ZT NIC.

            dafyreD 1 Reply Last reply Reply Quote 1
            • dafyreD
              dafyre @WLS-ITGuy
              last edited by

              @WLS-ITGuy said in ZeroTier Question:

              @Dashrender said in ZeroTier Question:

              @WLS-ITGuy said in ZeroTier Question:

              @scottalanmiller said in ZeroTier Question:

              @WLS-ITGuy said in ZeroTier Question:

              I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.

              And hosts files work great, too.

              So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.

              As I have never messed with Host file records, how does one put a pointer in there?

              <A Record name> <ZT IP ADDRESS>

              ?

              Do you have time to troubleshoot this today? I'm really curious to find out what is giving you the DNS replies you are getting.

              I have held off on making the hosts file change. As it was my error, I forgot to save the change to his ZT NIC.

              Whoops!

              1 Reply Last reply Reply Quote 1
              • scottalanmillerS
                scottalanmiller
                last edited by

                That might do it 😉

                1 Reply Last reply Reply Quote 0
                • WLS-ITGuyW
                  WLS-ITGuy
                  last edited by

                  A little explanation of our LAN. We have 3 VLANs

                  Wired - 172.16.1.x
                  Secured Wireless - 172.17.1.x
                  Student/Guest - 172.18.1.x

                  Those that are on the Student/Guest VLAN are saying that exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.

                  Any thoughts?

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @WLS-ITGuy
                    last edited by

                    @WLS-ITGuy said in ZeroTier Question:

                    A little explanation of our LAN. We have 3 VLANs

                    Wired - 172.16.1.x
                    Secured Wireless - 172.17.1.x
                    Student/Guest - 172.18.1.x

                    Those that are on the Student/Guest VLAN are saying that exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.

                    Any thoughts?

                    Any reason that the guest network needs access to the internal DNS server?

                    dafyreD 1 Reply Last reply Reply Quote 1
                    • dafyreD
                      dafyre @scottalanmiller
                      last edited by

                      @scottalanmiller said in ZeroTier Question:

                      @WLS-ITGuy said in ZeroTier Question:

                      A little explanation of our LAN. We have 3 VLANs

                      Wired - 172.16.1.x
                      Secured Wireless - 172.17.1.x
                      Student/Guest - 172.18.1.x

                      Those that are on the Student/Guest VLAN are saying that exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.

                      Any thoughts?

                      Any reason that the guest network needs access to the internal DNS server?

                      It sounds like he may be working for a school or something.... They probably have need of a few internal resources. 🙂

                      scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @dafyre
                        last edited by

                        @dafyre said in ZeroTier Question:

                        @scottalanmiller said in ZeroTier Question:

                        @WLS-ITGuy said in ZeroTier Question:

                        A little explanation of our LAN. We have 3 VLANs

                        Wired - 172.16.1.x
                        Secured Wireless - 172.17.1.x
                        Student/Guest - 172.18.1.x

                        Those that are on the Student/Guest VLAN are saying that exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.

                        Any thoughts?

                        Any reason that the guest network needs access to the internal DNS server?

                        It sounds like he may be working for a school or something.... They probably have need of a few internal resources. 🙂

                        Maybe, but it depends how they are presented if DNS is needed. If DNS is needed, why not have a different DNS server for that VLAN?

                        1 Reply Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @dafyre
                          last edited by

                          @dafyre said in ZeroTier Question:

                          @scottalanmiller said in ZeroTier Question:

                          @WLS-ITGuy said in ZeroTier Question:

                          A little explanation of our LAN. We have 3 VLANs

                          Wired - 172.16.1.x
                          Secured Wireless - 172.17.1.x
                          Student/Guest - 172.18.1.x

                          Those that are on the Student/Guest VLAN are saying that exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.

                          Any thoughts?

                          Any reason that the guest network needs access to the internal DNS server?

                          It sounds like he may be working for a school or something.... They probably have need of a few internal resources. 🙂

                          But they should be gaining them through a secure external IP range, not the internal one. Treating that public network as just that, fully public, means that access to the internal resources could only happen through published IPs on the public internet.

                          If they have direct access to the internal network via the public Wi-Fi - what kind of protection exists between those two networks? True, they could be limited by specific ports locked down between them, but then you're managing two sets of IPs instead of one - i.e. one set for people working from Starbucks and another for the public Wi-Fi network you have.

                          1 Reply Last reply Reply Quote 1
                          • WLS-ITGuyW
                            WLS-ITGuy
                            last edited by

                            We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.

                            If that helps.

                            scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @WLS-ITGuy
                              last edited by

                              @WLS-ITGuy said in ZeroTier Question:

                              We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.

                              If that helps.

                              DNS on the public side should do the trick, right?

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @WLS-ITGuy
                                last edited by

                                @WLS-ITGuy said in ZeroTier Question:

                                We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.

                                If that helps.

                                This is definitely one way to handle it, but because of that way, you have some of the problems you have. Personally, I'd make that public network completely its own thing. The VLAN would terminate to its own port on the firewall (either real or virtual port) and if possible its traffic would go to the internet over its own dedicated IP.

                                This allows you to treat that network as if it wasn't part of your network at all. Those users would get an IP for DNS of say, Google (8.8.8.8) or your ISP. They would then flow through your firewall to get to whatever services are allowed to normal internet folks and you only have to worry about what's inside your network using your DNS and resolution problems.

                                As mentioned before, if you have non-ZT devices using your internal DNS server, and you register ZT IPs into those DNS servers, those non-ZT devices will get the round-robin effect of DNS answers and will sometimes receive the ZT IPs instead of the LAN IPs, and you'll have issues.

                                Now you could solve this by installing a gateway device on your main network, and have the router between the Public network and the wired network have a route to that gateway appliance allowing traffic a path to find the ZT IPs - but man.. Personally not a fan of that idea.

                                1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in ZeroTier Question:

                                  @WLS-ITGuy said in ZeroTier Question:

                                  We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.

                                  If that helps.

                                  DNS on the public side should do the trick, right?

                                  What do you mean? Change the Public access DHCP server to give only a public DNS server? Yeah, that alone might solve it, assuming his router can do hairpinning if required.

                                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said in ZeroTier Question:

                                    @scottalanmiller said in ZeroTier Question:

                                    @WLS-ITGuy said in ZeroTier Question:

                                    We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.

                                    If that helps.

                                    DNS on the public side should do the trick, right?

                                    What do you mean? Change the Public access DHCP server to give only a public DNS server? Yeah, that alone might solve it, assuming his router can do hairpinning if required.

                                    Not what I meant, I meant a DNS server that he runs himself, but that is for the public portion of his network. That way he could hand out whatever data he wanted there.

                                    DashrenderD 1 Reply Last reply Reply Quote 0
                                    • WLS-ITGuyW
                                      WLS-ITGuy
                                      last edited by

                                      Let me see if this helps explain my setup here.

                                      172.16.0.60 is the HP Core Switch which acts as the router. Which also has 172.17.0.1 and 172.18.0.1 as Virtual IPs.

                                      4 VLANs - 172.20.x.x not in use.

                                      QcWSXo1.png

                                      Sem Wired Scope

                                      h5bkTYF.png

                                      Sem Wireless Scope

                                      kNYtjVZ.png

                                      Student/Guest Scope

                                      FvwORMP.png

                                      Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load. More often than not they get this error:

                                      mailhost.wls.wels.net unexpectedly closed the connection.
                                      Try:
                                      Reloading the page
                                      Checking the connection
                                      Checking the proxy and the firewall
                                      ERR_CONNECTION_CLOSED
                                      ReloadHIDE DETAILS

                                      However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.

                                      JaredBuschJ 1 Reply Last reply Reply Quote 0
                                      • JaredBuschJ
                                        JaredBusch @WLS-ITGuy
                                        last edited by

                                        @WLS-ITGuy said in ZeroTier Question:

                                        Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
                                        However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.

                                        This tells you that your DNS is the issue.

                                        From a student device (or a test device on student network) what do those two domain names resolve to?

                                        WLS-ITGuyW 1 Reply Last reply Reply Quote 1
                                        • WLS-ITGuyW
                                          WLS-ITGuy @JaredBusch
                                          last edited by

                                          @JaredBusch said in ZeroTier Question:

                                          @WLS-ITGuy said in ZeroTier Question:

                                          Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
                                          However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.

                                          This tells you that your DNS is the issue.

                                          From a student device (or a test device on student network) what do those two domain names resolve to?

                                          Mailhost resolves to the ZT IP address

                                          WLS-Exchange resolves to the internal IP of the server.

                                          JaredBuschJ 1 Reply Last reply Reply Quote 0
                                          • JaredBuschJ
                                            JaredBusch @WLS-ITGuy
                                            last edited by

                                            @WLS-ITGuy said in ZeroTier Question:

                                            @JaredBusch said in ZeroTier Question:

                                            @WLS-ITGuy said in ZeroTier Question:

                                            Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
                                            However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.

                                            This tells you that your DNS is the issue.

                                            From a student device (or a test device on student network) what do those two domain names resolve to?

                                            Mailhost resolves to the ZT IP address

                                            WLS-Exchange resolves to the internal IP of the server.

                                            There is your problem.

                                            DashrenderD 1 Reply Last reply Reply Quote 1
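
Added example, not part of any post in the thread: a Python check for the situation diagnosed above, where the internal DNS server hands a ZeroTier address to a client that is not on ZeroTier. The hostnames and the 172.16/172.17/172.18 prefixes come from the thread; the /16 masks, the ZeroTier range, the third hostname and every sample address are assumptions constructed for illustration.

```python
import ipaddress

# Assumed segment definitions. The thread gives only the prefixes
# 172.16.1.x / 172.17.1.x / 172.18.1.x; the /16 masks and the ZeroTier
# managed range below are placeholders to replace with the real values.
SEGMENTS = {
    "wired": ipaddress.ip_network("172.16.0.0/16"),
    "secured-wireless": ipaddress.ip_network("172.17.0.0/16"),
    "student-guest": ipaddress.ip_network("172.18.0.0/16"),
    "zerotier": ipaddress.ip_network("10.147.17.0/24"),  # placeholder range
}

# Segments each kind of client can route to (assumption: ZT members reach
# everything, campus-only devices have no path to the ZeroTier range).
CAMPUS_ONLY = {"wired", "secured-wireless", "student-guest"}
ZT_MEMBER = CAMPUS_ONLY | {"zerotier"}

# Constructed DNS answers as a student device might see them.
SAMPLE_ANSWERS = {
    "mailhost.wls.wels.net": ["10.147.17.20"],          # only a ZT record
    "wls-exchange.wls.wels.net": ["172.16.1.10"],       # only a LAN record
    "roundrobin.example.test": ["172.16.1.10", "10.147.17.20"],  # both
}


def classify(address):
    """Return the segment name an address falls in, or 'other'."""
    ip = ipaddress.ip_address(address)
    for name, network in SEGMENTS.items():
        if ip in network:
            return name
    return "other"


def audit(answers, reachable):
    """Judge each hostname from the point of view of one client type.

    answers:   {hostname: [A record addresses returned to the client]}
    reachable: set of segment names that client can route to
    Returns {hostname: "ok" | "intermittent" | "broken"}.
    """
    report = {}
    for host, addresses in answers.items():
        usable = [a for a in addresses if classify(a) in reachable]
        if addresses and len(usable) == len(addresses):
            report[host] = "ok"
        elif usable:
            # Round-robin: some lookups return a record with no route.
            report[host] = "intermittent"
        else:
            report[host] = "broken"
    return report


if __name__ == "__main__":
    for label, reach in (("campus-only", CAMPUS_ONLY), ("zt-member", ZT_MEMBER)):
        for host, verdict in audit(SAMPLE_ANSWERS, reach).items():
            print(f"{label:12} {host:28} {verdict}")
```

Feed `audit` the answers collected from a test device on each VLAN; any name that is not "ok" for campus-only clients needs a separate record or a separate DNS view for that segment.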