ZeroTier Question
-
@dafyre said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
A little explanation of our LAN. We have 3 VLAN's
Wired - 172.16.1.x
Secured Wireless - 172.17.1.x
Student/Guest - 172.18.1.xThose that are on the Student/Guest VLAN are saying that exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.
Any thoughts?
Any reason that the guest network needs access to the internal DNS server?
It sounds like he may be working for a school or something.... They probably have need of a few internal resources.
Maybe, but it depends how they are presented if DNS is needed. If DNS is needed, why not have a different DNS server for that VLAN?
-
@dafyre said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
A little explanation of our LAN. We have 3 VLAN's
Wired - 172.16.1.x
Secured Wireless - 172.17.1.x
Student/Guest - 172.18.1.xThose that are on the Student/Guest VLAN are saying that exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.
Any thoughts?
Any reason that the guest network needs access to the internal DNS server?
It sounds like he may be working for a school or something.... They probably have need of a few internal resources.
But they should be gaining them through a secure external IP range, not the internal one. treating that public network as just that, fully public means that access to the internal resources could only happen through published IPs on the public internet.
If they have direct access to the internal network via the public Wifi - what kind of protection exists between those two networks? true, they could be limited by specific ports locked down between them, but then you're managing two sets of IPs instead of one - i.e. One set for people working from starbucks and another for the public wifi network you have.
-
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
-
@WLS-ITGuy said in ZeroTier Question:
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
DNS on the public side should do the trick, right?
-
@WLS-ITGuy said in ZeroTier Question:
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
This is definitely one way to handle it, but because of that way, you have some of the problems you have. Personally, I'd make that public network completely it's own thing. The VLAN would terminate to it's own port on the firewall (either real or virtual port) and if possible it's traffic would go to the internet over it's own dedicated IP.
This allows you to tread that network as if it wasn't part of your network at all. Those users would get an IP for DNS of say, Google (8.8.8.8) or your ISP. They would then flow through your firewall to get to whatever services are allowed to normal internet folks and you only have to worry about what's inside your network using your DNS and resolution problems.
As mentioned before, if you have non ZT devices uses your internal DNS server, and you register ZT IPs into those DNS servers, those not ZT devices will get the round-robin effect of DNS answers and will sometimes receive the ZT IPs instead of the LAN IPs, and you'll have issues.
Now you could solve this buy installing a gateway device on your main network, and have the router between the Public network and the wired network have a route to that gateway appliance allowing traffic a path to find the ZT IPs - but man.. Personally not a fan of that idea.
-
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
DNS on the public side should do the trick, right?
What do you mean? change the Public access DHCP server to give only a public DNS server? yeah that along might solve it, assuming his router can do hairpinning if required.
-
@Dashrender said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
DNS on the public side should do the trick, right?
What do you mean? change the Public access DHCP server to give only a public DNS server? yeah that along might solve it, assuming his router can do hairpinning if required.
Not what I meant, I meant a DNS server that he runs himself, but that is for the public portion of his network. That why he could hand out whatever data he wanted there.
-
Let me see if this helps explain my setup here.
172.16.0.60 is the HP Core Switch which acts as the router. Which also has 172.17.0.1 and 172.18.0.1 as Virtual IP's.
4 VLANs - 172.20.x.x not in use.
Sem Wired Scope
Sem WIreless Scope
Student/Guest Scope
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load. MOre often than not they get this error:
mailhost.wls.wels.net unexpectedly closed the connection.
Try:
Reloading the page
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_CLOSED
ReloadHIDE DETAILSHowever, if they go to https://wls-exchange.wls.wels.net/owa it works fine.
-
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
-
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
Mailhost resolves to the ZT IP address
WLS-Exchange resolves to the internal IP of the server.
-
@WLS-ITGuy said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
Mailhost resolves to the ZT IP address
WLS-Exchange resolves to the internal IP of the server.
There is your problem.
-
@scottalanmiller said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
DNS on the public side should do the trick, right?
What do you mean? change the Public access DHCP server to give only a public DNS server? yeah that along might solve it, assuming his router can do hairpinning if required.
Not what I meant, I meant a DNS server that he runs himself, but that is for the public portion of his network. That why he could hand out whatever data he wanted there.
oh, gotcha.. for him to have two completely independent DNS systems, one for corporate, and one for Guest network.
-
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
Mailhost resolves to the ZT IP address
WLS-Exchange resolves to the internal IP of the server.
There is your problem.
Exactly - if you want to continue with your current network topology, you'll want to create records specifically for use in the Public WiFi space that are different than those used for your internal network space.
The reason for this is that your internal devices all are on both ZT and your internal network, so they won't care if they receive an internal or ZT IP, but your Public network doesn't know about ZT, therefore it will fail everytime your DNS server gives out a ZT IP address.
FYI - you can register the same host name to more than one IP, so your hostname mailhost can resolve to an internal IP and ZT at the same time, and this is what causes most of these problems.
But creating a unique A record for use on the Public network, you don't have to worry about the Public network getting ZT addresses.
-
This type of issue is why I repeatedly stressed that you had to plan everything out very carefully if you were going to start messing with DNS.
-
@JaredBusch said in ZeroTier Question:
This type of issue is why I repeatedly stressed that you had to plan everything out very carefully if you were going to start messing with DNS.
And why I recommend using a ZT Bridge... so you don't have to mess with DNS, lol.
-
@Dashrender said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
Mailhost resolves to the ZT IP address
WLS-Exchange resolves to the internal IP of the server.
There is your problem.
Exactly - if you want to continue with your current network topology, you'll want to create records specifically for use in the Public WiFi space that are different than those used for your internal network space.
The reason for this is that your internal devices all are on both ZT and your internal network, so they won't care if they receive an internal or ZT IP, but your Public network doesn't know about ZT, therefore it will fail everytime your DNS server gives out a ZT IP address.
FYI - you can register the same host name to more than one IP, so your hostname mailhost can resolve to an internal IP and ZT at the same time, and this is what causes most of these problems.
But creating a unique A record for use on the Public network, you don't have to worry about the Public network getting ZT addresses.
OK. Mailhost.wls.wels.net already had a A record of 172.16.0.14 (Exchange Server IP) but to get those on the ZT network to see the server I had to create another one with the ZT IP. I did not create a 2nd A record for wls-exchange.wls.wels.net. I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
-
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
-
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
-
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
-
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
By unique, I mean fully unique. corporate/ZT network use mailhost, the public wifi uses mailhost1 or whatever you create. it's unique for use by the public network.
