ZeroTier Question
-
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
-
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
Mailhost resolves to the ZT IP address
WLS-Exchange resolves to the internal IP of the server.
-
@WLS-ITGuy said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
Mailhost resolves to the ZT IP address
WLS-Exchange resolves to the internal IP of the server.
There is your problem.
-
@scottalanmiller said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
DNS on the public side should do the trick, right?
What do you mean? change the Public access DHCP server to give only a public DNS server? yeah that along might solve it, assuming his router can do hairpinning if required.
Not what I meant, I meant a DNS server that he runs himself, but that is for the public portion of his network. That why he could hand out whatever data he wanted there.
oh, gotcha.. for him to have two completely independent DNS systems, one for corporate, and one for Guest network.
-
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
Mailhost resolves to the ZT IP address
WLS-Exchange resolves to the internal IP of the server.
There is your problem.
Exactly - if you want to continue with your current network topology, you'll want to create records specifically for use in the Public WiFi space that are different than those used for your internal network space.
The reason for this is that your internal devices all are on both ZT and your internal network, so they won't care if they receive an internal or ZT IP, but your Public network doesn't know about ZT, therefore it will fail everytime your DNS server gives out a ZT IP address.
FYI - you can register the same host name to more than one IP, so your hostname mailhost can resolve to an internal IP and ZT at the same time, and this is what causes most of these problems.
But creating a unique A record for use on the Public network, you don't have to worry about the Public network getting ZT addresses.
-
This type of issue is why I repeatedly stressed that you had to plan everything out very carefully if you were going to start messing with DNS.
-
@JaredBusch said in ZeroTier Question:
This type of issue is why I repeatedly stressed that you had to plan everything out very carefully if you were going to start messing with DNS.
And why I recommend using a ZT Bridge... so you don't have to mess with DNS, lol.
-
@Dashrender said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Students are reporting that when they go to https://mailhost.wls.wels.net/owa on campus that it doesn't load.
However, if they go to https://wls-exchange.wls.wels.net/owa it works fine.This tells you that your DNS is the issue.
From a student device (or a test device on student network) what do those two domain names resolve to?
Mailhost resolves to the ZT IP address
WLS-Exchange resolves to the internal IP of the server.
There is your problem.
Exactly - if you want to continue with your current network topology, you'll want to create records specifically for use in the Public WiFi space that are different than those used for your internal network space.
The reason for this is that your internal devices all are on both ZT and your internal network, so they won't care if they receive an internal or ZT IP, but your Public network doesn't know about ZT, therefore it will fail everytime your DNS server gives out a ZT IP address.
FYI - you can register the same host name to more than one IP, so your hostname mailhost can resolve to an internal IP and ZT at the same time, and this is what causes most of these problems.
But creating a unique A record for use on the Public network, you don't have to worry about the Public network getting ZT addresses.
OK. Mailhost.wls.wels.net already had a A record of 172.16.0.14 (Exchange Server IP) but to get those on the ZT network to see the server I had to create another one with the ZT IP. I did not create a 2nd A record for wls-exchange.wls.wels.net. I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
-
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
-
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
-
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
-
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
By unique, I mean fully unique. corporate/ZT network use mailhost, the public wifi uses mailhost1 or whatever you create. it's unique for use by the public network.
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
By unique, I mean fully unique. corporate/ZT network use mailhost, the public wifi uses mailhost1 or whatever you create. it's unique for use by the public network.
Of course, this presents roaming problems, if a device on the public network later joins the corporate network, it might not work any more.
-
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
-
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
-
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
I now have a dumb question...
Why if I go to the mailhost or wls-exchange address does it work on the Secured wireless but if a student is connected it doesn't? If both VLAN's use the same DNS shouldn't DNS resolve to the local IP before trying to go out to the ZT IP?
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
-
@WLS-ITGuy said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
I now have a dumb question...
Why if I go to the mailhost or wls-exchange address does it work on the Secured wireless but if a student is connected it doesn't? If both VLAN's use the same DNS shouldn't DNS resolve to the local IP before trying to go out to the ZT IP?
Assuming there are two entries in DNS for each of those two hostnames (mailhost and wls-exchange) then the secure is either getting lucky or the devices on the secure network have ZT installed on them. if ZT is installed, then it will work no matter what address the device receives, if lucky.. well, again luck.
-
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
You could, but, if there are any other hostnames that you reference from the Guest network that only exist on your internal DNS, those will no longer function when you make the change.
-
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I don't see how I can create a unique A record for the Public Network when it goes through the same DNS as the other two networks.
You can't. That's why I mentioned having a different DNS server for that network.
So I would be making an entirely separate network for the Student/Public network on the same internet pipe?
Time for a dumb question... If we know that they have a URL that works on the Student/Guest side... why not just have them use that URL?
This is what I have going on for now as https://wls-exchange.wls.wels.net/owa doesn't work off campus. So I have them go to that on campus and mailhost off campus.
This just wraps you back around to either using the public DNS servers for the Public WiFi, or setting up a separate DNS server for that network.
So I should just set in the Scope options 8.8.8.8 and 4.4.4.4 as the DNS and see if mailhost works on the Student/Guest network?
Yes. It will get the external IP address at that point and then how it works will depends on how your router handles hairpin connections.
