Hi

You are trying to set up a replica behind a NAT?

I will try to picture it below:

MASTER   | - | NAT-DEVICE            | - | REPLICA
10.x.x.x | - | 10.x.x.y   172.16.x.y | - | 172.16.x.x

Is this setup somewhat correct?

This causes a few problems: 1) UDP is stateless, so you would need some logic on the NAT device to forward DNS requests correctly, i.e. if a DNS query comes from 172.17.x.x to 172.16.x.y, DNAT it to 10.x.x.x. A second rule is needed for the opposite direction.

Now, how to make 172.16.x.x ask 172.16.x.y instead of 10.x.x.x? You can try static routing.

Routing example:
ip route add 10.x.x.x/32 via 172.16.x.y dev eth0 proto static metric 100

Such a route should send all packets addressed to 10.x.x.x via 172.16.x.y; if the router at 172.16.x.y has knowledge of the 10.x.x.x network, it will forward the packets to the destination host. A NAT device is usually a router too.

An analogous route should be added on the 10.x.x.x device.

In theory, if there is only one NAT (router) device, static routes should work, as the NAT (router) knows both IP nets and should route the packets unless its policy is to drop them.

If there are two NAT boxes:
|MASTER| - |NAT1| === |NAT2| - |replica|

I would suggest a tunnel (VPN or IPIP, depending on the security needed).

Regards
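The static routes and the DNAT rules sketched in the reply above, written out as an added example; this is not code from the thread or from the FreeIPA project. It assumes a single NAT box with an inside address on the 10.x network and an outside address on the 172.16.x network, uses constructed placeholder addresses, and only prints the commands so they can be reviewed before anything is applied. The kernel's connection tracking translates the replies back, so only the two query directions need explicit rules.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses below are constructed
# placeholders for the picture: MASTER 10.x.x.x <-> NAT device
# (10.x.x.y inside / 172.16.x.y outside) <-> REPLICA 172.16.x.x.
MASTER_IP=10.0.0.10        # stands in for 10.x.x.x
NAT_INSIDE_IP=10.0.0.1     # stands in for 10.x.x.y
NAT_OUTSIDE_IP=172.16.0.1  # stands in for 172.16.x.y
REPLICA_IP=172.16.0.10     # stands in for 172.16.x.x

# Route to add on the replica: reach the master's /32 via the NAT device's
# outside address. The interface name defaults to eth0 and is an assumption.
replica_route() {
    printf 'ip route add %s/32 via %s dev %s proto static metric 100\n' \
        "$MASTER_IP" "$NAT_OUTSIDE_IP" "${1:-eth0}"
}

# Mirror route to add on the master so return traffic to the replica goes
# back through the NAT device's inside address.
master_route() {
    printf 'ip route add %s/32 via %s dev %s proto static metric 100\n' \
        "$REPLICA_IP" "$NAT_INSIDE_IP" "${1:-eth0}"
}

# nftables rules for the NAT device (table and chain names are assumptions):
# DNS (UDP and TCP port 53) from the replica aimed at the NAT's outside
# address is DNAT'ed to the master, and the opposite direction gets its own
# pair of rules. Conntrack rewrites the replies, so nothing else is needed.
nat_dns_rules() {
    cat <<EOF
nft add table ip ipa_nat
nft add chain ip ipa_nat prerouting '{ type nat hook prerouting priority -100; }'
nft add rule ip ipa_nat prerouting ip saddr $REPLICA_IP ip daddr $NAT_OUTSIDE_IP udp dport 53 dnat to $MASTER_IP
nft add rule ip ipa_nat prerouting ip saddr $REPLICA_IP ip daddr $NAT_OUTSIDE_IP tcp dport 53 dnat to $MASTER_IP
nft add rule ip ipa_nat prerouting ip saddr $MASTER_IP ip daddr $NAT_INSIDE_IP udp dport 53 dnat to $REPLICA_IP
nft add rule ip ipa_nat prerouting ip saddr $MASTER_IP ip daddr $NAT_INSIDE_IP tcp dport 53 dnat to $REPLICA_IP
EOF
}

# Print the full command set for review; nothing here is applied.
echo "# on the replica:";   replica_route
echo "# on the master:";    master_route
echo "# on the NAT device:"; nat_dns_rules
```

The rules cover only port 53, which is what the reply discusses. A replica also needs the master's LDAP (389/636), Kerberos (88/464) and HTTPS (443) ports reachable, and those are what `ipa-replica-install`'s connection check exercises, so the same DNAT treatment (or the tunnel suggested above) is needed for them before the install can get past the conncheck and DNS resolution failures described in the original question.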

On 21.06.2017 at 15:12, John Keates via FreeIPA-users wrote:
What you want is not possible because DNS resolves to one IP, not to a NAT’ed 
IP.
Doing this differently is very hacky and totally unsupported. One host, one IP, 
one DNS record. NAT doesn’t belong in this type of networking.

If you really wanted to shoot yourself in the foot, you can use Unbound and a 
Python plugin to do record-rewriting on the fly. The IPA DNS server would 
return 10.3.2.33 for example and that would be rewritten to 172.16.2.33 if you 
desire that.
Queries would have to go to the unbound server and it forwards them to the IPA 
server. Responses are then rewritten on the fly if they contain the foreign IP 
range. This is bad in so many ways…


On 21 Jun 2017, at 14:26, Kat via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

Nothing? No suggestions?

Is it not possible to support DNS through a NAT?

-K


On 6/20/17 1:32 PM, Kat wrote:
Here is an odd problem (I think).

I am using IPA in one environment, and want to set up a replica in another 
environment through NATted connections. I can set up the client to the NAT 
server, but here is the tricky part - IPA is also DNS. So if I try to bring the 
DNS setup over with --

ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca

It fails, because when it tries to lookup the master on the other side of the 
NAT FW, of course it resolves incorrectly. The first failure is conn-check, so 
even if I --skip-conncheck, it still fails since DNS will not resolve.

Suggestions?

-K

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
