[Freeipa-users] Re: Master -> replica through NAT?
AHA LOCATIONS!!! Unless I am way off here - what I need to do is set the replica to NOT be DNS, but then stand up another replica inside the same "location" with DNS and make sure the hosts in that location talk to it, and in the inside location, they talk to the other host. The point is, and I think this is what I missed, not ALL replicas have to have DNS set up. And that resolves the problem with the 2 talking that are connected across the NAT. Please tell me I am on the right path?

-K

On 6/21/17 9:22 AM, Kat wrote:
> I think I see the problem - I am really trying to do Split DNS in this configuration. So I need to keep DNS working, but somehow there must be a way to have the replica on the outside of the firewall understand that there is split DNS involved. I am having an issue figuring out if FreeIPA DNS can do that? Any pointers to some docs?
>
> -K
>
> On 6/20/17 1:32 PM, Kat wrote:
>> Here is an odd problem (I think).
>>
>> I am using IPA in one environment, and want to set up a replica in another environment through NATted connections. I can set up the client to the NAT server, but here is the tricky part - IPA is also DNS. So if I try to bring the DNS setup over with --
>>
>> ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca
>>
>> It fails, because when it tries to look up the master on the other side of the NAT FW, of course it resolves incorrectly. The first failure is conn-check, so even if I --skip-conncheck, it still fails since DNS will not resolve.
>>
>> Suggestions?
>>
>> -K

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Master -> replica through NAT?
I think I see the problem - I am really trying to do Split DNS in this configuration. So I need to keep DNS working, but somehow there must be a way to have the replica on the outside of the firewall understand that there is split DNS involved. I am having an issue figuring out if FreeIPA DNS can do that? Any pointers to some docs?

-K

On 6/20/17 1:32 PM, Kat wrote:
> Here is an odd problem (I think).
>
> I am using IPA in one environment, and want to set up a replica in another environment through NATted connections. I can set up the client to the NAT server, but here is the tricky part - IPA is also DNS. So if I try to bring the DNS setup over with --
>
> ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca
>
> It fails, because when it tries to look up the master on the other side of the NAT FW, of course it resolves incorrectly. The first failure is conn-check, so even if I --skip-conncheck, it still fails since DNS will not resolve.
>
> Suggestions?
>
> -K
[Freeipa-users] Re: Master -> replica through NAT?
Hi

You are trying to set up a replica behind a NAT? I will try to picture it below:

|MASTER|  -  |     NAT-DEVICE      |  -  |REPLICA|
|10.x.x.x| - |10.x.x.y  172.16.x.y| - |172.16.x.x|

Is this setup somewhat correct? This makes a few problems:

1. UDP is stateless, so you would need some logic on the NAT device to forward DNS requests correctly, i.e. if a DNS query comes from 172.17.x.x on 172.16.x.y, DNAT it to 10.x.x.x. Second rule for the opposite direction.

Now how to make 172.16.x.x ask 172.16.x.y instead of 10.x.x.x. You can try static routing. Routing example:

ip route add 10.x.x.x/32 via 172.16.x.y dev eth0 proto static metric 100

Such a route should send all packets addressed to 10.x.x.x via 172.16.x.y; if the router at 172.16.x.y has knowledge of the 10.x.x.x network it will forward packets to the destination host. A NAT device is usually a router too. An analogous rule should be added on the 10.x.x.x device.

In theory if there is only one NAT (router) device static routes should work, as the NAT (router) knows both IP nets and should route packets unless the policy is to drop them. If there are 2 NAT boxes

|MASTER| - |NAT1| === |NAT2| - |replica|

I would suggest a tunnel (VPN or IPIP one depending on the security needed).

Regards

On 21.06.2017 at 15:12, John Keates via FreeIPA-users wrote:
> What you want is not possible because DNS resolves to one IP, not to a NAT'ed IP. Doing this differently is very hacky and totally unsupported. One host, one IP, one DNS record. NAT doesn't belong in this type of networking.
>
> If you really wanted to shoot yourself in the foot, you can use Unbound and a Python plugin to do record-rewriting on the fly. The IPA DNS server would return 10.3.2.33 for example and that would be rewritten to 172.16.2.33 if you desire that. Queries would have to go to the unbound server and it forwards them to the IPA server. Responses are then rewritten on the fly if they contain the foreign IP range.
>
> This is bad in so many ways…
>
> On 21 Jun 2017, at 14:26, Kat via FreeIPA-users wrote:
>> Nothing? No suggestions?
>>
>> Is it not possible to support DNS through a NAT?
>>
>> -K
>>
>> On 6/20/17 1:32 PM, Kat wrote:
>>> Here is an odd problem (I think).
>>>
>>> I am using IPA in one environment, and want to set up a replica in another environment through NATted connections. I can set up the client to the NAT server, but here is the tricky part - IPA is also DNS. So if I try to bring the DNS setup over with --
>>>
>>> ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca
>>>
>>> It fails, because when it tries to look up the master on the other side of the NAT FW, of course it resolves incorrectly. The first failure is conn-check, so even if I --skip-conncheck, it still fails since DNS will not resolve.
>>>
>>> Suggestions?
>>>
>>> -K
[Freeipa-users] Re: Master -> replica through NAT?
What you want is not possible because DNS resolves to one IP, not to a NAT'ed IP. Doing this differently is very hacky and totally unsupported. One host, one IP, one DNS record. NAT doesn't belong in this type of networking.

If you really wanted to shoot yourself in the foot, you can use Unbound and a Python plugin to do record-rewriting on the fly. The IPA DNS server would return 10.3.2.33 for example and that would be rewritten to 172.16.2.33 if you desire that. Queries would have to go to the unbound server and it forwards them to the IPA server. Responses are then rewritten on the fly if they contain the foreign IP range.

This is bad in so many ways…

> On 21 Jun 2017, at 14:26, Kat via FreeIPA-users wrote:
>
> Nothing? No suggestions?
>
> Is it not possible to support DNS through a NAT?
>
> -K
>
> On 6/20/17 1:32 PM, Kat wrote:
>> Here is an odd problem (I think).
>>
>> I am using IPA in one environment, and want to set up a replica in another environment through NATted connections. I can set up the client to the NAT server, but here is the tricky part - IPA is also DNS. So if I try to bring the DNS setup over with --
>>
>> ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca
>>
>> It fails, because when it tries to look up the master on the other side of the NAT FW, of course it resolves incorrectly. The first failure is conn-check, so even if I --skip-conncheck, it still fails since DNS will not resolve.
>>
>> Suggestions?
>>
>> -K
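The on-the-fly rewrite John describes, as an added example that is not from the thread and not Unbound's own code: a function that walks a DNS response in wire format and maps answer-section A records from the foreign range into the local one, with a constructed sample response. The 10.3.2.33 to 172.16.2.33 mapping comes from his message; the /24 prefixes, the hostname and the message id are assumptions, and hooking this into Unbound's Python module is not shown.

```python
import ipaddress
import struct

def build_a_response(name, ip, ttl=300):
    """Constructed sample: a one-answer A response like the IPA DNS server would return."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, qd, an, ns, ar
    labels = name.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00" + struct.pack("!HH", 1, 1)
    # Owner name of the answer is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.ip_address(ip).packed
    return header + question + answer

def _skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name that starts at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def _answer_rdata(buf):
    """Yield (rtype, rdata_offset, rdlen) for every RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        yield rtype, off + 10, rdlen
        off += 10 + rdlen

def answer_ips(msg):
    """A-record addresses in the answer section, as strings."""
    return [str(ipaddress.ip_address(bytes(msg[o:o + 4]))) for t, o, n in _answer_rdata(msg) if t == 1 and n == 4]

def rewrite_a_records(msg, foreign, local):
    """Copy of msg with answer A records inside `foreign` mapped into `local` (host bits kept)."""
    # Only A rdata is touched: AAAA/PTR/SRV stay as-is, and any RRSIG covering the answer goes stale,
    # so a validating resolver would reject the rewritten response.
    foreign_net, local_net = ipaddress.ip_network(foreign), ipaddress.ip_network(local)
    assert foreign_net.prefixlen == local_net.prefixlen, "prefixes must be the same length"
    buf = bytearray(msg)
    for rtype, off, rdlen in _answer_rdata(buf):
        if rtype == 1 and rdlen == 4:
            addr = ipaddress.ip_address(bytes(buf[off:off + 4]))
            if addr in foreign_net:
                host_bits = int(addr) - int(foreign_net.network_address)
                buf[off:off + 4] = ipaddress.ip_address(int(local_net.network_address) + host_bits).packed
    return bytes(buf)
```

Records outside the foreign range pass through unchanged, which is what makes the approach fragile: SRV, PTR and DNSSEC material still describe the 10.x addresses.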
[Freeipa-users] Re: Master -> replica through NAT?
Nothing? No suggestions?

Is it not possible to support DNS through a NAT?

-K

On 6/20/17 1:32 PM, Kat wrote:
> Here is an odd problem (I think).
>
> I am using IPA in one environment, and want to set up a replica in another environment through NATted connections. I can set up the client to the NAT server, but here is the tricky part - IPA is also DNS. So if I try to bring the DNS setup over with --
>
> ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca
>
> It fails, because when it tries to look up the master on the other side of the NAT FW, of course it resolves incorrectly. The first failure is conn-check, so even if I --skip-conncheck, it still fails since DNS will not resolve.
>
> Suggestions?
>
> -K