8 Replies Latest reply: Jan 16, 2008 12:04 PM by Leif Carlsson
pherplexed Level 2 (435 points)
I've just gotten Leopard server for my office and while I'm an advanced computer user, I'm admittedly a noob at servers and advanced networking. So, I just wanted some opinions on if I've set up my server correctly.

We'll be using the server for file sharing, iCal service, wikis, and contacts. Our email and website are hosted by an external host (not our ISP, but a hosting company). So during setup, I entered the server DNS as myservername.private as suggested by the help docs.

How does this work when using the VPN service? I want to be able to connect remotely and access shares as if I was on the local network. So I've enabled the VPN server, and it created a connection file for setting up on client machines, but it's using myservername.private as the server address. Our ISP has given us a range of static public IPs, so do I just map one of those IPs to the server and use that IP as the VPN address?

Hope that made sense... thanks for any help.

MacPro dual core 2.66 4gbRam ATI x1900pro 512mb | 17" MacBook Pro 2gb Ram, Mac OS X (10.4.10)
  • 1. Re: Did I setup this correctly? (networking, dns questions)
    MrHoffman Level 6 (12,455 points)
    The .private or .whatever TLD means this doesn't "go" outside your network.

    The Bonjour-defined .local TLD works the same way.

    If you want external (incoming) access into the static IPs, I'd get a DNS service configured into the static IP range. Your DNS on Leopard in coordination with whomever you have your static IP addresses from, or DNS from whomever you have your static IP from.

    The www.example.com domain goes to the web server IP.

    You will want to choose whether to have example.com route to the web server, or to have it route to your local static network. Or you might want to activate and use another domain (such as example.net, or a xyz.example.com) as the domain for your local services.

    Incoming network connections need to use the static IP address here (if you don't have external DNS), or can use whatever externally-visible DNS you might choose to configure and use.

    You'll probably want a firewall and such in front of your server(s), and the usual defensive network measures apply. The firewall can provide port forwarding and NAT, which can get you from the external addresses to internal (private) addresses. Having all the stuff on the local network means your local DNS zones all use the private address space, and whatever DNS external zone(s) defined have just the external static IP addresses and external-visible hosts. (Having just the subset of external hosts in an external zone reduces the effectiveness of DNS snooping.)

    The Cricket Liu book DNS & BIND (5th ed.) is a good reference for DNS.
  • 2. Re: Did I setup this correctly? (networking, dns questions)
    pherplexed Level 2 (435 points)
    Thanks for the reply. I have to admit, the DNS stuff is a bit over my head. Can you explain in a bit more detail what you mean by getting a DNS service configured into my static IP range?

    Some more background information:
    • My ISP is business-class DSL (8Mbs down / 512Kbps up). We have been given 5 static public IP addresses with our account. I'm assuming the DNS info showing up on my router is being put there automatically by our ISP.
    • I have an IP map setup on my router that connects one of our static IPs to my Leopard Server. So, I tried to connect via VPN offsite using this static IP and it connected successfully (so it said) but none of my network shares would show up. I couldn't pull up the server's default webpage either.

    What am I doing wrong?
  • 3. Re: Did I setup this correctly? (networking, dns questions)
    MrHoffman Level 6 (12,455 points)
    Your firewall/router has had the DNS setting configured to point at the DNS server(s) provided by the ISP.

    I'm not sure what you have set up at your firewall/router. Most firewall/routers don't have DNS capabilities.

    DNS can be configured with zones, and you can have information you want exposed (such as the external host name translations) in one (external) zone and information you don't want exposed (internal host name translations) in another (internal) zone.

    You can have your external static addresses arrive at your firewall, and a reasonably capable firewall can map the external address to an internal address using NAT. Using this scheme, external sites can reach the designated host, without having to know that it even has or uses a private IP address. And the hosts within the private network can communicate directly without having to deal with a gateway.

    Internal hosts resolve names through an internal zone and private IP addresses, and external hosts resolve names through an external zone and public IP addresses. (This approach keeps the folks that are trolling the DNS records from learning the details of your internal addresses and hosts and subnet(s).)

    dns.example.com.int has the A record for the internal view of the host.

    host IN A 10.xx.yy.zz

    dns.example.com.ext has the A record for the external view of the host.

    host IN A ww.xx.yy.zz

    so host.example.com in the internal zone has 10.xx.yy.zz, where the external DNS query gets the external address. And where NAT at the firewall turns ww.xx.yy.zz into 10.xx.yy.zz

    The Liu DNS & BIND book really helps here.

    And there are many ways to set this up. You could (with few enough hosts) run everything with the external static addresses you have.
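The two-zone layout described in the reply above can be checked mechanically. This is an added example, not part of the original post: the zone contents, addresses and function names are constructed for illustration. It flags private addresses published in the external zone and lists the public-to-private NAT entries the firewall needs.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly: ipaddress.is_private would also match
# documentation ranges such as 203.0.113.0/24, used as sample data here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zones (not taken from the thread).
INTERNAL_ZONE = """
server  IN A 10.0.1.10
printer IN A 10.0.1.50
"""
EXTERNAL_ZONE = """
server  IN A 203.0.113.10
printer IN A 10.0.1.50    ; mistake: private address published externally
office  IN A 203.0.113.11 ; no matching internal record
"""

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_a_records(zone_text):
    """Return {name: ip} for lines of the form 'name IN A address'."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()   # drop trailing comments
        if len(fields) == 4 and fields[1:3] == ["IN", "A"]:
            records[fields[0]] = fields[3]
    return records

def audit_views(internal_text, external_text):
    """Return (findings, nat_map) for a two-zone split-horizon setup."""
    internal = parse_a_records(internal_text)
    external = parse_a_records(external_text)
    findings, nat_map = [], {}
    for name, ip in sorted(external.items()):
        if is_rfc1918(ip):
            findings.append(f"external zone leaks private address: {name} {ip}")
        elif name not in internal:
            findings.append(f"external name {name} has no internal record, NAT target unknown")
        else:
            nat_map[ip] = internal[name]      # public -> private at the firewall
    return findings, nat_map

if __name__ == "__main__":
    findings, nat_map = audit_views(INTERNAL_ZONE, EXTERNAL_ZONE)
    print("\n".join(findings) or "no findings")
    print("NAT entries needed:", nat_map)
```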
  • 4. Re: Did I setup this correctly? (networking, dns questions)
    Leif Carlsson Level 5 (4,950 points)
    As you already have a domainname for your mail and web services, you could ask the one hosting those (they probably host your domainname too) to map a "hostname" of your choice to the public IP you are forwarding ports and protocols to your internal server from. Then you can find your office server using that. You could for example use "office.<your domainname>".

    "I'm assuming the DNS info showing up on my router is being put there automatically by our ISP."

    Correct. Many ISPs have all "their" IPs set up for reverse lookup using some kind of "identifying name" usually with the IP number also "in there".

    If you want to use something like "server.<internal domainname>.private" (where the full internal domainname would be "<internal domainname>.private") for the server use only the server's internal IP for DNS on all internal machines or it will pick up the public IP reverse IP name. (Using just "private" as the internal domainname is a bit short.)

    This is important: Internal DNS should really be set up correctly before setting up the rest of the server's services. Sometimes you can remedy problems by issuing this command in Terminal:

    (check first then follow instr.)
    sudo changeip -checkhostname

    This is for Tiger Server DNS but it might help explain some things regarding DNS:

    For a working VPN you need to forward the right ports and protocols:

    PPTP : TCP port 1723 and GRE protocol (or sometimes "VPN passthrough" is sufficient but not all routers can forward PPTP correctly).

    L2TP : UDP ports 500 and 4500 should be enough (if not also forward UDP 1701) as the server is behind NAT. For Windows XP built-in VPN client compatibility use PPTP.

    When you are connected you can't browse the company LAN for services because mDNS/Bonjour isn't forwarded through the VPN. You need to know the IP or machine name (if internal DNS is correctly set up and depending on if using static IPs for machines beside the server or not).

    This might explain some about VPN:


    When connected to the VPN you should have the server internal IP for DNS (you'll get it automatically through the server VPN settings) so you can find internal only services using names as when you're at the office.
  • 5. Re: Did I setup this correctly? (networking, dns questions)
    pherplexed Level 2 (435 points)
    Leif- excellent information, thank you so much for posting! I've got everything up and running like a charm.

  • 6. Re: Did I setup this correctly? (networking, dns questions)
    pherplexed Level 2 (435 points)
    Om, well....at least I thought I had everything setup like a charm. So, I keep having random problems with iCal not finding the server or VPN not allowing connections or if connected, not allowing access to shares.

    So I've been reading up on DNS, networking, etc. and for whatever reason, I'm just not getting it. So, if I may ask for some more opinions on the following setup (I'm a visual learner)

    So, based on this setup, what do I need to put for the following:
    • On Myserver.private, what do I put for DNS info in Server Admin? What about system prefs?
    • On client machines, what do I put for DNS under system prefs?
    • Should I be running DHCP from my router or myserver.private? Why?

    Thanks so much for any help on this!

  • 7. Re: Did I setup this correctly? (networking, dns questions)
    Jeff Lambert Level 1 (5 points)

    We have the exact same setup here and I'll receive a new Mac Pro 8 core and load up Leopard server on it when it arrives. I'm having the same questions as you regarding DNS setup. We currently have a 10.4.11 server and are getting the DNS name doesn't match error in our logs so I want to set the Leopard version without this error.

    I've tried reading and reading the post above and I just can't grasp the concept yet. Your picture helps a lot for illustrating my setup too:-)

  • 8. Re: Did I setup this correctly? (networking, dns questions)
    Leif Carlsson Level 5 (4,950 points)
    The domain .private isn't really a descriptive name but should work.

    In Network prefpane you should have the search domain: .private
    and for DNS only the machine's own IP.

    In sharing setup use only the server/host-name: myserver.
    This should be the A record for the machine IP number in the DNS - and don't forget the reverse IP/name record.

    All machines on LAN and VPN clients should get the myserver IP as their only DNS.

    office.mywebdomain.com is only there to find the DSL router public IP without entering the IP.

    Use the server DHCP partly because it can send more info to clients (LDAP-info for instance) than the DSL router can.

    Keep LAN DHCP IP-range separate from VPN client IP-range.

    Anything in the log to explain problems?
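The checks listed in the reply above (an A record with a matching reverse record, the server as the only DNS for clients, separate DHCP and VPN ranges) can be run against a description of the setup. This is an added example, not part of the thread: the CONFIG layout, addresses, ranges and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample configuration for a server named myserver.private
# (addresses and ranges are assumptions, not values from the thread).
CONFIG = {
    "server_ip": "10.0.1.10",
    "a_records": {"myserver.private.": "10.0.1.10"},
    "ptr_records": {"10.1.0.10.in-addr.arpa.": "myserver.private."},
    "client_dns": ["10.0.1.10", "203.0.113.53"],  # second entry: an ISP resolver
    "dhcp_range": ("10.0.1.100", "10.0.1.199"),
    "vpn_range": ("10.0.1.180", "10.0.1.220"),
}

def ranges_overlap(a, b):
    """True if two inclusive (first, last) IPv4 ranges share any address."""
    a_lo, a_hi = (int(ipaddress.ip_address(x)) for x in a)
    b_lo, b_hi = (int(ipaddress.ip_address(x)) for x in b)
    return a_lo <= b_hi and b_lo <= a_hi

def check_setup(cfg):
    """Return a list of problems found in the described setup."""
    problems = []
    # Every A record needs a PTR record that points back at the same name.
    for name, ip in cfg["a_records"].items():
        ptr_name = ipaddress.ip_address(ip).reverse_pointer + "."
        target = cfg["ptr_records"].get(ptr_name)
        if target is None:
            problems.append(f"no PTR record {ptr_name} for {name}")
        elif target != name:
            problems.append(f"PTR {ptr_name} -> {target}, expected {name}")
    # Clients should use the server as their only DNS; any other resolver
    # knows nothing about the internal .private names.
    if cfg["client_dns"] != [cfg["server_ip"]]:
        problems.append(
            f"client DNS should be only {cfg['server_ip']}, got {cfg['client_dns']}")
    if ranges_overlap(cfg["dhcp_range"], cfg["vpn_range"]):
        problems.append("DHCP range overlaps VPN client range")
    return problems

if __name__ == "__main__":
    print(*check_setup(CONFIG), sep="\n")
```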