Cannot use KeyHelp behind a NAT

Discussions about the installation of KeyHelp.
shoulders
Posts: 70
Joined: Wed 25. Oct 2023, 21:05

Cannot use KeyHelp behind a NAT

Post by shoulders »

Hi

Before I do a feature request I just wanted to make sure I have not missed anything. How do people set up KeyHelp behind a NAT?

Notes
  • I have gone through all of the configuration options, I hope I have not missed anything.
  • KeyHelp uses the IP addresses it detects in the NIC configuration and shows this in: Settings --> Configuration --> IP Addresses
  • There are no DNS Zone templates
  • If I add my external IP into the NIC configuration I am sure this will cause routing issues. I use 'NAT Loopback' and 'Split DNS' on my pfSense router.
  • I cannot do 1:1 NAT because I want to keep my NAT as is for network security. I am pretty sure this is just DMZ or full exposure on the web. (simple answer :D )
  • Anyone running a web server at home will need NAT support
  • I currently run Control Web Panel (CWP) behind a NAT with working authoritative name servers. The webserver is fully functional.
  • server IP with vps behind nat - viewtopic.php?t=11503&hilit=nat&start=15
    Daniel wrote: Mon 8. Aug 2022, 15:21
    Hello,

    most important (as far as I got from you) in the usage of Keyhelp regarding to DNS with an IP-address according to RFC-1918 ("private address") behind NAT is that you lose the public functionality of the Nameserver.

    Of course there are options making this work, but it's not worth the effort and depends on the infrastructure you use.

    Keyhelp will work with close to all functionality behind NAT. As long as a public nameserver is used for all the domains, provided at the VPS with Keyhelp.
    It can be your own public nameserver or of some provider. You just need to point all relevant domain records to the public IP where you proceed NAT to.

    Basically Keyhelp and the configured services operate directly with an assigned public IP-address. Not behind NAT. But as explained and many of our users also operate Keyhelp behind NAT e.g. in testing/development environments.

    In short: Use external DNS-nameservers for the domains @$Keyhelp-Host and Keyhelp will mostly work in NAT infrastructure.

    This is not correct. It is very easy to set up your router to forward the correct ports for a Webserver (my name-servers work with no issue) and you do not need an external DNS server (except where you have registered your domain).
  • How to configure a Shared IP on CWP - http://wiki.centos-webpanel.com/default ... ll-domains
Possible Solutions
  • Manually edit each domain's DNS Zone = not going to happen :cry:
  • DNS Zone Templates. I could then manually change the IP address assigned in there
  • (preferred) Add a custom IP option to: Settings --> Configuration --> IP Addresses - This could be then used to build all configs as normal and this IP would not be present on the NIC.
Thanks for any help
24unix
Posts: 1643
Joined: Sun 21. Jun 2020, 17:16
Location: Kollmar

Re: Cannot use KeyHelp behind a NAT

Post by 24unix »

shoulders wrote: Sat 28. Oct 2023, 10:05 How do people setup KeyHelp behind a NAT?
Not at all.
IPv6 has existed for decades. No need for NAT.
Kind regards, Micha
--
If Bill Gates had a nickel for every time Windows crashed …
… oh wait, he does.
shoulders
Posts: 70
Joined: Wed 25. Oct 2023, 21:05

Re: Cannot use KeyHelp behind a NAT

Post by shoulders »

I am in the UK, most providers do not offer IPv6. :(

Also I don't want to change to IPv6 yet as I cannot control the traffic as I want, I need to learn edge-routers more.
24unix
Posts: 1643
Joined: Sun 21. Jun 2020, 17:16
Location: Kollmar

Re: Cannot use KeyHelp behind a NAT

Post by 24unix »

shoulders wrote: Sat 28. Oct 2023, 12:35 I am in the UK, most providers do not offer IPv6. :(

Also I don't want to change to IPv6 yet as I cannot control the traffic as I want, I need to learn edge-routers more.
If your provider isn't able (or willing) you could use Tunnelbroker (https://tunnelbroker.net), they give away free /64 and even /56 addresses. With a little bit of fiddling this also works in combination with a non static IPv4, but a static IPv4 is always easier.

I use OPNsense, very similar to your pfSense (which I used in the past), it can handle IPv6 perfectly.

You add a rule in the WAN interface for allowing port 80 and 443 to all your systems offering https and needing LE certs, that's all.
Kind regards, Micha
shoulders
Posts: 70
Joined: Wed 25. Oct 2023, 21:05

Re: Cannot use KeyHelp behind a NAT

Post by shoulders »

This is my pfSense Tutorial: https://quantumwarp.com/kb/articles/4-n ... ense-notes

Adding IPv6 or a workaround is probably too much for me at the minute. :(

But I will keep your suggestion on file, and thanks
Tobi
Community Moderator
Posts: 2831
Joined: Thu 5. Jan 2017, 13:24

Re: Cannot use KeyHelp behind a NAT

Post by Tobi »

Puhhh, a lot of text from you.

But here is the answer :mrgreen:
shoulders wrote: Sat 28. Oct 2023, 10:05
Manually edit each domains DNS Zone = not going to happen :cry:
DNS Zone Templates. I could then manually change the IP address assigned in there
(preferred) Add a custom IP option to: Settings --> Configuration --> IP Addresses - This could be then used to build all configs as normal and this IP would not be present on the NIC.
So you have three possible solutions for your problem.
If you prefer No.3, go ahead and open another feature request. But my personal opinion: this feature will take quite a while.

Or you just use solution No.2 and you will be fine by this afternoon.

It is your choice 😉
Regards,
Tobi


-----------------------------
wewoco.de
The forum for resellers, digital agencies, screen workers and mouse pushers
shoulders
Posts: 70
Joined: Wed 25. Oct 2023, 21:05

Re: Cannot use KeyHelp behind a NAT

Post by shoulders »

If you mean my pfSense article, I covered everything I needed so I don't have to remember it, however it is still in my head after a 5 minute refresh. :D

I will do a feature request for option 3 anyway.

Done: viewtopic.php?t=12785

Thanks
Blackmoon
Posts: 345
Joined: Sat 1. Dec 2018, 16:42

Re: Cannot use KeyHelp behind a NAT

Post by Blackmoon »

Did you try the following:
Add a virtual loopback interface directly in Linux. Add the public IP address to the device.
After that you can see it in the KeyHelp UI?!
shoulders
Posts: 70
Joined: Wed 25. Oct 2023, 21:05

Re: Cannot use KeyHelp behind a NAT

Post by shoulders »

@Blackmoon

I could add an IP alias of 31.31.31.31/32 but I think this will cause network routing issues. Not 100%.
shoulders
Posts: 70
Joined: Wed 25. Oct 2023, 21:05

Re: Cannot use KeyHelp behind a NAT

Post by shoulders »

Blackmoon wrote: Sat 28. Oct 2023, 17:09 Did you try the following:
Add a virtual loopback interface directly in Linux. Add the public IP address to the device.
After that you can see it in the KeyHelp UI?!
I am going to give this a go, after looking into it the traffic and IP will never leave the computer.
shoulders
Posts: 70
Joined: Wed 25. Oct 2023, 21:05

Re: Cannot use KeyHelp behind a NAT

Post by shoulders »

Didn't work, the loopback adapter is ignored when looking at the adapters for information.

However, you can add the real IP to your normal network card as follows:

https://askubuntu.com/questions/585468/ ... -ubuntu-14

Code:

# The primary network interface
allow-hotplug ens3
iface ens3 inet static
    address 10.0.0.250
    netmask 255.255.255.0
    gateway 10.0.0.1

#secondary ip address
auto ens3:0
iface ens3:0 inet static
    address 31.31.31.31
    netmask 255.255.255.255

Restart the network with: /etc/init.d/networking restart

Once the IP(s) have been selected, they are then stored in KeyHelp which means adding a custom field would be an extremely easy thing to do and therefore add NAT support.

Settings --> Configuration --> System --> IP Addresses
But I am not happy with this as a permanent solution as I need to remove the NIC IP alias.
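
An added example, not part of the original post and not KeyHelp code: a small audit of an ifupdown configuration like the one above that reports which addresses are RFC 1918 private and flags any alias carrying a public address on a NIC whose primary address is private, so the temporary alias is easy to find and remove later. The function names are hypothetical and the sample input is constructed from the stanzas in the post.

```python
import ipaddress

# Constructed sample: the two ifupdown stanzas from the post above.
SAMPLE = """\
allow-hotplug ens3
iface ens3 inet static
    address 10.0.0.250
    netmask 255.255.255.0
    gateway 10.0.0.1
auto ens3:0
iface ens3:0 inet static
    address 31.31.31.31
    netmask 255.255.255.255
"""

def parse_stanzas(text):
    """Return {interface: {option: value}} for each 'iface' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                      # blank line or comment
        if words[0] == "iface" and len(words) >= 2:
            current = stanzas.setdefault(words[1], {})
        elif words[0] == "auto" or words[0].startswith("allow-"):
            current = None                # selection line ends the stanza
        elif current is not None and len(words) >= 2:
            current[words[0]] = words[1]
    return stanzas

def classify(text):
    """Return {interface: (address, prefix_length, 'private'|'public')}."""
    result = {}
    for name, opts in parse_stanzas(text).items():
        if "address" not in opts:
            continue                      # e.g. dhcp or loopback stanza
        spec = opts["address"]
        if "/" not in spec:               # netmask given as a separate option
            spec += "/" + opts.get("netmask", "32")
        iface = ipaddress.ip_interface(spec)
        kind = "private" if iface.ip.is_private else "public"
        result[name] = (str(iface.ip), iface.network.prefixlen, kind)
    return result

def public_aliases_on_private_nic(text):
    """Aliases (name:N) with a public address whose parent NIC is private."""
    found = classify(text)
    kind = lambda n: found.get(n, (None, None, None))[2]
    return sorted(n for n in found if ":" in n and kind(n) == "public"
                  and kind(n.split(":")[0]) == "private")
```

Calling `public_aliases_on_private_nic(open("/etc/network/interfaces").read())` on the host lists the aliases to review; for the sample it returns `['ens3:0']`.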
Tobi
Community Moderator
Posts: 2831
Joined: Thu 5. Jan 2017, 13:24

Re: Cannot use KeyHelp behind a NAT

Post by Tobi »

NAT never was and never will be part of KeyHelp.
If you need these things, you need to configure your network, configure your routers and switches and configure the operating system underneath KeyHelp.
Regards,
Tobi
shoulders
Posts: 70
Joined: Wed 25. Oct 2023, 21:05

Re: Cannot use KeyHelp behind a NAT

Post by shoulders »

You will lose a massive install base for what is a simple thing to add :cry: . Here is a list just to show to the developers of KeyHelp it is a thing that people use.
  • CWP
  • Virtualmin
  • HestiaCP
  • myVesta

There are more but I have not checked this feature.
Last edited by shoulders on Sun 29. Oct 2023, 11:26, edited 1 time in total.
Jolinar
Community Moderator
Posts: 3609
Joined: Sat 30. Jan 2016, 07:11
Location: Weimar (Thüringen)

Re: Cannot use KeyHelp behind a NAT

Post by Jolinar »

shoulders wrote: Sun 29. Oct 2023, 11:12 You will lose a massive install base for what is a simple thing to add :cry: . Here is a list just to show to the developers of KeyHelp it is a thing that people use.
The developers of the panel could also add a button that allows you to order pizza. This would be a unique feature that no other panel has. However, just because a feature exists doesn't mean it's useful. :roll:
If someone is incompetent, then he cannot know that he is incompetent. (David Dunning)

Data Collector for Community Support
___
I use two different font colors in my posts:
  • In this color, I write as a moderator and provide moderative guidance or justify moderative interventions
  • In this color, I write as a community member and share my personal opinions and views
Tobi
Community Moderator
Posts: 2831
Joined: Thu 5. Jan 2017, 13:24

Re: Cannot use KeyHelp behind a NAT

Post by Tobi »

Just adding a random button to a website does not add any function to this button.
You need to process the collected data and do something with it.

You can not know how much work and changes your „simple“ button will cause.
Regards,
Tobi