Change to static IP on a network with dynamic NAT

I run a handful of websites via Virtualmin Pro on a Cloud-service instance with a static external IP (123.123.123.123). I would like to follow the recommendations and supply the static IP.

By doing this I hope to fix these issues:

If I go to the Virtualmin control panel > Select example.com > Logs and reports > Check Connectivity:

DNS resolution mismatch
example.com resolved to 123.123.123.123 instead of the expected 10.1.1.131
Check with your DNS registrar that the nameservers for the domain are set correctly, and that the IP address in your DNS records is correct.

SMTP connection failed
Network is unreachable
Make sure your system’s mail server is running and listening on the external network interface.

Apache server is complaining about missing VirtualHosts:

ubuntu@ns1:~$ sudo service apache2 restart
 * Restarting web server apache2
[Mon Jun 23 21:21:19 2014] [warn] NameVirtualHost 123.123.123.123:80 has no VirtualHosts
[Mon Jun 23 21:21:19 2014] [warn] NameVirtualHost 123.123.123.123:443 has no VirtualHosts

(The SMTP error puzzles me since mails are coming through all right. But I figure it could relate to the DNS resolution mismatch)

Here’s some info on the network model. At the moment Virtualmin only picks up the internal IP address (10.1.1.131) and registers it as given by DHCP.

The hosting provider is running dynamic NAT, meaning that all outgoing traffic from the instances goes through the virtual router with internal IP address 10.1.1.1, external IP 123.123.123.111.

Here's some information from the terminal:

ubuntu@ns1:~$ curl ifconfig.me
123.123.123.111

ubuntu@ns1:~$ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

ubuntu@ns1:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 02:00:6c:0d:00:05
inet addr:10.1.1.131 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::6cff:fe0d:5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:815428 errors:0 dropped:0 overruns:0 frame:0
TX packets:632875 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:548156404 (548.1 MB) TX bytes:777898188 (777.8 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:41958 errors:0 dropped:0 overruns:0 frame:0
TX packets:41958 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13824582 (13.8 MB) TX bytes:13824582 (13.8 MB)


I am not using the BIND DNS module, using external. FQDN setup ok.

My guess is that I should go to Webmin > Networking > Network configuration > Network Interface > eth0

Here I would

  • Choose Static Configuration
  • Supply the static IP 123.123.123.123 in IPv4 address
  • Supply the netmask 255.255.255.0
  • Leave broadcast to automatic

Then I would go and change all the IPs of my virtual servers to 123.123.123.123. And I guess the “Address type to change” would be the “Real address”.

Not too sure of all this though, so before I go lock myself out of the system, I thought I’d better ask for some advice here. Any tips on setting the static IP up correctly and getting rid of the DNS resolution issue?

If your cloud provider requires you to use the private (10.*) IP and go through the router, you mustn’t change the IP in your network config. That would render your server unreachable.

If you’re not providing DNS services, you can actually work with the private IP in all places. Your server doesn’t really need to know that it is reachable through NAT from the outside.

It is important though that your server is always reachable via your external IP, i.e. your hoster’s router must forward that IP to your private one on all relevant ports (25, 80, 443, 110, 465, 993, 955 etc). Make sure you configured firewalls/port forwardings correctly if required.

About the errors/warnings you’re seeing:

“DNS resolution mismatch”: You can probably ignore that. It’s an artifact stemming from the NAT construct.

“SMTP connection failed”: This would imply that forwarding from your external to the internal IP is not working properly. This is not necessarily a problem of your server. Try to ping your server from the outside, and see if connection to port 25 works. Make sure your Postfix is running and listening on port 25, and that no local firewall is blocking connections.

Apache warning: That means there are extraneous NameVirtualHost directives for your external IPs in Apache’s main config file. You need NameVirtualHost directives for your internal IPs there; you can remove all other such directives. The message is not problematic though, except if the external IPs are the only ones in there. Apache needs the internal IPs.
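The check described in the answer above, as an added example that is not part of the original posts: it reads an Apache 2.2 style config and flags each NameVirtualHost address that has no matching <VirtualHost> block or whose IP is not on a local interface, which is the case for an external address behind NAT. The function name `audit_namevhosts`, the helper `sample_conf` and the sample config are assumptions constructed from the addresses in this thread; matching is by exact address string and IPv4 only.

```shell
#!/bin/sh
# Usage: audit_namevhosts LOCAL_IP... < apache-config
# Prints "addr reason[,reason]" for every suspicious NameVirtualHost line.
audit_namevhosts() {
    awk -v locals="$*" '
        BEGIN { m = split(locals, l, " "); for (i = 1; i <= m; i++) islocal[l[i]] = 1 }
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "namevirtualhost" { nvh[++n] = $2; next }
        tolower($1) == "<virtualhost" {           # a block may list several addresses
            for (i = 2; i <= NF; i++) { a = $i; sub(/>$/, "", a); if (a != "") used[a] = 1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                addr = nvh[i]; host = addr; sub(/:[0-9]+$/, "", host)
                why = ""
                if (!(addr in used)) why = "no-virtualhost"
                if (host != "*" && !(host in islocal))
                    why = why (why != "" ? "," : "") "not-on-local-interface"
                if (why != "") print addr, why
            }
        }
    '
}

# Constructed sample: internal 10.1.1.131 behind NAT, external 123.123.123.123.
sample_conf() {
    cat <<'EOF'
# constructed sample, not the poster's real file
NameVirtualHost 10.1.1.131:80
NameVirtualHost 10.1.1.131:443
NameVirtualHost 123.123.123.123:80
NameVirtualHost 123.123.123.123:443
<VirtualHost 10.1.1.131:80>
    ServerName example.com
</VirtualHost>
<VirtualHost 10.1.1.131:443>
    ServerName example.com
</VirtualHost>
EOF
}

sample_conf | audit_namevhosts 10.1.1.131 127.0.0.1
```

On a real host the local addresses would come from the interface list (for example the `inet addr` values shown by `ifconfig`) rather than being typed by hand.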

Thanks for your reply Locutus - very helpful :)

The apache error stemmed from the external IP 123.123.123.123 being mentioned in apache.conf along with the internal IPs like this:

NameVirtualHost 10.1.131:80
NameVirtualHost 10.1.131:443
NameVirtualHost 123.123.123.123:80
NameVirtualHost 123.123.123.123:443

I have deleted the external IPs and the messages are gone.

The SMTP error does not stem from firewall issues, as far as I can tell. Postfix is running and the required ports are open.

A final thing I forgot to mention in my post above:

For the moment I have added the external IP to /etc/hosts like this:

127.0.0.1 localhost.localdomain localhost
127.0.0.1 ns1.mydomain.com ns1 localhost
123.123.123.123 ns1.mydomain.com ns1

I figure the server needs to be able to resolve its own external IP. This has helped resolve some issues with CMS modules needing to “loop back” to the server.

About the SMTP error: Okay, this will require some further investigation then. :)

What about your hoster, do you need to configure firewall/port forwarding there? Or are all ports on your external IP forwarded to the internal?

Can you connect to your server from the outside on other ports, like 80 or 110?

I have to manually forward the ports I intend to use (including 25, 110, 465, 587, 995, 993), and to my knowledge all ports are forwarded correctly - I can connect to them.

Okay, sorry then I don’t really know why the connectivity check would report that your SMTP is not reachable… You might try another mail server check on the Internet, to get a “second opinion”. :)

If you tell me the IP address in question, I can do some tests from my end too.