Help for network configuration

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.2
Webmin version 2.013
Virtualmin version 7.5

I want to configure my eko1 server so that my websites are visible on the net. I tried leaving the default settings, but it didn’t work properly.

So I read many pages of documentation and discussions, ran many configuration tests, and remained a little lost in front of the multitude of possibilities, the difficulty of understanding certain concepts, and of carrying out tests while waiting for DNS propagation and while connected to the local network.

I cannot get it to work satisfactorily: sites cannot be reached and emails are not delivered, despite satisfactory values on intodns.com and mxtoolbox.com.

Since a picture is worth a hundred words, I’d like to walk you through my installation process so you can point out any inconsistencies. I took screenshots without masking the information, considering that this does not constitute a risk. If it does, please let me know.

  1. I created glue records on the main domain at my registrar, ns1.ekoprojet.org and ns2.ekoprojet.org, and made them point to the external IP address of my box.
    [screenshot]
  2. I assigned these nameservers to the different domains that I want to host on this server, including, first, the primary domain.
    [screenshot]
  3. I assigned a fixed IP to my server on my local network, 192.168.1.50, and placed it in the DMZ so that it is accessible from the outside.
  4. The address is indeed found, during the installation of the server, or by leaving the interface in DHCP.
  5. I tried to configure Routing and Gateways, but I suspect that something is missing here.
  6. I haven’t changed anything in Hostname and DNS Client, but maybe something is missing there too.
  7. I added the private address and the public address in the Host Addresses, but certainly there is one too many.
  8. I added ns1 and ns2 entries in the primary domain zone file.
    At this stage, and after many changes, the public IP is indicated in the zone files of my virtual servers, such as that of the primary domain.
  9. I’m surprised that the default shared IP is listed like this and wonder if that needs to be changed.
  10. It seems strange to me that the shared address is the private address on my network. Shouldn’t that be the public IP instead?

Here are my newbie questions. I hope someone will find the time to point out my mistakes.
Thank you and good day

@thierry1,

If your server is behind a router (which it sounds like it is), then IP addresses like the “shared IP” are going to be private IPs (e.g. 192.168.x.x), which is completely normal. This is because, as long as your system knows how to reach the web, which it should if the router is configured correctly, you are only really concerned with “inbound” routing FROM the web to your server.

For inbound routing, you would set up “port forwarding” on the router for the ports you want to point at your server (e.g. 80, 443, 53, etc.).

You don’t add the “public IP” to your “hosts” file, as this isn’t the way you assign “ns1” or “ns2” to your system. Instead you set up an “A record” within the zone of your domain “ekoprojet.org”.


As noted above, you would need to port forward TCP and UDP port “53”, which allows DNS queries to reach your system.

Make sure to do this for both TCP and UDP (some routers may allow you to do this for “both”, saving you the extra rule).

You SHOULD set up a “static” IP address for your system rather than a DHCP one, UNLESS you have the ability to set up static IPs on the router based on “MAC address”, which would ensure the same IP address is always assigned based on the MAC address of the system.

*** I will not be going into how to accomplish the above, so if it seems confusing, set up a static IP address on the system instead of relying on a dynamic one assigned by DHCP ***

You should NOT need to mess around with the Gateway options within Webmin unless you absolutely know what you are doing. The system should be able to reach the Internet through your router by default.

On the “Hostname and DNS Client” screen, be sure to list “127.0.0.1” as a DNS server so that DNS works properly in identifying hosted domains.

If you require further assistance, please continue to update the thread with specifics.
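The reply above says to forward port 53 over both TCP and UDP and to publish ns1/ns2 as A records in the zone. The script below is an added example, not something posted in this thread: it speaks raw DNS to a nameserver (by default the public IP you give it) over both transports and reports what A and AAAA answers come back, so a missing TCP forward or a stale AAAA record shows up immediately instead of after waiting for propagation. The embedded sample reply is constructed for the offline test; the address 203.0.113.10 is a documentation address, not the poster's real IP.

```python
"""Query an authoritative DNS server directly over UDP and TCP port 53.
Added example (not from the forum thread); names/addresses are placeholders."""
import socket
import struct
import sys

QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, null terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 s4.1.4
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Return rcode, the AA flag and (name, type, value) for every RR."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE_A:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        records.append((name, rtype, value))
        offset += rdlen
    return {"rcode": flags & 0xF, "authoritative": bool(flags & 0x0400), "records": records}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query(server, name, qtype, proto, timeout=3.0):
    """Send one query over 'udp' or 'tcp' to server:53 and parse the answer."""
    q = build_query(name, qtype)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(4096)
    else:  # DNS over TCP prefixes every message with a 2-byte length
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    return parse_response(data)


def check_nameserver(server, name):
    """Ask for A and AAAA over both transports; a missing TCP forward shows as FAILED."""
    results = {}
    for proto in ("udp", "tcp"):
        for qtype, label in ((QTYPE_A, "A"), (QTYPE_AAAA, "AAAA")):
            try:
                r = query(server, name, qtype, proto)
                results[(proto, label)] = [v for _, t, v in r["records"] if t == qtype]
            except OSError as exc:  # timeout, refused, unreachable
                results[(proto, label)] = f"FAILED: {exc}"
    return results


# Constructed sample reply (not captured from a real server): an authoritative
# answer mapping ns1.ekoprojet.org to the documentation address 203.0.113.10.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + encode_name("ns1.ekoprojet.org") + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4)
    + socket.inet_aton("203.0.113.10")
)

if __name__ == "__main__":  # usage: python dnscheck.py <public-ip-of-box> ns1.ekoprojet.org
    for (proto, label), value in sorted(check_nameserver(sys.argv[1], sys.argv[2]).items()):
        print(f"{proto.upper():3} {label:4} {value}")
```

Run it from a machine outside your LAN (a phone hotspot will do) against the public IP: if UDP answers and TCP reports FAILED, the router is forwarding only one protocol; if the AAAA answer differs from the address the box actually holds, the zone is stale, which is the IPv6 symptom that comes up later in this thread.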

Hello and thank you for your detailed answer @tpnsolutions
It helped me on certain points of detail where I had doubts.

  1. I added 127.0.0.1 as a DNS server in Hostname and DNS Client. The address 127.0.0.53 had been added by default and I left it.

  2. On my router, I kept the server in the DMZ, which seems intended to make this equipment accessible from the Internet. (The services likely to be accessed from the Internet will be located in the DMZ, and all flows coming in from the Internet are redirected by default to the DMZ by the firewall. The firewall will therefore block access to the local network from the DMZ to guarantee security. In the event of a compromise of one of the services in the DMZ, the hacker will only have access to the machines in the DMZ and not to the local network.)

Maybe it’s not a good idea, but without it, the router doesn’t seem to be accessible from the outside.

  3. I configured the firewall of my router as below.

  4. I had already added the necessary records in the ekoprojet.org zone, as below, and hope that it corresponds to what you suggested.

    [screenshot]

  5. I set up the interface with the private static IP address that my router assigns to the machine/server.

  6. I left Routing and Gateways as in the previous screenshot.

Despite all this, and a restart of the services and the router, my server still does not seem accessible from the outside. I have detailed the steps and added screenshots in order to track down the detail that must be the problem.

Thank you very much for your help, and I wish you a speedy recovery.

@thierry1,

I can connect to your server without issue.

I am testing from my public Wi-Fi and cannot connect… it seems that I cannot contact the server from my private network.
I will do other tests, and thank you for the progress you have helped me make. Have a good day.

I can as well; sounds like a firewall issue. Can you see the default website OK, or can’t you connect to that either? Check fail2ban blocks.

What do ping and maybe traceroute tests show?

Hello @stefan1959

I’m also thinking it’s a firewall issue. The server’s is at its defaults, and the router’s is configured in an identical way. Does this seem wise to you?

Fail2ban is indeed activated and configured by default, but what do you mean by “Check fail2ban blocks”?

A strange thing is that when I ping the hosted addresses, the response is always only the IPv6.

Thank you for your support.

I use a VPS so no idea about the router setup.

Hmm, and pings work OK. Do you have IPv4 enabled on your PC (Windows?)
Just a thought: override DNS and add the address into the hosts file of your PC.

fail2ban should show IP blocks

Looking at your message, you don’t have an IPv6 address enabled and no IP address in the interface. Is this still the case?
I ran this test; it says the website is failing on IPv6. Are you sure you’re using the correct IPv6 address?

Hello guys,
Thanks for your help.
Indeed, my IPv6 address had changed. So I enabled DynDNS.

Another question: my router (Orange Livebox) has a firewall and so does my server. They are set the same way, but maybe one of the two is superfluous. Isn’t the function of the DMZ to open all ports to a device that manages its own firewall, like my server?

Here is a view of the Fail2ban blocks, but I don’t know what to do with them yet. I’ll dig into the question and report back here.

thanks again

As long as you don’t see your IP in there, you’re right.
Yep, DMZ will open up all ports.