How Split DNS? Virtualservers internal works only with static entries in the hosts file devices our hotel LAN WLAN (4x routers)

Agile_lab · January 11, 2018, 9:30am

Short summary clearly:
I do not connect to domains(+SSL) from internal network (only connect if I add to hosts static entries WAN IP second router). External everything works.

EDIT:
Your router likely doesn’t support “NAT Reflection”, also called “Hairpin NAT” or “NAT Loopback”.
This means that the requests to your public IP address from inside your own network are either not sent to the server at all or are sent to the server with the wrong “Respond-to” IP address, causing “Triangular Routing” which your computer can’t handle.
Your router may have a setting that allows you to turn on NAT Reflection. Otherwise, the only way to solve this is with “Split DNS” - setting up DNS in your network to return your server’s private IP instead of its public IP.

!!This means 3 routers NOT support ‘NAT Reflection’ only 1 MikroTik.

Server machine:

OS: Debian 9.3
Webmin version: 1.872
Virtualmin version: 6.02
Usermin version: 1.732
Server: NGinx with Phusion Passenger (Ruby On Rails)
All installed packages are up to date

–
Business client hotel network setup is 4X ROUTERS:

First router ISP O2 HG622u gateway - public IP xx.xxx.xx.xxx

open DMZ > WAN TL-WR1043ND (static IP)

LAN port to WAN Mikrotik
LAN port to WAN TL-WR1043ND

LAN to WAN TL-WR841N / TL-WR841ND

Virtualmin is behind TL-WR1043ND

open 80, 443, 993, 465, 5222, 5223, 5269

From external net everything works (http, https, imaps, jabber)
BUT If I’m at the local network:

a) on net first router get only domains with screen login to admin gateway HG622u for every domain.

b) on net second router get only domains without SSL only http

BUT!

If I add to laptop /etc/hosts at network on first or second router IP adress from WAN TL-WR1043ND everything works.

HOW to get to see the same(+SSL) domains on both local network as on the external network, without add data to /etc/hosts.

Note: If I setup clear nginx (6 domains) + dnsmasq without virtualmin, everything works internal, external.

Note2: WE love Virtualmin and support open source software and other our VPS and dedicated machines in other countries with Virtualmin works perfectly… this is first machine with internal (wlan, lan) - external network for clients.

Thank you for Your response!

Alex

noisemarine · January 13, 2018, 2:22am

You have to set up Bind DNS to use “views”. Make sure your devices use it as the DNS server.

https://doxfer.webmin.com/Webmin/BIND_DNS_Server#Using_BIND_views

Agile_lab · January 13, 2018, 7:16pm

Hello Noisemarine,

OK > I setup new client view > name: everyone for all clients and move (Existing DNS Zones) everything into this view

(except root - I can delete it? or how move? Becouse now “Existing Client Views Warning - the following zones are not in any view : .”
/etc/bind/named.conf.default-zones:2: when using ‘view’ statements, all zones must be in views

EDIT: I also move root zone to new view everyone

No errors were found in the BIND configuration file /etc/bind/named.conf or referenced zone files.

BUT I (the hotel customers) still can NOT connect from internal (intranet) to domains (only from vpn as opera, or protonvpn…), OR only from external network.

I would like to do this > if a customers arrives at the hotel and connect to any of the 4 wifi (WLAN, LAN) >> will get domains (6x for the time being
) from virtualmin + customers from external. Now works only from external.

Thank very much for Your answer.

Alex

Joe · January 13, 2018, 7:43pm

You will need to disable DNS for (all) domains in order to switch to using views. Once you setup Virtualmin to use views you can turn the DNS feature back on and it’ll generate new records within views. I’d recommend making sure you have good backups (and specifically a backup of just the zones files) Just In Case anything goes wrong (views are well-tested in Webmin, and in wide use by about a gazillion people, but this is a complex configuration…better to be safe than sorry).

Agile_lab · January 13, 2018, 9:51pm

Hello Joe,

OK.

I have edited the basic post. I added technical information about system.
I added root zone to new views (name: everyone - contains all dns zones now) and no error now + restart bind9

BUT I still can not get domains from internal (intranet) ONLY connect if I add to customers devices hosts static entries WAN IP second router TL-WR1043ND

Behavior is the following:

test domain with http > show login screen to the home gateway on first HG622u
production domains with SSL > ERR_CONNECTION_TIMED_OUT

From external network everything works.

Thank you very much for Your answer and support!

Alex

noisemarine · January 14, 2018, 7:11am

I’m not sure if I understand what you have done. Did you create two views? One for internal and one for external? Essentially, that is what you need to do so that your hotel users will be served DNS records from the “internal” view, and people outside will be served records from the “external” view. Hopefully somewhat obviously, the internal zone file has names that resolve to internal/LAN IP addresses, and the external zone file has names that resolve to the public IP addresses. So, each domain has two zone files.

manojnaikade · January 13, 2019, 12:45am

did you able to do it using views? I would be really happy to know how