Public IPs on Virtualmin behind NAT

Hi all,

We are relatively new to Webmin/Virtualmin, mostly used to WHM/cPanel environment.
We have a lab and we’re testing the following config:

Websites are hosted on servers running Virtualmin, which are on a DMZ network. The DMZ network has a private IPv4 and servers are accessed via public IP using NAT 1:1.

Database servers will be on a private network and have Webmin. Already connected with the Virtualmin servers.

DNS servers will sit on the DMZ network as well, also using NAT 1:1.

After searching I found some topics about the subject, like:

Since they’re quite old topics, I would like to know if this is still the correct approach to this config:

  • System Settings -> Module Config -> Network Settings, and make sure you set “Default IP address for DNS records”

I would also like to understand, using this method, how to assign different IP addresses to different domains? For example, if virtual hosts are created listening to all addresses (or in this case the private address), then it wouldn’t matter if I point domain-a.com to public 1.2.3.4 or to 1.2.3.5 because the connection would forward both requests to the same server (eg, internal 192.168.1.1), and the server would then answer to either, even if the requested IP is not the IP assigned.

I believe an option would also be to add virtual interfaces like eth0:1, eth0:2, etc., but I don’t see many articles (may be my fault) taking this approach on Virtualmin when behind NAT.

Thank you

So, there’s no one from webmin/virtualmin able to reply to this?

I’m assuming that you have only one public IPv4 address on the WAN side of the NAT router.
You would have to configure port forwarding for ALL ports used by public facing services (http (80), https (443), dns (53), webmin (10000), etc.). The list goes on and on if you include mail (25, 587, 486, 993) etc.
Self hosting DNS on the LAN will require manual editing, else Webmin will populate DNS with local addresses.
If your Webmin server is the only public facing server you may be able to achieve this, but you can’t have, for example, two mail servers operating behind NAT at the same time on IPv4.
You may want to move to IPv6, which allows each device a public address. But you still need to ensure the ports are open (or not blocked) in the router.

Of course if you have more than one public IPv4 address then you could dedicate one to the Webmin server if your router allows such a configuration.

Unless you have a compelling reason to do this inhouse behind NAT, I’d suggest you test on a cloud instance where you’d avoid all these problems. You can find some very inexpensive instances.

@PeterP thank you for your answer but I feel like you completely missed my question.

Please don’t take me the wrong way and I do apologise in advance if my answer comes a bit off.
Please do understand I know perfectly how to forward traffic behind NAT and how to use NAT, and also if you understand NAT 1:1 it doesn’t require “ports” to be “forwarded” as one-to-one NAT. (and already “dedicates one to the webmin server”).
NAT 1:1 -> Incoming traffic from the Internet to the specified IP will be directed toward the associated internal IP. Outgoing traffic to the Internet from the specified internal IP will originate from the associated external IP.

You devoted an entire answer to NAT but NAT isn’t my question. My question is about the VIRTUALMIN CONFIGURATION to sit behind NAT. My problem isn’t IP’s availability either. I have plenty of public IPv4’s to use, and my current test setup with Virtualmin has two dedicated IP addresses:

  • One public IPv4 for Virtualmin/web server
  • One public IPv4 for Slave DNS server

Also, this is a “Cloud” instance. This sits on a remote infrastructure on a cluster, not in the basement. This is an HA cluster which comprises various servers, firewalls, HA routers, etc. I could put the servers behind a load-balancer even.

I deeply apologise if my answer comes off a little rough but I am enjoying the webmin/virtualmin software, but not falling for the community. Topics on this forum go unanswered, people reply with things that are not related like they didn’t even read the questions and this frustrates me. Aside from all the time it takes to get an answer from anyone, like this is a dead community. I’m really not looking to offend you or anybody really, but I do hope you understand my frustration with this “virtualmin community experience”.

I am testing a Virtualmin/Webmin setup that currently accounts for three servers:

  • The Virtualmin server is both web and master DNS.
  • There is a second webmin server, on a private closed network, which is the MySQL/MariaDB server. Remote MySQL working well.
  • There is a third server only serving as Slave DNS.

The setup is currently working AS IS (including letsencrypt ssl) and I’ve looked a lot trying to understand the best approach to this configuration with Virtualmin.

My question is, for those who are experienced with Virtualmin, that know it well, what is the correct approach from the Virtualmin POV to tell the Virtualmin system that a domain will have a given IP externally.
Virtualmin wiki link for Virtualmin Features is close to empty: https://doxfer.webmin.com/Webmin/Virtualmin_Features

So, I would like to understand, from experienced and knowledgeable users, what are the correct approaches to tell the Virtualmin server that IP-1 is for domain abcd.com and IP-2 is for wxxy.org, so DNS gets configured correctly from the start. My question is not about NAT, it is how to configure Virtualmin behind NAT for such scenarios, like giving an IP to a domain and another IP to another domain on the same server, being that the IP is not bound to any interface, but upon domain creation get the correct records created.

Obviously there are ways to do it, and I also know how this can be accomplished (independent of virtualmin or not). But again, and I am going to stress this, I came here looking for community experience with such scenarios. Thanks.

No apology necessary. Clearly I did not appreciate your setup correctly and I’m probably not the person who can answer your questions.
But I am a little confused why there is a problem at all and why NAT (of any version) is used. If your servers are remote, surely you address them by public IP addresses, so why are these servers not configured (static or DHCP) with public IP addresses? Then Virtualmin would operate as usual, I think. Perhaps I am just extending my ignorance of modern data centre technologies, and if that is the case I apologize and withdraw from the discussion.
I do hope that you find the answers you’re looking for and when you do that you’ll share them here to help others.
And in all sincerity - good luck.

Hi @PeterP, no problem at all. At least someone is responding and I can elaborate; maybe it helps the community to better understand what I’m looking for.

Ok so let me explain a little more about my setup:
Several dedicated servers running hypervisor1 OS. Each dedicated server does have a single public IP address which is not used and is restricted for management purposes.
The servers are in different locations (same provider) but all connected to the same switches.
So the public IPv4 subnet in use, and its routing, is server agnostic, delivered via a VLAN.
My routers/firewalls take the interface that picks the VLAN as WAN. So all the public addresses are delivered to the WAN interface.
These addresses are used for CARP HA, which means if the hypervisor1 where the firewall1 sits goes down, the backup router will take that traffic and keep normal operations. So, IPs are not really bound to physical machines or interfaces. They cannot.

Just to finalize, I actually don’t address my servers using their public addresses. The cluster and this setup is accessible to me via local network, as I have a site-to-site VPN from my place to the remote cluster. Public IP’s are for services that require access from the internet.

What I am trying to find out is what is the best way to tell Virtualmin “hey, your interface IP is 10.0.0.1, but your websites records and DNS should point to 1.2.3.4”.

What I did now is there’s that option to set a default IP for the master DNS, and set a name manually for the slave DNS. So I’ve put the public IP set on “Default IP address for DNS records” to use the external IP address rather than the internal address, and I’ve added a zone record matching the hostname of the slave DNS and its public IP. So DNS-wise it is working.

I also have a constant warning on my virtualmin dashboard saying:

 Warning!
Your system's primary IP address appears to have changed from 1.2.3.4
to 172.16.0.1. Virtual servers using the old address may be unreachable
or serve the wrong web content.

I haven’t updated any IP address using this feature, so the correct IP 1.2.3.4 is still coming on the newly created DNS records when I add a new virtual server.
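
An added example, not from any poster in this thread and not Virtualmin's own code: a check over generated zone data that each domain's A records carry the intended public (NAT 1:1 external) address and that no private interface address leaked into DNS, the failure mode discussed above. The zone excerpts and the domain-to-IP mapping are constructed, using the thread's placeholder addresses and domains.

```python
import ipaddress

# Constructed mapping: the public address each domain is meant to publish.
EXPECTED = {"abcd.com": "1.2.3.4", "wxxy.org": "1.2.3.5"}

# Constructed BIND-style zone excerpts. wxxy.org shows two faults: a record
# left on the server-wide default IP and one built from the interface address.
ZONES = {
    "abcd.com": """\
$ttl 3600
abcd.com.      IN  A   1.2.3.4
www.abcd.com.  IN  A   1.2.3.4   ; public side of the 1:1 NAT
abcd.com.      IN  MX  5 mail.abcd.com.
""",
    "wxxy.org": """\
$ttl 3600
wxxy.org.      IN  A   1.2.3.4
www.wxxy.org.  3600 IN A 172.16.0.1
""",
}

def a_records(zone_text):
    """Yield (name, address) for each 'name [ttl] [class] A addr' line."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "A" in fields[1:] and fields.index("A", 1) == len(fields) - 2:
            yield fields[0].rstrip("."), fields[-1]

def audit(zone_text, expected_ip):
    """Return (name, address, problem) for every A record that is wrong."""
    findings = []
    for name, addr in a_records(zone_text):
        if ipaddress.ip_address(addr).is_private:
            # Internal DMZ/LAN address exposed to resolvers and unreachable.
            findings.append((name, addr, "private address published"))
        elif addr != expected_ip:
            findings.append((name, addr, f"expected {expected_ip}"))
    return findings

if __name__ == "__main__":
    for domain, text in ZONES.items():
        for name, addr, problem in audit(text, EXPECTED[domain]):
            print(f"{domain}: {name} -> {addr}: {problem}")
```
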

I think I’m out of my depth here, so I’ll leave and hope that the extra explanation you have given will enable others to make useful suggestions.
Good luck
