Hairpin routing
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
Should "just work." Of course, passing storage in and out of the firewall is a bit nutty, but shoudl work.
-
@scottalanmiller said:
@Dashrender said:
And since you're running a split brain DNS (internal is the same as external - example.com) you'll never get a reply from an external DNS server.
This sounds like layer after layer of bad decision making. There is a reason why split horizon (I know one bad MS document says split brain but that really should be avoided) DNS is not a good practice.
It may not be, but MS does it themselves.
What is the name of the internal NTG domain?
-
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
Should "just work." Of course, passing storage in and out of the firewall is a bit nutty, but shoudl work.
yeah, if Owncloud is used by internal personal more than external, this is probably a pretty bad setup, stresses the firewall for no good reason.
-
@Dashrender said:
It may not be, but MS does it themselves.
I'm going out on a limb here only because they can't possibly have warned against it more but I've never signed into their network but...
No, they absolutely don't do this.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
Should "just work." Of course, passing storage in and out of the firewall is a bit nutty, but shoudl work.
yeah, if Owncloud is used by internal personal more than external, this is probably a pretty bad setup, stresses the firewall for no good reason.
Even if it is just used "some" it's still not a great setup.
-
In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet so I heard caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.
-
This is an issue I am working on and I don't have time to be here right now, but I will give the full setup anyway.
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.Setup:
12.12.12.10 = NAT and all working.
12.12.12.12 = 1-1 NAT to proxy server and all working.
Internal DNS is proxy.domain.com = A record 10.202.1.16
Internal ownCloud DNS is oc.domain.com = CNAME proxy.domain.com (also used A record 10.202.1.17 either works fine)
External DNS is oc.domain.com = CNAME proxy.domain.com
External DNS for proxy.domain.com = A record 12.12.12.12Issue:
Laptop has Pertino + ADConnect
So due to ADConnect the laptop ALWAYS gets oc.domain.com as 10.202.1.16 (or .17 when I had the A record internally)
Because the proxy and ownCloud do not have Pertino, the laptop cannot talk to ownCloud.Solution: Hairpin NAT and set internal DNS to External IP
Issue: How to set it up manually on the 1-to-1 NAT.It works as expected on the default masquerade.
https://i.imgur.com/7IW606s.jpg. -
I use name.local here myself... works fine
I just create A-records
to do internal DNS-A record within Windows Server DNS, there is a guide out there
Essentially need to create an internal DNS A-Record to point to the internal IP address of the own cloud server.
Then on the domain Registrar website; create an external DNS A-record and point it to your External WAN address 12.12.12.12 as given in example.
Be sure to have appropriate firewall rule and port forwarding configured to accept traffic on interface for 12.12.12.12 and redirect the requests on destination ports to the internal owncloud IP address
-
@Dashrender said:
In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet so I heard caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.
.local had no problems and routes fine. It can't be looked up by public DNS servers, which is a good thing not a bad one. Yes, MS made the split horizon mistake in 2000, that was a decade and a half ago and has long since not done that. It's a horrible practice with endless problems.
Any problems with .local I'm confident were myths. Like that it could not route. It works flawlessly until you have Macs which use .local specifically to break AD as part of an MS / Apple feud from long ago.
The recommendation since .local is to have a unique domain that you own but is not .local.
Split horizon has not been considered remotely acceptable since 2003 era or earlier. There's really no upside. And as there is everything warning against it and nothing recommending it, it's quite shocking that it happens. It's the most basic thing that they have always warned about in AD training.
-
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"
-
@scottalanmiller said:
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"
It is also a slowdown that is not needed.
-
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"
It is also a slowdown that is not needed.
Have you tested it? is it really slower?
-
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"
It is also a slowdown that is not needed.
Yup, uses extra CPU and whatever. Shouldn't be dramatic, but it's there.
-
@Dashrender said:
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"
It is also a slowdown that is not needed.
Have you tested it? is it really slower?
Yes Pertino is slow. Always has been. Not horrible, but slower than direct.
-
@Dashrender said:
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"
It is also a slowdown that is not needed.
Have you tested it? is it really slower?
Has to be slower, latency is unavailable. Is it noticeably slower? That may or may not be. It will use more CPU for sure.
-
@JaredBusch said:
@Dashrender said:
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"
It is also a slowdown that is not needed.
Have you tested it? is it really slower?
Yes Pertino is slow. Always has been. Not horrible, but slower than direct.
Kind of an average, but our Pertino would pretty typically add 50ms, which for storage can be noticed in many cases. We've seen 400ms happen a lot, but not an average. It's enough to feel for storage.
-
@scottalanmiller said:
@Dashrender said:
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"
It is also a slowdown that is not needed.
Have you tested it? is it really slower?
Has to be slower, latency is unavailable. Is it noticeably slower? That may or may not be. It will use more CPU for sure.
Thank you for asking the question I meant to ask
-
@scottalanmiller said:
@Dashrender said:
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.
That makes sense. Very different from "doesn't support it"
It is also a slowdown that is not needed.
Have you tested it? is it really slower?
Has to be slower, latency is unavailable. Is it noticeably slower? That may or may not be. It will use more CPU for sure.
When I misconfigured Pertino once after first getting it, and the entire office was routing a single application over Pertino, it killed connections. The latency is what killed it.
-
@scottalanmiller said:
@Dashrender said:
In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet so I heard caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.
.local had no problems and routes fine. It can't be looked up by public DNS servers, which is a good thing not a bad one. Yes, MS made the split horizon mistake in 2000, that was a decade and a half ago and has long since not done that. It's a horrible practice with endless problems.
Any problems with .local I'm confident were myths. Like that it could not route. It works flawlessly until you have Macs which use .local specifically to break AD as part of an MS / Apple feud from long ago.
The recommendation since .local is to have a unique domain that you own but is not .local.
Split horizon has not been considered remotely acceptable since 2003 era or earlier. There's really no upside. And as there is everything warning against it and nothing recommending it, it's quite shocking that it happens. It's the most basic thing that they have always warned about in AD training.
There are still people touting this stuff all over the place.
http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html
This site says ICANN is selling .local, but I can't find anything on that at all.
http://blog.varonis.com/active-directory-domain-naming-best-practices/