Results 1 to 10 of 18
  1. #1
    Untanglit
    Join Date
    Oct 2010
    Posts
    20

    bridge an interface for cPanel

    Hi,

    I recently set up Untangle to handle our local network access with Open VPN. The topography looks like this:
    I can't add the images because I haven't made enough posts.

    WAN1 --> Untangle --> LAN
                      --> LAN2 (DMZ)

    sorry the html is removing the spaces...

    The mail server was recently added and I had thought to simply NAT it to a subnet 192.168.4.0/24 with port forwarding from the aliased IP on the WAN.

    It all seemed OK until the people setting up the mail server reported issues with cPanel calling home and reporting the x.x.x.30 IP rather than the 192.168.4.5 it thinks it is. Normally I'd want this so it resolves through DNS etc but I've discovered that cPanel won't support a config that uses NAT this way.

    My proposed solution is to bridge a second WAN NIC to the mail server so it can use x.x.x.30 without any NAT.
    I can't add the images because I haven't made enough posts.

    Switch --> WAN1 --> Untangle NAT --> LAN
           --> WAN2 --> Untangle bridged --> LAN2 (DMZ)

    My question is "Do I need the second NIC and switch?" I can't see how I could bridge the aliased IP only. Seems to me I need to bridge a physical interface, or can I NAT eth0 and bridge eth0:1?

    Hope this makes sense.

  2. #2
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,689


    Hi, just make 5 posts in this thread and then post the images.

    You can add a NIC and bridge it to your WAN and give it a public IP (on the same subnet as untangle's external IP) if that is your question. This is how the DMZ is setup by default.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untanglit
    Join Date
    Oct 2010
    Posts
    20


    well

  4. #4
    Untanglit
    Join Date
    Oct 2010
    Posts
    20


    that's how I read the docs

  5. #5
    Untanglit
    Join Date
    Oct 2010
    Posts
    20


    but I wanted to know if bridging can be done to an aliased IP

  6. #6
    Untanglit
    Join Date
    Oct 2010
    Posts
    20


    or can I only bridge a physical interface - ie do I need the second NIC on the WAN?
    Current set up:


    proposed set up:


    I guess the answer was in your reply - I have to add the second WAN NIC.

    Thanks
    Last edited by canalian; 02-02-2011 at 07:22 PM. Reason: added images

  7. #7
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,689


    I don't think I understand, but having two separate NICs both being the same WAN won't work, much less sharing that same IP with an internal server.

    You want to bridge the DMZ to the external and give the mail server the .30 IP.

  8. #8
    Untanglit
    Join Date
    Oct 2010
    Posts
    20


    To be honest - I think I have the answer in your original reply and this thread is getting messy, but I will explain even if this is just to get it clear in my head...

    I have 2 static IPs available x.x.x.30 and x.x.x.26. They are on different subnets and have different gateways. I want a mail server on one and access to my LAN on the other.

    Currently I have both IPs bound to the one WAN interface on the Untangle box. Each has address to host port forwarding in place:
    x.x.x.26 is the primary IP and has OpenVPN and a few port forwards to the LAN. (192.168.0.0/24)

    x.x.x.30 is an alias on the same NIC and has another series of port forwards to another network I am arbitrarily calling my DMZ (192.168.4.0/24)

    So far so good. Setting up a mail server on 192.168.4.5 seems to work fine with just the appropriate port forwards. It could have been achieved with the mail server on the LAN but I need a lot of ports to be open and didn't want to have them all open to the LAN so I used a different subnet.

    The problem arose when the decision was made to install cPanel on that mail server. cPanel licensing requires it to report itself to their system periodically. It was complaining about the mismatch between the 192.168.4.5 IP it knows it is running on and the x.x.x.30 IP it resolves to. While a work around was found it raised the issue that cPanel would not support the installation (support was paid for) in this NAT environment. The server on which cPanel runs must run the x.x.x.30 IP.

    I had thought to use bridging to the DMZ as you pointed out but now realised I cannot do that and still have my LAN services as I want them if I use only the one WAN NIC.

    My question was originally whether I could use an alias on a single WAN NIC bridging the aliased IP to the mail host as per a default DMZ and still use NAT on the other IP?

    I believe I could achieve such a thing using a Linux box and iptables but couldn't figure out how to do this in Untangle. I now believe that in Untangle bridging must be done to a physical interface not an alias.

    For the sake of a $15 NIC I will make:
    x.x.x.26 the primary NIC and use the current NAT rules and OpenVPN to my LAN.
    and
    x.x.x.30 the secondary NIC bridged to the mail server so it can use x.x.x.30

    I'm quite sure I have turned a simple question into something entirely more difficult than it needed to be. Sorry for the confusion.

  9. #9
    Untangle Ninja mrunkel
    Join Date
    Jul 2008
    Posts
    2,989


    Nope. You can not plug two NICs into the same physical network without doing some bonding. It just won't work. This has to do with how the Linux networking code handles ARP.

    In order for the untangle to bridge, it must have an IP in the subnet, so unless the two IPs you have are close enough so that you can expand the mask, this won't work.

    Lastly, I'm shocked that cPanel would throw a hissy at being natted. This is pretty freaking common.
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.

  10. #10
    Untanglit
    Join Date
    Oct 2010
    Posts
    20


    Quote (Originally Posted by mrunkel):
    Nope. You can not plug two NICs into the same physical network without doing some bonding. It just won't work. This has to do with how the Linux networking code handles ARP.
    So even though these 2 IPs are on different subnets 184.71.0.30/30 and 184.71.0.26/30 because they are coming from a single cable modem I am hooped?

    Quote (Originally Posted by mrunkel):
    In order for the untangle to bridge, it must have an IP in the subnet, so unless the two IPs you have are close enough so that you can expand the mask, this won't work.
    I'm sorry I don't completely understand this. Can you elaborate? The 2 IPs are right next to each other, as I understand the subnet mask I have then:
    Address: 184.71.0.26
    Netmask: 255.255.255.252 = 30
    Network: 184.71.0.24/30
    Broadcast: 184.71.0.27
    HostMin: 184.71.0.25
    HostMax: 184.71.0.26
    Hosts/Net: 2
    and

    Address: 184.71.0.30
    Netmask: 255.255.255.252 = 30
    Network: 184.71.0.28/30
    Broadcast: 184.71.0.31
    HostMin: 184.71.0.29
    HostMax: 184.71.0.30
    Hosts/Net: 2
    on each subnet I have my host and the ISP gateway. Can I make use of that with the expanded mask you referred to?


    Quote (Originally Posted by mrunkel):
    Lastly, I'm shocked that cPanel would throw a hissy at being natted. This is pretty freaking common.
    I was shocked too. I was fairly sure I should be able to run the mail server, cPanel and all behind NAT. Perhaps I'll go back to them and push this some more...

    your help has been most appreciated thus far.

    One more question. I'm feeling a little uncomfortable at posting the actual external IPs. Perhaps those should be removed from the forum once you've read this?
    Last edited by canalian; 02-02-2011 at 11:35 PM.
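The question in the post above, whether two adjacent ISP-assigned /30s are "close enough" to be covered by one wider mask, is a prefix-aggregation check that can be worked out exactly. The script below is an added example, not code from the thread or from Untangle. It uses RFC 5737 documentation addresses (203.0.113.x) in place of the poster's real addresses, keeping the same last octets so the arithmetic lines up with the ipcalc listing in the post; the assumption that each /30's HostMin is the ISP gateway is a constructed one, since the post only says each subnet holds "my host and the ISP gateway". It reproduces the per-/30 breakdown, finds the smallest single prefix covering both addresses, counts how many mask bits that drops, and lists the former network and broadcast addresses that would become ordinary host addresses under the wider mask.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation range) standing in for the
# two ISP-assigned /30s in the thread; last octets match the post's ipcalc output.
PRIMARY = "203.0.113.26/30"    # primary WAN IP: NAT + OpenVPN to the LAN
DMZ_IP = "203.0.113.30/30"     # alias / would-be bridged IP for the mail server
# Assumed gateway positions (HostMin of each /30); the thread does not say which host is the gateway.
GATEWAYS = ["203.0.113.25", "203.0.113.29"]


def describe_slash30(cidr):
    """Break a small prefix into the fields ipcalc prints (network, hosts, broadcast)."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    hosts = list(net.hosts())
    return {
        "address": str(iface.ip),
        "network": str(net),
        "hostmin": str(hosts[0]),
        "hostmax": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "hosts_per_net": len(hosts),
    }


def covering_supernet(cidr_a, cidr_b):
    """Smallest single prefix that contains both assigned addresses.

    Starts from a host route for the first address and widens the mask one bit
    at a time until the second address falls inside it.
    """
    a = ipaddress.ip_interface(cidr_a).ip
    b = ipaddress.ip_interface(cidr_b).ip
    net = ipaddress.ip_network(f"{a}/{a.max_prefixlen}")
    while b not in net:
        net = net.supernet()  # drop one mask bit
    return net


def expanded_mask_plan(cidr_a, cidr_b, gateways, max_bits_to_drop=1):
    """Report what widening the mask to cover both /30s would mean.

    'close_enough' is True when the merge drops no more than max_bits_to_drop
    mask bits (a /30 pair merging into a /29 drops exactly one).
    """
    ifaces = [ipaddress.ip_interface(c) for c in (cidr_a, cidr_b)]
    merged = covering_supernet(cidr_a, cidr_b)
    original_prefixlen = max(i.network.prefixlen for i in ifaces)
    bits_dropped = original_prefixlen - merged.prefixlen

    # Network/broadcast addresses of the original /30s that turn into plain
    # host addresses once the wider mask is used (the merged prefix keeps its own).
    reserved = ({i.network.network_address for i in ifaces}
                | {i.network.broadcast_address for i in ifaces})
    freed = sorted(reserved - {merged.network_address, merged.broadcast_address})

    gws = [ipaddress.ip_address(g) for g in gateways]
    all_inside = all(i.ip in merged for i in ifaces) and all(g in merged for g in gws)
    return {
        "prefix": str(merged),
        "bits_dropped": bits_dropped,
        "close_enough": bits_dropped <= max_bits_to_drop,
        "usable_hosts": merged.num_addresses - 2,
        "gateways_inside": [str(g) for g in gws if g in merged],
        "freed_addresses": [str(a) for a in freed],
        "all_inside": all_inside,
    }


if __name__ == "__main__":
    for cidr in (PRIMARY, DMZ_IP):
        print(describe_slash30(cidr))
    print(expanded_mask_plan(PRIMARY, DMZ_IP, GATEWAYS))
```

For the thread's pair the merged prefix is a /29 that drops a single mask bit and holds both hosts and both gateways, so on paper the expanded mask is feasible; for two addresses further apart (say .26 and .130) the covering prefix balloons to a /24 and the check reports it as not close enough. Either way, widening the mask on the Untangle side does not change how the ISP router treats the two /30s, and it would put both ISP gateways into one broadcast domain from your side only, so the result is something to confirm with the ISP before relying on it.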
