ipa server with two network adapters in a separate vlan each

veksell
Posts: 2
Joined: 2022/03/15 10:07:41

ipa server with two network adapters in a separate vlan each

Post by veksell » 2022/03/15 11:30:31

Quick overview of setup first:
  • VLAN1:
    • ipaserver-eth0:
      • ip: 192.168.15.252/24
      • gateway: 192.168.15.254
    • ipareplica-eth0:
      • ip: 192.168.15.251/24
      • gateway: 192.168.15.254
  • VLAN2:
    • ipaserver-eth1:
      • ip: 192.168.10.252/24
      • gateway: N/A
      • Ignore automatically obtained routes: True
      • Ignore automatically obtained DNS Parameters: True
      • Never use this network for default route: True
    • ipareplica-eth1:
      • ip: 192.168.10.251/24
      • gateway: N/A
      • Ignore automatically obtained routes: True
      • Ignore automatically obtained DNS Parameters: True
      • Never use this network for default route: True
So the issue is: when I am in VLAN2 on another machine and I try to access https://ipaserver.example.com/, it resolves to 192.168.15.252 but it isn't able to connect. I can set the /etc/hosts file to "192.168.10.252 ipaserver.example.com" and it works.

Anyone know why it doesn't want to work with the .15 range IP address?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: ipa server with two network adapters in a separate vlan each

Post by jlehtone » 2022/03/15 13:35:58

First a note: When you say "VLAN", you really mean a LAN (aka subnet) that has "special wires".

Your LAN1 has:
* network address 192.168.15.0/24
* subnet member 192.168.15.254 acts as router between this LAN and other subnets

Your LAN2 has:
* network address 192.168.10.0/24

You have a machine on LAN2.
We don't know which DNS servers it does call to resolve names.
We don't know whether it has any route to outside of LAN2.

We do know that a name resolves to 192.168.15.252 when queried by that machine.
When you attempt to connect, the attempt is either routed from LAN2 to LAN1 (via other subnets in between?) and thus to 192.168.15.252,
or there is no such route.
If traffic from a member of LAN2 arrives at ipaserver-eth0 (via eth0), it should send the reply to LAN2 via eth1. That is forbidden by default.
Even if it could reply, what would your machine do when some 192.168.10.252 sends a "reply", while you only expect a reply from 192.168.15.252?

Obviously, when your LAN2 member sends a query to DNS, the DNS should answer: "192.168.10.252"
and when LAN1 member sends a query to DNS, the DNS should answer: "192.168.15.252".

I have set up such DNS servers (LAN1 and LAN2 do not have to have same machine as DNS server),
but I have never used IPA and I suspect that IPA has something to say about DNS.

veksell
Posts: 2
Joined: 2022/03/15 10:07:41

Re: ipa server with two network adapters in a separate vlan each

Post by veksell » 2022/03/15 13:49:52

To answer your questions:
"We don't know which DNS servers it does call to resolve names": the DNS servers configured on this machine are 192.168.10.252 & 192.168.10.251.
"We don't know whether it has any route to outside of LAN2.": this machine has a default gateway/route of 192.168.10.254; on the router all traffic between the two LANs is allowed (this will be restricted one day, hence the need to set up secondary interfaces, but that is an issue for another topic).

The reason I am trying to set this up this way is I have just moved off Microsoft AD onto IPA and I am trying to copy my old setup, which worked on Windows.

Is there a way then in IPA, if a DNS query comes in on eth1 for ipa.example.com, it responds with the eth1 IP, and when a request for the same DNS entry comes in on eth0 it responds with the eth0 IP?

If there is a better way of doing this I am also open to other setups. My main criteria are to have a primary and secondary DNS server on both LANs, and I would like to avoid having 4 IPA servers if possible.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: ipa server with two network adapters in a separate vlan each

Post by jlehtone » 2022/03/15 14:11:16

BIND 9 (package 'bind', service 'named') has "views": https://kb.isc.org/docs/aa-00851
dnsmasq ... one can run multiple instances, one per interface.

I presume that IPA sets up a DNS server, and I have no idea whether it uses BIND, dnsmasq, or something else, nor how complex a config you can do with it.
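As an added illustration of the BIND 9 "views" jlehtone points to, here is a split-horizon config written for this thread (it is not from either poster and not from IPA's own DNS setup). It assumes a plain BIND 9 named.conf on ipaserver, the two zone file names shown are made up, and ipareplica keeps the 192.168.15.251 / 192.168.10.251 addresses listed in the first post; whether IPA's managed DNS would accept a view layout like this is the open question in the thread.

```conf
// /etc/named.conf (excerpt, constructed example): same name, different answer per LAN
acl lan1 { 192.168.15.0/24; };   // LAN1 clients (eth0 side)
acl lan2 { 192.168.10.0/24; };   // LAN2 clients (eth1 side)

options {
    // answer on both interfaces; 127.0.0.1 keeps local lookups working
    listen-on port 53 { 127.0.0.1; 192.168.15.252; 192.168.10.252; };
    allow-query { localhost; lan1; lan2; };
};

// Once any view exists, every zone must live inside a view.
view "lan1" {
    match-clients { lan1; };
    // match-destinations { 192.168.15.252; };  // alternative: key on arriving interface (eth0)
    zone "example.com" { type master; file "example.com.lan1"; };
};

view "lan2" {
    match-clients { lan2; };
    // match-destinations { 192.168.10.252; };  // alternative: key on arriving interface (eth1)
    zone "example.com" { type master; file "example.com.lan2"; };
};

// ---- example.com.lan1 (zone file served to LAN1 clients) ----
$TTL 300
@           IN SOA ipaserver.example.com. hostmaster.example.com. (
                   2022031501 3600 900 604800 300 )
@           IN NS  ipaserver.example.com.
@           IN NS  ipareplica.example.com.
ipaserver   IN A   192.168.15.252
ipareplica  IN A   192.168.15.251

// ---- example.com.lan2 (zone file served to LAN2 clients) ----
$TTL 300
@           IN SOA ipaserver.example.com. hostmaster.example.com. (
                   2022031501 3600 900 604800 300 )
@           IN NS  ipaserver.example.com.
@           IN NS  ipareplica.example.com.
ipaserver   IN A   192.168.10.252
ipareplica  IN A   192.168.10.251
```

With this in place a LAN2 host querying ipaserver.example.com gets 192.168.10.252 and never tries the .15 address, which is the behaviour the /etc/hosts workaround was faking; named-checkconf and named-checkzone will validate the files before a reload.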
