Author Topic: Where should this sit on my network?  (Read 1857 times)

nunchukbop

Where should this sit on my network?
« on: January 22, 2019, 02:57:20 pm »
I am debating whether this should sit on my LAN or DMZ. LAN because I want easy file sharing and Active Directory. DMZ because I need to expose the email server...
I only have one available public IP address, so I am wondering if pointing mail.mydomain.com to this email server is even possible. I have a pfSense router. Any insight or help on this is appreciated.

vshaulsk

Re: Where should this sit on my network?
« Reply #1 on: January 22, 2019, 03:19:17 pm »
My answer is both.

In my network I have a pfSense firewall with one interface for LAN and one for DMZ.
The Zentyal box has one interface to LAN and one to DMZ.

The DMZ side has all the ports locked down except the ones I need... VPN, SMTP, HTTP/HTTPS (for the email web UI).

In my pfSense, I have my SMTP port forwarded to Zentyal on the DMZ interface.
I also run the HA reverse proxy on the pfSense firewall for the email web UI of Zentyal in the DMZ.
- I have a wildcard certificate on pfSense which is used through the reverse proxy and provides certified SSL encryption for the Zentyal email GUI (SSL Labs A+ results).


nunchukbop

Re: Where should this sit on my network?
« Reply #2 on: January 22, 2019, 09:01:16 pm »
@vshaulsk,

Thank you very much for the reply. You have the setup that I am trying to achieve, and I will take your advice. I have a follow-up question though: how are you handling DHCP & DNS? Are you using Zentyal for both or just DNS?

My research on pfSense tells me that I should probably do both on the Zentyal server so that all the DHCP reservations get proper lookups? What do you think?

Thanks again!

vshaulsk

Re: Where should this sit on my network?
« Reply #3 on: January 24, 2019, 05:08:43 pm »
Currently my DHCP server is my pfSense firewall, but Zentyal would also work.

My DMZ has no DHCP server as everything there is statically assigned.

On my LAN the pfSense server handles DHCP:
- Gateway = pfSense
- DNS1 = Zentyal PDC
- DNS2 = Zentyal BDC
- DNS3 = pfSense

All of my servers are static, with only client computers (Windows PCs, tablets, phones, TVs, etc...) receiving addresses through DHCP.

I have a Proxmox 3-node cluster on a 10Gb network using local SSD, NVMe and central storage (iSCSI, SMB, NFS) via two FreeNAS storage servers.
- pfSense, Zentyal and all the other servers run virtually in the cluster, with the important ones set up with High Availability.

« Last Edit: January 24, 2019, 05:11:59 pm by vshaulsk »

nunchukbop

Re: Where should this sit on my network?
« Reply #4 on: January 24, 2019, 08:42:00 pm »
Thanks for the reply. I WANT pfSense to hand out DHCP leases, but I don't know how to configure that properly. On your system, how do new clients get registered with the DNS (Zentyal) when they get a DHCP lease from pfSense?
How many adapters do you have in your pfSense server? My switch does not allow trunk ports, so I think I need three (WAN, LAN, DMZ). Then, on my secondary server (no pfSense) I will have two adapters (DMZ, LAN). I also have two main servers running Proxmox.

vshaulsk

Re: Where should this sit on my network?
« Reply #5 on: January 25, 2019, 02:14:33 am »
The best would be to just use the Zentyal DHCP server and only use the Zentyal DNS or the backup BDC DNS. My setup is probably not fully compliant, but it works.

Each one of my Proxmox servers has an Intel quad NIC with one port each for WAN, LAN, DMZ, plus the Dell built-in NIC which has two 1Gb ports and 2 SFP+ ports.

Since for me pfSense is virtual, I bridge the Intel quad NIC to the pfSense VM, and this allows the VM to move between the different nodes if one node goes down or reboots.

The Zentyal PDC is replicated between two nodes and also moves if one node fails or restarts. Now if both nodes fail, the BDC is on the third node.

In general: pfSense = 3 network interfaces and Zentyal = 2 network interfaces.

vshaulsk

Re: Where should this sit on my network?
« Reply #6 on: January 25, 2019, 08:17:23 pm »
I thought more about my setup last night and decided to move the DHCP server over to Zentyal.

Now:
- DHCP - Zentyal
- Gateway - pfSense
- DNS1 - Zentyal PDC
- DNS2 - Zentyal BDC

The clients are no longer using pfSense as the DNS server.

nunchukbop

Re: Where should this sit on my network?
« Reply #7 on: January 25, 2019, 09:00:21 pm »
Right on. I installed my extra NIC on my primary server, so I will run pfSense on that. I will put my DHCP on the Zentyal server too.

nunchukbop

Re: Where should this sit on my network?
« Reply #8 on: January 29, 2019, 02:53:48 pm »
Ok, I installed the network as described. My router is working in the sense that my clients can get to the internet. My Zentyal server is handing out DHCP addresses like it should, but it is not registering local hosts in the DNS? WHY? I want to ping a hostname on my LAN and get a response... what am I missing?
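A check for the situation in the last post (Zentyal hands out leases but the client hostnames do not resolve), added here as an example and not code from the thread or from Zentyal: it parses the ISC dhcpd.leases file format that Zentyal's DHCP module maintains and reports every active lease whose name is missing from DNS or points at a different address than the one leased. The domain lan.example, the sample leases and the offline resolver table are assumptions constructed for the example; leave the default socket.gethostbyname in place to run it against the real Zentyal DNS.

```python
import re
import socket
# Constructed sample in ISC dhcpd.leases format; all values are made up for this example.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop1";
}
lease 192.168.1.51 {
  binding state active;
  client-hostname "phone1";
}
lease 192.168.1.52 {
  binding state free;
  client-hostname "oldpc";
}
"""
LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)

def parse_active_leases(text):
    """Map client-hostname -> IP for leases currently in 'binding state active'."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        name = re.search(r'client-hostname\s+"([^"]+)";', body)
        if name and re.search(r'^\s*binding state active;', body, re.M):
            leases[name.group(1)] = ip
    return leases

def table_resolver(table):
    """Offline stand-in for socket.gethostbyname; raises OSError like a real miss."""
    def resolve(fqdn):
        if fqdn not in table:
            raise OSError(f"{fqdn}: no such host")
        return table[fqdn]
    return resolve

def find_unregistered(leases, domain, resolve=socket.gethostbyname):
    """(host, leased_ip, problem) for each active lease whose FQDN is missing
    from DNS or resolves to a different address (a stale dynamic record)."""
    problems = []
    for host, ip in sorted(leases.items()):
        try:
            answer = resolve(f"{host}.{domain}")
        except OSError:
            problems.append((host, ip, "no DNS record"))
            continue
        if answer != ip:
            problems.append((host, ip, f"DNS returns {answer}"))
    return problems
```

Run it on the Zentyal box against its own lease file and domain; an empty result means every active DHCP client has a correct forward record, and each reported row is a host the dynamic DNS update did not reach.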