help cpanel nat 1: 1 setup

helpdesk

Dear all,

We have just bought and set up our cPanel.

We set it up behind a 1:1 NAT firewall.

On WHM, the main shared IP is a local IP, 192.168.1.x.

We use a third-party DNS server and set the server as a local DNS.

For new account creation,

Mail / FTP work, but we are unable to do virtual hosts:

http://www.domain.com/cgi-sys/defaultwebpage.cgi

Any guru who has set up cPanel behind 1:1 NAT, please provide some guidance. Thank you in advance.
 

thewebhosting

Are you receiving any error message?
 

wills

We're running cPanel on a 1:1 NAT with no issues. That includes DNS. I'm not sure what you meant about the third party DNS or virtual host setup. Can you give us some real-world examples?
 

ALL

> We're running cPanel on a 1:1 NAT with no issues. That includes DNS. I'm not sure what you meant about the third party DNS or virtual host setup. Can you give us some real-world examples?

I am actually having a similar problem.

I am behind a 1:1 NAT firewall of:

65.123.120.x->192.168.111.x

The problem I'm running into is, when I set up a user in WHM and it sets up the DNS, it auto-assigns the A records to 192.168.111.x rather than the public IP address. Is there a way, or how did you get around it auto-assigning the internal IP address instead of the external IP address?
 

ALL

I'm not trying to be a pain, but I'd really like to get this set up...

All I really need to know is how I can set it up so that when someone adds a domain to their account, it assigns it to the external IP address and not the internal IP address...

Example:
Someone adds a domain, their IP is 65.123.120.55, and it assigns their DNS records to 192.168.111.55. I need it to set the DNS records to the external IP address, not the internal one.
 

Spiral

You are not getting many answers mainly because not too many have much experience with NAT and Cpanel, and it is generally avoided for very good reason, as setting up and maintaining that kind of a configuration can often be much more of a pain than it's worth.

Nearly all cable modem and DSL providers officially prohibit running web servers per usage policies (though yes a lot of people do it anyway) and that is where you find the bulk of NAT type deployments most of the time.

Aside from technical difficulties keeping things lined up, especially after Cpanel updates, licensing matching up, and other operational items, there are also certain aspects of running Cpanel inside a NAT local network that would open up major security holes to the rest of your NAT network just simply by the act of running Cpanel inside the local NAT network, and there are much better ways to deploy such a configuration than putting it behind the NAT router.

Unless it is really your absolute only choice, I really strongly would not recommend putting Cpanel behind a NAT. It can be done and I have personally done that for clients on a few occasions where the circumstances dictated doing that but it's really not recommended.

Regarding your IP question, you **MUST** use the NAT IP for the hosting accounts and network card details but then you will use the external IP for the DNS records and this is generally where the headaches first begin and does require a bit of manual finger work as this can be done very easily from SSH but there is no real happy way of doing this from WHM or more accurately --- keeping it all in sync.
 

ALL

Well, I don't have much of a choice about running behind a NAT firewall. I called the company that makes our firewall (Watchguard) and they said that "it cannot be done"...

I find it a little hard to believe, but w/e. I am a software developer not a network engineer, so I figured that they'd know best.

Here's what they said:

> I checked and also confirmed with another person here. It is not possible to achieve what you want. The packet information if changed to show that it is coming from the external interface of the firewall will then not be able to get out once it comes in. The packet needs to show that it is coming from the outside world so it knows how to get back once it comes in. If we change the ip, then the packet on its way out to the world will drop and not get past the firewall external ip going outbound.

But what I have been playing with, and believe I have mostly set up, is a script that monitors the DNS files and, once they are modified, looks through them and changes any internal IPs to their associated external IPs. It's written in PHP, because it's a small script and ez to develop, but it gets the job done. Granted, it will take up to 5 seconds for the DNS to be changed again, but I find that reasonable. I am not sure how it'd scale with a large number of domains, but it should work regardless.

I am going to make an article on what I did and give the code I used in the future when I know everything works.
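
The rewrite Spiral and ALL describe above (internal IP on the accounts and NIC, external IP in the published DNS records), as an added Python example; it is not ALL's PHP script and not cPanel code. Internal addresses left in a public zone both break resolution and disclose the internal addressing plan, so the function also reports what it found. The /24 network sizes, the BIND-style zone layout with a `; serial` comment, the function names and the sample zone are assumptions.

```python
import ipaddress
import re

# 1:1 NAT pair quoted in the thread (65.123.120.x -> 192.168.111.x); the /24 size is assumed.
INTERNAL_NET = ipaddress.ip_network("192.168.111.0/24")
EXTERNAL_NET = ipaddress.ip_network("65.123.120.0/24")
A_RECORD = re.compile(  # "[name] [ttl] [IN] A <ipv4>" plus anything trailing
    r"^(?P<head>\S*\s+(?:\d+\s+)?(?:IN\s+)?A\s+)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<tail>.*)$")
# Assumes the SOA serial sits on its own line followed by a "; serial" comment.
SERIAL = re.compile(r"^(?P<pre>\s*)(?P<num>\d+)(?P<post>\s*;\s*serial.*)$", re.I)


def to_external(ip_text):
    """Map an internal address to its 1:1 external peer, or None if it is not internal."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip not in INTERNAL_NET:
        return None
    return str(EXTERNAL_NET.network_address + (int(ip) - int(INTERNAL_NET.network_address)))


def rewrite_zone(text):
    """Return (new_text, leaked), where leaked lists internal IPs found in A records."""
    leaked, out = [], []
    for line in text.splitlines():
        m = A_RECORD.match(line)
        ext = to_external(m.group("ip")) if m else None
        if ext:
            leaked.append(m.group("ip"))
            line = m.group("head") + ext + m.group("tail")
        out.append(line)
    for i, line in enumerate(out if leaked else []):  # bump the serial only on change
        s = SERIAL.match(line)
        if s:
            out[i] = s.group("pre") + str(int(s.group("num")) + 1) + s.group("post")
            break
    return "\n".join(out) + "\n", leaked


# Constructed sample zone (not from the thread).
SAMPLE_ZONE = """\
example.com. 86400 IN SOA ns1.example.com. admin.example.com. (
        2010030701 ; serial
        86400 7200 3600000 86400 )
example.com. 14400 IN A 192.168.111.55
www 14400 IN CNAME example.com.
mail 14400 IN A 192.168.111.55
ext 14400 IN A 65.123.120.9
"""
```

Running `rewrite_zone` on its own output changes nothing, so it can be run after every zone edit without bumping the serial again.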
 

Spiral

> Well, I don't have much of a choice about running behind a NAT firewall. I called the company that makes our firewall (Watchguard) and they said that "it cannot be done"...

As an incidental footnote to that .....

Can you place the Cpanel server IN FRONT of your firewall instead of behind it where you are located?

It would make a lot more logical sense to put the Cpanel server in the front ahead of your firewall or NAT translation and actually make your local network more secure doing it that way.

If you don't have any means to access the outside world where you are located other than going through the NAT firewall, I would actually then recommend not running a local Cpanel server at all and instead hosting in any of the remote data centers out there around the world, all of which would probably give you substantially better performance than running it locally where you are, primarily because of bandwidth availability differences.

If you are really dead set on running the server locally and are unable to get around having it behind the firewall, then yes, you'll need to do the things I said earlier, and yes, as you pointed out, most of those items can in fact be scripted to minimize the manual labor, but it can still be a pain and you might find it easier or better for you to look into another solution.
 

evp

Possible Solution

Hi, I have it working, but lately have been having some issues. If you are getting http://www.domain.com/cgi-sys/defaultwebpage.cgi, then it seems to be routing correctly (I am not a network specialist though). What I think is going on is that cPanel is configuring the virtual hosts incorrectly. I have to go in manually and modify the httpd.conf file every time that I add an account; "NameVirtualHost *:80" and "VirtualHost *:80" should do it.

My issue recently (after an IP migration) is a VirtualHost entry with my internal IP and no port (VirtualHost 10.xxx.xxx.xxx). I now have to go in and manually remove this entry every morning or I get the same page served,

http://www.domain.com/cgi-sys/defaultwebpage.cgi

Hope this helps, and if anyone knows or has any idea what might be auto generating this entry I would really appreciate it.
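
A way to spot the regenerated entry evp describes without reading httpd.conf by hand, as an added Python example (not evp's or cPanel's code): it lists every VirtualHost block whose address has no port or is a private IP, with the line number and ServerName. The function names and the sample configuration are assumptions, and 10.0.0.5 is a constructed stand-in for the elided 10.xxx.xxx.xxx address.

```python
import ipaddress
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)


def classify(spec):
    """Return the reasons an address spec differs from the wildcard-with-port form."""
    # Handles IPv4, "*" and hostname specs; bracketed IPv6 is not parsed (assumption).
    host, _, port = spec.partition(":")
    reasons = [] if port else ["no port"]
    try:
        if ipaddress.ip_address(host).is_private:
            reasons.append("private IP")
    except ValueError:
        pass  # "*", "_default_" or a hostname
    return reasons


def audit_vhosts(conf_text):
    """Return (line, spec, ServerName, reasons) for each flagged VirtualHost block."""
    findings, block = [], None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        opened = VHOST_OPEN.match(line)
        name = SERVER_NAME.match(line)
        if opened:
            block = {"line": lineno, "specs": opened.group(1).split(), "name": None}
        elif block and name:
            block["name"] = name.group(1)
        elif block and VHOST_CLOSE.match(line):
            for spec in block["specs"]:
                reasons = classify(spec)
                if reasons:
                    findings.append((block["line"], spec, block["name"], reasons))
            block = None
    return findings


# Constructed sample configuration (not from the thread).
SAMPLE_CONF = """\
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.domain.com
</VirtualHost>
<VirtualHost 10.0.0.5>
    ServerName server.domain.com
</VirtualHost>
"""
```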
 

cPanelDavidG

Technical Product Specialist
> Hi, I have it working, but lately have been having some issues. If you are getting http://www.domain.com/cgi-sys/defaultwebpage.cgi, then it seems to be routing correctly (I am not a network specialist though). What I think is going on is that cPanel is configuring the virtual hosts incorrectly. I have to go in manually and modify the httpd.conf file every time that I add an account; "NameVirtualHost *:80" and "VirtualHost *:80" should do it.
>
> My issue recently (after an IP migration) is a VirtualHost entry with my internal IP and no port (VirtualHost 10.xxx.xxx.xxx). I now have to go in and manually remove this entry every morning or I get the same page served,
>
> http://www.domain.com/cgi-sys/defaultwebpage.cgi
>
> Hope this helps, and if anyone knows or has any idea what might be auto generating this entry I would really appreciate it.

During the IP migration, did you run the IP migration wizard, or did you only change the IP of a single site?
 

evp

> During the IP migration, did you run the IP migration wizard, or did you only change the IP of a single site?

Thanks, a good question. My ISP (Vodafone Portugal) was having tech problems issuing me a static IP and we ended up changing IPs 4 or 5 times in a 2-week period. I know I used the wizard most of the time, but I also remember manually going in and configuring. I just can't recall what I actually did last.
 

cPanelDavidG

Technical Product Specialist
> Thanks, a good question. My ISP (Vodafone Portugal) was having tech problems issuing me a static IP and we ended up changing IPs 4 or 5 times in a 2-week period. I know I used the wizard most of the time, but I also remember manually going in and configuring. I just can't recall what I actually did last.

If you can bring the server outside of NAT, you can let our technical analysts take a look at the server. At this time, we do not provide assistance for NAT.