Thoughts about "Change IP Address" when e.g. going from regular IP to NAT

I'm doing some experiments with putting an existing Virtualmin installation behind a NAT. The process should be quite straightforward, but there's an issue.

So I changed the system's IP address, all is fine. I edited "System Settings -> Virtualmin Configuration -> Networking Settings -> Default IP Address for DNS Records" properly. I know this setting only applies to newly created domains, not to existing ones.

So, when I go to "Change IP Addresses" and have Virtualmin replace the old IP with the NATed one, it replaces them also in the DNS records.

To prevent that, I have to go to all of the existing virtual servers manually and modify the setting "External IP Address" to prevent that from happening.

I know there's the API command virtualmin modify-domain --domain ... --dns-ip ..., but it seems that I still need to call that for all domains individually, since there's no "all-domains" parameter.

Suggestion would be to allow the user to make this modification to all domains at once, and to put a warning on the "Change IP Addresses" page that the change will be made to the DNS zones too for all existing domains that don't presently have an "External IP Address" set.

Status: Closed (fixed)

Comments

So I think the issue here is that you did the change in the wrong order.

The correct method is to go to Addresses and Networking -> Change IP Address, and change from the old external address to the internal one. This will update the Apache config and DNS records.

Then you need to switch your domain's external IP to the external address. Unfortunately this can only be done with the API command virtualmin modify-dns --all-domains --dns-ip x.x.x.x

I think we need to add a way in the web UI to mass change the external IP, just like you can for the real IP. Agreed?

Hmmm!

You know why I didn't do the "modify-dns" thing in my test? Because the help text for "modify-dns" does not list "--dns-ip" as an option!! :D

So I wouldn't say I used the wrong order... I was just under the impression that there is no way of mass-updating the external IP, neither in the web UI, nor in the API!

But yes, I agree that a web UI external IP mass update is one important aspect of the matter. Furthermore, I think the steps necessary to switch between NAT/non-NAT operation are a bit too spread out.

I think the "Change IP Address" screen should also get that warning about DNS records getting changed for servers that don't have the fixed external IP set.

Even better would be to give Virtualmin a few wizards, while the big (necessary) "intuitive design overhaul" is still underway (for the next years ;) ). Switching between NAT and non-NAT with the required steps would make for a nice wizard I think, among other stuff that will certainly come up bit by bit.

Ok, I'll look into making that page capable of changing the DNS IP as well.

BTW, I generally recommend against running a production Virtualmin webserver behind NAT if possible, as it adds complexities when setting up SSL, introduces another potential point of failure and can be confusing to domain owners.

Yeah, I sure know about the NAT issue. In my case, I'm pondering using a 1:1 NAT setup, because in my specific situation that helps save IPv4 addresses. They're expensive and limited at my hoster, and with NAT I can use all 16 IPs of my subnet as opposed to losing 3 of them in a classic routed setup.

Oh by the way, what kind of complexities in regards to SSL exactly does NAT introduce?

In my case, the "point of failure" exists anyway, since my IPv4 /28 subnet is piped through a router VM on my VMware server. That's necessary due to the way my hoster has laid out their network. So it doesn't really make a difference in terms of point of failure whether the router does conventional routing, or a 1:1 NAT.

Note that I'm not using NAT in the classical sense of "port forwarding", but as 1:1 NAT, i.e. one external IP is fully mapped to one internal.

In the near future I'm going to reduce my number of VMware servers from 2 to 1 due to a receding number of customers, so I need to consolidate all my VMs to one server. Since I only have one /28 IPv4 network available, the IP addresses are running short. So not losing these 3 IPs for a conventional routing helps mitigate matters. :)

The SSL complexity I was referring to is the need for 1:1 NAT to be set up for each domain with a private IP on the Virtualmin system, to a corresponding separate external IP.

An option to mass change the DNS IP will be included in the next release.

Automatically closed -- issue fixed for 2 weeks with no activity.