Best DNS records and firewall rules for a LAN

Hello World!

I’ve got a brand new Cady v.7.3.1611 that I want to put in prod at my home, with 2 NICs.
But I am not familiar with DNS and IT, so I prefer to ask first (I didn’t understand everything I read).

I changed my internet box to modem mode:

  • the red static NIC has a 88.177.x.y IP / 88.177.x.254 gateway / 80.67.169.12 DNS.
  • the green static NIC is configured with 192.168.65.254 IP / 88.177.x.y gateway.
  • my LAN uses 192.168.65.254 as gateway.

I need an AD, so I named my NethServer neth01.myhome.lan.
I have a domain name, say myplace.com, with the registrar’s DNS pointing to 88.177.x.y (mail and www).

Neither the mail nor the www module is installed for now. But they will come soon.

Part 1.
Question 1: What do I have to put in the DNS module to optimise my LAN?
Question 2: What do I have to put in the DNS module to make myplace.com visible from the Internet?
Question 3: Do I have to put neth01.myplace.com in my registrar’s DNS server, and why?

Part 2. --DNS ++Firewall
Question 1: What do I have to put in the Firewall module to optimise my LAN?
I had to put an “Accept green -> red” rule in my firewall to let my LAN go on the Internet, is that right?
Question 2: What do I have to put in the Firewall module to make myplace.com work from/to the Internet?

What I am looking for is a kind of best practices for a good LAN.

Thanks in advance from Occitanie, France.
Rémy.

Hi @Remy,

many questions, I hope I can help, so let’s go…

You may put your devices with static IPs in the “Hosts” list, so they can be found by their name.
You may put alias names for your Nethserver in the “server alias” list so users may reach it by easytomemorize.myhome.lan.

Nothing, this is already done by your registrar as you wrote. You can check it on NS or here: http://network-tools.com/nslook/. Just enter your domain and you should find your IP in the result.

It depends…if you want neth01.myplace.com to be separately reachable, you may do it. You maybe want www.myplace.com pointing to server A and mail.myplace.com pointing to server B and so on. I assume for your home server it’s enough to let myplace.com point to your public IP.

The firewall is well optimized after installing. If you don’t have a special configuration or special devices, just enable it.

No, green to red is allowed by default.

Firewall policies allow inter-zone traffic according to this schema:
GREEN -> BLUE -> ORANGE -> RED

See http://docs.nethserver.org/en/v7/firewall.html#policy

What should work on myplace.com? You may host a website on NS. Then you won’t need a firewall configuration, because httpd (web server) is allowed by default.

Please explain what was hard to understand because we want the docs to be useful and understandable. If you have ideas to improve the docs feel free to share them…

Greetings from Vienna, Austria.


Hello MrMarkuz and thanks for your kind response,

“Please explain what was hard to understand”: As I am not really gifted in English, I didn’t understand that policies are actually applied. “To be applied” said to me “they have to be”, not “they are”. Even though you say just after “Firewall policies allow…”, I was a little puzzled.

I was convinced of it as I lost my connection with my server when I enabled the firewall. After 10 min I had to “sudo reboot” to gain access again. I’m gonna wipe the unneeded green->red rule I made.

Thanks for all your explanations, they clear & appease my mind.

Another thing, can I, and how do I, “batch” import all my LAN hosts’ hostnames and IPs into the DNS service? Must I use samba-tool dns add … or something else?

Have a good day,
Rémy.


If you use DHCP to give IPs to your LAN hosts, you don’t need to enter them in the DNS list. How many LAN hosts do you have? I don’t know an import tool, but maybe a script exists. Don’t use samba-tool, there’s no need for it.
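As an added example (not from this thread or from the NethServer project), here is the kind of script the reply above mentions: it reads "hostname,ip" lines, rejects malformed or duplicate entries, and prints the e-smith commands that would create each DNS host record. It assumes NethServer's `db hosts set NAME remote IpAddress IP` and `signal-event host-create NAME` commands from the developer manual; it runs nothing itself, so the output can be reviewed before it is piped to a shell on the server.

```shell
#!/bin/sh
# Constructed sample input (not real hosts): "hostname,ip" per line.
SAMPLE_HOSTS='printer.myhome.lan,192.168.65.10
nas.myhome.lan,192.168.65.20
bad host,192.168.65.30
laptop.myhome.lan,192.168.65.999
nas.myhome.lan,192.168.65.21'

# valid_ipv4 IP: succeeds only for a dotted quad with every octet in 0..255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# valid_hostname NAME: succeeds for a lowercase FQDN made of DNS labels.
valid_hostname() {
  echo "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$'
}

# hosts_to_commands < csv: prints the assumed db/signal-event pair for each
# valid, not-yet-seen row; reports skipped rows on stderr.
hosts_to_commands() {
  seen=""
  while IFS=, read -r name ip; do
    [ -n "$name" ] || continue
    if ! valid_hostname "$name" || ! valid_ipv4 "$ip"; then
      echo "skip (invalid): $name,$ip" >&2
      continue
    fi
    case " $seen " in
      *" $name "*) echo "skip (duplicate): $name" >&2; continue ;;
    esac
    seen="$seen $name"
    printf 'db hosts set %s remote IpAddress %s\n' "$name" "$ip"
    printf 'signal-event host-create %s\n' "$name"
  done
}

# Dry run over the constructed sample; review the output before using it.
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_commands
```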