NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
-
dividschmivid
- Posts: 10
- Joined: 20. May 2015, 15:49
NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
Hello world!
This is my first post on virtualbox dot org!
I've been reading a lot of the tutorials and tips from all you posters on this and other sites on the awesomeness and shortcomings of VirtualBox(VB). I am a daily user. I usually use VB to put XP (aka Windows Light @ 150MB memory usage!) or Linux (the zen of BASH) Virtual Machines (VM) on my Win boxes. I use it to have access to web servers on my machine to test out AMP and wordpress and my web coding scribblings. But now I am A+ certified and working as an IT tech and am learning how real enterprise and SMB networks operate. Nice to meet you all.
I've been floundering around the net trying to piece this Linux-based enterprise testing network together, looking for the pieces that I think I need, kinda learning how to do them (or at least getting comfortable with the learning process), and trying to put them together, but it's just a pain because everyone has their own niche use for these technologies. No one seems to need what I need which is like everything in a box.
I have been working at this for about two weeks and only in the last week have I really started feeling comfortable configuring BIND and DHCP with the command line on the Ubuntu DC. However, I haven't gotten it clicking yet. I have gotten various parts of it working with NAT and the VB DHCP or with Host-Only (pinging other machines) and DHCP, but not static IP and not with NAT. I have tried switching the NIC from Host-Only to NAT when I need the Internet, which seems to work but that's a half-done solution. I am confident that I'll get this working soon, but gosh I hope you all can help me focus and get this going. It is the basis of a lot of my personal work and learning in the IT world. When I do get it all down and working and tested in a portable fashion to assure it is hardware independent I hope to write a thorough tutorial.
Long story short...
What I have:
1)I have a fresh install of Ubuntu Server 14.04LTS as the domain controller.
2)Ubuntu 12.04.04LTS desktop with LAMP as the web server and my happy space.
3)Debian in various desktop enviros as the users (luke, han, chewie)
4)Puppy user
5)XP Pro user
6)CentOS server for a future setup to take the place of the Ubuntu DC
My network settings are or would be something like:
1)Network named: debian.local
2)Ubuntu DC: server.debian.local
*.*.*.2
3)Web services: web.debian.local
*.*.*.3
4)Various Distros: luke.debian.local, han.debian.local, chewie.debian.local,
*.*.*.100 - *.*.*.200
5)IP range (desired or guessed):
A)10.0.2.2-10.0.2.200 with NAT
B)192.168.56.2-192.168.56.200 with Host-Only
What I want:
1) 1 Linux Domain Controller(DC) running: (preferably Ubuntu since I am learning Linux with it and it has good support)
A)DNS (BIND) to give internal DNS direction as well as external web caching to improve speed of internet use.
B)DHCP to give IPs to MAC addresses
C)LDAP to authenticate certain machines for email accounts and file/folder resource access.
D)Email (Postfix,Dovecot,Roundcube) only to learn how to setup and maintain an email server. It will be used only to test email communication between devices authenticated on the internal network.
2) 1 Web Server running:
A)LAMP for wordpress/wikimedia/handcoded site
B)CalDAV/CardDAV for tbird n my note3
C)Audio streaming/DLNA
D)SAMBA (would like it to defer to DC LDAP settings but give access to mini media libraries on the VM)
3) A bunch of Linux distros for learning how they act differently from the commandline and otherwise (CentOS/OpenSUSE/Debian/Mint/Ubuntu and other free candy).
4) My primary Ubuntu happy place.
5) My poor, out of date XP workhorses which I use as instant blow-up workspaces where I can install stuff, set it up, put it in the state I want, work til I drop, snapshot it, and open it back up without having to open a bunch of programs, resize/arrange windows, open files, navigate to the right part of the file, blah, blah, blah. Instant hit-the-ground-running workspace restore. Adding the network shares would be even better.
6) My Win 7 studs.
7) To have all these access the internet
8) For them to be invisible to my work domain
9) For them to be authenticated and reference the Ubuntu DC Virtual Machine(VM) for all network configuration and host-based queries
10) For my host machine to talk to them if needed, BUT NOT AS IMPORTANT AS THE PREVIOUS 3. A next step
11) To be able to export these appliances and duplicate the environment upon import into a VB install at home or wherever.
What I think I have to do:
1)Set the NAT Network in VB settings to not use DHCP. Turn off DHCP on VB.
1.1)Set all machines including DC with the same static IPs that I will automatically assign to them once the DC goes live. Static IPs that are compatible with the NAT Network configs in VB.
1.2)PING around to assure I can reach all the machines on the network.
2)Install DHCP service in DC and set it to assign addresses in certain range. I have various questions about this. Primarily how should I address the IP addressing in order to meet the two main network access requirements of my setup.
3)Install BIND on DC and configure it to work within the network requirements I need.
4)Install and setup LDAP on DC to point to the domain and name server settings.
4.1)Add users and groups to the settings.
4.2)Configure the security and permissions aspects of LDAP.
4.3)Configure the clients to authenticate with LDAP.
5)Setup the email system in conjunction with DNS. This is definitely last and not integral to the importance of the primary domain controller setup. I think it would be ok for the email server to live on the same machine as the DNS/DHCP/LDAP server, but any disagreements would be ok. I'm new to the server world.
So my QUESTION is...
How would I configure this network to have the best of both worlds; access to the Internet (for updates and downloading new software) AND the luxury of being self-contained (for IP control, directory authentication and DNS uniformity) and portable, meaning I can use the DNS/DHCP/LDAP services to add new VMs and my existing Win VMs to a centrally-controlled VM intranet but still be able to access the internet with them wherever I take my setup. I want a portable authenticated enterprise testing environment.
1)How would I configure the Network adapters in VB prefs to allow me to use my own VM DC?
2)How would I configure the DHCP server in Linux to coexist with VB?
A)/etc/default/isc-dhcp-server
B)/etc/dhcp3/dhcpd.conf
C)service isc-dhcp-server restart, ip route, netstat -uap
3)How would I configure the DNS server in Linux to coexist with VB?
A)/etc/bind/named.conf
B)/etc/bind/named.conf.options
C)/etc/bind/named.conf.local
D)(the zone file) /etc/bind/server.debian.local
4)How would I configure the Virt NICs in the VMs to allow coexistence with DC and VB?
A)/etc/network/interfaces
5) What other clean up and prep work is needed to get the DC and users configured to talk to each other through the DC and access the internet through the VB gateway while getting DNS guidance from the DC's zone file and caching abilities?
What I do not need:
Another catch is that I need to be able to do this at work where I cannot just go putting a bunch of VMs on the domain using the Bridged Network setup. It needs to use the discrete existence of VB's NAT setup; for both the Internet/Repository use and the quietness of it.
1) I don't need remote desktop
2) I don't need VLAN or VPN, although I am very intent on setting up a VPN at home, this project is restricted to DNS/DHCP/LDAP/Email. I would of course love to setup VPN, but it seems that this would be near impossible considering how difficult it has been to just get all this set up. I think I would need something more dedicated and less portable for VPN to be happy considering it would be using my real FQDN.
3)I don't need email setup until I have authentication and IP/Host addressing good to go.
4) I don't need comments about Winedows or trolling about aesthetics.
5) I don't need SAMBA...yet.
My plans:
This is primarily for testing. Once I have the resources, I hope to run all these suckers on a single VM server, prob on a Lin box or ESXi. Using VMDK virt hard drives so shouldn't take much to port over to VMWare. After I feel I can master the setup of a VM network like this I'm sure it will be much easier to setup a hardware-based version using a bunch of R-Pis and my old WR54G, but that's all for another more luxurious day.
I hope to start working with virtual Windows server setups using hyper-v after I am able to get the Linux environment going. I also hope to be able to learn how to use all this knowledge to get a single, low-power Firewall/DC/VPN/Email/Web bare metal machine going at home to do some real work.
I realized i repeated myself a bunch in there. For the sake of rephrasing to allow you guys to understand exactly what it is i'm trying to achieve as well as kind of helping myself understand what i need to do to accomplish this task. thanks so much in advance for any solid guidance you all can provide.
-
Perryg
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
What is not clear to me is do you also need to communicate with these guests for a local LAN and or the outside (public side)? Also does the host need to be in this network?
-
dividschmivid
- Posts: 10
- Joined: 20. May 2015, 15:49
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
Thank you for your quick response.
You are right I did not specify if I need access to this network from the WAN.
Currently I do not need to be able to access this network from the public side.
Eventually I will configure this to work, but I will likely be switching to use a bridged connection to accomplish this. I would also be establishing a publicly accessible server network to exist at home only. This particular setup is to merely allow myself to setup as many servers as I can manage in a hidden network that can talk to itself and through VB to the internet for accessing websites and downloading needed repository-based resources.
As for the host, I think it would be an extra convenience for me to be able to telnet in from the host. It would be ideal and the way I've kinda configured it now. But I see there is an internal network option.
-
Perryg
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
Excluding the host and the public side from the equation I would use the internal network (intnet) and a software router/firewall (pfSense) to achieve this myself.
This way you will not be required to have an Internet connection at all to be able to use the virtual network.
Now adding the host adds complexity and even more by adding the public side. Your network experience will need to be advanced as well as the routing that will need to be done. The best advice I can give you at this point is to look at these guests as real machines. How would you do this on metal? Then see what you need to do to make it work. As for the exact howto (tutorial), with the exception of the type of network adapter, it is outside the scope of the forum I am afraid, but I have, as have others, achieved exactly what it is you are wanting to do, albeit not an easy task.
-
dividschmivid
- Posts: 10
- Joined: 20. May 2015, 15:49
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
As I go through this process I will be happy to post snippets of the config files for the dhcp, dns, ldap settings. Right now I'm obviously stuck on getting dhcp and dns working within the restrictions of VBs network settings.
-
Perryg
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
dividschmivid wrote: As I go through this process I will be happy to post snippets of the config files for the dhcp, dns, ldap settings. Right now I'm obviously stuck on getting dhcp and dns working within the restrictions of VBs network settings.
That's exactly why you need to isolate the network. Try setting up in internal as suggested.
-
dividschmivid
- Posts: 10
- Joined: 20. May 2015, 15:49
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
I thought about using pfsense, but wanted to be able to learn how to configure the dhcp service as it exists in a normal linux os. i am guessing that pfsense still keeps its dhcp config files in the same place as other distros? can pfsense do dns?
could i somehow setup pfsense to act as a gateway to the internet? like set it up with two nics, one as a nat, bridged to the wan and the other internal? i may be missing something there, but brainstorming.
i agree that the internal, isolated situation is the best setup. even yesterday at the end of the day, i took all my hosts and one of the servers, put them on one nic set to host-only and did a ping test all around the mesh. i also agree that some of this is beyond the scope of this forum. i will learn as i go how to ask for the best advice available on this particular forum, just setting out the breadth of the whole project to let others know what some people like doing with virtualbox and also to solidify how i might lock down the VB side of the project as well as the general structural setup of the VMs in the network. if anyone can help with linux configs, though that would be cool too. but it's more important for me to get the theory and structure of the dedicated dhcp/dns server on a VB net setup.
-
Perryg
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
You don't have to enable the DHCP server in pfSense. You can use any of the virtual LAN guests for that or none if you want to really push the envelope.
-
dividschmivid
- Posts: 10
- Joined: 20. May 2015, 15:49
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
Ok. good to know. how would i configure pfsense in VB? with two nics; NAT and Host Only/Internal? like on the back of a typical router, you would have a wan port and a bunch of lan ports.
sounds like you're having me setup a more realistic environment within VB that has its own router. that sounds like awesome, but i'm not sure how it will work. can't wait to see.
-
Perryg
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
You configure pfSense to use a WAN side ( I use NAT ) to isolate it further, and you would attach the second nic to the intnet adapter ( LAN side ) that you would use on all of the other guests. This way pfSense looks and acts like a switch and a router.
-
dividschmivid
- Posts: 10
- Joined: 20. May 2015, 15:49
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
currently i am able to have 2 client hosts, 2 server hosts (by hosts i mean internal hosts as guests on my T530 host) all configured to DHCP from the VB host-only settings. the two debian desktop guests(1 on gnome, the other on xfce) are configured with both nat and host-only nics and ifconfig gives me IPs for both nics. unfortunately both debian guests are getting the same IP of 10.0.2.15.
the ifconfig of the debian guests looks like this:
Code:
    eth0 Link encap:Ethernet HWaddr 08:00:27:12:dd:99
         inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
         inet6 addr: fe80::a00:27ff:fe12:dd99/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
         RX packets:9 errors:0 dropped:0 overruns:0 frame:0
         TX packets:87 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:2080 (2.0 KiB) TX bytes:11007 (10.7 KiB)
    eth1 Link encap:Ethernet HWaddr 08:00:27:7a:b8:22
         inet addr:192.168.56.114 Bcast:192.168.56.255 Mask:255.255.255.0
         inet6 addr: fe80::a00:27ff:fe7a:b822/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
         RX packets:39 errors:0 dropped:0 overruns:0 frame:0
         TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:7409 (7.2 KiB) TX bytes:10484 (10.2 KiB)
i am able to ping the guests from each other in the host-only network. i am able to ping the guests from the host using the "ping -S 192.168.56.1" switch.
my /etc/network/interfaces files look something like this:
Code:
    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet dhcp
    # auto eth0
    # iface eth0 inet static
    # address 192.168.56.151
    # netmask 255.255.255.0
    # gateway 192.168.56.1
    # network 192.168.56.0
    # broadcast 192.168.56.255
    auto eth1
    iface eth1 inet dhcp
my next step is to set all of them to static IPs and to turn off dhcp on the VB host-only network settings. then restart the machines and see if i can ping them from each other and from the host.
when that is successful i will attempt to configure dhcp on the ubuntu dhcp server and set all the interfaces back to dhcp by commenting out the static ip bit.
-
dividschmivid
- Posts: 10
- Joined: 20. May 2015, 15:49
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
Perryg wrote: You configure pFsence to use a WAN side ( I use NAT ) to isolate it further, and you would attach the second nic to the intnet adapter ( LAN side ) that you would use on all of the other guests. This way pFsense looks and acts like a switch and a router.
that's so awesome. i am really excited about trying it out. just dl'ed pfsense 2.2 and am creating VM now.
by "attach the second nic to the intnet adapter" you mean enable a second nic on the pfsense VM that is configured as an internal network, selecting the "intnet" name field? that would make sense.
like that i could disable the NAT NICs on the debian desktop guest clients and just point them to the network established by pfsense.
-
Perryg
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
First you only have one host and one or more guests per installation.
Next with all of the information I have given you why are we still talking about VBox NAT and Host-only connections?
-
dividschmivid
- Posts: 10
- Joined: 20. May 2015, 15:49
Re: NAT-Enabled DNS/DHCP/LDAP/Email Server Environment
yes, i understand the host guest thing. i started writing it like that because i've been configuring the hostname and whatnot within the linux installs so i got stuck in the wrong convention.
about the nat/host only thing. i'm just getting things out on paper to help myself weed through things. i sometimes write things like that to help myself see things more clearly.
anyway, moving forward.
i followed a youtube tutorial for installing pfsense on VB. i didn't even have to configure the NICs. i just:
enabled a NAT and a Internal Network adapter on pfsense. it autoconfigured them with correct IPs.
shutdown luke.debian.local guest
reduced it to one internal network NIC
booted it up
opened iceweasel
typed in 192.168.1.1
and now i am met with a pfsense login screen.
opened up another tab and navigated to google.com
AND IT WORKS! JUST LIKE THAT!
talk about turnkey! now because lots of folks run into little issues setting these things up i should note that today is may 21, 2015 and i'm running pfsense 2.2 and virtualbox 4.3.6. this probably matters. the tut i saw had the guy setting up his NICs manually on pfsense 2.0 something or other, so the little things, the little things.
now i can reduce my VMs to one NIC directed to the pfsense router AND have internet AND be able to find each other in a LAN-like environment.
once i have all 4 guests talking to pfsense and the googlesphere i can focus on getting my services up and running within the LAN.
thanks so much even for this little bit, PerryG!
i'll keep posting my progress as i get to my goal.
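The layout Perryg describes (router VM with a NAT WAN NIC and an intnet LAN NIC, every other guest on a single intnet NIC) and the steps in the last post, written out as an added example that is not part of the thread or anyone's actual setup. It prints the VBoxManage calls for that layout and audits `VBoxManage showvminfo --machinereadable` output so that a guest left on NAT, host-only or bridged shows up before it is exported; the VM names and the sample dumps are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. VM names are hypothetical; "intnet" is the
# internal network name used in the posts above. modifyvm needs the VM powered off.
INTNET_NAME="${INTNET_NAME:-intnet}"

# Commands for the router VM: NIC1 = NAT (WAN side), NIC2 = internal network (LAN side).
router_plan() {
    echo "VBoxManage modifyvm $1 --nic1 nat"
    echo "VBoxManage modifyvm $1 --nic2 intnet --intnet2 $INTNET_NAME"
}

# Commands for a client guest: a single NIC on the internal network, NIC2 disabled.
guest_plan() {
    echo "VBoxManage modifyvm $1 --nic1 intnet --intnet1 $INTNET_NAME"
    echo "VBoxManage modifyvm $1 --nic2 none"
}

# Audit `VBoxManage showvminfo <vm> --machinereadable` text read from stdin.
#   role=guest  : every enabled NIC must be intnet on $INTNET_NAME
#   role=router : nat is also allowed; bridged/hostonly are still flagged
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_nics() {
    awk -F= -v role="$1" -v want="$INTNET_NAME" '
        { v = $2; gsub(/"/, "", v) }
        $1 ~ /^nic[0-9]+$/    { mode[substr($1, 4)] = v }
        $1 ~ /^intnet[0-9]+$/ { net[substr($1, 7)] = v }
        END {
            bad = 0
            for (n in mode) {
                m = mode[n]
                if (m == "none") continue
                if (m == "intnet") {
                    if (net[n] != want) {
                        printf "nic%s: internal network \"%s\", expected \"%s\"\n", n, net[n], want
                        bad = 1
                    }
                    continue
                }
                if (role == "router" && m == "nat") continue
                printf "nic%s: mode %s not allowed for %s\n", n, m, role
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: a guest still carrying the NAT + host-only pair.
sample_guest_before() {
    cat <<'EOF'
name="luke"
nic1="nat"
nictype1="82540EM"
nic2="hostonly"
hostonlyadapter2="VirtualBox Host-Only Ethernet Adapter"
nic3="none"
EOF
}

# Constructed sample: the same guest reduced to one internal network NIC.
sample_guest_after() {
    cat <<'EOF'
name="luke"
nic1="intnet"
intnet1="intnet"
nictype1="82540EM"
nic2="none"
EOF
}

# Constructed sample: the router VM with NAT on NIC1 and intnet on NIC2.
sample_router() {
    cat <<'EOF'
name="pfsense"
nic1="nat"
nic2="intnet"
intnet2="intnet"
EOF
}

# Demo: print the plan, then audit the three samples.
router_plan pfsense
for vm in server web luke han; do guest_plan "$vm"; done
echo "--- guest before:"; sample_guest_before | audit_nics guest || true
echo "--- guest after:";  sample_guest_after  | audit_nics guest && echo "clean"
echo "--- router:";       sample_router       | audit_nics router && echo "clean"
```

Against a real install, replace the sample functions with `VBoxManage showvminfo <vm> --machinereadable | audit_nics guest` for each guest after an import.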