Topic: PLEASE HELP... SME Server Not Connecting to the Net

[guhappy]

Hello,

First of all, I'm a complete noob to SME Server 6.0.1, so let me explain my problem the best way I can. I brought a domain name akinminds.com from godaddy.com. I set the nameservers for the domain to use the free domain name forwarding services from mydomain.com (i.e. ns1-4.mydomain.com). On mydomain.com I have set the A Record of akinminds.com to the IP address of my Comcast internet connection. I have a Linksys WRT54GS router with the Local DHCP server enabled and have setup Port-Forwarding of both TCP and UDP for port 80 to the local IP address of the SME Server (i.e. 192.168.1.10). I can access the starter site I created from the local network using the SME Server name (Ex. http://myservername) but the webpage doesn't work when using akinminds.com. By the way, the SME server is also using DHCP and I read from another post that this double DHCP configuration may cause conflicts. So, will disabling DHCP from the SME Server and giving it a static IP address resolve this issue? Also I would like to setup FTP, email, and etc, so do I need to forward the ports provided here (http://no.longer.valid/phpwiki/index.php/InstallationFAQ#portslist) on my router to the SME server? Please help.

Thanks in advance,
guhappy

[MSmith]

OK complete noob, time to tear down your network and redo.  Your SME server will work best as a server/gateway if it is directly exposed to the Internet, i.e. it takes the place of your Linksys WRT54G.  As noted in other posts, you can get hacked firmware for the WRT54G that will allow you to configure it as an access point for your network; get yourself an inexpensive switch for everything else.  So your network should go like this:  Comcast <--> SME server WAN (external) interface :: SME server LAN (internal) interface <--> switch (I use a 16-port Netgear I got inexpensively) <--> all other devices (PCs and Linksys set up as AP).  If your setup doesn't work in this configuration you've messed up your domain's DNS.

And yes, two DHCP servers on one subnet is a Bad Thing.

[guhappy]

OK complete noob, time to tear down your network and redo.  Your SME server will work best as a server/gateway if it is directly exposed to the Internet, i.e. it takes the place of your Linksys WRT54G.  As noted in other posts, you can get hacked firmware for the WRT54G that will allow you to configure it as an access point for your network; get yourself an inexpensive switch for everything else.  So your network should go like this:  Comcast <--> SME server WAN (external) interface :: SME server LAN (internal) interface <--> switch (I use a 16-port Netgear I got inexpensively) <--> all other devices (PCs and Linksys set up as AP).  If your setup doesn't work in this configuration you've messed up your domain's DNS.

And yes, two DHCP servers on one subnet is a Bad Thing.

Well, I guess I will have to rethink this home server approach. So, I need another ethernet card for my server and a switch. I'm probably better off URL forwarding for now until I research this more. But, I would like to get this running, so are there any other options I can take?

[guhappy]

MSmith thanks a lot for the info. I will do what you mentioned and get the gear needed i.e. another ethernet card and switch. I will hopefully set it up successfully for early Jan 2006. But, I know if I run into trouble I can find help.  :-)

[MSmith]

You're welcome.  Glad I could be of service!

[djhomeless]

I've got a similar setup, the only difference being that I have one of those all-in-one Netgear devices (Router, Firewall, Wifi AP, Modem). My SME works quite happily in this setup (server-only mode), so in theory I don't see why you would have a problem with your Linksys AP.

Instead of forwarding individual ports to my SME box, I just setup a DMZ rule in my Netgear Firewall. Ergo, every port that I don't have a rule against, goes to my SME box. This is really not a good idea if you are concerned about security, a better approach would be to forward just the ports you need and ignore the rest (I am just being lazy).

Back to your problem, is your home IP 68.36.174.236? If not, then that's what the name servers think it is. If this is correct, and you still don't see your domain externally, did you make sure to setup the domain on your server?

Good Luck

[guhappy]

Yes that is my IP. I think I haven't setup the domain on the server. Can you show me the way? But, I think I'm going with the first solution that MSmith suggested. I buying a cheap Linksys 5-port switch. I might need help so please stand by. Thanks for the help.

[djhomeless]

Don't buy HW unless you really need it. Again, it would be great to have the switch, but its not needed either.

In your SME Server panel, there is an option for "domains". Simply add your domain name there, and define an Ibay for it. Then, you should be in business.

[cc_skavenger]

I wouldn't buy the hardware unless you really want to.  You can use the dmz approach or you could port forward the needed ports to the IP of your server.  I would not have the server on DHCP, give it an IP.  I use this setup currently for several sites that I maintain, they all work fine.  I tried to browse to  the IP listed above, but it would not display anything.  Does comcast allow web hosting and mail servers?

The typical ports needed should be:
Port 20 & 21 for ftp
Port 22 for ssh
Port 25 for smtp
Port 80 for http
Port 110 for pop3
Port 443 for https

[boss_hog]

Hey yall,
my setup here is very similar to cc_skavenger.
ISP supplied modem
WRT54G (router/switch/AP)
Hawking Tech' 24 port switch

WRT54 feeds my SME6.5 ports 25, 110, 80, 81, 443
(no ftp in my setup)
DHCP is in 192.168.1.10-50 range
All my servers(SME6.5, testbeds SME 6.01, SME7b* and CentOS4.2 etc.) live in the 192.168.1.2-10

The SME will not get the proper WAN IP from the modem, which causes problems for my DynDNS account.
The WRT54 takes care of gettin the WAN IP and DynDNS updating is built into it.

The modem that the ISP has given me is very powerful (router, firewall, nat, dhcp etc.) but it is setup with their firmware and no formal documentation for using it. So.... the WRT54 does most of the work in my setup.
Hope this helps.
Joe

[djhomeless]

The SME will not get the proper WAN IP from the modem, which causes problems for my DynDNS account.
The WRT54 takes care of gettin the WAN IP and DynDNS updating is built into it.
Joe

The SME box doesn't need the WAN IP to function. It just needs to have the correct services (ports) forwarded to it so it can listen. As you host domains on the box, did you make sure to forward port 53 (DNS)?

Try pluggin in your domain to dnsreport.com, its a great tool for debugging dns problems.

[cc_skavenger]

As you host domains on the box, did you make sure to forward port 53 (DNS)?

??
Port 53 does not need to be forwarded.  It is making outbound connections only for dns.  It would need to be forwarded if it was a dns server for a network/workstation.

[guhappy]

Okay, good thing I didnt buy the switch today. Well I appreciate you guys explaining your setups. I will prob do a similar or exact copy of boss_hog's configuration . So I guess I have to give my server a static IP address and forward ports to the server. BTW, do I need to hack my firmware still and if so which one should I choose for a version 4 WRT54GS router? I was thinking of using the DD-WRT firmware... I can't wait to have this up and running. Thanks again.

[MSmith]

You guys who are putting a server-only SME box in a "DMZ" and thus exposing it wholly to the Internet are completely bypassing its firewalling capabilities and committing a fundamental security configuration error.

[cc_skavenger]

You guys who are putting a server-only SME box in a "DMZ" and thus exposing it wholly to the Internet are completely bypassing its firewalling capabilities and committing a fundamental security configuration error.

This is true.  That is why port forwarding should be used.  DMZ exposes all ports below 1024 to the wan.  Not a wise decision.

[boss_hog]

Hey yall,
two things I would like to clarify quickly.

djhomeless wrote:
The SME box doesn't need the WAN IP to function....

This is true, but my domain name on a dynamic IP does.

My DynDNS account needs to be monitored for IP changes. If my modem was set to "bridge mode" all would be fine, but, this is not a viable option.

MSmith wrote:
You guys who are putting a server-only SME box in a "DMZ" and thus exposing it wholly to the Internet are completely bypassing its firewalling capabilities and committing a fundamental security configuration error.

Also true, but my setup made no mention of DMZ. Just forwarding specific ports to the SME.
Hope this helps.
Joe[/quote]

[MSmith]

My DynDNS account needs to be monitored for IP changes. If my modem was set to "bridge mode" all would be fine, but, this is not a viable option.

I've never been satisfied with SME's DynDNS updating and have always resorted to a client on an always-on LAN host; I've had excellent results with older versions of DirectUpdate (no later than 2.7).

MSmith wrote:
You guys who are putting a server-only SME box in a "DMZ" and thus exposing it wholly to the Internet are completely bypassing its firewalling capabilities and committing a fundamental security configuration error.

Also true, but my setup made no mention of DMZ. Just forwarding specific ports to the SME.
Hope this helps.
Joe

Yours didn't; another's did.  I'm speaking specifically of djhomeless here, who has apparently set up a server that has all ports open to the Internet except those specifically excluded at his Netgear router.  Quite unsafe, IMHO.  Far better to deny all, then enable only what you need.

[djhomeless]

Yours didn't; another's did.  I'm speaking specifically of djhomeless here, who has apparently set up a server that has all ports open to the Internet except those specifically excluded at his Netgear router.  Quite unsafe, IMHO.  Far better to deny all, then enable only what you need.

...which is why I said in my post that it is not a good idea if your concerned about security. The poster was having fundamental problems getting his domain traffic routed to his SME. In a case like that, it is best to get the problem fixed first, then backtrack to a safer configuration than try to do it right from the start (especially since the poster was a self-described noob).

My setup is only short term because I've recently rebuilt my home infrastructure. Hey, its Christmas. My wife would divorce me if I was spending a lot of time reconfiguring everything right now.

[guhappy]

Hey self-described noob here. I was reading the manual and it helped alot esp the info on i-bays since I didnt configure that. Thanks to everyone for pointing me in the right direction. Finally, Happy Holidays to all.

[woyzeck]

I was reading the manual and it helped alot

Always a good idea  


IMHO....

Putting an SME server in a DMZ that is configured for server only mode is a bad idea.

Port forwarding in a router is a bad idea also.

My personal preference would not to use sme as a file server and also a public server, I have never understood why people do this.  My personal preference is to have a firewall such as ipcop act as the gateway/firewall and sme server as a file server.  If you have a second ip address set up your public server on that, separate from your internal network.  If you don't set up the ipcop machine with an external card, trusted network card and a public network card.

See:
http://www.ipcop.org/1.4.0/en/install/html/decide-configuration.html#network-configurations


What you want to do,  and the way you have it set up now will work, but is certainly not best practices.

If you are not going to use sme as a file server, set it up in gateway/server mode and you should be set.  Of course, after you call comcast to have the reset the mac address that is registered with them.

Woyzeck

[cc_skavenger]

Port forwarding in a router is a bad idea also.
Woyzeck

Just out of curiosity, why is this bad?  How is it any different then the firewall built into the server?  If port 22 in the iptables firewall is open, it is open.  If you port forward port 22 in a router, it is open.  If you are using a good firewall, both allow for ACLs.

What is the difference?