bbarrera Premium,MVM join:2000-10-23 Sacramento, CA kudos:1 | reply to dda
Re: Issues with new USG 50
quote: If I use the USG 50 for DNS queries, it correctly replies to all the "in LAN" addresses I've added but insists www.dantonio.net can't be found! I believe it decides that www.dantonio.net is the same as dantonio.net and punts rather than sending it along to Comcast. Attempting to add dantonio.net as a domain to forward results in an error (-14016 I believe). The upshot is that I can either get to LAN addresses or (by adding a rule to not use the USG for DNS) external addresses but not both.
Your router config must have something like this in it:
domainname dantonio.net
which I believe then causes the USG's DNS to think it's authoritative for the zone.
On your Mac try this:
host -t soa dantonio.net 192.168.1.1
(assuming your USG50 is at 192.168.1.1)
and then try:
host -t soa dantonio.net 4.2.2.1
(instead of 4.2.2.1 you may use another public DNS server)
dda Premium join:2003-12-29 Bolton, MA
said by bbarrera: Your router config must have something like this in it:
domainname dantonio.net
which I believe then causes the USG's DNS to think it's authoritative for the zone. On your Mac try this: host -t soa dantonio.net 192.168.1.1
(assuming your USG50 is at 192.168.1.1)
quote:
[DDAs-MBP:~] dda% host -t soa dantonio.net 192.168.1.1
Using domain server:
Name: 192.168.1.1
Address: 192.168.1.1#53
Aliases:

dantonio.net has SOA record dantonio.net. root.dantonio.net. 2013010123 10800 54000 259200 10800
and then try: host -t soa dantonio.net 4.2.2.1
(instead of 4.2.2.1 you may use another public DNS server)
quote:
[DDAs-MBP:~] dda% host -t soa dantonio.net 4.2.2.1
Using domain server:
Name: 4.2.2.1
Address: 4.2.2.1#53
Aliases:

dantonio.net has SOA record ns1.secure.net. hostmaster.secure.net. 2012022119 86400 7200 2592000 86400
They certainly point to different things! I'll check the configuration when I get home. I did try removing the domain name from the host name section but it didn't really do anything.
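An added check, my own example rather than anything posted in the thread: it parses the two `host -t soa` outputs dda pasted (the USG 50 at 192.168.1.1 versus the public resolver 4.2.2.1) and flags the case bbarrera describes, where the router answers with its own SOA for dantonio.net instead of forwarding to the public zone. The sample outputs are copied from the posts above; `query_soa` wraps the same `host` command bbarrera suggested and is the only part that touches the network.

```python
import re
import subprocess

# Sample `host -t soa` outputs, constructed from what dda pasted in the thread:
# the USG 50 at 192.168.1.1 answers with its own SOA, the public resolver
# 4.2.2.1 answers with the real one.
LOCAL_OUTPUT = """Using domain server:
Name: 192.168.1.1
Address: 192.168.1.1#53
Aliases:

dantonio.net has SOA record dantonio.net. root.dantonio.net. 2013010123 10800 54000 259200 10800
"""

PUBLIC_OUTPUT = """Using domain server:
Name: 4.2.2.1
Address: 4.2.2.1#53
Aliases:

dantonio.net has SOA record ns1.secure.net. hostmaster.secure.net. 2012022119 86400 7200 2592000 86400
"""

# One SOA answer line as printed by `host`: zone, MNAME, RNAME, then five numbers
# (serial, refresh, retry, expire, minimum).
SOA_RE = re.compile(
    r"^(?P<zone>\S+) has SOA record (?P<mname>\S+) (?P<rname>\S+) "
    r"(?P<serial>\d+) (?P<refresh>\d+) (?P<retry>\d+) (?P<expire>\d+) (?P<minimum>\d+)\s*$",
    re.MULTILINE,
)


def parse_soa(host_output):
    """Return the SOA fields from `host -t soa` output as a dict, or None if no SOA line."""
    m = SOA_RE.search(host_output)
    if m is None:
        return None
    soa = m.groupdict()
    for key in ("serial", "refresh", "retry", "expire", "minimum"):
        soa[key] = int(soa[key])
    return soa


def compare_authority(local_output, public_output):
    """Decide whether the local resolver is shadowing the zone.

    Returns (verdict, detail). 'shadowed' means the local resolver hands out an SOA
    that differs from the public one, so names that exist only in the public zone
    (www.dantonio.net in the thread) are never forwarded and cannot resolve.
    """
    local = parse_soa(local_output)
    public = parse_soa(public_output)
    if local is None:
        return "no-local-soa", "local resolver returned no SOA, so it is not claiming the zone"
    if public is None:
        return "no-public-soa", "public resolver returned no SOA; check the zone name"
    if local["mname"] == public["mname"] and local["serial"] == public["serial"]:
        return "consistent", "both resolvers return the same SOA (%s, serial %d)" % (
            public["mname"], public["serial"])
    return "shadowed", (
        "local resolver serves its own copy of %s (MNAME %s, serial %d) instead of the "
        "public zone (MNAME %s, serial %d); hosts missing from the local copy will not resolve"
        % (local["zone"], local["mname"], local["serial"], public["mname"], public["serial"]))


def query_soa(zone, server):
    """Run the same `host -t soa <zone> <server>` command suggested in the thread and
    return its text output. This talks to the network; the sample run below does not use it."""
    result = subprocess.run(["host", "-t", "soa", zone, server],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    verdict, detail = compare_authority(LOCAL_OUTPUT, PUBLIC_OUTPUT)
    print(verdict)   # shadowed
    print(detail)
```

To run it against a live network instead of the pasted samples, replace the two constants with `query_soa("dantonio.net", "192.168.1.1")` and `query_soa("dantonio.net", "4.2.2.1")`; a "shadowed" verdict is exactly the symptom dda hit, and "consistent" is what you should see once the router stops claiming the zone.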
bbarrera Premium,MVM join:2000-10-23 Sacramento, CA kudos:1
said by dda: They certainly point to different things! I'll check the configuration when I get home. I did try removing the domain name from the host name section but it didn't really do anything.
Removing the domain name from System > Host should stop the router from being authoritative, although you might also have it configured in the System > DNS section.
The problem is that once you've done it, then entries like "server 192.168.1.2" in System > DNS will fail to work, and you'll need to have entries like "server.dantonio.net 192.168.1.2", but that will fail if LAN computers aren't set up to default search for dantonio.net (depends on how your DHCP is set up).
dda Premium join:2003-12-29 Bolton, MA
I solved the DNS issue the (sorta) hard way; I skipped the USG 50 entirely and added all my internal hosts as Master Zones to the Snow Leopard Server. I had originally tried what you had suggested and it didn't work; that might have been due to caching or other issues.
In any case, it is working now so thanks! Now to try to address the VPN and torrent issues.
bbarrera Premium,MVM join:2000-10-23 Sacramento, CA kudos:1
said by dda: I solved the DNS issue the (sorta) hard way; I skipped the USG 50 entirely and added all my internal hosts as Master Zones to the Snow Leopard Server.
The easy way if you ask me; at least with OS X Server you have full control of BIND.
I gave up on using the router as IPSec endpoint for remote clients, and instead port forward to OS X Server's L2TP Server. Works great with Mac and Windows and iOS.
dda Premium join:2003-12-29 Bolton, MA
said by bbarrera: The easy way if you ask me; at least with OS X Server you have full control of BIND.
Well, it was a lot more clicking and data entry than just using the DNS page in the USG! But yes, I do have more control now.
said by bbarrera: I gave up on using the router as IPSec endpoint for remote clients, and instead port forward to OS X Server's L2TP Server. Works great with Mac and Windows and iOS.
I got the USG because it could be an IPSEC endpoint. Is L2TP as secure as IPSEC? I know the iPhone does L2TP over IPSEC; does Mac OS X do the same thing? I suppose it would be nicer to use OS X Server to handle all of this but then I really don't need the power of the USG.
If you are running BT and exposing yourself [figuratively] to the rest of the world, you may want to run IDS at a minimum. This will use a fair amount of that "excess" power. I also run the Kaspersky AV, but it doesn't usually report any detections.
I also see several TCP flag attacks per hour from all over the world that IDS drops. If sent deliberately, it is the result of my IP addresses being available to BT trackers.
I have heard of a queuing theory that is possibly relevant: the wait time is proportional to the reciprocal of (1 minus the fractional utilization). The implication is that one doesn't want to try to utilize all of the power available. If I had money to burn I would have already moved to the USG 300, which is more "powerful" than my dual FTTH connections. The USG50 cannot perform AV and IDS on dual 30/15 data streams. (Some types of data are not examined, but right now I'm not clear how that affects actual throughput in my context of BT and video streaming from Crunchyroll.)
kirby
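The queuing result kirby is recalling is the mean response time of an M/M/1 queue. The derivation below is added here as an illustration and is not part of the thread; it assumes Poisson arrivals at rate $\lambda$, exponential service at rate $\mu$, and utilization $\rho = \lambda/\mu < 1$ (the standard M/M/1 assumptions, which the post does not spell out).

$$
L = \frac{\rho}{1-\rho}
\qquad\text{(mean number of packets in the system)}
$$

$$
W = \frac{L}{\lambda}
  = \frac{\rho}{\lambda(1-\rho)}
  = \frac{1}{\mu(1-\rho)}
  = \frac{1}{\mu}\cdot\frac{1}{1-\rho}
\qquad\text{(Little's law, } L = \lambda W\text{)}
$$

So the mean time a packet spends in the device is its bare service time $1/\mu$ multiplied by $1/(1-\rho)$: at $\rho = 0.5$ that factor is $2$, at $\rho = 0.9$ it is $10$, and at $\rho = 0.99$ it is $100$, which is why running an inspection engine near its rated throughput makes latency blow up long before the link is "full".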
bbarrera Premium,MVM join:2000-10-23 Sacramento, CA kudos:1 | reply to dda
said by dda: I got the USG because it could be an IPSEC endpoint. Is L2TP as secure as IPSEC? I know the iPhone does L2TP over IPSEC; does Mac OS X do the same thing? I suppose it would be nicer to use OS X Server to handle all of this but then I really don't need the power of the USG.
It's actually L2TP over IPSec (L2TP/IPSec), with IPSec used to secure L2TP traffic.
dda Premium join:2003-12-29 Bolton, MA
said by bbarrera: It's actually L2TP over IPSec (L2TP/IPSec), with IPSec used to secure L2TP traffic.
While I have L2TP over IPSec working with the iPhone and iPad, it won't work when I use my work LAN, which is unfortunately double-NATted. It also doesn't work with the MacBook Pro at work, probably for the same reason. For the iDevices, it's easy; I switch to LTE, but that doesn't cut it for the Macs. Any idea how to deal with double NATting? Or is that even an issue?
bbarrera Premium,MVM join:2000-10-23 Sacramento, CA kudos:1
I dunno, it's something I haven't encountered.