
Allow Access to gitlab webserver without Port #

Hi

I am new to Sophos UTM and figuring my way around setting things up. So far everything is working fine. However, I ran into a couple of scenarios that I am not able to figure out (why, how, etc.). Any help would be appreciated.

My Setup:

Linux Machine - running opensuse 42.3

Windows Machine - running Windows 10

Sophos UTM is a VM in a third machine with two network cards. One connects to the WAN (external internet), the other to a switch (internal). Sophos is my DHCP server, giving out DHCP addresses in the 192.168.100.0/24 range. Both the Linux and Windows machines are in the same subnet: Linux 192.168.100.1 and Windows 192.168.100.2.

I run samba, a print server etc. on my Linux machine; Windows can access the samba shares etc. Both machines can go to the internet, talk to each other and all, so no issues there.

I installed gitlab on the Linux server. The gitlab is configured with URL gitlab.myserver.com listening on port number 9100 (default is 80 for nginx). To make gitlab accessible from my Windows machine, I have done the following so far in Sophos:

a) I created a host definition for my gitlab domain under Definitions & Users

Name : GitLabServer

Type : Host

IPv4 address : 192.168.100.1

Hostname : gitlab.myserver.com

Additional Hostname : gitlab.myserver.com:9100

 

b) I created a service definition for my gitlab port under Definition & Users

Name : GitServicePort

Type of Definition : TCP

Destination Port : 9100

Source Port : 1:65535

 

Now from my Windows machine (192.168.100.2), I am able to browse to the gitlab server using gitlab.myserver.com:9100. I can create repositories, git push etc. with no problems. From the Windows cmd prompt I can ping gitlab.myserver.com and use git CLI commands with no issues at all. I then tried to do a couple of things and ran into issues.

a) From within the Linux server where gitlab is running, I am not able to ping gitlab.myserver.com. I can use the browser on the Linux machine, go to gitlab.myserver.com:9100 and manage my gitlab settings with no issues. I am not able to find the gitlab server from the command line on the Linux machine, especially the git CLI from the Linux box itself. The git CLI fails saying it cannot find gitlab.myserver.com.

  • To solve this, I edited the /etc/hosts file on the Linux server and added 192.168.100.1  gitlab.myserver.com. Now I am able to ping the domain from the Linux command line and the git CLI works.

       Question: Is this the right way to do this? Why is the Linux server not resolving gitlab.myserver.com through the UTM gateway itself like the Windows machine does? Linux uses the same gateway settings as well (192.168.100.250).

 

b) I tried to set up NAT rules to resolve/forward gitlab.myserver.com to gitlab.myserver.com:9100. I have tried various NAT combinations (DST NAT, Full NAT etc.), but I cannot browse using just the domain name. I tried to understand and follow several suggestions from the following references, but none of them seem to work in my case.

 

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/77961/how-to-add-a-network-definition-dns-host-for-a-hostname-which-domain-has-already-existing-host-definitions-in-utm-dns

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/40997/access-local-werbservers

 

DNS Best Practice?

    

Can someone please walk me through how to make gitlab.myserver.com resolve to gitlab.myserver.com:9100?

Thanks for your time and help.

Regards

  • Vaidyanathan Balasubramanian said:

    a) from within the linux server where the gitlab is running, i am not able to ping gitlab.myserver.com. I can use browser on the linux machine and go to gitlab.myserver.com:9100 and manage my gitlab settings with no issues. I am not able to find gitlab server from the command line in the linux machine, especially git CLI from the linux box itself. git CLI fails saying cannot find gitlab.myserver.com

    Can you please check what DNS server is configured on your linux box? If it isn't using dnsmasq then cat /etc/resolv.conf should tell you.

    Vaidyanathan Balasubramanian said:

    b) I tried to setup NAT rules to resolve/forward gitlab.myserver.com to gitlab.myserver.com:9100. I have tried various NAT combinations (DST NAT, Full NAT etc.), but i cannot browse using just domain name. I tried to understand and follow several suggestions from the following references, none of them seem to work my case. 

    For this, the traffic from your Windows machine to your Linux machine does not even pass the UTM; that's why your NAT rules aren't working. This is because both machines are in the same subnet. If you want to hit the UTM, you have to put your Linux box in a different network, i.e. a DMZ, so that the Windows machine hits the UTM when trying to access the Linux machine.

  • Thanks for your time and reply. Appreciate it.

    a) I am not running dnsmasq. I did check /etc/resolv.conf. It is pointing to my internet router IP address as name server. It did not have the UTM as name server. I think the opensuse/network manager installation did that, as I was directly connected to the internet first. After much thinking, I decided to leave it that way and not change to the UTM as the name server. My entry in /etc/hosts helps me to ping and use the gitlab server from the host where it is running. For the time being, I am going to leave it that way. At least I now understand what the issue is. Thanks for pointing me in the right direction. -- closed

     

    b)  

    Jevin Lizardo said:

    For this, the traffic from your Windows machine to your Linux machine does not even pass the UTM; that's why your NAT rules aren't working. This is because both machines are in the same subnet. If you want to hit the UTM, you have to put your Linux box in a different network, i.e. a DMZ, so that the Windows machine hits the UTM when trying to access the Linux machine.


    I am still not clear on this one. Why do you say my traffic from the Windows machine does not flow through the UTM to a machine in the same subnet? On the Windows machine everything goes via the UTM, as content filtering and other firewall rules are effectively applied. I am confused.
     
    Regards
  • Because they belong on the same broadcast domain.

    When your Windows machine tries to connect to the IP of your Linux machine, instead of sending the packet to the default gateway, the network stack will recognize that "Ohh, this IP is actually on the same subnet as me. This means I don't need to send this packet to the default gateway at all!". What it will do then is send an ARP request to the whole subnet asking "Hey guys, what is the MAC address of 192.168.100.1?". Your Linux machine will receive the packet and will reply back to your Windows machine saying "Hey Windows, that is me! Here is my MAC address A8:00:00:00:00:AA". Your Windows machine will then put this in its ARP table. All of this does not involve the UTM.
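
The forwarding decision described in the reply above, as an added example that is not part of this thread: a small Python simulation of a host's longest-prefix-match routing lookup, using a constructed routing table for the Windows machine with the addresses from the original post (192.168.100.0/24, gateway 192.168.100.250). It goes one step beyond the reply by also showing the DMZ case the reply suggests; 192.168.200.1 is an assumed, hypothetical DMZ address for the Linux box, and 203.0.113.10 is a documentation address standing in for any internet host.

```python
"""Simulate a host's next-hop decision (added example, not from the thread).

A host consults its own routing table before it ever talks to a gateway:
if the destination matches a directly connected (on-link) route, it ARPs
for the destination itself and the gateway/UTM never sees the packet;
otherwise it ARPs for the gateway and hands the frame to it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None means directly connected (on-link)
    dev: str


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match over the table, as the kernel/Windows stack does it."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(table: List[Route], dst: str) -> Tuple[str, bool]:
    """Return (address the sender ARPs for, whether the frame goes via the gateway).

    The second value is what matters for the thread: only frames handed to the
    gateway (the UTM) can be subject to its NAT and firewall rules.
    """
    route = lookup(table, dst)
    if route.via is None:
        return dst, False            # on-link: ARP for the destination directly
    return str(route.via), True      # off-link: ARP for the gateway instead


# Constructed routing table of the Windows machine (192.168.100.2) from the post.
WINDOWS_TABLE = [
    Route(ipaddress.ip_network("192.168.100.0/24"), None, "Ethernet"),
    Route(ipaddress.ip_network("0.0.0.0/0"),
          ipaddress.ip_address("192.168.100.250"), "Ethernet"),
]

if __name__ == "__main__":
    # Linux box on the same subnet, hypothetical DMZ address, and an internet host.
    for dst in ("192.168.100.1", "192.168.200.1", "203.0.113.10"):
        target, via_gw = next_hop(WINDOWS_TABLE, dst)
        print(f"{dst}: ARP for {target}; passes through the UTM: {via_gw}")
```

Only the second and third destinations are handed to 192.168.100.250, which is why a DST NAT rule on the UTM can never apply to traffic between two hosts on 192.168.100.0/24.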

  • Thank you. Learned something new today about networking :) That makes sense.