 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "'Mike Razavi'" <mike at havepc dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] can't access to a domain name which is hosted in my LAN
 Date:  Mon, 17 Jan 2005 10:15:53 -0500
Mike Razavi wrote:
> Thanks Jim.
> According to below faq the only way I can use the m0n0wall DNS
> forwarder is to set my workstation's DNS to m0n0wall's ip address!
> Am I correct?
> 13.3. Why isn't it possible to access NATed services by the public
> address from LAN?
> Problem. It is not possible to access NATed services using the
> (WAN) IP address from within LAN (or an optional network). Example:
> you've got a server in your LAN behind m0n0wall and added a
> rule to allow external access to its HTTP port. While you can access
> it just fine from the Internet, you cannot access
> http://your-external-ip/ from within your LAN.
> Reason. This is due to a limitation in ipfilter/ipnat (which are
> in m0n0wall). Read the ipfilter FAQ for details. m0n0wall does not
> (and probably will not) include a "bounce" utility.
> Solution. If you use m0n0wall's built-in DNS forwarder for your LAN
> clients, you can add one or more overrides so that they will get the
> internal (LAN) IP address of your server instead of the external
> while external clients still get the real/public IP address.

Directing your workstation to use the m0n0wall as its DNS is one way
to use the forwarder. The other way (the way I am using it) is to
direct your workstation to use your local DNS and direct your local
DNS to use the m0n0wall as a forwarder. Client queries SBS, SBS
queries m0n0wall, m0n0wall queries ISP... This can cause a delay when
first visiting an obscure site for the first time. Using the m0n0wall
forwarder solution is the same idea as having dummy domains in your
SBS DNS with private IPs in the zones. 

But, this will not work in your situation. Your local DNS (on your
SBS) is already the authoritative DNS for your public domain
(domaina.com). Therefore, the SBS DNS will not ask the m0n0wall to
resolve www.domaina.com, it already knows the answer to the query:
"What is the IP for www.domaina.com?"! I believe that FAQ assumes that
there is not a local DNS on the LAN. If you move your authoritative
DNS to a separate box (or offsite completely) you can use local IPs on
the SBS and public IPs on the authoritative DNS.

This is similar to a problem that I have at a client site with SBS
2000. Another consulting firm set up the SBS. They used the public
domain name of the organization (domainz.org) for the AD domain. The
users could not reach the organization's web site (hosted offsite)
from the office. There was not an A record for www.domainz.org in the
DNS. Once I added it they could reach the site. When a new web site was
built and moved to a new hosting company, there was a problem with
reaching the "old" site and not being able to reach the "new" site. I
changed the A record for www.domainz.org to point to the new IP and
bam it worked... 

The problem is that DNS will respond to a query with one of the
following: IPs from zones listed locally, IPs from cache, and IPs
received from forwarders. Your DNS has zones listed locally with
public IPs. Your DNS will reply to queries with this data.

I suggest we take this off list - we are going way off the m0n0wall

James W. McKeand
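The resolution order described above (local zones first, then cache, then forwarders) is what decides whether the m0n0wall DNS forwarder override is ever seen. The following Python model, added here as an example and not code from m0n0wall or from anyone in the thread, builds the chain workstation -> SBS DNS -> m0n0wall forwarder -> ISP and runs the four situations the message discusses: the FAQ case where the client asks m0n0wall directly, the case where the SBS is authoritative for domaina.com with public IPs (the override is shadowed), the split-horizon arrangement with the public zone moved off the SBS, and the SBS 2000 story where the AD zone carries the public domain name but no www record. All IP addresses and the resolver names are constructed for the example.

```python
"""Toy model of the DNS resolution chain discussed in this thread.

Added example; not code from the m0n0wall project or from the thread's
authors.  IP addresses are constructed from the documentation ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PUBLIC_IP = "203.0.113.10"   # assumed WAN address that NAT forwards to the server
LAN_IP = "192.168.1.10"      # assumed LAN address of the same web server
OTHER_IP = "198.51.100.7"    # some unrelated public site


@dataclass
class Resolver:
    """Answers from local zones, then overrides, then cache, then a forwarder."""
    name: str
    # zone apex -> {fqdn: ip}.  Names under an apex listed here are answered
    # locally and never forwarded, even when the zone lacks the record (NXDOMAIN).
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # m0n0wall-style DNS forwarder overrides: single names answered locally.
    overrides: Dict[str, str] = field(default_factory=dict)
    forwarder: Optional["Resolver"] = None
    cache: Dict[str, Optional[str]] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)   # one line per lookup step

    def _zone_for(self, qname: str) -> Optional[str]:
        return next((apex for apex in self.zones
                     if qname == apex or qname.endswith("." + apex)), None)

    def resolve(self, qname: str) -> Optional[str]:
        qname = qname.lower().rstrip(".")
        apex = self._zone_for(qname)
        if apex is not None:               # 1. locally listed zone wins outright
            ip = self.zones[apex].get(qname)
            self.trace.append(f"{self.name}: authoritative for {apex}, answer {ip or 'NXDOMAIN'}")
            return ip
        if qname in self.overrides:        # 2. forwarder host override
            self.trace.append(f"{self.name}: override, answer {self.overrides[qname]}")
            return self.overrides[qname]
        if qname in self.cache:            # 3. cached earlier answer
            self.trace.append(f"{self.name}: cache, answer {self.cache[qname]}")
            return self.cache[qname]
        if self.forwarder is None:
            self.trace.append(f"{self.name}: no forwarder, SERVFAIL")
            return None
        ip = self.forwarder.resolve(qname) # 4. ask upstream and remember the answer
        self.cache[qname] = ip
        self.trace.append(f"{self.name}: forwarded to {self.forwarder.name}, answer {ip}")
        return ip


def public_dns() -> Resolver:
    """Stands in for the ISP resolver and the whole public DNS tree."""
    return Resolver("isp", zones={"domaina.com": {"www.domaina.com": PUBLIC_IP},
                                  "example.net": {"www.example.net": OTHER_IP}})


def m0n0wall(upstream: Resolver) -> Resolver:
    """m0n0wall DNS forwarder with one host override for the LAN-hosted site."""
    return Resolver("m0n0wall", overrides={"www.domaina.com": LAN_IP}, forwarder=upstream)


def workstation_points_at_m0n0wall() -> Optional[str]:
    """FAQ case: the client asks m0n0wall directly, so the override is seen."""
    return m0n0wall(public_dns()).resolve("www.domaina.com")


def sbs_authoritative_with_public_ips() -> Optional[str]:
    """The SBS is authoritative for domaina.com with the public IP and forwards
    to m0n0wall.  The override is never consulted, so LAN clients get the WAN IP."""
    sbs = Resolver("sbs", zones={"domaina.com": {"www.domaina.com": PUBLIC_IP}},
                   forwarder=m0n0wall(public_dns()))
    return sbs.resolve("www.domaina.com")


def split_horizon() -> Dict[str, Optional[str]]:
    """Public zone moved off the SBS; the SBS keeps a private copy with LAN IPs.
    LAN clients and Internet clients now get different answers for one name."""
    sbs = Resolver("sbs", zones={"domaina.com": {"www.domaina.com": LAN_IP}},
                   forwarder=m0n0wall(public_dns()))
    return {"lan": sbs.resolve("www.domaina.com"),
            "internet": public_dns().resolve("www.domaina.com")}


def ad_domain_named_after_public_domain() -> Dict[str, Optional[str]]:
    """AD zone domainz.org holds no www record, so the query dies at the SBS
    instead of being forwarded; adding the A record makes the site reachable."""
    hosted_ip = "198.51.100.20"  # constructed address of the offsite web host
    sbs = Resolver("sbs", zones={"domainz.org": {}}, forwarder=public_dns())
    before = sbs.resolve("www.domainz.org")
    sbs.zones["domainz.org"]["www.domainz.org"] = hosted_ip
    after = sbs.resolve("www.domainz.org")
    return {"before": before, "after": after}


if __name__ == "__main__":
    print("direct:", workstation_points_at_m0n0wall())
    print("sbs public zone:", sbs_authoritative_with_public_ips())
    print("split horizon:", split_horizon())
    print("ad zone:", ad_domain_named_after_public_domain())
```

The `trace` list on each resolver records which step produced the answer, which is the quickest way to see why `sbs_authoritative_with_public_ips()` never reaches the m0n0wall override: the SBS answers from its own zone and the forwarder is not asked at all.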