James W. McKeand wrote:
>It may not be a "problem" but a design limitation. The LAN/NAT issue
>causes problems with more than just m0n0wall. I cannot think of a NAT
>implementation that does not have a problem described in this:
>http://www.m0n0.ch/wall/docbook/faq-lannat.html. It may be possible to
>ping the public IP (as you state later...) but higher level protocols
>will not work...
>
>
It's worth noting that $20 Linksys boxes have managed to lick this
problem due to the user confusion it causes.
I still struggle with this here for a couple of reasons, but the biggest reason
being that from the outside different ports forward to different places
inside my LAN, so a straight DNS mapping isn't an option.
I've ended up creating a DNS record of *.firewall.example.com (where
example.com is my domain name) which points to my firewall's external
IP, then I configure my internal clients to use
machinename.firewall.example.com -- When they're internal, the DNS
forwarder takes care of it, when they're external they get the
firewall's external IP.
This works, but it means that when I move a service from one internal IP
to another, I not only have to update m0n0wall but also every internal
machine.
--
I know what "Cheese" is, and I know what "Whiz" is... |
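As an added illustration of the wildcard-plus-forwarder scheme described in the reply above (example code, not from the thread or from m0n0wall): one service table drives both the firewall's port forwards and the internal DNS overrides, so moving a service means editing a single entry. The domain, addresses and services are constructed placeholders.

```python
# Model of the split-DNS workaround for the LAN/NAT (no hairpin) limitation:
# outside clients get the firewall's external IP from the wildcard record,
# inside clients get the LAN address from the DNS forwarder override.
from ipaddress import ip_address, ip_network

DOMAIN = "firewall.example.com"        # wildcard zone: *.firewall.example.com
EXTERNAL_IP = "203.0.113.10"           # firewall's public address (constructed)
LAN = ip_network("192.168.1.0/24")     # constructed LAN

# host label -> (internal IP, [(external port, internal port), ...])
SERVICES = {
    "mail": ("192.168.1.20", [(25, 25), (993, 993)]),
    "www":  ("192.168.1.30", [(80, 8080)]),
}

def resolve(name, client_ip):
    """Answer an A query as the forwarder (inside) or public DNS (outside) would.
    A label with no override still resolves to EXTERNAL_IP for inside clients,
    i.e. it would hit the LAN/NAT problem, so every forwarded service needs an entry."""
    suffix = "." + DOMAIN
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)]
    if ip_address(client_ip) in LAN and label in SERVICES:
        return SERVICES[label][0]
    return EXTERNAL_IP

def nat_rules():
    """Port-forward table the firewall needs: (external port, internal IP, internal port)."""
    return [(ext, ip, internal)
            for ip, ports in SERVICES.values()
            for ext, internal in ports]

def dns_overrides():
    """Per-host entries for the internal DNS forwarder (FQDN -> LAN address)."""
    return {f"{label}.{DOMAIN}": ip for label, (ip, _) in SERVICES.items()}

def move_service(label, new_ip):
    """The single edit needed when a service moves; NAT rules and DNS overrides follow."""
    _, ports = SERVICES[label]
    SERVICES[label] = (new_ip, ports)
```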