[ previous ] [ next ] [ threads ]
 From:  Dave Warren <maillist at devilsplayground dot net>
 To:  "James W. McKeand" <james at mckeand dot biz>
 Cc:  'Mike Razavi' <mike at havepc dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] can't access to a domain name which is hosted in my LAN
 Date:  Mon, 17 Jan 2005 10:14:44 -0700
James W. McKeand wrote:

>It may not be a "problem" but a design limitation. The LAN/NAT issue
>causes problems with more than just m0n0wall. I cannot think of a NAT
>implementation that does not have a problem described in this:
>http://www.m0n0.ch/wall/docbook/faq-lannat.html. It may be possible to
>ping the public IP (as you state later...) but higher level protocols
>will not work...
It's worth noting that $20 Linksys boxes have managed to lick this 
problem due to the user confusion it causes.

I still struggle with this here for a couple reasons, but biggest reason 
being that from the outside different ports forward to difference places 
inside my LAN, so a straight DNS mapping isn't an option.

I've ended up creating a DNS record of *.firewall.example.com (Where 
example.com is my domain name) which points to my firewall's external 
IP, then I configure my internal clients to use 
machinename.firewall.example.com -- When they're internal, the DNS 
forwarder takes care of it, when they're external they get the 
firewall's external IP.

This works, but it means that when I move a service from one internal IP 
to another, I not only have to update m0n0wall but also every internal 

I know what "Cheese" is, and I know what "Whiz" is...