 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] can't access to a domain name which is hosted in my LAN
 Date:  Mon, 17 Jan 2005 15:18:29 -0500
Dave Warren wrote:
> James W. McKeand wrote:
> 
>> It may not be a "problem" but a design limitation. The LAN/NAT issue
>> causes problems with more than just m0n0wall. I cannot think of a NAT
>> implementation that does not have a problem described in this:
>> http://www.m0n0.ch/wall/docbook/faq-lannat.html. It may be possible
>> to ping the public IP (as you state later...) but higher level
>> protocols will not work... 
>> 
>> 
> It's worth noting that $20 Linksys boxes have managed to lick this
> problem due to the user confusion it causes.

But, would you use a $20 Linksys box for an environment hosting
multiple domains and web sites? I don't think I would use one (or
recommend one) for a client that is doing more than sharing a DSL
connection between a few machines or maybe NATing minor SMTP traffic.
IMO, the inbound NAT those boxes provide is good for home users to
play games, not for businesses to host web pages.

> I still struggle with this here for a couple reasons, but biggest
> reason being that from the outside different ports forward to
> difference places inside my LAN, so a straight DNS mapping isn't an
> option. 

Not unusual. FTP to one box, SMTP to another, HTTP to both the FTP and
SMTP... No easy solution if you have a single IP. Server NAT works, if
you have multiple IPs. 
 
> I've ended up creating a DNS record of *.firewall.example.com (Where
> example.com is my domain name) which points to my firewall's external
> IP, then I configure my internal clients to use
> machinename.firewall.example.com -- When they're internal, the DNS
> forwarder takes care of it, when they're external they get the
> firewall's external IP.
> 
> This works, but it means that when I move a service from one internal
> IP to another, I not only have to update m0n0wall but also every
> internal machine.

I don't mean to sound thick, but say what? I don't get it...

Also, it is not a good idea to advertise to the world ***HERE IS MY
FIREWALL***. Security through obscurity.

_________________________________
James W. McKeand
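The setup Dave describes above (several public ports forwarded to different internal hosts, a wildcard `*.firewall.example.com` record for outside clients, and the LAN-side DNS forwarder answering with internal addresses) can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread, from m0n0wall, or from either poster. The LAN range `192.168.1.0/24`, the external address `203.0.113.10`, the internal hosts, and the `SERVICES` table are all constructed sample values. It goes slightly beyond the thread by deriving both the inbound NAT rules and the forwarder overrides from one table, which is what removes the "update every internal machine" step when a service moves.

```python
"""Split-horizon DNS for services behind one NAT'd public IP (constructed example)."""
import ipaddress
from typing import Dict, List, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range (constructed)
FIREWALL_WAN_IP = "203.0.113.10"               # assumed external IP (constructed, RFC 5737 range)
DOMAIN = "firewall.example.com"                # the wildcard zone from the thread

# Single source of truth: service -> (public port, internal host, internal port).
# Constructed sample: FTP and HTTP on one box, SMTP on another, as in the thread.
SERVICES: Dict[str, Tuple[int, str, int]] = {
    "ftp":  (21, "192.168.1.20", 21),
    "smtp": (25, "192.168.1.30", 25),
    "www":  (80, "192.168.1.20", 80),
}


def internal_hosts() -> set:
    """Distinct internal hosts that receive forwarded traffic."""
    return {host for _, host, _ in SERVICES.values()}


def single_a_record_possible() -> bool:
    """A plain 'domain -> internal IP' record only works when every forwarded
    service lives on the same internal host; with two hosts it cannot."""
    return len(internal_hosts()) == 1


def port_forward_rules() -> List[Tuple[int, str, int]]:
    """Inbound NAT rules (public port -> internal host:port) derived from SERVICES.
    Refuses to emit rules if two services claim the same public port."""
    rules = sorted(SERVICES.values())
    pub_ports = [r[0] for r in rules]
    if len(pub_ports) != len(set(pub_ports)):
        raise ValueError("two services claim the same public port")
    return rules


def dns_overrides() -> Dict[str, str]:
    """LAN-side forwarder overrides: <service>.firewall.example.com -> internal host."""
    return {f"{name}.{DOMAIN}": host for name, (_, host, _) in SERVICES.items()}


def resolve(name: str, client_ip: str) -> str:
    """Split-horizon answer: LAN clients get the internal host, everyone else
    gets the wildcard record pointing at the firewall's external IP."""
    name = name.lower().rstrip(".")
    if ipaddress.ip_address(client_ip) in LAN:
        # KeyError on a name with no override, so a missing entry is noticed rather than leaked outside.
        return dns_overrides()[name]
    if name.endswith("." + DOMAIN):
        return FIREWALL_WAN_IP
    raise KeyError(name)


def move_service(name: str, new_host: str) -> None:
    """Relocate a service to another internal host. NAT rules and DNS overrides
    are regenerated from the same table, so no client configuration changes."""
    pub, _, port = SERVICES[name]
    SERVICES[name] = (pub, new_host, port)


if __name__ == "__main__":
    for client in ("192.168.1.50", "198.51.100.7"):   # one LAN client, one outside client (constructed)
        print(client, "->", resolve("www." + DOMAIN, client))
    print("NAT rules:", port_forward_rules())
```

Running the block shows the same name answering with `192.168.1.20` for the LAN client and `203.0.113.10` for the outside client, which is the behaviour the wildcard-plus-forwarder arrangement is meant to produce; `single_a_record_possible()` is `False` for this table, which is the reason a straight DNS mapping is not an option when ports fan out to different hosts.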