Dave Warren wrote:

> James W. McKeand wrote:
>
>> It may not be a "problem" but a design limitation. The LAN/NAT issue
>> causes problems with more than just m0n0wall. I cannot think of a NAT
>> implementation that does not have a problem described in this:
>> http://www.m0n0.ch/wall/docbook/faq-lannat.html. It may be possible
>> to ping the public IP (as you state later...) but higher level
>> protocols will not work...
>
> It's worth noting that $20 Linksys boxes have managed to lick this
> problem due to the user confusion it causes.

But, would you use a $20 Linksys box for an environment hosting multiple domains and web sites? I don't think I would use one (or recommend one) for a client that is doing more than sharing a DSL connection between a few machines or maybe NATing minor SMTP traffic. IMO, the inbound NAT those boxes provide is good for home users to play games, not for businesses to host web pages.

> I still struggle with this here for a couple reasons, but biggest
> reason being that from the outside different ports forward to
> different places inside my LAN, so a straight DNS mapping isn't an
> option.

Not unusual. FTP to one box, SMTP to another, HTTP to both the FTP and SMTP... No easy solution if you have a single IP. Server NAT works, if you have multiple IPs.

> I've ended up creating a DNS record of *.firewall.example.com (Where
> example.com is my domain name) which points to my firewall's external
> IP, then I configure my internal clients to use
> machinename.firewall.example.com -- When they're internal, the DNS
> forwarder takes care of it, when they're external they get the
> firewall's external IP.
>
> This works, but it means that when I move a service from one internal
> IP to another, I not only have to update m0n0wall but also every
> internal machine.

I don't mean to sound thick, but say what? I don't get it... Also, it is not a good idea to advertise to the world ***HERE IS MY FIREWALL***. Security through obscurity.
_________________________________
James W. McKeand