Re: [m0n0wall] can't access to a domain name which is hosted in my LAN

From:	Dave Warren <maillist at devilsplayground dot net>
To:	"James W. McKeand" <james at mckeand dot biz>
Cc:	m0n0wall at lists dot m0n0 dot ch
Subject:	Re: [m0n0wall] can't access to a domain name which is hosted in my LAN
Date:	Tue, 18 Jan 2005 14:19:30 -0700
James W. McKeand wrote:

>>It's worth noting that $20 Linksys boxes have managed to lick this
>>problem due to the user confusion it causes.
>>    
>>
>But, would you use a $20 Linksys box for an environment hosting
>multiple domains and web sites? I don't think I would use one (or
>recommend one) for a client that is doing more than sharing a DSL
>connection between a few machines or maybe NATing minor SMTP traffic.
>IMO, the inbound NAT those boxes provide is good for home users to
>play games, not for businesses to host web pages.
>  
>
No, I wouldn't suggest using a $20 Linksys box for those users.  I 
wouldn't even suggest a $20 linksys for my grandmother (at least not if 
she wants me to support it), I suggest m0n0wall for her too :)

It's just annoying that m0n0wall doesn't have all of the functionality 
of a $20 Linksys router.

>>I've ended up creating a DNS record of *.firewall.example.com (Where
>>example.com is my domain name) which points to my firewall's external IP, then I configure my
internal clients to use
>>machinename.firewall.example.com -- When they're internal, the DNS
>>forwarder takes care of it, when they're external they get the
>>firewall's external IP.
>>
>>This works, but it means that when I move a service from one internal IP to another, I not only
have to update m0n0wall but also every
>>internal machine.
>>    
>>
>I don't mean to sound thick, but say what? I don't get it...
>  
>
Okay, I'll try to make more sense.

The problem is that firewall.example.com has one IP externally, but 
different ports point to different 192.168.x.x IPs internally.  PCs that 
live outside my firewall for their whole lives (machines at other 
locations) can always use firewall.example.com without difficulty and 
m0n0wall gets the traffic to the right place.

Machines that always live inside my firewall for their whole lives 
(desktop machines here) can use mail.internal.example.com which always 
points to the correct LAN IP.

The problem is the laptops which roam between my network and the rest of 
the world.  If they use the "internal" hostname, they can't get to mail, 
the internal FTP, or any other resources when they're roaming unless 
they VPN.  Having them VPN seems like a big pain in the butt since the 
ports they need are already open without a VPN (and the VPN is yet 
another potential security hole)

As a workaround, I've come up with the following:

On my public DNS servers, I have a DNS record of *.firewall.example.com 
which points to my external IP address.

I have users use ftp.firewall.example.com to access my FTP server, 
mail.firewall.example.com to access the mail server, 
www.firewall.example.com to access the www server.  These all point to 
the same external IP (m0n0wall's IP).

So, why not just use firewall.example.com?

Well... When they're inside my network, the IP for FTP, mail, www are 
different internal IPs -- I use m0n0wall's DNS relay to "adjust" these 
known hostnames to their internal NAT'd IPs.

This is a slightly convoluted workaround, but to my knowledge it's the 
only way to handle machines which are sometimes inside and sometimes 
outside, at least until/unless m0n0wall gets some form of bounce or 
internal-NAT functionality.

>Also, it is not a good idea to advertise to the world ***HERE IS MY
>FIREWALL***. Security through obscurity.
>  
>
I don't actually call it "firewall", but it's a better example then 
having to explain my naming scheme in addition to a potentially 
convoluted explaination.

-- 
They call it "PMS" because "Mad Cow Disease" was already taken