[ previous ] [ next ] [ threads ]
 From:  "Mike Razavi" <mike at havepc dot com>
 To:  "Dave Warren" <maillist at devilsplayground dot net>, "James W. McKeand" <james at mckeand dot biz>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] can't access to a domain name which is hosted in my LAN
 Date:  Tue, 18 Jan 2005 17:51:06 -0800
Problem is solved for me :)

I did 3 things:

1) On my server I added m0n0's ip address to top of DNS Forwarder list. 
2) Again on my server under DHCP I added m0n0's ip address as the first
DNS and my DNS server's ip as the second DNS.
3) I added my domain names to DNS Forwarder Services of m0n0 wall.

Now everything is working perfectly.



-----Original Message-----
From: Dave Warren [mailto:maillist at devilsplayground dot net] 
Sent: Tuesday, January 18, 2005 1:20 PM
To: James W. McKeand
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] can't access to a domain name which is hosted in
my LAN

James W. McKeand wrote:

>>It's worth noting that $20 Linksys boxes have managed to lick this
>>problem due to the user confusion it causes.
>But, would you use a $20 Linksys box for an environment hosting
>multiple domains and web sites? I don't think I would use one (or
>recommend one) for a client that is doing more than sharing a DSL
>connection between a few machines or maybe NATing minor SMTP traffic.
>IMO, the inbound NAT those boxes provide is good for home users to
>play games, not for businesses to host web pages.
No, I wouldn't suggest using a $20 Linksys box for those users.  I 
wouldn't even suggest a $20 linksys for my grandmother (at least not if 
she wants me to support it), I suggest m0n0wall for her too :)

It's just annoying that m0n0wall doesn't have all of the functionality 
of a $20 Linksys router.

>>I've ended up creating a DNS record of *.firewall.example.com (Where
>>example.com is my domain name) which points to my firewall's external
IP, then I configure my internal clients to use
>>machinename.firewall.example.com -- When they're internal, the DNS
>>forwarder takes care of it, when they're external they get the
>>firewall's external IP.
>>This works, but it means that when I move a service from one internal
IP to another, I not only have to update m0n0wall but also every
>>internal machine.
>I don't mean to sound thick, but say what? I don't get it...
Okay, I'll try to make more sense.

The problem is that firewall.example.com has one IP externally, but 
different ports point to different 192.168.x.x IPs internally.  PCs that

live outside my firewall for their whole lives (machines at other 
locations) can always use firewall.example.com without difficulty and 
m0n0wall gets the traffic to the right place.

Machines that always live inside my firewall for their whole lives 
(desktop machines here) can use mail.internal.example.com which always 
points to the correct LAN IP.

The problem is the laptops which roam between my network and the rest of

the world.  If they use the "internal" hostname, they can't get to mail,

the internal FTP, or any other resources when they're roaming unless 
they VPN.  Having them VPN seems like a big pain in the butt since the 
ports they need are already open without a VPN (and the VPN is yet 
another potential security hole)

As a workaround, I've come up with the following:

On my public DNS servers, I have a DNS record of *.firewall.example.com 
which points to my external IP address.

I have users use ftp.firewall.example.com to access my FTP server, 
mail.firewall.example.com to access the mail server, 
www.firewall.example.com to access the www server.  These all point to 
the same external IP (m0n0wall's IP).

So, why not just use firewall.example.com?

Well... When they're inside my network, the IP for FTP, mail, www are 
different internal IPs -- I use m0n0wall's DNS relay to "adjust" these 
known hostnames to their internal NAT'd IPs.

This is a slightly convoluted workaround, but to my knowledge it's the 
only way to handle machines which are sometimes inside and sometimes 
outside, at least until/unless m0n0wall gets some form of bounce or 
internal-NAT functionality.

>Also, it is not a good idea to advertise to the world ***HERE IS MY
>FIREWALL***. Security through obscurity.
I don't actually call it "firewall", but it's a better example then 
having to explain my naming scheme in addition to a potentially 
convoluted explaination.

They call it "PMS" because "Mad Cow Disease" was already taken

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch