 From:  Anthony Paul <anthonypaul at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] can't access to a domain name which is hosted in my LAN
 Date:  Wed, 19 Jan 2005 10:28:08 -0330
I don't think this works if you are using AD on your network.

I appreciate there are a number of workarounds that work to varying
degrees, and have varying degrees of upkeep, varying degrees of
configuration complexity, but as one of the above posters said, it's
frustrating that every $20 router on the market can do this - no
configuration required.


On Tue, 18 Jan 2005 17:51:06 -0800, Mike Razavi <mike at havepc dot com> wrote:
> Problem is solved for me :)
> 
> I did 3 things:
> 
> 1) On my server I added m0n0's ip address to top of DNS Forwarder list.
> 2) Again on my server under DHCP I added m0n0's ip address as the first
> DNS and my DNS server's ip as the second DNS.
> 3) I added my domain names to DNS Forwarder Services of m0n0 wall.
> 
> Now everything is working perfectly.
> 
> Thanks,
> 
> Mike
> 
> 
> -----Original Message-----
> From: Dave Warren [mailto:maillist at devilsplayground dot net]
> Sent: Tuesday, January 18, 2005 1:20 PM
> To: James W. McKeand
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] can't access to a domain name which is hosted in
> my LAN
> 
> James W. McKeand wrote:
> 
> >>It's worth noting that $20 Linksys boxes have managed to lick this
> >>problem due to the user confusion it causes.
> >>
> >>
> >But, would you use a $20 Linksys box for an environment hosting
> >multiple domains and web sites? I don't think I would use one (or
> >recommend one) for a client that is doing more than sharing a DSL
> >connection between a few machines or maybe NATing minor SMTP traffic.
> >IMO, the inbound NAT those boxes provide is good for home users to
> >play games, not for businesses to host web pages.
> >
> >
> No, I wouldn't suggest using a $20 Linksys box for those users.  I
> wouldn't even suggest a $20 Linksys for my grandmother (at least not if
> she wants me to support it), I suggest m0n0wall for her too :)
> 
> It's just annoying that m0n0wall doesn't have all of the functionality
> of a $20 Linksys router.
> 
> >>I've ended up creating a DNS record of *.firewall.example.com (Where
> >>example.com is my domain name) which points to my firewall's external
> >>IP, then I configure my internal clients to use
> >>machinename.firewall.example.com -- When they're internal, the DNS
> >>forwarder takes care of it, when they're external they get the
> >>firewall's external IP.
> >>
> >>This works, but it means that when I move a service from one internal
> >>IP to another, I not only have to update m0n0wall but also every
> >>internal machine.
> >>
> >>
> >I don't mean to sound thick, but say what? I don't get it...
> >
> >
> Okay, I'll try to make more sense.
> 
> The problem is that firewall.example.com has one IP externally, but
> different ports point to different 192.168.x.x IPs internally.  PCs that
> live outside my firewall for their whole lives (machines at other
> locations) can always use firewall.example.com without difficulty and
> m0n0wall gets the traffic to the right place.
> 
> Machines that always live inside my firewall for their whole lives
> (desktop machines here) can use mail.internal.example.com which always
> points to the correct LAN IP.
> 
> The problem is the laptops which roam between my network and the rest of
> the world.  If they use the "internal" hostname, they can't get to mail,
> the internal FTP, or any other resources when they're roaming unless
> they VPN.  Having them VPN seems like a big pain in the butt since the
> ports they need are already open without a VPN (and the VPN is yet
> another potential security hole)
> 
> As a workaround, I've come up with the following:
> 
> On my public DNS servers, I have a DNS record of *.firewall.example.com
> which points to my external IP address.
> 
> I have users use ftp.firewall.example.com to access my FTP server,
> mail.firewall.example.com to access the mail server,
> www.firewall.example.com to access the www server.  These all point to
> the same external IP (m0n0wall's IP).
> 
> So, why not just use firewall.example.com?
> 
> Well... When they're inside my network, the IP for FTP, mail, www are
> different internal IPs -- I use m0n0wall's DNS relay to "adjust" these
> known hostnames to their internal NAT'd IPs.
> 
> This is a slightly convoluted workaround, but to my knowledge it's the
> only way to handle machines which are sometimes inside and sometimes
> outside, at least until/unless m0n0wall gets some form of bounce or
> internal-NAT functionality.
> 
> >Also, it is not a good idea to advertise to the world ***HERE IS MY
> >FIREWALL***. Security through obscurity.
> >
> >
> I don't actually call it "firewall", but it's a better example than
> having to explain my naming scheme in addition to a potentially
> convoluted explanation.
> 
> --
> They call it "PMS" because "Mad Cow Disease" was already taken
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
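The workaround Dave describes is split-horizon DNS: the public zone carries a wildcard `*.firewall.example.com` pointing at the firewall's external address, and the LAN DNS forwarder overrides the same names with the internal NAT'd addresses, so a roaming laptop gets the right answer wherever it is. The following is an added example, not code from the thread or from m0n0wall, that models that resolution logic in Python so the behaviour (and the maintenance cost Dave mentions) can be seen on sample queries. All addresses, the `192.168.1.0/24` LAN range and the `INTERNAL_OVERRIDES` table are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the thread): the public view is a
# single wildcard record; the internal view is the forwarder's override table.
PUBLIC_IP = "203.0.113.10"                 # firewall's external address (constructed)
PUBLIC_ZONE_APEX = "firewall.example.com"  # firewall.example.com and *.firewall.example.com
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # constructed LAN range
INTERNAL_OVERRIDES = {                     # hostname -> LAN address served behind NAT
    "ftp.firewall.example.com": "192.168.1.20",
    "mail.firewall.example.com": "192.168.1.25",
    "www.firewall.example.com": "192.168.1.30",
}
# Names that exist only in the internal view (Dave's mail.internal.example.com).
INTERNAL_ONLY = {"mail.internal.example.com": "192.168.1.25"}


def is_internal_client(client_ip: str) -> bool:
    """True when the querying client sits on one of the LAN ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str):
    """Split-horizon lookup: internal clients get LAN addresses for
    overridden names; everyone else gets the public wildcard answer.
    Returns None when the name does not resolve from that vantage point."""
    name = name.lower().rstrip(".")
    if is_internal_client(client_ip):
        if name in INTERNAL_OVERRIDES:
            return INTERNAL_OVERRIDES[name]
        if name in INTERNAL_ONLY:
            return INTERNAL_ONLY[name]
    # Public view: apex or any label under it matches the wildcard record.
    if name == PUBLIC_ZONE_APEX or name.endswith("." + PUBLIC_ZONE_APEX):
        return PUBLIC_IP
    return None


def move_service(name: str, new_lan_ip: str) -> dict:
    """Relocating a service means editing the override table (the forwarder)
    and, as Dave notes, any client that hard-codes the old LAN address.
    Returns the views before and after so the change is visible."""
    before = INTERNAL_OVERRIDES.get(name)
    INTERNAL_OVERRIDES[name] = new_lan_ip
    return {"name": name, "old": before, "new": INTERNAL_OVERRIDES[name]}


if __name__ == "__main__":
    for host in ("mail.firewall.example.com", "mail.internal.example.com"):
        for client in ("192.168.1.50", "198.51.100.7"):   # LAN laptop vs roaming laptop
            print(f"{host:28} from {client:14} -> {resolve(host, client)}")
```

Running the block shows the point of the thread: `mail.firewall.example.com` resolves to the LAN address from inside and to the firewall's public address from outside, while the internal-only name `mail.internal.example.com` resolves to nothing for the roaming client, which is exactly why Dave's laptops need the `*.firewall.example.com` names.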