 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  David Cavanaugh <dcavanaugh at thewebpros dot net>
 Cc:  JSimoneau at lmtcs dot com, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Accessing internal hosts via external IP
 Date:  Thu, 31 Mar 2005 17:03:55 -0500
We have two webservers currently on our LAN. These will eventually be
moved to the DMZ when I get a chance.

Anyway... If you have a webserver on the LAN and you setup NAT 1:1 for
a given Public IP to translate to the Private IP, all inbound requests
should go to the server.

We had to enable Proxy ARP to get this to work.

Now from the LAN, if you want to get to a webserver or webpage for a
server on the LAN, make an entry to your internal DNS.

Example:
FQDN www.somedomain.com 10.0.0.10
setup NAT 1:1 for 10.0.0.10 to go to 192.168.1.10
setup Proxy ARP
The known issue with m0n0wall at this point is you can't type
www.somedomain.com in a browser. I don't understand the technical
"why".
What I did to work around this was to add an entry in our internal DNS
for the domain somedomain.com to resolve www to 192.168.1.10.

Now browsing to the webpage works.

- Don

On Thu, 31 Mar 2005 16:33:13 -0500, David Cavanaugh
<dcavanaugh at thewebpros dot net> wrote:
> Josh:
> 
> Hmm. . .
> 
> It just seems strange to me that iptables can do something ipfilter/ipfw
> cannot. As I said, I'm no BSD anything. Hell, I barely know linux. Even
> so, it would be nice to know if such a thing is physically impossible (I
> really don't need to know why) with the software that m0n0wall uses--
> before I Google myself silly looking for an analogue to the iptable
> commands I posted earlier.
> 
> Thanks,
> 
> Dave
> 
> -----Original Message-----
> From: JSimoneau at lmtcs dot com [mailto:JSimoneau at lmtcs dot com]
> Sent: Thursday, March 31, 2005 3:29 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Accessing internal hosts via external IP
> 
> Dave,
> 
> I'd like to see it. A lot of other people would like to see it, too.
> But,
> I'm not exactly sure where the issue lies. If I'm remembering correctly
> from earlier posts, it's not an easy problem to solve.
> 
> Regards,
> Josh Simoneau
> 
> -----Original Message-----
> From: David Cavanaugh [mailto:dcavanaugh at thewebpros dot net]
> Sent: Thursday, March 31, 2005 2:58 PM
> To: Josh J Simoneau
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Accessing internal hosts via external IP
> 
> Right.
> 
> So it's a known issue. Does that mean such a thing would be possible in
> the future?
> 
> Thanks,
> 
> Dave
> 
> -----Original Message-----
> From: JSimoneau at lmtcs dot com [mailto:JSimoneau at lmtcs dot com]
> Sent: Thursday, March 31, 2005 2:44 PM
> To: David Cavanaugh
> Subject: RE: [m0n0wall] Accessing internal hosts via external IP
> 
> Dave,
> 
> This is a known issue with monowall. From the LAN you need to access
> systems using their LAN IP address. NAT only works from the WAN
> interface.
> 
> The solution to this is the DNS Forwarder, but that might not be what
> you're looking for if you're doing everything by IP address.
> 
> Regards,
> Josh Simoneau
> 
> -----Original Message-----
> From: David Cavanaugh [mailto:dcavanaugh at thewebpros dot net]
> Sent: Thursday, March 31, 2005 1:13 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] Accessing internal hosts via external IP
> 
> Using iptables we were able to access internal machines via their public
> IPs using commands similar to:
> 
> iptables -t nat -A PREROUTING -i $INTERNAL_INTERFACE -d $EXTERNAL_ADDRESS \
>   -j DNAT --to $INTERNAL_ADDRESS
> 
> iptables -t nat -A POSTROUTING -o $INTERNAL_INTERFACE -d $INTERNAL_ADDRESS \
>   -s $DMZ_NETWORK -j SNAT --to $DMZ_GATEWAY
> 
> And it worked for years-- no problems.
> 
> Now, since I am totally ignorant concerning ipfilter and ipfw, can
> anyone
> unequivocally say that is impossible in m0n0wall?
> 
> I'm only curious.
> 
> Thanks,
> 
> Dave
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
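The two iptables rules Dave quotes are a "hairpin" (NAT reflection) setup, and the second rule, the SNAT, is the part that answers Don's "why": without it the server replies straight to the client on the LAN from its private address, and the client, which connected to the public address, drops the reply. The Python below is an added illustration, not from the thread or from m0n0wall; it walks one request and reply through a toy model of those two rules. All addresses and the Packet type are constructed for the example.

```python
# Added illustration (not from the thread): a toy model of the two iptables
# rules Dave posted, showing why the POSTROUTING SNAT rule is needed when a
# LAN client reaches a LAN server through its public address (hairpin NAT).
# All addresses are constructed for the example.
from dataclasses import dataclass, replace

EXTERNAL_ADDRESS = "203.0.113.10"   # public IP mapped 1:1 to the web server
INTERNAL_ADDRESS = "192.168.1.10"   # the web server's LAN address
INTERNAL_NETWORK = "192.168.1."     # stands in for $DMZ_NETWORK in the rules
GATEWAY = "192.168.1.1"             # firewall's inside address ($DMZ_GATEWAY)
CLIENT = "192.168.1.50"             # workstation browsing to the public IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def prerouting_dnat(pkt: Packet) -> Packet:
    """PREROUTING: -d $EXTERNAL_ADDRESS -j DNAT --to $INTERNAL_ADDRESS"""
    if pkt.dst == EXTERNAL_ADDRESS:
        return replace(pkt, dst=INTERNAL_ADDRESS)
    return pkt


def postrouting_snat(pkt: Packet) -> Packet:
    """POSTROUTING: -d $INTERNAL_ADDRESS -s $DMZ_NETWORK -j SNAT --to $DMZ_GATEWAY"""
    if pkt.dst == INTERNAL_ADDRESS and pkt.src.startswith(INTERNAL_NETWORK):
        return replace(pkt, src=GATEWAY)
    return pkt


def hairpin(use_snat: bool):
    """Return (request as the server sees it, reply as the client sees it, accepted?)."""
    request = prerouting_dnat(Packet(src=CLIENT, dst=EXTERNAL_ADDRESS))
    if use_snat:
        request = postrouting_snat(request)
    # The server answers whatever source address it saw.
    reply = Packet(src=request.dst, dst=request.src)
    if reply.dst == GATEWAY:
        # Reply returns via the firewall, which undoes both translations
        # from its connection-tracking state.
        reply = Packet(src=EXTERNAL_ADDRESS, dst=CLIENT)
    # Without SNAT the server answers directly from its private address; the
    # client connected to the public address, so the reply matches no socket.
    accepted = reply == Packet(src=EXTERNAL_ADDRESS, dst=CLIENT)
    return request, reply, accepted
```

Running `hairpin(False)` shows the server replying from 192.168.1.10 directly to the client, which is the asymmetric path that breaks the connection; `hairpin(True)` shows the SNAT forcing the reply back through the firewall.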