 From:  edward mzj <edward dot mzj at gmail dot com>
 To:  Justin Reid <justinreid at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Accessing NATed service from LAN - is it coming?
 Date:  Wed, 3 Aug 2005 10:39:18 +0800
It's said that ipfilter cannot do this kind of work. That's wrong.

Here is an example. Let's say A.B.C.D1 is the LAN address, E.F.G.H
is the WAN address and A.B.C.D2 is the address of the internal web server
which is published to the outside world.

# WAN side: 0/32 stands for the interface's own address, so no fixed IP is needed here
rdr WAN 0/32 port 80 -> A.B.C.D2 port 80 tcp
# LAN side: LAN clients talking to the public address get redirected to the server
rdr LAN E.F.G.H/32 port 80 -> A.B.C.D2 port 80 tcp
# rewrite the LAN source to the WAN address so the server's replies come back through m0n0wall
map LAN from A.B.C.D/24 to A.B.C.D2/32 port = 80 -> E.F.G.H/32 portmap tcp auto

Now http://E.F.G.H is accessible to the LAN users.

Quite simple, isn't it? But two problems arise.
First, performance. m0n0 might be overloaded, because those packets
need to be rewritten twice.
Second, the WAN IP address. The WAN IP address must be hard-coded into the
last two rules. When the WAN IP address is statically allocated, it's
not a problem. However, for those using DHCP/PPTP/PPPoE, the WAN
IP address will change. That change must be tracked and the ipnat rules
must be modified upon that change. Thus a script should be put into
the mini-crontab to monitor the change, or somebody knows a better

Sorry for my poor English.
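As an added example (it is not from the post above and not m0n0wall's own code), here is the kind of script the post suggests dropping into the mini-crontab: it reads the current WAN interface address, compares it with the address recorded on the last run, and only when it differs removes the previously loaded reflection rules, regenerates the three rules from the post with the new address filled in, and loads them with ipnat. The interface names (sis0/sis1), the LAN network, the server address and the state/rule file paths are assumed placeholders; the ifconfig output format is FreeBSD's.

```shell
#!/bin/sh
# Added example, not part of the original post or of m0n0wall.
# Regenerates the NAT-reflection rules when the WAN address changes.

LAN_IF="sis0"                 # assumption: LAN interface
WAN_IF="sis1"                 # assumption: WAN interface
LAN_NET="192.168.1.0/24"      # assumption: LAN network
SERVER="192.168.1.10"         # assumption: published internal web server
STATE="/var/run/wanip.last"   # assumption: file holding the last seen WAN IP
RULES="/var/run/reflect.nat"  # assumption: file holding the rules last loaded

# Print the three rules from the post with the WAN address filled in.
# The first rdr uses 0/32 (the interface's own address) and so needs no IP;
# the LAN-side rdr and the map rule are the two that carry the WAN address.
gen_rules() {
    wan_ip="$1"
    printf 'rdr %s 0/32 port 80 -> %s port 80 tcp\n' "$WAN_IF" "$SERVER"
    printf 'rdr %s %s/32 port 80 -> %s port 80 tcp\n' "$LAN_IF" "$wan_ip" "$SERVER"
    printf 'map %s from %s to %s/32 port = 80 -> %s/32 portmap tcp auto\n' \
        "$LAN_IF" "$LAN_NET" "$SERVER" "$wan_ip"
}

# Read FreeBSD-style ifconfig output on stdin, print the first inet address.
wan_ip_from_ifconfig() {
    awk '$1 == "inet" { print $2; exit }'
}

# Succeed (exit 0) when the given address differs from the one in the state file.
wan_ip_changed() {
    new="$1"
    state="$2"
    old=""
    [ -r "$state" ] && old=$(cat "$state")
    [ "$new" != "$old" ]
}

# Cron entry point: called on the firewall itself, e.g. every minute.
refresh() {
    ip=$(ifconfig "$WAN_IF" | wan_ip_from_ifconfig)
    if [ -z "$ip" ]; then
        echo "no address on $WAN_IF yet" >&2
        return 1
    fi
    if wan_ip_changed "$ip" "$STATE"; then
        # Remove only the rules we loaded last time (ipnat -r removes matching
        # rules); ipnat -C/-F would also wipe the rules m0n0wall generated.
        [ -r "$RULES" ] && ipnat -r -f "$RULES"
        gen_rules "$ip" > "$RULES"
        ipnat -f "$RULES"
        printf '%s\n' "$ip" > "$STATE"
    fi
}

if [ "${1:-}" = "refresh" ]; then
    refresh
fi
```

Run it as `sh reflect.sh refresh` from the cron table. Removing the old rules with `ipnat -r -f` before loading the new file keeps the rest of the NAT configuration untouched; established translations for the old WAN address are still flushed with the next `ipnat -F` or simply time out.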