 From:  Christoph Hanle <christoph dot hanle at leinpfad dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Accessing domains hosted on my LAN from the LAN
 Date:  Sun, 05 Mar 2006 01:19:28 +0100
Tortise wrote:
> Hi List 
> I have studied the list emails I can find on this topic, however am unable to solve my problem, on Monowall 1.21. Has anything changed in 1.2x Monowalls to assist this?
> I planned to substitute an IPCOP firewall with the Monowall. Using IPCOP I can access the external domain addresses internally without problem.
> I cannot seem to get this to work using Monowall, despite enabling the DNS forwarder. I have an apache server hosting multiple domains on the LAN.
> From what I can gather from "official" monowall comments it is not intended to have Monowall function in this way, although it is not made clear exactly why and it seems to be on the wishlist. Possibly it is because it might be seen to compromise the security of Monowall, but is this really a concern? Is there another reason? Can I record a vote for priority for this?
> Often quoted is:
> http://doc.m0n0.ch/handbook/faq-lannat.html
> 16.3. Why isn't it possible to access NATed services by the public IP address from LAN?
> Problem. It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind m0n0wall and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.
> Reason. This is due to a limitation in ipfilter/ipnat (which are used in m0n0wall). Read the ipfilter FAQ for details. m0n0wall does not (and probably will not) include a "bounce" utility.
> Solution. If you use m0n0wall's built-in DNS forwarder for your LAN clients, you can add one or more overrides so that they will get the internal (LAN) IP address of your server instead of the external one, while external clients still get the real/public IP address.
> Note
> This will only work if you use m0n0wall as the primary DNS server on your LAN hosts. If you use another DNS server, you need to use its functionality to resolve that host to the appropriate private IP. See your DNS server documentation for more information.
> {end}
> Re "you can add one or more overrides" this is not clear to me how to do this.
> and also "if you use m0n0wall as the primary DNS server" - what do we do to enable this? I presume this means we somehow use the ISP DNS server for external lookups and Monowall for LAN DNS, however I do not see how to combine these.
> Any help would be appreciated.
1. Services -> DNS forwarder -> enable
2. after: "You may enter records that override the results from the forwarders below." add the internal IPs with the used FQNs
3. create a rule "allow DNS from inside to internal IP of the M0n0"
4. force the internal Clients to use the internal IP of the M0n0 as primary DNS


> Kind regards
> David Hingston 
> PS From the IPCOP FAQ:
> How can I access my servers via their public domain names from the internal network?
> There are 3 options
> 1. On the IPCop Machine edit /etc/hosts (this is explained in the next question in the FAQ) and define the local server name with the local (orange or green) address. Make sure that the client PCs that need to access the local servers are using the IPCop as their DNS Server.
> 2. On the local client machine HOSTS file on your Windows computers edit the local hosts file and enter the local server name and its local address (%SYSTEMROOT%\SYSTEM32\DRIVERS\ETC\HOSTS on Windows 2000/XP)
> 3. Setup an internal DNS server making it authoritative for the domain you host. Set your recursive DNS Server (the one used by internal workstations) to check the internal DNS Server for domains that you run, and the regular recursive route for all others.
> Non recursive DNS is not part of a firewall's role. Look at the security issues with BIND that mixes RED and GREEN in this way. IPCop has a recursive DNS server and cache available only on Green and Orange. If you want a DNS use djbDNS, Bind. If you want a pure DNS Server myDNS is a good (non recursive) DNS server ideal for dynamic changes, great web interface and simple to use.
> To find out more about DNS and the technique outlined in step 3 read up on DNS and "split horizon routing or DNS".
> -- SethR - 08 June 2003

last words:
"let's make the backup tomorrow"