-------- Original Message --------
Subject: Re:[m0n0wall] the meaning of FAQ 16.3
From: Lee Sharp <leesharp at hal dash pc dot org>
To: m0n0wall at lists dot m0n0 dot ch
Date: Wed Jan 17 2007 04:40:40 GMT+0000 (GMT Standard Time)

> From: <rlpumphrey at comcast dot net>
>
>> Sorry, I'm sure this has been covered many times. But then I'm still
>> driven to ask.
>> I believe that I'm fighting this problem.
>> 16.3. Why isn't it possible to access NATed services by the public IP address from LAN?
>> Problem. It is not possible to access NATed services using the public (WAN) IP
>> address from within LAN
>
> Let me put this in cartoon script form...
>
> Cast:
>
> 192.168.1.125 - A nice client PC from the upper east side.
> 192.168.1.10 - A nice web server from mid-town
> 65.20.65.20 - The public address of the web server
> www.myservice.com - The web name of the web server.
> Bob - A DNS server
> 25.60.25.60 - The Mysterious Stranger... (Oooooo)
>
> The Internet - Night.
>
> 25.60.25.60 - Hi Bob. I need to talk to www.myservice.com.
> Bob - OK, 25.60.25.60, you need to call 65.20.65.20.
> 25.60.25.60 - ack.
>
> 25.60.25.60 - Hi 65.20.65.20. I need web services.
> (Sound off stage...) Hey 192.168.1.10, 25.60.25.60 says "Hi 65.20.65.20. I need web services."
> 65.20.65.20 - Hi 25.60.25.60. I have web services.
> 25.60.25.60 - Send me this page...
>
>
> 192.168.1.125 - Hi Bob. I need to talk to www.myservice.com.
> Bob - OK, 192.168.1.125, you need to call 65.20.65.20.
> 192.168.1.125 - ack.
>
> 192.168.1.125 - Hi 65.20.65.20. I need web services.
> (Sound off stage...) Hey 192.168.1.10, 192.168.1.125 says "Hi 65.20.65.20. I need web services."
> 192.168.1.10 - Hi 192.168.1.125. I have web services.
> 192.168.1.125 - Who are you? I want 65.20.65.20. Go away...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

Hilarious... :D

This is why we should use a "split DNS" configuration, which means to have a public DNS server for public addresses, and an internal DNS for private addresses.

Internal clients point to the internal server, which then uses some upper DNS server as its resolver. The external DNS has recursion disabled (i.e.: only resolves our domain/zone, refusing requests for others). Finally, the same zones (and the same names) that exist on the external DNS also exist in the internal DNS, but they resolve to the internal addresses.

Complementing the above script, it would be like:

Cast:

192.168.1.125 - A nice client PC from the upper east side.
192.168.1.10 - A nice web server from mid-town
Joe: an internal DNS server
www.myservice.com - The web name of one of our web servers

192.168.1.125 - Hi Joe. I need to talk to www.myservice.com.
Joe - OK, 192.168.1.125, you need to call 192.168.1.10.
192.168.1.125 - ack.

192.168.1.125 - Hi 192.168.1.10. I need web services.
192.168.1.10 - Hi 192.168.1.125. I have web services.
192.168.1.125 - Send me this page...

Notice how there is no "off stage" voice? The firewall is not involved, as all the action happens in the internal network...

Search Google for "Split-DNS" and you'll get the broader picture.

Paulo
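Both scripts above, as a runnable model. This is an added example and not code from either message or from the m0n0wall project; the addresses and the two DNS servers (Bob, Joe) are the thread's cast, while the packet and firewall behaviour is a constructed simplification (destination NAT on the public address only, and a web server that answers a LAN source directly without going back through the firewall). It makes the failure mechanism explicit: the LAN client's reply arrives from 192.168.1.10, not from the 65.20.65.20 it connected to, so the client's TCP stack has no connection to match it against.

```python
import ipaddress
from dataclasses import dataclass

# Cast from the thread. The addresses are the thread's own; the model is constructed.
CLIENT_LAN = "192.168.1.125"   # the client PC on the LAN
WEB_SERVER = "192.168.1.10"    # the web server's real (LAN) address
PUBLIC_IP = "65.20.65.20"      # the firewall's WAN address, port-forwarded to WEB_SERVER
STRANGER = "25.60.25.60"       # a client somewhere on the Internet
LAN = ipaddress.ip_network("192.168.1.0/24")

# Bob (external DNS) and Joe (internal DNS) serve the same name with different answers.
BOB_ZONE = {"www.myservice.com": PUBLIC_IP}
JOE_ZONE = {"www.myservice.com": WEB_SERVER}


def on_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def resolve(name, client, split_dns):
    """With split DNS, LAN clients ask Joe; everyone else (and everyone
    without split DNS) gets Bob's public answer."""
    if split_dns and on_lan(client):
        return JOE_ZONE[name]
    return BOB_ZONE[name]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


def firewall_forward(pkt):
    """Port forward: destination NAT only. The source address is left alone,
    which is exactly what the 'off stage' voice in the script does."""
    if pkt.dst == PUBLIC_IP:
        return Packet(pkt.src, WEB_SERVER, pkt.payload)
    return pkt


def firewall_reply(pkt):
    """Reverse translation, applied only to replies that actually cross the firewall."""
    if pkt.src == WEB_SERVER:
        return Packet(PUBLIC_IP, pkt.dst, pkt.payload)
    return pkt


def fetch_page(client, split_dns):
    """One HTTP request from `client`. Returns (accepted, trace)."""
    trace = []
    peer = resolve("www.myservice.com", client, split_dns)
    trace.append(f"{client} resolved www.myservice.com -> {peer}")

    request = Packet(client, peer, "GET /")
    if peer == PUBLIC_IP:
        # Only the firewall owns the public address, so the request crosses it.
        request = firewall_forward(request)
        trace.append(f"firewall forwards request to {request.dst}")
    else:
        trace.append("request delivered directly on the LAN")

    # The server answers from its own address to whatever source it saw.
    reply = Packet(request.dst, request.src, "200 OK")
    if on_lan(reply.dst):
        # LAN-to-LAN traffic never touches the firewall, so nothing un-NATs it.
        trace.append(f"server replies directly: {reply.src} -> {reply.dst}")
    else:
        reply = firewall_reply(reply)
        trace.append(f"firewall un-NATs reply: {reply.src} -> {reply.dst}")

    # The client only has a connection to `peer`; any other source is a stranger.
    accepted = reply.src == peer
    trace.append("accepted" if accepted else f"dropped: expected {peer}, got {reply.src}")
    return accepted, trace


if __name__ == "__main__":
    for who, split in ((STRANGER, False), (CLIENT_LAN, False), (CLIENT_LAN, True)):
        ok, steps = fetch_page(who, split)
        print(f"--- {who}, split DNS={split}: {'OK' if ok else 'FAIL'}")
        for line in steps:
            print("   ", line)
```

Running it reproduces the thread: the stranger succeeds, the LAN client fails without split DNS and succeeds with it. Two caveats for anyone deploying this: Joe must mirror every public name, not just the web server, or LAN clients will hit the same wall on the names you forgot; and the other way out, not covered in the thread, is to have the firewall rewrite the source address as well (NAT reflection), at the cost of pushing all that LAN traffic through the firewall.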