 From:  dave <dave at rodrig dot com>
 To:  Hilton Travis <Hilton at QuarkAV dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Custom RDR NAT rules: How to add?
 Date:  Sun, 15 Feb 2004 23:54:49 -0500
On Mon, Feb 16, 2004 at 02:06:00PM +1000, Hilton Travis wrote:
> Hi Dave,
> 
> On Mon, 2004-02-16 at 12:11, dave wrote:
> > Now my question:
> > 
> > We all know about the DNS overrides that need to be in place in order 
> > for LAN hosts to be able to access DMZ hosts by hostname. On OpenBSD, I 
> > overcame this problem with RDR NAT rules which said basically:
> > 
> > rdr xl0 <public ip address> port 80 -> 192.168.95.5 port 80 tcp
> > 
> > Where xl0 is my LAN interface and the public ip address is whatever 
> > dmz.host.com resolves to. This worked beautifully.
> > 
> > How would I go about adding a similar rule using exec.php?? Is it 
> > possible?
> 
> Using the features available in the webGUI, go to the "DNS Forwarder"
> page, and down the bottom you'll see the "overrides" section.
> 
> Add an entry such as:
> Host	Domain		IP		Description
> Virgil	example.com	10.0.0.5	Virgil (in the DMZ)

Yes, I know about the DNS overrides, that's how I started my post. :-)


> 
> > Also, is there a chance we might someday see a checkmark in the webgui 
> > along the lines of "Add Server/1:1 NAT RDR rules from LAN" to accomplish 
> > the same thing?
> 
> The functionality you need - DNS overrides for DMZ machines - is already
> in the webGUI.

No, this is not the same thing. The DNS forwarder override causes
m0n0wall to return a DMZ address for the requested hostname. Once set up
correctly, if I type www.rodrig.com, it will be *resolved* to a dmz
address. What I'm talking about is a bit different. I want name
resolution to happen normally, www.rodrig.com resolves to 68.164.137.58
(an external address), and packets are sent to that address. Once those
packets hit m0n0wall, they'd then be *redirected* (ipnat) to
192.168.95.5. If this happens, the DNS forwarder overrides are
unnecessary.

I much prefer this solution because I host 4 domains on the server in my
dmz, and within each domain I have several subdomains (i.e.
pics.rodrig.com, dave.rodrig.com, etc.). Using the overrides means I
have to enter each of these manually, but with only the one RDR rule all
of these are taken care of, since they all resolve to the same address.

I realize this would be of limited use to most people, since the
overrides already address this as it would apply in most situations.
This isn't a feature request, the webgui comment was an afterthought. If
I can take care of this by adding a RDR rule using exec.php, that'd be
great.

thanks
dave