--On Sunday, August 08, 2004 18:43:21 -0400 [EMAIL PROTECTED] wrote:

No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD
internet gateway.  Again, the configuration is
        de0 = PUBLIC IP = 1.2.3.4
        de1 = 192.168.1.1
        de2 = 192.168.2.1

I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet
being redirected to 192.168.2.250.  That works fine.  But I want someone on
192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
public address 1.2.3.4:80.

Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has
a public interface with an IP number of 1.2.3.4 and is assigned the DNS name
www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a
private address space of 192.168.1.0/255.255.255.0 and a third NIC that
supports a private address space of 192.168.2.0/255.255.255.0.

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
they get redirected to 192.168.2.250 because I've included a redirect_port
rule for NATD.  This works fine.  But, users on all private networks (I have
two, but there could be 20) also need to be redirected to 192.168.2.250 when
they try to go to www.ishouldhaveusedipfilter.com.  So the user sitting at
192.168.1.247 shouldn't have to worry about putting in the IP number of the
company web server, they should just be able to put in the company domain
name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250
just like anyone coming from the outside.

It seems to me that the best way to handle this is through DNS. Hosts within your LAN should resolve www.ishouldhaveusedipfilter.com to 192.168.2.250 instead of 1.2.3.4.

Typically, you would have an externally visible DNS server which is authoritative
for your domain; and which lists only the publicly visible machines and IP addresses.
(It should -NOT- handle referrals at all.)  Somewhere within your LAN you would have
another DNS server that is authoritative for your internal domain and IP range.  It
may handle referrals; but it is safer to have a completely separate DNS server which
just handles referrals (and possibly caches results) - it should be explicitly told
to use your LAN's authoritative server for your domain and IP range.

With this setup, outside machines see the public address, which is redirected
via your firewall/NAT rules; but internal machines see the internal address and
access it directly.


-Pat

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
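A concrete way to set up the split DNS Pat describes, as an added example that is not part of the thread and not Pat's or the original poster's configuration: a BIND 9 `named.conf` with two views on the gateway. The zone name and the addresses (1.2.3.4, 192.168.1.0/24, 192.168.2.0/24, 192.168.2.250) are the ones from the thread; that BIND runs on the gateway itself, the file paths, and the `ns1` hostname are assumptions made for the example. The "internal" view hands LAN clients the private address and is the only view that recurses; the "external" view is authoritative only and refuses recursion, which is the "-NOT- handle referrals" point above.

```conf
// named.conf -- added example, not from the thread.
// Assumed: BIND 9 on the FreeBSD gateway, listening on all three interfaces.

acl "lan" { 192.168.1.0/24; 192.168.2.0/24; 127.0.0.1; };

options {
    directory "/etc/namedb";                           // assumed path
    listen-on { 1.2.3.4; 192.168.1.1; 192.168.2.1; 127.0.0.1; };
};

// Views are tried in order: the LAN view must come first, or private
// clients would fall through to "any" and get the public address.
view "internal" {
    match-clients   { "lan"; };
    recursion       yes;
    allow-recursion { "lan"; };                        // recurse only for the LAN
    zone "ishouldhaveusedipfilter.com" {
        type master;
        file "internal/ishouldhaveusedipfilter.com.db";
    };
};

// Everyone else: authoritative answers only, no recursion for the Internet.
view "external" {
    match-clients   { any; };
    recursion       no;
    allow-recursion { none; };
    zone "ishouldhaveusedipfilter.com" {
        type master;
        file "external/ishouldhaveusedipfilter.com.db";
    };
};

// internal/ishouldhaveusedipfilter.com.db (excerpt, same SOA/NS in both files):
//   $TTL 3600
//   @    IN SOA ns1.ishouldhaveusedipfilter.com. hostmaster.ishouldhaveusedipfilter.com. (
//               2004080801 3600 900 604800 3600 )
//        IN NS  ns1.ishouldhaveusedipfilter.com.
//   ns1  IN A   192.168.1.1
//   www  IN A   192.168.2.250       <-- LAN hosts go straight to the web server
//
// external/ishouldhaveusedipfilter.com.db differs only in the last two records:
//   ns1  IN A   1.2.3.4
//   www  IN A   1.2.3.4             <-- outside hosts hit the natd redirect_port rule
```

To check it, point a LAN host at 192.168.1.1 (or 192.168.2.1) for DNS and query `www.ishouldhaveusedipfilter.com` from there and from an outside host: the LAN answer must be 192.168.2.250, the outside answer 1.2.3.4, and a recursive query for some unrelated name from outside must be refused. The existing natd `redirect_port` rule stays in place for Internet clients; the views only stop LAN clients from ever needing it.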
