Hi Joe,

I'm not sure if anyone has replied to you yet so if not, here's what I 
think the issue might be.  Based on your configuration, it looks as if 
you're NAT'ing your DMZ server.  This ends up placing the DMZ server on 
the same network as your LAN hosts.  Normally, this would be fine if you 
were running a DNS server internally which would provide your LAN hosts 
with the actual address of your DMZ server - 169.254.200.8.  It looks 
like you're using external DNS server addresses however which are most 
likely providing your LAN hosts with the outside address of your DMZ 
server - 66.76.75.98.

What happens here is that the internal LAN hosts hit your NAT rule 30 
which changes the destination address of their packets to 
169.254.200.8.  These packets will reach the server with a source 
address of 169.254.200.x and a destination address of 169.254.200.8.  
The server will see that the packet is coming from a host on its own 
network and will reply directly to the LAN host (bypassing the router) 
with a source of 169.254.200.8 and a destination of 169.254.200.x.  The 
problem is that the LAN host on 169.254.200.x is expecting a return 
packet from 66.76.75.98, not 169.254.200.8.  So the return traffic is 
not as expected and gets dropped.

One of our developers, An-Cheng, came up with a solution for this which 
is described below:

Try adding the following NAT rule to your configuration:

    rule 5 {
        type: "source"
        translation-type: "dynamic"
        outbound-interface: "eth+"
        protocols: "all"
        source {
            network: 169.254.200.0/24
        }
        destination {
            network: 169.254.200.0/24
        }
        outside-address {
            range {
                start: 10.254.200.1
                stop: 10.254.200.254
            }
        }
    }

This NAT rule will:

1. Cause packets from your LAN hosts to the DMZ server to have a source 
address of 10.254.200.x and a destination address of 169.254.200.8 when 
they reach the DMZ server
2. Because these packets are not sourced from the same network as the 
DMZ server, the DMZ server will send the return traffic back to the 
router with a destination of 10.254.200.x and a source of 169.254.200.8
3.  The router will then associate this return packet with the original 
SNAT and DNAT translations and will first change the destination address 
of 10.254.200.x back to the original LAN host address of 169.254.200.x
4.  Next it will change the source address of the return packet from 
169.254.200.8 to the public address of 66.76.75.98

This should work if this is actually the issue you are running into.  If 
not, let me know some more details like how you are accessing your DMZ 
server from your internal LAN, etc.

Thank you,

Robyn


With the additional NAT rule
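The packet flow Robyn walks through, written up as an added simulation (not code from the thread or from Vyatta): it applies Joe's DNAT rule 30, optionally the proposed SNAT rule 5, lets the DMZ server reply the way any host would (directly when the peer is on its own /24, otherwise back through the router), and checks whether the LAN host gets the reply it is waiting for. The choice of 10.254.200.1 as the address picked from rule 5's pool and the LAN host 169.254.200.50 are constructed values.

```python
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("169.254.200.0/24")   # eth1 subnet shared by LAN hosts and the DMZ server
DMZ_SERVER = "169.254.200.8"               # inside-address of rules 20/30
PUBLIC_IP = "66.76.75.98"                  # address the LAN hosts resolve via external DNS
SNAT_POOL_PICK = "10.254.200.1"            # constructed: one address from rule 5's range


def router_forward(pkt, hairpin_snat):
    """LAN -> router: apply DNAT (rule 30) and, if enabled, SNAT (rule 5).
    Returns the packet as it leaves eth1 plus the conntrack entry the router keeps."""
    src, dst = pkt
    ct = {"orig": pkt}
    if dst == PUBLIC_IP:                       # rule 30: public address -> DMZ server
        dst = DMZ_SERVER
    if hairpin_snat and ip_address(src) in LAN_NET and ip_address(dst) in LAN_NET:
        src = SNAT_POOL_PICK                   # rule 5: hide the LAN source behind 10.254.200.x
    ct["translated"] = (src, dst)
    return (src, dst), ct


def dmz_reply(pkt):
    """DMZ server answers. An on-link peer (same /24) is reached directly via ARP,
    bypassing the router; anything else goes to the default gateway."""
    src, dst = pkt
    via_router = ip_address(src) not in LAN_NET
    return (dst, src), via_router


def router_reverse(reply, ct):
    """Return path through the router: undo SNAT and DNAT using the conntrack entry."""
    tsrc, tdst = ct["translated"]
    osrc, odst = ct["orig"]
    if reply == (tdst, tsrc):                  # matches the forward translation
        return (odst, osrc)                    # dst back to LAN host, src back to 66.76.75.98
    return reply


def lan_host_accepts(lan_host, reply):
    """The LAN host only accepts a reply from the peer it sent to (66.76.75.98)."""
    return reply == (PUBLIC_IP, lan_host)


def simulate(lan_host, hairpin_snat):
    wire, ct = router_forward((lan_host, PUBLIC_IP), hairpin_snat)
    reply, via_router = dmz_reply(wire)
    if via_router:
        reply = router_reverse(reply, ct)
    return lan_host_accepts(lan_host, reply)


if __name__ == "__main__":
    for snat in (False, True):
        print(f"rule 5 {'present' if snat else 'absent'}: "
              f"LAN host gets usable reply = {simulate('169.254.200.50', snat)}")
```

Note that with rule 5 in place the DMZ server's logs record 10.254.200.x rather than the real LAN host address, so anything that audits access to the server by client IP needs to consult the router's NAT state instead.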

Joe Bowen wrote:
> Hi,
>
> I am trying to implement the following:
>
>     * My static IP is 208.180.116.242 gateway 208.180.116.241
>     * Other static ip's can be issued in the block 66.76.75.97/28
>     * My DMZ server is 66.76.75.98
>     * My private network is 169.254.200.1
>
> Following is the config I have. It allows outside users access to my 
> DMZ server but I am unable to connect from a computer on the same 
> network. Is this setup right? What do I need to access the DMZ from a 
> 169.254.200.xxx machine?
>
> Thanks,
> Joe Bowen
>
> [EMAIL PROTECTED] show
>     protocols {
>         static {
>             route 0.0.0.0/0 {
>                 next-hop: 208.180.116.241
>             }
>         }
>     }
>     policy {
>     }
>     interfaces {
>         loopback lo {
>         }
>         ethernet eth0 {
>             hw-id: 00:10:DC:F0:C1:42
>         }
>         ethernet eth1 {
>             description: "SkyNetLAN"
>             hw-id: 00:1B:21:02:60:3B
>             address 169.254.200.1 {
>                 prefix-length: 24
>             }
>         }
>         ethernet eth2 {
>             description: "SuddenLinkWan"
>             hw-id: 00:1B:21:02:60:08
>             address 208.180.116.242 {
>                 prefix-length: 30
>             }
>             address 66.76.75.98 {
>                 prefix-length: 28
>             }
>         }
>     }
>     firewall {
>     }
>     service {
>         dhcp-server {
>             name SkyNetLAN {
>                 start 169.254.200.10 {
>                     stop: 169.254.200.240
>                 }
>                 network-mask: 24
>                 dns-server 208.180.42.68
>                 dns-server 208.180.42.100
>                 default-router: 169.254.200.1
>                 interface: "eth1"
>                 domain-name: "skynetcountrynoc.com"
>             }
>         }
>         telnet {
>         }
>         nat {
>             rule 10 {
>                 type: "source"
>                 translation-type: "masquerade"
>                 outbound-interface: "eth2"
>                 protocols: "all"
>                 source {
>                     network: 0.0.0.0/0
>                 }
>                 destination {
>                     network: 0.0.0.0/0
>                 }
>             }
>             rule 20 {
>                 type: "destination"
>                 translation-type: "static"
>                 inbound-interface: "eth2"
>                 protocols: "tcp"
>                 source {
>                     network: 0.0.0.0/0
>                 }
>                 destination {
>                     address: 66.76.75.98
>                     port-name http
>                 }
>                 inside-address {
>                     address: 169.254.200.8
>                 }
>             }
>             rule 30 {
>                 type: "destination"
>                 translation-type: "static"
>                 inbound-interface: "eth1"
>                 protocols: "tcp"
>                 source {
>                     network: 0.0.0.0/0
>                 }
>                 destination {
>                     address: 66.76.75.98
>                     port-name http
>                 }
>                 inside-address {
>                     address: 169.254.200.8
>                 }
>             }
>         }
>     }
>     system {
>         ntp-server "69.59.150.135"
>         login {
>             user root {
>                 authentication {
>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>                 }
>             }
>             user vyatta {
>                 authentication {
>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>                 }
>             }
>         }
>         package {
>             repository community {
>                 component: "main"
>                 url: "http://archive.vyatta.com/vyatta";
>             }
>         }
>     }
>     rtrmgr {
>         config-directory: "/opt/vyatta/etc/config"
>     }
>
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users