Hi Nate,

If the problem you're seeing is caused by an external vs. internal DNS problem 
(external access is fine, but internal hosts resolve the server to the external 
address and therefore cannot access it), you might be able to work around it 
using NAT. See the following message from the list archive for more details.

http://mailman.vyatta.com/pipermail/vyatta-users/2007-August/001741.html

An-Cheng

Nathan McBride wrote:
> Hmmm, guess I should make an internal DNS server then... :D
> 
> nate
> 
> On Tue, 2008-01-29 at 22:34 -0500, Aubrey Wells wrote:
>> It's been a while since I researched it, but I think there was
>> something about the way netfilter_conntrack tracks the NAT sessions
>> that prevents the hairpin NAT from working. I never figured out a way
>> around it and no one on Google was helpful either.
>>
>> The usual solution is to put a DNS entry in your internal DNS server
>> to point the domain name to the internal IP of the web site.
>>
>> ------------------
>> Aubrey Wells
>> Senior Engineer
>> Shelton | Johns Technology Group
>> A Vyatta Ready Partner
>> www.sheltonjohns.com
>>
>> On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:
>>> Can't I do another nat rule?
>>>
>>> On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
>>>> It sounds like you're a victim of hairpin natting. Very frustrating.
>>>> iptables doesn't do it (that I know of). I first encountered this on a
>>>> PIX firewall years ago and thought it was an absurd limitation (then I
>>>> found out my beloved Linux couldn't do it either and was crushed).
>>>> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
>>>> do it.
>>>>
>>>> ------------------
>>>> Aubrey Wells
>>>> Senior Engineer
>>>> Shelton | Johns Technology Group
>>>> A Vyatta Ready Partner
>>>> www.sheltonjohns.com
>>>>
>>>> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>>>>
>>>>> John just told me he can get to the page too.
>>>>> From inside the LAN I am going to a browser and typing
>>>>> www.nombyte.com.  And it doesn't work?
>>>>>
>>>>> Nate
>>>>>
>>>>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>>>>> *shrug* same here
>>>>>>
>>>>>> Are you trying to hit the natted address from inside the LAN that is
>>>>>> being natted to? Hairpin NAT doesn't work in iptables...
>>>>>>
>>>>>> ------------------
>>>>>> Aubrey Wells
>>>>>> Senior Engineer
>>>>>> Shelton | Johns Technology Group
>>>>>> A Vyatta Ready Partner
>>>>>> www.sheltonjohns.com
>>>>>>
>>>>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>>>>>
>>>>>>> I just connected and see the Apache 2 test page running on CentOS
>>>>>>>
>>>>>>> John
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Nathan McBride wrote:
>>>>>>>> First off I appreciate help from everyone, this is a nice change to
>>>>>>>> some mailing lists I'm used to.  Unfortunately, I am still having the
>>>>>>>> same problem.  I'm giving out real information, probably shouldn't,
>>>>>>>> but that's how frustrated I am.  I just get an unable to connect
>>>>>>>> error.  The firewalls are fine I promise.  I can see the page on
>>>>>>>> 192.168.0.105 from inside the LAN, and I can see and use the webgui
>>>>>>>> of the router just fine.  Although I did disable it of course since I
>>>>>>>> want the port forwarded.
>>>>>>>> In the ssh example sent to me which is below, I notice that the
>>>>>>>> addresses are just numbers where mine have "" around them.  Does this
>>>>>>>> matter?  Can anyone please give any suggestions?
>>>>>>>>
>>>>>>>> Thanks a lot,
>>>>>>>> Nate
>>>>>>>>
>>>>>>>> My domain is:
>>>>>>>> www.nombyte.com
>>>>>>>>
>>>>>>>> The IP is:
>>>>>>>> 71.62.193.105
>>>>>>>>
>>>>>>>> Full Nat is:
>>>>>>>>
>>>>>>>> nat {
>>>>>>>>          rule 1 {
>>>>>>>>              type: "destination"
>>>>>>>>              inbound-interface: "eth0"
>>>>>>>>              protocols: "tcp"
>>>>>>>>              source {
>>>>>>>>                  network: "0.0.0.0/0"
>>>>>>>>              }
>>>>>>>>              destination {
>>>>>>>>                  address: "71.62.193.105"
>>>>>>>>                  port-name http
>>>>>>>>              }
>>>>>>>>              inside-address {
>>>>>>>>                  address: 192.168.0.105
>>>>>>>>              }
>>>>>>>>          }
>>>>>>>>          rule 2 {
>>>>>>>>              type: "masquerade"
>>>>>>>>              outbound-interface: "eth0"
>>>>>>>>              protocols: "all"
>>>>>>>>              source {
>>>>>>>>                  network: "192.168.0.0/24"
>>>>>>>>              }
>>>>>>>>              destination {
>>>>>>>>                  network: "0.0.0.0/0"
>>>>>>>>              }
>>>>>>>>          }
>>>>>>>>          rule 3 {
>>>>>>>>              type: "masquerade"
>>>>>>>>              outbound-interface: "eth0"
>>>>>>>>              protocols: "all"
>>>>>>>>              source {
>>>>>>>>                  network: "192.168.1.0/24"
>>>>>>>>              }
>>>>>>>>              destination {
>>>>>>>>                  network: "0.0.0.0/0"
>>>>>>>>              }
>>>>>>>>          }
>>>>>>>>
>>>>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>>>>>>>> Here's what I use to port-forward ssh; just adjust for address
>>>>>>>>> (where
>>>>>>>>> destination address is the public IP) and change it to http.
>>>>>>>>>
>>>>>>>>>      rule 2 {
>>>>>>>>>          type: "destination"
>>>>>>>>>          inbound-interface: "eth0"
>>>>>>>>>          protocols: "tcp"
>>>>>>>>>          source {
>>>>>>>>>              network: 0.0.0.0/0
>>>>>>>>>          }
>>>>>>>>>          destination {
>>>>>>>>>              address: 1.2.3.4
>>>>>>>>>              port-name ssh
>>>>>>>>>          }
>>>>>>>>>          inside-address {
>>>>>>>>>              address: 10.0.0.30
>>>>>>>>>          }
>>>>>>>>>      }
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Justin
>>>>>>>>>
>>>>>>>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]>
>>>>>>>>> wrote:
>>>>>>>>>> Can someone please help me get this worked out?
>>>>>>>>>> Nate
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Ok these are my NAT rules now, I didn't see a command to change
>>>>>>>>>>> the rule numbers so I just redid them all by hand.  It still
>>>>>>>>>>> doesn't work.
>>>>>>>>>>>
>>>>>>>>>>> rule 1 {
>>>>>>>>>>>      type: "destination"
>>>>>>>>>>>      inbound-interface: "eth0"
>>>>>>>>>>>      protocols: "tcp"
>>>>>>>>>>>      destination {
>>>>>>>>>>>          address: "71.62.193.105"
>>>>>>>>>>>          port-name http
>>>>>>>>>>>      }
>>>>>>>>>>>      inside-address {
>>>>>>>>>>>          address: 192.168.0.105
>>>>>>>>>>>      }
>>>>>>>>>>>  }
>>>>>>>>>>>  rule 2 {
>>>>>>>>>>>      type: "masquerade"
>>>>>>>>>>>      outbound-interface: "eth0"
>>>>>>>>>>>      protocols: "all"
>>>>>>>>>>>      source {
>>>>>>>>>>>          network: "192.168.0.0/24"
>>>>>>>>>>>      }
>>>>>>>>>>>      destination {
>>>>>>>>>>>          network: "0.0.0.0/0"
>>>>>>>>>>>      }
>>>>>>>>>>>  }
>>>>>>>>>>>  rule 3 {
>>>>>>>>>>>      type: "masquerade"
>>>>>>>>>>>      outbound-interface: "eth0"
>>>>>>>>>>>      protocols: "all"
>>>>>>>>>>>      source {
>>>>>>>>>>>          network: "192.168.1.0/24"
>>>>>>>>>>>      }
>>>>>>>>>>>      destination {
>>>>>>>>>>>          network: "0.0.0.0/0"
>>>>>>>>>>>      }
>>>>>>>>>>>  }
>>>>>>>>>>>
>>>>>>>>>>> Nate
>>>>>>>>>>>
>>>>>>>>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>>>>>>>>>>>> Hi Nate,
>>>>>>>>>>>>
>>>>>>>>>>>> The "inside-address" is the internal (private) IP address of
>>>>>>>>>>>> your Web server, which in your case is 192.168.0.105. The
>>>>>>>>>>>> "destination address" should actually be the public IP address
>>>>>>>>>>>> that outside clients will use to access your server, so usually
>>>>>>>>>>>> this is the public IP address of your router.
>>>>>>>>>>>>
>>>>>>>>>>>> An-Cheng
>>>>>>>>>>>>
>>>>>>>>>>>> Nathan McBride wrote:
>>>>>>>>>>>>> I went and looked at the old docs.  I thought I set them up
>>>>>>>>>>>>> correctly but apparently I didn't.  All I'm trying to do is to
>>>>>>>>>>>>> get people on the internet to view the website on my comp
>>>>>>>>>>>>> (192.168.0.105).  The only difference that I noticed when I
>>>>>>>>>>>>> tried to commit the example in the old docs was that vc3
>>>>>>>>>>>>> requires an 'inside-address'.  Could someone please help me
>>>>>>>>>>>>> correct this to get it working?
>>>>>>>>>>>>>
>>>>>>>>>>>>> rule 3 {
>>>>>>>>>>>>>      type: "destination"
>>>>>>>>>>>>>      inbound-interface: "eth0"
>>>>>>>>>>>>>      protocols: "tcp"
>>>>>>>>>>>>>      destination {
>>>>>>>>>>>>>          address: "192.168.0.105"
>>>>>>>>>>>>>          port-name http
>>>>>>>>>>>>>      }
>>>>>>>>>>>>>      inside-address {
>>>>>>>>>>>>>          address: 192.168.0.105 <-- didn't know what to put
>>>>>>>>>>>>>                                      here exactly...
>>>>>>>>>>>>>      }
>>>>>>>>>>>>>  }
>>>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Vyatta-users mailing list
>>>>>>>>>>> Vyatta-users@mailman.vyatta.com
>>>>>>>>>>> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
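Added example, not from the thread and not Vyatta's own code: a small Python model of why a single destination-NAT rule is not enough when a LAN client connects to the public address (the "hairpin NAT" case the thread runs into), and of the extra source-NAT on the hairpinned flow that makes the reply come back through the router. The addresses 71.62.193.105 and 192.168.0.105 are the ones from the thread; the router's LAN address 192.168.0.1, the LAN interface name eth1, the LAN client 192.168.0.50 and the internet client 203.0.113.7 are constructed. The model assumes the destination rule also matches packets arriving from the LAN (Nate's rule 1 matches only eth0, so with that exact config LAN traffic to the public address is never translated at all). `hairpin_iptables_rules` returns the assumed-equivalent plain iptables rules, since Vyatta VC3 builds its NAT on netfilter; they are not the rules Vyatta itself generates.

```python
# Added example (not from the thread or from Vyatta). Models a router doing
# destination NAT for a web server, shows why a LAN client that uses the
# public address never gets a usable reply, and how hairpin SNAT fixes it.
from dataclasses import dataclass, replace

PUBLIC_IP = "71.62.193.105"    # router's public address (from the thread)
SERVER_IP = "192.168.0.105"    # web server inside the LAN (from the thread)
ROUTER_LAN_IP = "192.168.0.1"  # assumed LAN-side address of the router
LAN_PREFIX = "192.168.0."      # assumed /24 LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    """Minimal netfilter-like NAT: DNAT public:80 -> server, optional hairpin SNAT."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # conntrack: (src, sport) as the server sees it -> packet the client sent
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        """Client -> server direction (PREROUTING DNAT, POSTROUTING SNAT)."""
        if pkt.dst != PUBLIC_IP or pkt.dport != 80:
            return pkt  # not the port-forward; pass through unchanged
        src = pkt.src
        if self.hairpin_snat and in_lan(pkt.src):
            src = ROUTER_LAN_IP  # make the server reply to us, not to the client
        translated = replace(pkt, src=src, dst=SERVER_IP)
        self.conntrack[(translated.src, translated.sport)] = pkt
        return translated

    def reverse(self, reply: Packet) -> Packet:
        """Server -> client direction: undo both translations via conntrack."""
        original = self.conntrack.get((reply.dst, reply.dport))
        if original is None:
            return reply
        return Packet(src=original.dst, dst=original.src,
                      sport=original.dport, dport=original.sport)


def attempt(client_ip: str, hairpin_snat: bool) -> bool:
    """True if the client would accept the server's reply to its SYN."""
    router = Router(hairpin_snat)
    syn = Packet(src=client_ip, dst=PUBLIC_IP, sport=40000, dport=80)  # constructed
    at_server = router.forward(syn)
    reply = Packet(src=at_server.dst, dst=at_server.src,
                   sport=at_server.dport, dport=at_server.sport)
    # The server routes by destination: a LAN destination is on-link, so the
    # reply bypasses the router entirely unless it is addressed to the router.
    if in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        seen_by_client = reply                 # arrives untranslated
    else:
        seen_by_client = router.reverse(reply)
    # A TCP client only matches a reply from the exact peer it connected to.
    return seen_by_client.src == PUBLIC_IP and seen_by_client.sport == 80


def hairpin_iptables_rules(wan_if="eth0", lan_if="eth1", lan="192.168.0.0/24"):
    """Assumed-equivalent iptables rules; LAN interface name is an assumption."""
    return [
        # 1. the ordinary port-forward for clients on the internet
        f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp --dport 80 "
        f"-j DNAT --to-destination {SERVER_IP}",
        # 2. the same DNAT for LAN clients that use the public address
        f"iptables -t nat -A PREROUTING -i {lan_if} -d {PUBLIC_IP} -p tcp --dport 80 "
        f"-j DNAT --to-destination {SERVER_IP}",
        # 3. SNAT the hairpinned flow so the server's reply returns via the router
        f"iptables -t nat -A POSTROUTING -s {lan} -d {SERVER_IP} -p tcp --dport 80 "
        f"-j SNAT --to-source {ROUTER_LAN_IP}",
    ]


if __name__ == "__main__":
    print("internet client, plain DNAT:", attempt("203.0.113.7", False))   # True
    print("LAN client, plain DNAT:     ", attempt("192.168.0.50", False))  # False
    print("LAN client, DNAT + SNAT:    ", attempt("192.168.0.50", True))   # True
    print("\n".join(hairpin_iptables_rules()))
```

The cost of rule 3 is that the web server's logs show every LAN visitor as 192.168.0.1, which is why the internal DNS entry Aubrey suggests is usually preferred when you control the resolver; the SNAT workaround is the option when you do not.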