Networking Forums > Computer Networking > Linux Networking > dns, LAN and firewall
dns, LAN and firewall

Antoine Junod
11-09-2007, 07:32 AM
Hi,

I've a few machines on a LAN behind a firewall. Inside the LAN, I've a
BIND server that manages a domain 'localdomain' for the machines on
the LAN. It forwards all other DNS queries to our ISP's DNS server.

I've also an FQDN managed by a machine not on the LAN. One of the
entries, say lan.mydomain.com, points to the external interface of
my firewall. The firewall redirects port 80 to a machine on the
internal network. Access from outside works fine. Access from inside
doesn't.

The DNS query succeeds and I'm able to ping lan.mydomain.com from
inside. But I'm not able to access lan.mydomain.com on port 80 from
inside.

What is the problem and how to resolve it?

Thanks for your reply,
-AJ

Pascal Hambourg
11-09-2007, 09:15 AM
Hello,

Antoine Junod wrote:
>
> I've a few machines on a LAN behind a firewall. Inside the LAN, I've a
> BIND server that manages a domain 'localdomain' for the machines on
> the LAN. It forwards all other DNS queries to our ISP's DNS server.
>
> I've also an FQDN managed by a machine not on the LAN. One of the
> entries, say lan.mydomain.com, points to the external interface of
> my firewall. The firewall redirects port 80 to a machine on the
> internal network. Access from outside works fine. Access from inside
> doesn't.
>
> The DNS query succeeds and I'm able to ping lan.mydomain.com from
> inside.


What you ping is actually the router.

> But I'm not able to access lan.mydomain.com on port
> 80 from inside.
>
> What is the problem and how to resolve it?


Your router/firewall is not doing the port redirection properly when the
client is inside the LAN. This is a rather common flaw in SOHO routers.
If it runs some Linux flavour and you have a shell access to it, it may
be possible to fix it by adding a couple of iptables rules. Otherwise,
you can set up your local BIND to be authoritative for lan.mydomain.com
and serve the local web server private IP address.

Chris Davies
11-09-2007, 09:55 AM
Antoine Junod <(E-Mail Removed)> wrote:
> I've also an FQDN managed by a machine not on the LAN. One of the
> entries, say lan.mydomain.com, points to the external interface of
> my firewall. The firewall redirects port 80 to a machine on the
> internal network. Access from outside works fine. Access from inside
> doesn't.


> The DNS query succeeds and I'm able to ping lan.mydomain.com from
> inside. But I'm not able to access lan.mydomain.com on port
> 80 from inside.


You're able to ping what, exactly? The address resolved from
lan.mydomain.com? Remember this is your firewall, not the webserver.

> What is the problem and how to resolve it?


It's a NAT/Firewall issue. Either your firewall cannot double-NAT
traffic from its internal interface back onto its internal interface,
or else you've not allowed it to.

Most domestic router/firewall devices cannot perform double-NAT; many
(expensive) business quality devices can.

Chris

Antoine Junod
11-10-2007, 09:06 AM
Pascal Hambourg <boite-a-(E-Mail Removed)> writes:

> Antoine Junod a écrit :
>
> > The DNS query succeeds and I'm able to ping lan.mydomain.com
> > from inside.

>
> What you ping is actually the router.


To be exact, the external interface of my router, yes.

> > But I'm not able to access lan.mydomain.com on port
> > 80 from inside.
> >
> > What is the problem and how to resolve it?

>
> Your router/firewall is not doing the port redirection properly when
> the client is inside the LAN.


I had the same conclusion. But is it a 'feature' (ie, I'm not correctly
understanding what is going on because of a misunderstanding of the
technical stuff and the behavior is normal) or a 'bug' (ie the
firewall is bad and is not able to handle such a case)?

> This is a rather common flaw in SOHO routers. If it runs some Linux
> flavour and you have a shell access to it, it may be possible to fix
> it by adding a couple of iptables rules.


To tell the firewall to do what?

> Otherwise, you can set up your local BIND to be authoritative for
> lan.mydomain.com and serve the local web server private IP address.


Okay.

Thanks a lot for your reply,
-AJ

Antoine Junod
11-10-2007, 09:17 AM
Chris Davies <chris-(E-Mail Removed)> writes:

> Antoine Junod <(E-Mail Removed)> wrote:
>
> > [...]

>
> > The DNS query succeeds and I'm able to ping lan.mydomain.com
> > from inside. But I'm not able to access lan.mydomain.com on
> > port 80 from inside.

>
> You're able to ping what, exactly? The address resolved from
> lan.mydomain.com? Remember this is your firewall, not the webserver.


Of course. This is just to say that the basic config of the firewall
is correct.

> > What is the problem and how to resolve it?

>
> It's a NAT/Firewall issue. Either your firewall cannot double-NAT
> traffic from its internal interface back onto its internal
> interface, or else you've not allowed it to.


This is probably not a permission problem. The only rules actually on
the firewall only manage port forwarding and NAT.

> Most domestic router/firewall devices cannot perform double-NAT;
> many (expensive) business quality devices can.


I'm not sure what you mean by your 'double-NAT' term. For me,
double-NAT is having two NAT machines, one after the other. Does it
apply here?

Thanks for your reply,
-AJ

Antoine Junod
11-10-2007, 09:21 AM
Little Addendum:

Antoine Junod <(E-Mail Removed)> writes:

> Pascal Hambourg <boite-a-(E-Mail Removed)> writes:
>
> > Antoine Junod a écrit :
> >
> > Otherwise, you can set up your local BIND to be authoritative for
> > lan.mydomain.com and serve the local web server private IP address.

>
> Okay.


This is not a solution for me as the firewall is forwarding ports to
not only one machine inside the LAN. A DNS setting would redirect all
queries coming from inside the LAN to the same machine.

A+
-AJ

Pascal Hambourg
11-11-2007, 11:14 AM
Antoine Junod wrote:
>>
>>What you ping is actually the router.

>
> To be exact, the external interface of my router, yes.


No, the external address of your router. You ping an address, not an
interface. When ping'ing from the internal LAN, the external interface
is not involved.

>>Your router/firewall is not doing the port redirection properly when
>>the client is inside the LAN.

>
> I had he same conclusion. But is it a 'feature' (ie, I'm not correctly
> understanding what is going on because of a misunderstanding of the
> technical stuff and the behavior is normal) or a 'bug' (ie the
> firewall is bad and is not able to handle such a case)?


It's probably a case that the designers didn't think about. Whether you
call it a bug or a feature does not make much difference.

>>This is a rather common flaw in SOHO routers. If it runs some Linux
>>flavour and you have a shell access to it, it may be possible to fix
>>it by adding a couple of iptables rules.

>
> To say the firewall to do what?


1) Accept forwarded traffic from the internal interface back to the
internal interface. Some call it "loopback", but I don't like that term
because it may be confused with the loopback interface, which is a very
different thing.

2) Masquerade all forwarded connections from the internal LAN, not only
those which are forwarded to the external interface.

>>Otherwise, you can set up your local BIND to be authoritative for
>>lan.mydomain.com and serve the local web server private IP address.

>
> This is not a solution for me as the firewall is forwarding ports to
> not only one machine inside the LAN. A DNS setting would redirect all
> queries comming from inside the LAN to the same machine.


You could create and use a different hostname for each machine. Outside
the LAN, all these names would resolve to the external IP address of
your router, while inside they would resolve to the private IP addresses
of the machines.
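
Pascal's per-hostname suggestion above, as an added example that is not part of the thread: a small POSIX shell script that generates one tiny master zone per forwarded host for the LAN BIND server. Because that server forwards everything it is not authoritative for to the ISP, declaring lan.mydomain.com and mail.mydomain.com as master zones makes those names resolve to private addresses for LAN clients, while the public zone (untouched, on the machine outside the LAN) keeps answering with the router's external address for everyone else. The addresses (192.168.1.x), the name server name (ns.localdomain), the output directory and the mail host are assumptions.

```shell
#!/bin/sh
# gen_split_zones.sh -- added example, not from the thread.
# Writes one master zone per forwarded host for the LAN BIND server, so that
# names which publicly resolve to the router's external address resolve to
# the private server addresses for LAN clients. Everything below (names,
# addresses, ns.localdomain, the output directory) is an assumption.

# gen_zone OUTDIR NAME IP
#   writes OUTDIR/NAME.db and appends a matching zone stanza to
#   OUTDIR/named.conf.local (include that file from named.conf).
gen_zone() {
    outdir=$1; name=$2; ip=$3
    serial=$(date +%Y%m%d01)          # YYYYMMDDnn, the usual convention
    cat > "$outdir/$name.db" <<EOF
\$TTL 3600
@   IN  SOA ns.localdomain. hostmaster.localdomain. (
            $serial    ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-answer TTL
    IN  NS  ns.localdomain.
    IN  A   $ip
EOF
    cat >> "$outdir/named.conf.local" <<EOF
zone "$name" {
    type master;
    file "$outdir/$name.db";
};
EOF
}

# zone_address OUTDIR NAME -> prints the A record the generated zone carries
zone_address() {
    awk '$2 == "A" { print $3 }' "$1/$2.db"
}

# Usage: sh gen_split_zones.sh OUTDIR name=ip [name=ip ...]
#   e.g. sh gen_split_zones.sh /etc/bind/lan \
#            lan.mydomain.com=192.168.1.10 mail.mydomain.com=192.168.1.20
if [ $# -ge 2 ]; then
    outdir=$1; shift
    mkdir -p "$outdir"
    : > "$outdir/named.conf.local"
    for pair in "$@"; do
        gen_zone "$outdir" "${pair%%=*}" "${pair#*=}"
    done
fi
```

Run `named-checkzone lan.mydomain.com /etc/bind/lan/lan.mydomain.com.db` and `named-checkconf` before reloading. Two caveats: only hosts that use the LAN BIND as their resolver get the private answers (a client pointed straight at the ISP resolver still gets the external address and hits the same NAT problem), and every name you later forward through the router needs its own zone here, or it falls back to the external address as well.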

Pascal Hambourg
11-11-2007, 11:19 AM
Antoine Junod wrote:
>
>>Most domestic router/firewall devices cannot perform double-NAT;
>>many (expensive) business quality devices can.

>
> I'm not sure of what you are speaking about with your 'double-NAT'
> term. For me, double-NAT is having to NAT machines, one after the
> other. Does it apply here?


No, here it means that the router performs at the same time destination
NAT (port redirection) and source NAT (masquerading) on a connection.
Usually domestic routers can do only either port redirection of incoming
connections or masquerading of outgoing connections.
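
The two rules Pascal lists (accept forwarding from the LAN interface back to the LAN interface, masquerade the redirected connection) together with the DNAT they depend on, as an added example written for this page and not taken from the thread or from any router firmware. It is a POSIX shell script for a Linux router running iptables. The interfaces (eth0 outside, eth1 inside), the addresses (203.0.113.10 external, 192.168.1.0/24 inside) and the two forwarded services are assumptions, and it presumes the ordinary inbound DNAT rules and an `ESTABLISHED,RELATED` accept rule in FORWARD already exist. It is exactly the double NAT of the last reply: one connection is DNATed to the server and SNATed to the router at the same time.

```shell
#!/bin/sh
# hairpin.sh -- added example, not from the thread or any vendor firmware.
# Emits (or applies) the iptables rules a Linux router needs so that LAN
# clients can reach a port-forwarded server through the router's external
# address. All interfaces, addresses and services below are assumptions.

WAN_IF=${WAN_IF:-eth0}              # interface holding the public address
LAN_IF=${LAN_IF:-eth1}              # interface facing the LAN
WAN_IP=${WAN_IP:-203.0.113.10}      # what lan.mydomain.com resolves to
LAN_NET=${LAN_NET:-192.168.1.0/24}
# port:private-address pairs that PREROUTING already DNATs for traffic
# arriving on $WAN_IF (the "more than one machine" case of the addendum)
SERVICES=${SERVICES:-"80:192.168.1.10 25:192.168.1.20"}

# hairpin_rules PORT SERVER -> prints the three rules for one forwarded service
hairpin_rules() {
    port=$1; server=$2
    # 1) Redirect LAN traffic aimed at the public address, exactly as the
    #    existing inbound rule does for traffic arriving on $WAN_IF.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$LAN_NET" "$WAN_IP" "$port" "$server" "$port"
    # 2) Let the redirected packet be forwarded out of the interface it came
    #    in on (Pascal's point 1; needed when FORWARD's policy is DROP).
    #    Replies rely on the usual ESTABLISHED,RELATED accept rule.
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$LAN_IF" "$LAN_IF" "$server" "$port"
    # 3) Masquerade the client behind the router's LAN address (Pascal's
    #    point 2). Without this the server answers the client directly on
    #    the LAN; the client expects the reply from $WAN_IP, not from
    #    $server, and the connection is reset.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
        "$LAN_IF" "$LAN_NET" "$server" "$port"
}

# all_rules -> rules for every entry in $SERVICES
all_rules() {
    for svc in $SERVICES; do
        hairpin_rules "${svc%%:*}" "${svc#*:}"
    done
}

# Usage: sh hairpin.sh [show|apply]   (apply must run as root on the router)
case "${1:-show}" in
    show)  all_rules ;;
    apply) all_rules | sh ;;
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

Check that it works with `iptables -t nat -L PREROUTING -n -v`: the packet counter on the new DNAT rule must increase when a LAN client connects to the external address. The price of rule 3 is that the web server sees every hairpinned connection as coming from the router's LAN address, so its access logs and any per-client access control lose the real internal client; if that matters, the split-DNS route avoids the NAT entirely.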