dns, LAN and firewall - Networking

Thread: dns, LAN and firewall

  1. dns, LAN and firewall

    Hi,

    I've a few machines on a LAN behind a firewall. Inside the LAN, I've a
    bind server that manages a domain 'localdomain' for the machines on
    the LAN. It forwards all other dns queries to our ISP dns server.

    I've also a fqdn managed by a machine not on the LAN. One of the
    entries, say lan.mydomain.com, is pointing to the external interface of
    my firewall. The firewall redirects port 80 onto a machine of the
    internal network. Access from outside works fine. Access from inside
    doesn't.

    The DNS query succeeds and I'm able to ping lan.mydomain.com from
    inside. But I'm not able to access lan.mydomain.com on port 80 from
    inside.

    What is the problem and how to resolve it?

    Thanks for your reply,
    -AJ

  2. Re: dns, LAN and firewall

    Hello,

    Antoine Junod wrote:
    >
    > I've a few machines on a LAN behind a firewall. Inside the LAN, I've a
    > bind server that manages a domain 'localdomain' for the machines on
    > the LAN. It forwards all other dns queries to our ISP dns server.
    >
    > I've also a fqdn managed by a machine not on the LAN. One of the
    > entries, say lan.mydomain.com, is pointing to the external interface of
    > my firewall. The firewall redirects port 80 onto a machine of the
    > internal network. Access from outside works fine. Access from inside
    > doesn't.
    >
    > The DNS query succeeds and I'm able to ping lan.mydomain.com from
    > inside.

    What you ping is actually the router.

    > But I'm not able to access lan.mydomain.com on port
    > 80 from inside.
    >
    > What is the problem and how to resolve it?

    Your router/firewall is not doing the port redirection properly when the
    client is inside the LAN. This is a rather common flaw in SOHO routers.
    If it runs some Linux flavour and you have shell access to it, it may
    be possible to fix it by adding a couple of iptables rules. Otherwise,
    you can set up your local BIND to be authoritative for lan.mydomain.com
    and serve the local web server's private IP address.

  3. Re: dns, LAN and firewall

    Antoine Junod wrote:
    > I've also a FQDN managed by a machine not on the LAN. One of the
    > entries, say lan.mydomain.com, is pointing to the external interface of
    > my firewall. The firewall redirects port 80 onto a machine of the
    > internal network. Access from outside works fine. Access from inside
    > doesn't.
    >
    > The DNS query succeeds and I'm able to ping lan.mydomain.com from
    > inside. But I'm not able to access lan.mydomain.com on port 80 from
    > inside.

    You're able to ping what, exactly? The address resolved from
    lan.mydomain.com? Remember this is your firewall, not the webserver.

    > What is the problem and how to resolve it?
    It's a NAT/Firewall issue. Either your firewall cannot double-NAT
    traffic from its internal interface back onto its internal interface,
    or else you've not allowed it to.

    Most domestic router/firewall devices cannot perform double-NAT; many
    (expensive) business quality devices can.

    Chris

  4. Re: dns, LAN and firewall

    Pascal Hambourg writes:

    > Antoine Junod wrote:
    >
    > > The DNS query succeeds and I'm able to ping lan.mydomain.com from
    > > inside.
    >
    > What you ping is actually the router.

    To be exact, the external interface of my router, yes.

    > > But I'm not able to access lan.mydomain.com on port
    > > 80 from inside.
    > >
    > > What is the problem and how to resolve it?
    >
    > Your router/firewall is not doing the port redirection properly when
    > the client is inside the LAN.

    I had the same conclusion. But is it a 'feature' (i.e., I'm not correctly
    understanding what is going on because of a misunderstanding of the
    technical stuff and the behavior is normal) or a 'bug' (i.e. the
    firewall is bad and is not able to handle such a case)?

    > This is a rather common flaw in SOHO routers. If it runs some Linux
    > flavour and you have shell access to it, it may be possible to fix
    > it by adding a couple of iptables rules.

    To tell the firewall to do what?

    > Otherwise, you can set up your local BIND to be authoritative for
    > lan.mydomain.com and serve the local web server's private IP address.

    Okay.

    Thanks a lot for your reply,
    -AJ

  5. Re: dns, LAN and firewall

    Chris Davies writes:

    > Antoine Junod wrote:
    >
    > > [...]
    > >
    > > The DNS query succeeds and I'm able to ping lan.mydomain.com from
    > > inside. But I'm not able to access lan.mydomain.com on port 80 from
    > > inside.
    >
    > You're able to ping what, exactly? The address resolved from
    > lan.mydomain.com? Remember this is your firewall, not the webserver.

    Of course. This is just to say that the basic config of the firewall
    is correct.

    > > What is the problem and how to resolve it?
    >
    > It's a NAT/Firewall issue. Either your firewall cannot double-NAT
    > traffic from its internal interface back onto its internal
    > interface, or else you've not allowed it to.

    This is probably not a permission problem. The only rules actually on
    the firewall only manage port forwarding and NAT.

    > Most domestic router/firewall devices cannot perform double-NAT;
    > many (expensive) business quality devices can.
    I'm not sure of what you are speaking about with your 'double-NAT'
    term. For me, double-NAT is having to NAT machines, one after the
    other. Does it apply here?

    Thanks for your reply,
    -AJ

  6. Re: dns, LAN and firewall

    Little Addendum:

    Antoine Junod writes:

    > Pascal Hambourg writes:
    >
    > > Antoine Junod wrote:
    > >
    > > Otherwise, you can set up your local BIND to be authoritative for
    > > lan.mydomain.com and serve the local web server's private IP address.
    >
    > Okay.

    This is not a solution for me as the firewall is forwarding ports to
    not only one machine inside the LAN. A DNS setting would redirect all
    queries coming from inside the LAN to the same machine.

    A+
    -AJ

  7. Re: dns, LAN and firewall

    Antoine Junod wrote:
    >>
    >>What you ping is actually the router.
    >
    > To be exact, the external interface of my router, yes.

    No, the external address of your router. You ping an address, not an
    interface. When ping'ing from the internal LAN, the external interface
    is not involved.

    >>Your router/firewall is not doing the port redirection properly when
    >>the client is inside the LAN.
    >
    > I had the same conclusion. But is it a 'feature' (i.e., I'm not correctly
    > understanding what is going on because of a misunderstanding of the
    > technical stuff and the behavior is normal) or a 'bug' (i.e. the
    > firewall is bad and is not able to handle such a case)?

    It's probably a case that the designers didn't think about. Whether you
    call it a bug or a feature does not make much difference.

    >>This is a rather common flaw in SOHO routers. If it runs some Linux
    >>flavour and you have shell access to it, it may be possible to fix
    >>it by adding a couple of iptables rules.
    >
    > To tell the firewall to do what?

    1) Accept forwarded traffic from the internal interface back to the
    internal interface. Some call it "loopback", but I don't like it
    because it may be confused with the loopback interface, which is a very
    different thing.

    2) Masquerade all forwarded connections from the internal LAN, not only
    those which are forwarded to the external interface.

    >>Otherwise, you can set up your local BIND to be authoritative for
    >>lan.mydomain.com and serve the local web server's private IP address.
    >
    > This is not a solution for me as the firewall is forwarding ports to
    > not only one machine inside the LAN. A DNS setting would redirect all
    > queries coming from inside the LAN to the same machine.

    You could create and use a different hostname for each machine. Outside
    the LAN, all these names would resolve to the external IP address of
    your router, while inside they would resolve to the private IP addresses
    of the machines.

  8. Re: dns, LAN and firewall

    Antoine Junod wrote:
    >
    >>Most domestic router/firewall devices cannot perform double-NAT;
    >>many (expensive) business quality devices can.
    >
    > I'm not sure of what you are speaking about with your 'double-NAT'
    > term. For me, double-NAT is having to NAT machines, one after the
    > other. Does it apply here?

    No, here it means that the router performs at the same time destination
    NAT (port redirection) and source NAT (masquerading) on a connection.
    Usually domestic routers can do only either port redirection of incoming
    connections or masquerading of outgoing connections.
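The two iptables changes listed in post 7 (accept LAN-to-LAN forwarding, masquerade the hairpinned connection) and the DNAT-plus-SNAT on one connection described in post 8, written out as a shell script. This is an added example, not code from the thread or from any router vendor; the interface name and all addresses (eth1, 192.168.1.0/24, 192.168.1.1, 203.0.113.10, 192.168.1.20) are constructed placeholders, and the script only prints the rules unless DRY_RUN=0.

```shell
#!/bin/sh
# Hairpin ("double") NAT on a Linux router: DNAT + SNAT on one connection.
# All addresses and interface names below are constructed examples, not
# values from the thread; adjust them to your network.
LAN_IF="eth1"             # internal (LAN) interface of the router
LAN_NET="192.168.1.0/24"  # internal network
LAN_IP="192.168.1.1"      # router's own address on the LAN
WAN_IP="203.0.113.10"     # public address lan.mydomain.com resolves to
WEB_IP="192.168.1.20"     # internal web server receiving port 80
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules, 0 = apply them (needs root)

# run: print the iptables command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# hairpin_rules PORT TARGET_IP
# Emits (or applies) the three rules one forwarded port needs so that a
# LAN client connecting to WAN_IP:PORT reaches TARGET_IP exactly as an
# outside client would.
hairpin_rules() {
    port="$1"
    target="$2"
    # 1. Destination NAT: the same redirection the router already does for
    #    outside clients, but matched on LAN traffic aimed at the public IP.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -d "$WAN_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target:$port"
    # 2. Accept forwarded traffic from the LAN interface back to the LAN
    #    interface (post 7, point 1); a DROP policy on FORWARD blocks it.
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" \
        -d "$target" -p tcp --dport "$port" -j ACCEPT
    # 3. Source NAT: masquerade the hairpinned connection with the router's
    #    LAN address (post 7, point 2). Without it the server answers the
    #    client directly, the client sees a reply from WEB_IP instead of
    #    WAN_IP, and the TCP handshake fails. Limiting -s to LAN_NET keeps
    #    real client addresses visible for connections from the Internet.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" \
        -d "$target" -p tcp --dport "$port" -j SNAT --to-source "$LAN_IP"
}

# Rules for the port-80 redirection discussed in the thread.
hairpin_rules 80 "$WEB_IP"
```

Call hairpin_rules once per forwarded port and target, which is what makes this work for the several internal machines mentioned in post 6, where the split-DNS approach needs a separate hostname per machine.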
