Changes between Version 1 and Version 2 of RulesNAT


Ignore:
Timestamp:
09/01/07 14:56:00 (12 years ago)
Author:
Victor Julien
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • RulesNAT

    v1 v2  
    6868== Bounce ==
    6969
    70 If you use NAT and you have servers on your local network that are publicly accesseble through portfw rules you might have run into the problem that your lan-clients cannot access the server by using its hostname. The problem is that the hostname of the server as the world knows it is connected to your public ipaddress. If you lan client tries to access it the dns lookup will return the public ipaddress and not the lan address.
     70If you use NAT and you have servers on your local network that are publicly accesseble through portfw rules you might have run into the problem that your lan-clients cannot access the server by using its hostname. The problem is that the hostname of the server as the world knows it is connected to your public ipaddress. If your lan client tries to access it the dns lookup will return the public ipaddress and not the lan address.
    7171
    7272=== Solving this the right way ===
    7373
    74 In essence this is a name resolution problem. When a client from you lan requests the ipaddress of a server in the same lan the dns server ideally should return the lan-ipaddress. Three solutions on the dns levels are possible:
     74In essence this is a name resolution problem. When a client from your lan requests the ipaddress of a server in the same lan the dns server ideally should return the lan-ipaddress. Three solutions on the dns levels are possible:
    7575 1. Setup the dns server in your lan so that it returns private addresses for the hostnames in question.
    7676 1. Setup your dns server in such a way that it will return the local addresses for requests from your lan, but the public ipaddresses for requests from the internet. See for an explanation on how to do this with bind: http://www.debian-administration.org/articles/355
    7777 1. On all clients manually add the hostname and private ipaddress to /etc/hosts
    7878
    79 There are numerous reason why all solutions above won't work for you, although they really are the best solutions. For example if the dns server does not support the separation, or you need to quickly replace an existing firewall. However you are strongly adviced to use one of the above solutions over the bounce action.
     79There are numerous reasons why all solutions above won't work for you, although they really are the best solutions. For example if the dns server does not support the separation, or you need to quickly replace an existing firewall. However you are strongly advised to use one of the above solutions over the bounce action.
    8080
    8181=== Solving it the wrong way, aka the bounce action ===