We have an HTTP web server inside our internal network and we want to make it accessible to the world on our freshly bought domain www.example.com, which points to our router's public IP address. The internal network is SNAT-ed to the router's public IP address when packets leave the router via its public interface.
For this we create a DNAT rule on our external router, together with the appropriate filter rules (FORWARD). After a few tests we observe that our HTTP web server is accessible from the Internet on www.example.com but NOT from our internal network. When we access the internal web server on its private IP address, everything works fine. What is happening?
To explain this we’ll start from the beginning:
- We open our browser and type 'www.example.com'.
- Our browser resolves the IP address of 'www.example.com' and obtains the public IP of our router (let's say 1.1.1.1), but our internal web server is on the internal network (let's say 10.0.0.1).
- Our PC (let's say 10.0.0.2) tries to connect to the public IP returned by the DNS server, 1.1.1.1, with its source IP 10.0.0.2, so it sends the request to its gateway (our router, let's say 10.0.0.254 on the internal network).
- The DNAT rule on our router rewrites the destination and sends the request back into the internal network to our web server 10.0.0.1 (IP SRC 10.0.0.2 -> IP DST 10.0.0.1). The source address is left untouched.
- The web server receives the connection and replies directly, from its local IP 10.0.0.1, to our PC 10.0.0.2, because they are on the same network; the reply never passes through the router.
- Our PC is waiting for a reply from 1.1.1.1 (the IP the DNS server returned for 'www.example.com') but receives a reply from the local IP 10.0.0.1 of our web server.
- Our PC drops the reply because it never initiated a connection to 10.0.0.1 (from the PC's point of view this is a SYN-ACK for a connection it never opened, so it is answered with a RST) and keeps waiting for a reply from 1.1.1.1.
- A timeout expires and our PC displays the message "Request timed out".
The solutions:
- SNAT based solution:
Create or modify the SNAT rule so that the source IP of internal LAN clients is also rewritten when they connect to the internal IP of the web server through the router (this is usually called hairpin NAT or NAT loopback). The web server then replies to the router, which, through its connection tracking, sends the reply back to the right client with the right source IP (1.1.1.1), making the connection possible.
Note: in this solution all internal clients are masked with the public IP of the router, so the web server's logs show every LAN client as the router, and each hairpinned connection crosses the LAN twice (client to router, router to server).
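The rule set described above, as an added example that is not part of the original article: the ordinary outbound SNAT, the DNAT for the web server, the FORWARD rules, and the extra hairpin SNAT rule that makes www.example.com reachable from the LAN. The addresses are the article's (1.1.1.1, 10.0.0.0/24, 10.0.0.1, 10.0.0.254); the interface names eth0/eth1 are assumptions. Without arguments the script only prints the rules (DRY_RUN), so it can be reviewed before being applied as root with --apply.

```shell
#!/bin/sh
# Added example (not from the article): iptables rules for the scenario above,
# including the hairpin SNAT rule that makes www.example.com reachable from
# the LAN. Addresses are the article's; interface names are assumptions.
set -eu

WAN_IF="eth0"               # assumed public interface, holds 1.1.1.1
LAN_IF="eth1"               # assumed LAN interface, holds 10.0.0.254
PUB_IP="1.1.1.1"
LAN_NET="10.0.0.0/24"
ROUTER_LAN_IP="10.0.0.254"
WEB_IP="10.0.0.1"

# run CMD...: execute, or only print when DRY_RUN is set (lets you review
# the rule set, and lets this script be tested without root or netfilter).
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$@"; else "$@"; fi
}

apply_hairpin_nat() {
    run sysctl -w net.ipv4.ip_forward=1

    # 1. Ordinary outbound SNAT: LAN clients leave via the public IP.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$PUB_IP"

    # 2. DNAT for the web server. Deliberately NOT restricted with -i $WAN_IF:
    #    LAN clients connecting to 1.1.1.1 must be rewritten as well, otherwise
    #    they would reach the router itself instead of the web server.
    run iptables -t nat -A PREROUTING -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP:80"

    # 3. Filter rules: allow the DNAT-ed connections (from the Internet and,
    #    hairpinned, from the LAN) plus all reply traffic.
    run iptables -A FORWARD -d "$WEB_IP" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. Hairpin SNAT: for LAN clients whose packets were just DNAT-ed to the
    #    web server, also rewrite the source to the router. The server now
    #    answers the router, conntrack reverses both translations, and the
    #    client sees its reply come from 1.1.1.1 as expected. POSTROUTING runs
    #    after PREROUTING, so matching on the post-DNAT destination works.
    #    (The article masks with the public IP; the router's LAN address works
    #    the same way and keeps the traffic obviously local.)
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$WEB_IP" -p tcp --dport 80 \
        -j SNAT --to-source "$ROUTER_LAN_IP"
}

if [ "${1:-}" = "--apply" ]; then
    apply_hairpin_nat               # needs root
else
    DRY_RUN=1 apply_hairpin_nat     # default: just print the rule set
fi
```

After applying, test from a LAN host with `curl -v http://www.example.com/` and, on the router, watch the doubly translated connection with `conntrack -L | grep 10.0.0.1` (from conntrack-tools). Without rule 4 the DNAT entry is created but no reply ever traverses the router, which is exactly the symptom described above.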
- Change your DNS server configuration
This is the best solution. Why? Because the traffic to your local web server doesn't go through your network router at all: it is a direct connection (unless your server is in a DMZ and not on the LAN).
The idea is to return a different IP address for your domain www.example.com depending on the source IP address of the DNS query (split-horizon DNS):
IP SRC 10.0.0.0/24 --> DNS reply 10.0.0.1
IP SRC anything else (e.g. 5.5.5.0/24) --> DNS reply 1.1.1.1
How to configure various DNS servers:
- BIND9 tutorial on split DNS zones: http://www.knowplace.org/pages/howtos/split_view_with_bind_9_howto.php
- Microsoft DNS Server: http://articles.techrepublic.com.com/5100-10878_11-5031769.html
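A concrete BIND9 version of the split-horizon idea, as an added example that is not from the article or from the tutorials linked above: a small script that writes a views block plus two zone files, so that www.example.com answers 10.0.0.1 to LAN clients and 1.1.1.1 to everyone else. The addresses are the article's; the file names, the SOA values and the assumption that BIND itself runs on the router's LAN address (10.0.0.254) are illustrative.

```shell
#!/bin/sh
# Added example (not from the article or the linked tutorials): generate a
# BIND9 split-horizon configuration in which www.example.com resolves to the
# LAN address for internal clients and to the public address for everyone
# else. Addresses are the article's; the file names, the assumption that the
# resolver itself runs on the router (10.0.0.254) and the SOA values are
# illustrative.
set -eu

ZONE="example.com"
LAN_NET="10.0.0.0/24"
WEB_LAN_IP="10.0.0.1"       # answer for LAN clients: direct connection
WEB_PUB_IP="1.1.1.1"        # answer for the Internet: router, then DNAT
LAN_DNS_IP="10.0.0.254"     # assumed: BIND listens on the router's LAN side

# write_zone FILE WWW_IP NS_IP: one zone file per view; the two files differ
# only in the addresses they hand out.
write_zone() {
    cat > "$1" <<EOF
\$TTL 300
@   IN SOA ns1.$ZONE. hostmaster.$ZONE. ( 2024010101 3600 900 604800 300 )
    IN NS  ns1.$ZONE.
ns1 IN A   $3
www IN A   $2
EOF
}

# write_views FILE: the views block to include from named.conf. Order
# matters: BIND uses the first view whose match-clients matches the query
# source, so the LAN view must come before the catch-all. Once views are
# used, every zone (including the root hints) must live inside a view.
write_views() {
    cat > "$1" <<EOF
acl "lan" { $LAN_NET; 127.0.0.0/8; };

view "internal" {
    match-clients { "lan"; };
    recursion yes;                    // LAN may use us as its resolver
    zone "$ZONE" {
        type master;
        file "/etc/bind/db.$ZONE.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                     // never be an open resolver
    zone "$ZONE" {
        type master;
        file "/etc/bind/db.$ZONE.external";
    };
};
EOF
}

# write_split_dns DIR: emit all three files into DIR.
write_split_dns() {
    write_views "$1/named.conf.views"
    write_zone  "$1/db.$ZONE.internal" "$WEB_LAN_IP" "$LAN_DNS_IP"
    write_zone  "$1/db.$ZONE.external" "$WEB_PUB_IP" "$WEB_PUB_IP"
}

OUTDIR="${1:-$(mktemp -d)}"
write_split_dns "$OUTDIR"
echo "split-DNS files written to $OUTDIR"
```

Check the result with `named-checkconf` and `named-checkzone example.com db.example.com.internal` before reloading, then compare `dig @10.0.0.254 www.example.com` from a LAN host with the same query from outside. One caveat: a LAN client that is configured to use a public resolver (rather than the router) never sees the internal view and will still get 1.1.1.1, so either push the internal resolver via DHCP or keep the hairpin NAT rule as a fallback.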
Or you can use two DNS servers, one for your internal network which is propagated via