Unoffical empeg BBS


#189074 - 11/11/2003 12:11 Difficult routing question
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Until today, my server was colocated. I've had to move it home, where I have a 512/256 ADSL line.

I've configured port forwarding for a whole bunch of ports (smtp, http, etc.) at my router (a D-Link DSL604+) so that the outside world can get to it correctly.

Unfortunately, I can't get at it from the inside. It appears that my router isn't redirecting 81.86.66.34:80 correctly if I'm on the inside of the router.

Any suggestions? Do I need static routes configured? Do I need to have different DNS on the inside vs. the outside? I don't want to play with hosts files, because my laptop is used equally on both the inside and outside of the router, and http://www.differentpla.net/ should work properly in either case.

Should I just bin this consumer piece of junk and use a Linux or BSD box to do the routing? If I did, I'm assuming that I can configure requests received on the inside interface destined for particular address/port combinations to go to another PC on the inside.

I assume that I'll cause difficulty if I just route _all_ traffic destined for that address to another PC.
_________________________
-- roger

#189075 - 11/11/2003 12:23 Re: Difficult routing question [Re: Roger]
jmwking
old hand

Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
Unfortunately, I can't get at it from the inside.
Are you trying to get in via DNS resolution, and are you using NAT on your firewall? If so, you can put a hosts file in the appropriate sub-directory for your operating system, pointing the A records to the internal ip addresses.

Or set up an internal DNS server with the internal IP addresses. Most firewalls don't like to route out and back in.

-jk

#189076 - 11/11/2003 12:34 Re: Difficult routing question [Re: jmwking]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Are you trying to get in via DNS resolution, and are you using NAT on your firewall?

Yes and yes.

If so, you can put a hosts file in the appropriate sub-directory for your operating system, pointing the A records to the internal ip addresses.

As I said, this isn't feasible for at least one of the PCs.

Or set up an internal DNS server with the internal IP addresses.

I was hoping to avoid having to do this. It means that I now have to replicate 5 domains internally as well as externally.

Most firewalls don't like to route out and back in.

I noticed. If I use a proper PC, could I configure it to do this properly?
_________________________
-- roger

#189077 - 11/11/2003 12:46 Re: Difficult routing question [Re: Roger]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
I noticed. If I use a proper PC, could I configure it to do this properly?

Yes. Even if you can't get it to work with iptables (or whatever) you could definitely get it to work by running a simple proxy on port 80 that redirected the packets to the real server.
_________________________
Remind me to change my signature to something more interesting someday

#189078 - 11/11/2003 12:49 Re: Difficult routing question [Re: Roger]
jmwking
old hand

Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
As I said, this isn't feasible for at least one of the PCs.
Mea culpa - I didn't read carefully enough.

It means that I now have to replicate 5 domains internally as well as externally.
How many A records do you have, and how often do they change? I run a pair of internal DNS servers with a few dozen internal A records (as well as caching everything else) for several hundred users inside our VPN. They use public DNS servers when they travel, with DHCP feeding them the appropriate servers. I have to edit my servers about once every month or two, and it's mostly painless: when I send a request off to the public (authoritative) DNS hosting service, I've (usually) already made the change internally for testing.

If I use a proper PC, could I configure it to do this properly?
I really don't know what router software might be able to do it, I'm afraid. All the "appliance" boxes I've worked with won't, and I really didn't want to custom build something.

-jk

#189079 - 11/11/2003 13:42 Re: Difficult routing question [Re: jmwking]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
How many A records do you have, and how often do they change? I run a pair of internal DNS servers ...

Not that many, really -- I suppose that I could do it. Presumably, I just need to make my internal DNS server claim to be authoritative for those domains?
_________________________
-- roger

#189080 - 11/11/2003 13:44 Re: Difficult routing question [Re: andy]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
by running a simple proxy on port 80 that redirected the packets to the real server.

Unfortunately, it's more than just port 80. It's ports 22, 25, 80, 81, 110, 143, 443, 993 and 995. In itself, that's not so tricky -- it's just a pain to get right.
_________________________
-- roger

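For the "proper PC" route that andy suggests, the piece most consumer routers get wrong is the return path: if the router only rewrites the destination (DNAT) for inside clients talking to the public address, the server answers the client directly from its LAN address, the client sees a reply from the wrong source and the connection stalls. The script below is an added example, not anything from the thread or from the D-Link firmware: it prints the iptables rules for "hairpin" NAT on a Linux router, covering the ports Roger lists (22, 25, 80, 81, 110, 143, 443, 993, 995) and the public address 81.86.66.34 quoted above. The LAN interface (eth1), LAN subnet (192.168.0.0/24), router LAN address (192.168.0.1) and internal server address (192.168.0.10) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin NAT on a Linux router with iptables.
# For each forwarded port we need three things:
#   1. DNAT: inside -> public address gets rewritten to the internal server;
#   2. SNAT: the same flow gets its source rewritten to the router's LAN address,
#      so the server's replies come back through the router (where conntrack undoes
#      both rewrites) instead of going straight to the client with the wrong source;
#   3. a FORWARD rule limited to that port and that server, plus one generic rule
#      for the reply half of the flow.
# Constructed values: eth1, 192.168.0.0/24, 192.168.0.1, 192.168.0.10.
# 81.86.66.34 and the port list are the ones quoted in the thread.

PUBLIC_IP=81.86.66.34
SERVER_IP=192.168.0.10
LAN_IF=eth1
LAN_NET=192.168.0.0/24
ROUTER_LAN_IP=192.168.0.1
PORTS="22 25 80 81 110 143 443 993 995"

# Print the rules for one TCP port. Printing instead of executing lets you review
# the rule set before applying it (pipe the output through sh as root to apply).
hairpin_rules_for_port() {
    port=$1
    # 1. Destination rewrite, only for packets arriving on the LAN side.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$LAN_NET" "$PUBLIC_IP" "$port" "$SERVER_IP" "$port"
    # 2. Source rewrite for the same flow (seen after DNAT, so -d is the server now).
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$LAN_IF" "$LAN_NET" "$SERVER_IP" "$port" "$ROUTER_LAN_IP"
    # 3. Permit only this port to this server for the hairpinned flow (in and out on eth1).
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$LAN_IF" "$LAN_IF" "$SERVER_IP" "$port"
}

# Full rule set: one generic reply-path rule, then three rules per port.
hairpin_rules() {
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$LAN_IF" "$LAN_IF"
    for p in $PORTS; do
        hairpin_rules_for_port "$p"
    done
}

# Sanity check on the generated set: 1 + 3 * (number of ports) lines.
hairpin_rule_count() {
    hairpin_rules | wc -l | tr -d ' '
}

hairpin_rules
```

Because every DNAT rule is restricted to `-i eth1` and `-s 192.168.0.0/24`, these rules sit alongside the ordinary port forwards for traffic arriving on the ADSL interface without touching them, and nothing here routes "all traffic destined for that address" anywhere; only the listed ports reach the server.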
#189081 - 11/11/2003 14:11 Re: Difficult routing question [Re: Roger]
jmwking
old hand

Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
Presumably, I just need to make my internal DNS server claim to be authoritative for those domains?
Yes. Make it authoritative for your local domains, and look up and cache everything else. Then just point all your internal machines to it, whether through DHCP or statically, and you're all set. The internal computers won't be aware that public addresses are available as long as they're using the internal DNS. When your laptop has an outside IP address using outside DNS, it goes to (and through) the firewall, along with the rest of the public.

-jk

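What jmwking describes is split-horizon DNS: an internal server that is authoritative for your own domains (with A records pointing at the LAN address) and recursive for everything else, while the public hosting service keeps serving the outside world. The fragment below is an added example of such a BIND 9 `named.conf`, not anything posted in the thread; differentpla.net is the domain mentioned above, and the LAN subnet (192.168.0.0/24), the server's LAN address (192.168.0.1) and the zone file path are constructed placeholders.

```conf
// Added example (not from the thread): internal-only authoritative + caching DNS.
// Constructed values: 192.168.0.0/24, 192.168.0.1, the zone file path.
acl "lan" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { 192.168.0.1; 127.0.0.1; };   // LAN side only, never the ADSL interface
    allow-query { "lan"; };                  // not an open resolver for the outside
    allow-recursion { "lan"; };              // look up and cache everything else for LAN clients
    recursion yes;
};

// Internal copy of the zone: same names as the public zone, but every A record
// points at the server's LAN address instead of 81.86.66.34.
zone "differentpla.net" {
    type master;
    file "/etc/bind/db.differentpla.net.internal";
    allow-transfer { none; };                // internal addresses stay inside
};
```

The internal zone file holds the same names as the public one (an SOA, an NS, the A and MX records) with the A records set to the server's LAN address, and its serial is bumped whenever the public zone changes; repeating the `zone` stanza once per domain covers the five domains Roger mentions. A laptop that picks up this server via DHCP on the LAN resolves the internal address, and the same laptop on an outside connection, using outside DNS, resolves the public one, which is exactly the "works in either case" behaviour the first post asks for.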