[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

nat/pf: how to route a dyndns domain inside a lan?



Hello!

I am using OpenBSD for over a year now and am very confident with it. I use
it as a router/firewall serving a dsl connection within my lan and ALL IS
WORKING FINE - just want to mention this! :-) But I have a little problem
in the last weeks which I can't solve my own. Something I must have
misunderstood, or whatever.

I have two machines behind my NAT: a windows client and a debian webserver.
My NAT is configured like this:

	no nat on $if_Ext from any to $if_Ext
	no nat on $if_Ext from any to $net_Local
	nat on $if_Ext from $net_Local to any -> $if_Ext

Incoming HTTP-Requests are redirected to the webserver using a rule like
this:

	rdr on $if_Ext proto tcp from any to $if_Ext port http -> $mach_Webserver
port http

There are some other rdr rules for other ports which shouldn't bother us
now. There's no other nat/binat rule! It works fine. If I open
mydomain.dyndns.org FROM OUTSIDE MY LAN (!!!) I get my webservers starting
page. It seems my webserver (debian) works correctly with inside and
outside connections. It even understands multiple virtual hosts.

But it won't work from inside!!!

That's why I added the above "no nat" rules, with no effect. I also tried
another rdr rule like this:

	rdr on $if_Int proto tcp from $net_Local to $if_Ext port 80 ->
$mach_Webserver port 80

Using tcpdump on my debian webserver shows me the following (all port 80
traffic on eth0):

[client-ip].1585 > [dsl-ip].80: S [tcp sum ok] 1496870387:1496870387(0) win
16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 40881, len 48)
[client-ip].1585 > [webserver-ip].80: S [tcp sum ok]
1496870387:1496870387(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 127,
id 40881, len 48)
[webserver-ip].80 > [client-ip].1585: S [tcp sum ok]
2650274519:2650274519(0) ack 1496870388 win 5840 <mss 1460,nop,nop,sackOK>
(DF) (ttl 64, id 0, len 48)
[client-ip].1585 > [webserver-ip].80: R [tcp sum ok]
1496870388:1496870388(0) win 0 (ttl 128, id 40883, len 40)

Seems the packets are redirected fine. This also shows my pflog on my
OpenBSD machine. But I do not get a result in my webbrowser! The connection
can't be established. I tried accessing it with telnet on port 80 too but
there is no answer too. 

If you have ANY idea how I could solve this problem, please let me know!
Thanks!

P.S.: adding a ns entry for my dyndns domain will work but for other
reasons I want to solve this problem not like this :-(

Thanks, 
Alexander von Hedenstroem.
---