1

My situations is like this; i host a number of websites from within our joint network solution. On the network is basically 3 categories:

  1. the known public, registered via mac, given static dhcp lease
  2. the anonymous lan connections, given lease from specific dhcp range
  3. switches, unix hosts firewall

Now, consider following hosts which are of interest

  1. 111.111.111.111 (Zywall USG 300 WAN)
  2. 192.168.1.1 (ZyWall USG 300 LAN) load balances and bw monitors plus handles NAT
  3. 192.168.1.2 (Linux www) serves mydomain1.tld and mydomain2.tld
  4. 192.168.123.123 (Random LAN client) accesses mydomain1.tld from LAN
  5. 23.234.12.253 (Random External client) accesses mydomain1.tld via WAN

DNS A records are setup so that both mydomain1.tld and mydomain2.tld points to 111.111.111.111 - and the Linux www serves the http parts with VirtualHost configurations, setting up the document roots pr ServerName, this is not so interesting though..

NAT rule translates 111.111.111.111:80 to 192.168.1.2:80 (1:1 NAT) as such:

  • Type: Virtual Server
  • Interface: WAN
  • Original IP: any
  • Mapped IP: 192.168.1.2
  • Original port: 80
  • Mapped port: 80

While NAT-Loopback is activated it causes device unreachable from external interfaces (havent tried though, if it makes LAN -> WAN IP:80 work)

Our problem follows;

When accessing http://mydomain1.tld from outside (23.234.12.253 example host) the joint network - everything is fine, zywall receives requests via port 80 and maps it to the linux host' httpd. However - once trying to go through the NAT from LAN side (in-house, 192.168.123.123 example host) then one gets filtered in the Zywall port 80 firewall.

I know this only because port 443 is open for administration interface and https://mydomain1.tld prompts for zywall login.

So my conclusion is, that the LAN that accesses 111.111.111.111 in fact are routed to 192.168.1.1 whilst bypassing the NAT table.

I need to know how to setup NAT / Policy Route, so that LAN > WAN > LAN will function with proper network translations instead of doing the 'quick nameserver lookup' or whatever this might be.

mschr
  • 48
  • 1
  • 2
  • 6

2 Answers2

0

Solution ended up being maintenence of the internal DNS lookup table (much like an /etc/hosts file) where i put in mydomainX.tld and map it to their appropiate IP's.. Would have like to get around this though and there's a bounty out for an answer which allows for LAN -> WAN IP : PORT go through the NAT table

mschr
  • 48
  • 1
  • 2
  • 6
  • This is called a U-turn NAT... not sure how to do it on that type of firewall. Split-horizon DNS would also solve your situation. – SpacemanSpiff Jun 08 '12 at 04:29
  • I think by Zyxel terms, this is called NAT-loopback, however i get this message when enabling it: Original IP cannot be set to ANY while NAT-Loopback is activated because it might cause device unreachable – mschr Jun 08 '12 at 11:56
  • That's true... set the source address to be your inside network with mask...IE 192.168.1.0/24 or something like that. – SpacemanSpiff Jun 08 '12 at 13:45
  • Thanks, ill try that with a two-rule setup then, adding one that matches LAN subnets and letting that have NAT-loopback enabled - with Interface LAN, and then leave the WAN interfaced rule. Think this will actually work, but since i was denied access after enabling the NAT-loopback my mind seemed to have forgotten what it actually meant :) – mschr Jun 08 '12 at 14:00
  • argh, cannot declare iprange in the Zywall NAT rule, there is an option to choose 'Many 1:1 NAT' as opposed to 'Virtual Server' (rule classification). If Many is chosen, then an iprange/mask is requested for original IP But *also* only iprange is accepted as the mapped IP – mschr Jun 08 '12 at 14:14
  • sadly no legit solutions.. make an answer and thou shall receive a 100 points :D – mschr Jun 13 '12 at 17:34
0

So I Struggled with this myself and I figured out the answer. To make this work use the standard NAT rule (the same rule that is working to allow the world to access the website), just adjust the rule so that the Original IP is the WAN IP. Then you can enable NAT loopback and all works fine.

Let me know if you have more questions.

Tom Goetz
  • 1