Topic: NAT conflicts with DNS Forwarder?
« on: February 18, 2009, 14:31:36 »
CyroTek *
Posts: 4

Hello everyone,

we're running a m0n0wall v1.235.

My problem is that I've set up the DNS forwarder for a domain to our SBS 2k3, which is configured to forward the domain to the webserver we're running. Now, within the network everything works fine, the domain is forwarded to the webserver and content is displayed. If you're outside and try to reach the domain you'll be forwarded to another server. That is configured by an inbound NAT rule to forward port 80 to that specific server.

Though I've just set up everything today, a couple of hours ago, so it might be just a matter of time before it'll be recognized outside as well.

Any ideas?

Kind regards,
Sebastian

EDIT: Or is the DNS forwarder not supposed to resolve incoming domains? If I own the domain test.com and use the DNS forwarder to forward it to my webserver that holds the data, it works inside but is not supposed to work from the outside?

How should I set up multiple webservers then?
« Last Edit: February 18, 2009, 16:27:41 by CyroTek »
« Reply #1 on: February 18, 2009, 17:15:17 »
knightmb ****
Posts: 341

I do exactly that for many machines. So, the DNS forwarder only affects machines on your internal network, because they talk to it for DNS; people outside your network (WAN, Internet, etc.) use their own DNS servers, which send them to m0n0wall's WAN (which you then forward to whatever internal machine it needs, like web, mail, radius, etc.).

DNS forwarder only works for your internal network. Some firewalls have what they call a "bounce" feature. You type yourdomain.com and it knows that this resolves to itself and just bounces you back through. Neat feature, but highly problematic in complex network setups. M0n0wall doesn't have this feature, but it can bounce its WAN to your LAN for the m0n0wall WAN IP only, if you set up the right firewall rules for it.

If you are like me, I have a whole range of IPs assigned to my m0n0wall, so doing a "bounce" will not work. The DNS forwarder solves this problem. I want to work on a website and be able to type http://blah.com/ to see what it looks like. The DNS forwarder will send my machine directly to the LAN IP instead of bouncing through the firewall (saves on bandwidth travel and redirect time).

You're going to need a machine outside your network to test with. Plenty of us are willing to help if it's just a simple "can you tell me if this port shows open or if a website shows up here" if you need a quick test.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: February 18, 2009, 17:31:40 »
CyroTek *
Posts: 4

Thanks for your reply knightmb.

Okay, so I got that, DNS forward only for internal purposes, and it doesn't really matter who owns the domain or if the domain is forwarded to my WAN IP. Not too bad to know anyway.

Though, that leaves out my problem to set up multiple webservers. Right now we have 2, both set up with NAT inbound rules... one uses port 80 and the other 8080. Nonetheless, I don't want to continue with that, 'cause most people don't get that they'd need to enter http://blah.com:1234 to get to the correct site.

Isn't there any way or program that if I type http://blah.com it will be forwarded to my monowall IP via A-Record and another service/program or anything resolves that blah.com belongs to the webserver #3 and forwards it to the correct server/computer?

Regards,
Sebastian
« Last Edit: February 18, 2009, 17:33:31 by CyroTek »
« Reply #3 on: February 21, 2009, 05:26:43 »
knightmb ****
Posts: 341

I think I understand: you have one site, http://blah.com on port 80, you need another site http://blah2.com on port 81, etc., etc. You can't do it through the name records (they only resolve the IP address, they don't do anything with ports).

Am I right on that so far? I can think of a few solutions, but not sure if they are relevant to your needs if you are referring to something else.

« Reply #4 on: February 23, 2009, 08:42:11 »
CyroTek *
Posts: 4

Right on. We have one site forward using port 80 to identify it and another at port 8080 and I don't really wanna go on that way, but can't think of another way as of now.

I'm open for your ideas.

Regards,
Sebastian
« Reply #5 on: February 25, 2009, 09:02:37 »
knightmb ****
Posts: 341

Well a couple come to mind.

You can purchase redirect services from dynamic DNS or other companies just for that very reason; they redirect all web visitors to any port you need. But it costs a monthly fee for all of them, last I checked.

If you are running Apache for a web server (or any other, they all support this), have both websites point to the same IP. Set up a virtual server for the first site on port 80, set up another virtual server on the same port (Site #2) but make the headers use a redirect to the other machine on a different port.

I'm guessing that you have *two* separate web server machines or just one?

« Reply #6 on: February 25, 2009, 10:29:08 »
Uluen **
Posts: 59

You could just use name based vhosts with Apache, though some (older mostly) browsers may not work well.

I have several webservers running on the same developer box, sharing one IP, it works fine.

http://httpd.apache.org/docs/2.0/vhosts/
« Reply #7 on: February 25, 2009, 10:36:08 »
frodo *
Posts: 21

To me it looks like you want a webproxy service. This is not included in m0n0wall.

You have two options.

1) Use one server and use virtual hosts on this server. Or install a proxy service on this machine and have your webservers reachable from it.

2) Get multiple IPs for your WAN interface on your m0n0wall, and assign each IP to one server.
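
The name-based virtual host and proxy options suggested in the replies above, as an added example that is not part of the original thread: one Apache front end receives the single port-80 NAT forward from m0n0wall and picks the backend by the Host header. It assumes Apache 2.4 with mod_proxy and mod_proxy_http loaded; the 192.168.1.x addresses, the document root path and the use of blah2.com for the second site are constructed placeholders.

```apache
# Added example (not from the thread). Assumes Apache 2.4 with mod_proxy
# and mod_proxy_http loaded. IPs and paths below are constructed placeholders.
# m0n0wall side: one inbound NAT rule, WAN tcp/80 -> 192.168.1.10:80 (this host).

# Never act as an open forward proxy; only the ProxyPass mappings below apply.
ProxyRequests Off

# The first vhost on *:80 is the default. It catches requests whose Host
# header matches no ServerName/ServerAlias (bare-IP requests, unknown names)
# and refuses them instead of silently serving site #1.
<VirtualHost *:80>
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Site #1 is served from this machine.
<VirtualHost *:80>
    ServerName blah.com
    ServerAlias www.blah.com
    DocumentRoot "/var/www/blah.com"
    <Directory "/var/www/blah.com">
        Require all granted
    </Directory>
</VirtualHost>

# Site #2 lives on a second internal web server (the one reached via :8080 before).
<VirtualHost *:80>
    ServerName blah2.com
    ServerAlias www.blah2.com
    # Pass the original Host header through so the backend sees blah2.com.
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.1.11:8080/"
    ProxyPassReverse "/" "http://192.168.1.11:8080/"
</VirtualHost>
```

With this layout the separate inbound NAT rule for port 8080 is no longer needed, so the second server is reachable from outside only through the front end.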
 