Topic: Accessing local services using external IP  (Read 3826 times)
« on: December 29, 2010, 01:02:19 »
gein *
Posts: 6

Hi,

Up until now m0n0wall has been resolving some hosts to internal IP address internally from within the LAN to solve the issue with being unable to access local services inside my LAN using the external IP address.

This causes a lot of other problems and I was just recently told that this is in fact not the right way to do it. I was also told that something like transparent proxy / routing would help me out.

So my question is simply: How do I configure m0n0wall to allow me to access local services using the external IP address (the IP address on the WAN if)? m0n0wall is set up with one WAN and one LAN (DHCP) if.

Thanks!
« Reply #1 on: December 29, 2010, 01:37:58 »
Fred Grayson *****
Posts: 994

I believe you have been misinformed.

Is there some reason why the person who told you these things didn't provide a working solution?

--
Google is your friend and Bob's your uncle.
« Reply #2 on: December 29, 2010, 09:01:43 »
gein *
Posts: 6

I'm developing an android app that is communicating with a local service. And it's quite annoying not being able to use the app when I move from mobile network -> wifi/LAN, because the host lookup is cached and I will have to force a stop of the application and restart it again to have it work.
So I first thought the "issue" was with my application, not being able to re-resolve the host somehow, and so I posted the question on their official IRC channel for developers. That's where I was told, and I quote:
Quote
you should fix your wifi dns, that's how.
instead of using dns tom-foolery, use iptables DNAT.
On my question:
Quote
so you mean it is wrong to have a hostname resolve to a local IP address when inside the LAN, and the external IP address when outside?
I got the explicit answer "Yes" from the channel.
The person was unable to help me specifically with m0n0wall but told me that transparent proxying/routing is what I needed.

I must admit that it sounds far more flexible to have services accessible through the external IP even internally rather than having to set up local DNS records. But I have been able to cope with this up until now, when my Android app is actually giving me problems as it comes and goes between mobile and wifi networks.
« Last Edit: December 29, 2010, 09:03:38 by gein »
« Reply #3 on: December 29, 2010, 12:50:12 »
brushedmoss ****
Posts: 446

I'm afraid right now there is no alternative to the way you are configured.

It may be possible to get it working the way you want (one universal IP for use inside and outside) if you have a third interface on your m0n0wall, but I have never tested this. The idea would be to set up a third interface, and put the public server into that network, then do NAT for any traffic from the LAN subnet to the WAN IP, redirecting to the server IP.

Right now, to attempt this, you would need a static WAN IP, and have to edit your config.xml.
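
Why the redirect described above behaves differently with the server on a third interface, shown as an added example that is not part of the original post or of m0n0wall's code. It is a toy packet walk in Python; the WAN address, the 192.168.2.0/24 range for the third interface, the client address and port, and all function names are assumptions.

```python
# Added example: toy packet walk for NAT reflection. Addresses are constructed.
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("203.0.113.10")            # constructed public WAN address
SEGMENTS = {
    "LAN": ip_network("192.168.1.0/24"),       # LAN range from the thread
    "PUB": ip_network("192.168.2.0/24"),       # assumed range for the third interface
}


def on_same_segment(a, b):
    """True when two hosts can reach each other without crossing the firewall."""
    return any(a in n and b in n for n in SEGMENTS.values())


class Firewall:
    """Only does destination NAT for LAN -> WAN_IP, as described in the thread."""

    def __init__(self, server):
        self.server = ip_address(server)
        self.state = {}                         # (client, client port) -> original dst

    def outbound(self, src, sport, dst, dport):
        if src in SEGMENTS["LAN"] and dst == WAN_IP:
            self.state[(src, sport)] = dst      # remember what the client asked for
            dst = self.server                   # redirect to the real server
        return src, sport, dst, dport

    def inbound_reply(self, src, sport, dst, dport):
        # Undo the redirect so the reply appears to come from WAN_IP again.
        return self.state.get((dst, dport), src), sport, dst, dport


def reply_source_seen_by_client(client, server):
    """Walk one TCP exchange; return the source address of the reply at the client."""
    client, fw = ip_address(client), Firewall(server)
    # WAN_IP is off-link for the client, so the request always crosses the firewall.
    src, sport, dst, dport = fw.outbound(client, 40000, WAN_IP, 80)
    reply = (dst, dport, src, sport)            # server answers the rewritten packet
    if not on_same_segment(reply[0], reply[2]):
        reply = fw.inbound_reply(*reply)        # routed back through the firewall
    return reply[0]


def client_accepts(client, server):
    # A client only matches replies coming from the address it connected to.
    return reply_source_seen_by_client(client, server) == WAN_IP
```

With the server at 192.168.1.20 the reply is delivered directly on the LAN and arrives from the server's own address, so the client discards it; with the server at 192.168.2.20 the reply is routed back through the firewall and arrives from the WAN address.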
« Reply #4 on: December 30, 2010, 00:53:19 »
brushedmoss ****
Posts: 446

Ok, managed to get it into the beta before release with limited testing. 

You need a third interface to use as a DMZ.

http://m0n0.ch/wall/beta.php
« Reply #5 on: December 30, 2010, 12:31:03 »
gein *
Posts: 6

Cool. I actually have a third interface on my WRAP. I just need to figure out how to attach the third interface to a specific virtual machine.
« Reply #6 on: January 05, 2011, 12:26:31 »
brushedmoss ****
Posts: 446

Using VLANs may be the easiest way to achieve this.
« Reply #7 on: March 05, 2011, 09:19:45 »
gein *
Posts: 6

Okay, so I'm not quite sure how to set this up. Could someone give me a more or less step-by-step guide?
I have three interfaces: LAN, WAN, PUB. LAN is running DHCP on 192.168.1.x, WAN has a public IP address and PUB is not really configured yet (because I'm not sure how to).

How should PUB be configured?
What should I do in the NAT configuration?

Thanks!
« Reply #8 on: March 07, 2011, 20:35:09 »
bartjsmit *
Posts: 2

Do you have access to the DNS servers in question? If so, set the TTL of the record on internal and external servers to 300:

host.yourdomain.com    300  IN  A  192.168.1.1

This means that when you are back in WiFi reach, it will take no longer than five minutes for your Android to change from mobile to WiFi. Just enough to brew a cup of Java.

Of course, if your record is live, the public DNS server will get hammered.