Topic: Access from LAN to other NATted subnets  (Read 3606 times)
« on: August 30, 2007, 15:27:58 »
drtester *
Posts: 4

Hello,

I've read the FAQ, and understand that Monowall won't (normally) let me access a port-forwarded server on another subnet from the LAN subnet by using its WAN public IP address.  Unfortunately, I have a scenario that absolutely requires this, and I can't do the DNS Proxy tricks.

Config: Monowall with:
WAN (a handful of IPs)
LAN (clients)
DMZ1
DMZ2
DMZ3 - all separate server networks that have ports forwarded to them from the WAN interface.

There's a funky DNS thing going on with Windows AD, which is why it's not practical to use Monowall's DNS Proxy.  But LAN clients need access to the DMZ machines with the public IP.

So if Monowall doesn't do this, are there any suggestions on what will?  Or is there some config trick that can be done to make it work?

I really like the traffic monitoring, and need the QoS that Monowall offers.  Thanks!
« Reply #1 on: August 30, 2007, 17:24:40 »
markb ****
Posts: 331

Are you able to set up alternative host names or domain for servers for the client machines to use that point to the internal IP addresses?

Mark.
« Reply #2 on: August 30, 2007, 17:28:47 »
drtester *
Posts: 4

Unfortunately not.  There are a bunch of them, and it's all Windows integrated AD & DNS garbage.
« Reply #3 on: September 02, 2007, 20:46:26 »
cmb *****
Posts: 851

If you're running internal DNS it should have all internal IPs for your internal names, so I don't see why you should have a problem here unless you're using your internal DNS to serve public records to the Internet.

You can also force the Windows DNS servers to resolve through m0n0wall, which works around this.
« Reply #4 on: September 03, 2007, 04:23:12 »
drtester *
Posts: 4

>> unless you're using your internal DNS to serve public records to the Internet.

Yes, that's exactly what is going on.  Windows DNS is serving outside DNS, as well as being a proxy for internal clients.  The clients need the Windows machine for their DNS for the Active Directory junk.  Any other ideas?

« Reply #5 on: September 03, 2007, 05:43:58 »
cmb *****
Posts: 851

Eww, hosting your public DNS and internal DNS on the same machine is asking for trouble. Outside users can completely enumerate your domain in this type of configuration. Depending on your security settings, it may be possible for outsiders to update DNS records for important machines, and hence let an outsider point internal users to a server of their choosing. Among other things, this could cause internal users to execute code from an attacker's system when they think it's an internal system. This type of setup is a serious security problem.

What you need to do is use a proper split DNS infrastructure. Public DNS comes from one set of servers, internal DNS is internal only.
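A concrete form of the split described above, added here as a constructed example and not configuration from the thread: the thread's setup is Windows AD DNS, while this shows the Internet-facing half as a BIND named.conf plus zone file (example.com, the 203.0.113.x addresses and the file names are placeholders). The public server holds only public records and refuses recursion, zone transfers and dynamic updates; the AD DNS server stays reachable from the LAN only and keeps the DMZ hosts' private addresses, so LAN clients never need the WAN address in the first place.

```conf
// --- named.conf on the public-facing authoritative server (constructed example) ---
options {
    directory "/var/named";
    recursion no;                 // authoritative only: never resolve on behalf of outsiders
    allow-query { any; };         // the public zone is meant to be answered to anyone
    allow-transfer { none; };     // default: no AXFR, so the zone cannot be enumerated wholesale
    allow-update { none; };       // default: no dynamic updates from the Internet
    version "not disclosed";      // do not advertise the server version in CH TXT queries
};

zone "example.com" IN {
    type master;
    file "db.example.com.public";   // contains ONLY public names and public addresses
    allow-transfer { 203.0.113.53; }; // only the listed secondary (placeholder address)
    allow-update { none; };         // internal AD machines update the internal zone, never this one
};

// --- db.example.com.public: the whole public view of the domain (constructed example) ---
// $TTL 3600
// @       IN SOA ns1.example.com. hostmaster.example.com. (
//                 2007090301 ; serial
//                 3600       ; refresh
//                 900        ; retry
//                 1209600    ; expire
//                 3600 )     ; negative-cache TTL
//         IN NS   ns1.example.com.
//         IN NS   ns2.example.com.
// ns1     IN A    203.0.113.10
// ns2     IN A    203.0.113.53
// www     IN A    203.0.113.20   ; WAN address that m0n0wall port-forwards to the DMZ host
// mail    IN A    203.0.113.21   ; same idea for the mail server
// @       IN MX 10 mail.example.com.
// No RFC1918 addresses, no workstation or domain-controller names, no _ldap/_kerberos SRV records.
```

The internal AD DNS server keeps its own copy of example.com with www and mail pointing at the DMZ addresses, and its firewall rules only accept queries from the LAN and DMZ subnets, so neither server's records leak into the other's audience.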
« Reply #6 on: September 03, 2007, 17:53:49 »
drtester *
Posts: 4

Good point.  Thanks for the info, let me see what I can configure...