Date:      Sun, 08 Aug 2004 17:19:16 -0700
From:      Pat Lashley <patl+freebsd@volant.org>
To:        mailist@whoweb.com, freebsd-questions@freebsd.org
Subject:   Re: IPFW/NATD Transparent Proxy
Message-ID:  <29C1396540CA28B1C9E7B822@vanvoght.phoenix.volant.org>
In-Reply-To: <200408081843.21513.mailist@whoweb.com>
References:  <MIEPLLIBMLEEABPDBIEGGELBGIAA.Barbish3@adelphia.net> <200408081843.21513.mailist@whoweb.com>

--On Sunday, August 08, 2004 18:43:21 -0400 mailist@whoweb.com wrote:

> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
> they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD
> internet gateway.  Again, the configuration is
> 	de0 = PUBLIC IP = 1.2.3.4
> 	de1 = 192.168.1.1
> 	de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet
> being redirected to 192.168.2.250.  That works fine.  But I want someone on
> 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
> public address 1.2.3.4:80.
>
> Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has
> a public interface with an IP number of 1.2.3.4 and is assigned the DNS name
> www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a
> private address space of 192.168.1.0/255.255.255.0 and a third NIC that
> supports a private address space of 192.168.2.0/255.255.255.0
>
> When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
> they get redirected to 192.168.2.250 because I've included a redirect_port
> rule for NATD.  This works fine.  But, users on all private networks (I have
> two, but there could be 20) also need to be redirected to 192.168.2.250 when
> they try to go to www.ishouldhaveusedipfilter.com   So the user sitting at
> 192.168.1.247 shouldn't have to worry about putting in the IP number of the
> company web server, they should just be able to put in the company domain
> name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250
> just like anyone coming from the outside.

It seems to me that the best way to handle this is through DNS.  Hosts
within your LAN should resolve www.ishouldhaveusedipfilter.com to 192.168.2.250
instead of 1.2.3.4.

Typically, you would have an externally visible DNS server which is authoritative
for your domain, and which lists only the publicly visible machines and IP addresses.
(It should -NOT- handle referrals at all.)  Somewhere within your LAN you would have
another DNS server that is authoritative for your internal domain and IP range.  It
may handle referrals; but it is safer to have a completely separate DNS server which
just handles referrals (and possibly caches results) - it should be explicitly told
to use your LAN's authoritative server for your domain and IP range.

With this setup, outside machines see the public address, which is redirected
via your firewall/NAT rules; but internal machines see the internal address and
access it directly.


-Pat
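The three-server split-horizon layout Pat describes, written out as BIND 9 configuration fragments. This is an added example, not configuration from the original thread or from FreeBSD. The domain name, the public address 1.2.3.4, the web server 192.168.2.250 and the gateway's LAN addresses 192.168.1.1 and 192.168.2.1 come from the thread; everything else is assumed: the `/etc/namedb` layout, the `ns1` hostname, the use of 192.168.0.0/16 to cover every present and future private LAN, and the address 192.168.2.53 for the internal authoritative server (a hypothetical host, chosen only for illustration).

```conf
// ===== Server 1: external authoritative server (reachable from the Internet) =====
// /etc/namedb/named.conf  (path assumed)
options {
    directory "/etc/namedb";
    recursion no;                 // authoritative only; never answers recursive queries
    allow-query { any; };         // the public zone is meant to be read by everyone
};

zone "ishouldhaveusedipfilter.com" {
    type master;
    file "master/ishouldhaveusedipfilter.com.external";
};

// master/ishouldhaveusedipfilter.com.external  (zone file; ';' starts a comment here)
// $TTL 3600
// @    IN SOA ns1.ishouldhaveusedipfilter.com. hostmaster.ishouldhaveusedipfilter.com. (
//          2004080801 ; serial   (constructed value)
//          3600 1800 604800 3600 )
//      IN NS ns1.ishouldhaveusedipfilter.com.
// ns1  IN A  1.2.3.4
// www  IN A  1.2.3.4            ; public address on de0; natd redirect_port sends :80 to 192.168.2.250

// ===== Server 2: internal authoritative server, e.g. on 192.168.2.53 (address assumed) =====
options {
    directory "/etc/namedb";
    recursion no;                 // still authoritative only; recursion lives on server 3
    allow-query { 192.168.0.0/16; };   // only the private LANs may read the internal view
};

zone "ishouldhaveusedipfilter.com" {
    type master;
    file "master/ishouldhaveusedipfilter.com.internal";
};

zone "168.192.in-addr.arpa" {     // reverse zone for the private range
    type master;
    file "master/168.192.in-addr.arpa";
};

// master/ishouldhaveusedipfilter.com.internal
// $TTL 3600
// @    IN SOA ns1.ishouldhaveusedipfilter.com. hostmaster.ishouldhaveusedipfilter.com. (
//          2004080801 3600 1800 604800 3600 )
//      IN NS ns1.ishouldhaveusedipfilter.com.
// ns1  IN A  192.168.2.53
// www  IN A  192.168.2.250      ; internal hosts reach the web server directly, no NAT hairpin

// ===== Server 3: caching/recursive resolver for the LANs, e.g. on the gateway =====
options {
    directory "/etc/namedb";
    recursion yes;
    allow-recursion { 192.168.0.0/16; };     // never recurse for the Internet at large
    listen-on { 192.168.1.1; 192.168.2.1; }; // LAN-facing addresses only, not 1.2.3.4
};

// Send our own domain and reverse range to the internal authoritative server;
// everything else is resolved normally from the root servers.
zone "ishouldhaveusedipfilter.com" {
    type forward;
    forward only;
    forwarders { 192.168.2.53; };
};

zone "168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.2.53; };
};
```

LAN hosts must be pointed at server 3 (via DHCP or `/etc/resolv.conf`), otherwise they keep asking the external server and still get 1.2.3.4. A quick check from 192.168.1.247 is `host www.ishouldhaveusedipfilter.com 192.168.1.1`, which should return 192.168.2.250, while the same query against the external server returns 1.2.3.4. The same split can be done on a single BIND instance with `view` statements keyed on `match-clients`, but keeping the Internet-facing server authoritative-only with `recursion no`, as Pat recommends, means it can never be abused as an open resolver and never leaks the internal zone.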