Discussion:
dst-nat rule
r***@italycom.it
2004-05-28 15:15:24 UTC
I have a little problem:

we have a web server inside our network at a private ip: 10.0.0.248
I have a dst-nat rule to access the server from outside to the ip: 62.94.xxx.yyy.

The problem is that I'd like to have the server accessible also from inside the private network using the public ip used from the outside.

Is this possible??

thank you
Kevin Summers
2004-05-28 16:09:01 UTC
It's possible, but a little tricky. After all the packets have to go out the
internet interface, come back through it to get the data, and then reverse
course and head back out and in the internet interface.

I've got a similar situation that I'm working on. So if we run across the
solution I'll post it.
Kevin Summers
KISTech Internet
www.kistech.com


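To make the "tricky" part concrete, here is an added Python model (not code from the thread or from MikroTik) of the two rule sets: dst-nat alone, and dst-nat plus a src-nat (masquerade) rule for LAN clients that reach the server via the public address. The public IP 62.94.0.1, the router's LAN address 10.0.0.1 and the client addresses are constructed placeholders, and the RouterOS chain names in the comments are general RouterOS knowledge, not something the thread states.

```python
from dataclasses import dataclass

# Addresses from the thread; the public IP is a placeholder for 62.94.xxx.yyy.
PUBLIC_IP = "62.94.0.1"
SERVER_IP = "10.0.0.248"
# Constructed for this model: the router's LAN address and the LAN prefix.
ROUTER_LAN_IP = "10.0.0.1"
LAN_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


class Router:
    """Minimal NAT model (no ports, no protocol): a dst-nat rule for the
    public IP plus, when hairpin_srcnat is set, a src-nat rule that
    masquerades LAN clients talking to the server through that public IP."""

    def __init__(self, hairpin_srcnat):
        self.hairpin_srcnat = hairpin_srcnat
        self.conntrack = {}  # (reply src, reply dst) -> (orig dst, orig src)

    def forward(self, pkt):
        src, dst = pkt.src, pkt.dst
        if dst == PUBLIC_IP:                         # chain=dstnat action=dst-nat
            dst = SERVER_IP
            if self.hairpin_srcnat and on_lan(src):  # chain=srcnat action=masquerade
                src = ROUTER_LAN_IP                  # forces the reply back via us
        self.conntrack[(dst, src)] = (pkt.dst, pkt.src)
        return Packet(src, dst)

    def reverse(self, reply):
        """Undo the translation for a reply that belongs to a tracked flow."""
        orig = self.conntrack.get((reply.src, reply.dst))
        return Packet(*orig) if orig else None


def simulate(client_ip, hairpin_srcnat):
    """Return (reply as the client sees it, whether the client accepts it)."""
    router = Router(hairpin_srcnat)
    # The request is addressed to the public IP, so it always hits the router.
    at_server = router.forward(Packet(client_ip, PUBLIC_IP))
    reply = Packet(SERVER_IP, at_server.src)    # server answers the source it saw
    if on_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        seen = reply        # same subnet: delivered directly, router bypassed
    else:
        seen = router.reverse(reply)
    # The client only accepts a reply that comes from the address it sent to.
    return seen, seen == Packet(PUBLIC_IP, client_ip)
```

With dst-nat alone an inside client gets a reply sourced from 10.0.0.248 instead of the public IP and drops it; the extra src-nat rule makes the server reply to the router, which un-translates both addresses.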
b***@simplebroadband.com
2004-05-28 16:27:59 UTC
Can't you do this with DNS? If you're in control of your client's DNS you
can set the dns response to your public website equal to the internal IP
address. We do this all over the place on our network, "hijacking"
specific sites that we have need to display locally.
John Kiehnle
2004-05-28 17:53:34 UTC
Brian, you are correct.

DNS admins suggest a dual chrooted DNS server for this.
Use a DNAT rule on your firewall that points to the
"outside server" which answers queries for the rest of the
world. The server answering queries about the inside
addresses resolves for folks "on the inside only". The
outside DNS server has no info about the inside addresses.
This is also a very popular solution if you have a web
server sending mail to a mail server, both are on the
"inside" but must be known to the "outside" as well.

I run these server configs on bind 9.2.3. If you run bind
I have all the configs to do this. Let me know if you want
to see.
All the docs to do this are also out on isc.org.

JK

David Richardson
2004-05-28 18:09:32 UTC
In addition, you can use a HOSTS file on the particular server; it will
try the HOSTS file for a matching record FIRST before it goes to the DNS
server.

Kevin Summers
2004-05-28 20:22:10 UTC
Excellent point. Many, myself included, forget about that seldom
used file.

Kevin Summers
KISTech Internet
www.kistech.com



John Kiehnle
2004-05-29 05:33:22 UTC
Readers,

I concur with the use of the hosts file. nsswitch.conf is
your friend. :) But remember the primary reason we use DNS
is so that we don't need to keep all those /etc/hosts
files updated. I can't keep my zone files updated, let
alone groups of workstations. In a large organization it
is not practical and the bind config will be the way I'll
get this done. It is most practical. I'll post all relevant
links for the dual chrooted bind config. Go out and grab a
shiny new copy of bind 9.2.3 from http://www.isc.org.
Compile it and be ready to make some mods to the basic
config.

JK

Rosario Pingaro
2004-05-28 21:47:56 UTC
I'm interested in the config and the docs.

thanks

