(Zywall USG 300) NAT bypassed when accessing in-house-server From LAN Via domain name
Posted by mschr on Server Fault
Published on 2012-06-03T15:19:20Z
My situation is like this; I host a number of websites from within our joint network solution. On the network there are basically 3 categories:
- the known public, registered via mac, given static dhcp lease
- the anonymous lan connections, given lease from specific dhcp range
- switches, unix hosts, firewall
Now, consider the following hosts, which are of interest:
- 111.111.111.111 (Zywall USG 300 WAN)
- 192.168.1.1 (ZyWall USG 300 LAN) load balances and bw monitors plus handles NAT
- 192.168.1.2 (Linux www) serves mydomain1.tld and mydomain2.tld
- 192.168.123.123 (Random LAN client) accesses mydomain1.tld from LAN
- 23.234.12.253 (Random External client) accesses mydomain1.tld via WAN
DNS A records are set up so that both mydomain1.tld and mydomain2.tld point to 111.111.111.111, and the Linux www serves the http parts with VirtualHost configurations, setting up the document roots per ServerName; this is not so interesting though..
NAT rule translates 111.111.111.111:80 to 192.168.1.2:80 (1:1 NAT)
Our problem follows:
When accessing http://mydomain1.tld from outside the joint network (23.234.12.253 example host), everything is fine: the Zywall receives requests via port 80 and maps them to the Linux host's httpd. However, once trying to go through the NAT from the LAN side (in-house, 192.168.123.123 example host), one gets filtered in the Zywall port 80 firewall.
I know this only because port 443 is open for the administration interface and https://mydomain1.tld prompts for Zywall login.
So my conclusion is that the LAN clients that access 111.111.111.111 are in fact routed to 192.168.1.1 whilst bypassing the NAT table.
I need to know how to set up NAT / Policy Route so that LAN > WAN > LAN will function with proper network translations instead of doing the 'quick nameserver lookup' or whatever this might be.
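The failure the post describes is the classic "hairpin NAT" (NAT loopback) problem. The Python model below is an added example, not part of the post and not Zywall configuration; it uses the addresses from the post and assumes, as the poster concludes, that the 1:1 rule only matches traffic arriving on the WAN interface, so a LAN client addressing the WAN IP is handed to the firewall's own stack instead. It then contrasts the two usual fixes: translating the destination on any ingress interface alone (which leaves an asymmetric return path, since the server answers the LAN client directly), and the full hairpin rule that also rewrites LAN sources to the firewall's LAN address so the reply comes back through the firewall and is un-NATed. The `apply_nat` and `simulate` functions and the `NatRule` flags are constructed for this model.

```python
"""Model of hairpin (NAT loopback) behaviour for a LAN client that reaches
an in-house server via the firewall's public address.  Constructed example;
the rule semantics are a simplification, not any vendor's NAT engine."""
from dataclasses import dataclass, replace
from typing import Optional

# Addresses taken from the post above.
WAN_IP = "111.111.111.111"      # firewall WAN address, what DNS returns
FW_LAN_IP = "192.168.1.1"       # firewall LAN address, default gateway for 192.168/16
WWW = "192.168.1.2"             # Linux web server
LAN_CLIENT = "192.168.123.123"
EXT_CLIENT = "23.234.12.253"


def is_lan(ip: str) -> bool:
    """Simplified LAN test: everything under 192.168/16 sits behind the firewall."""
    return ip.startswith("192.168.")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str              # interface the packet arrived on: "wan" or "lan"


@dataclass(frozen=True)
class NatRule:
    match_dst: str
    match_dport: int
    translate_to: str
    iface: Optional[str]    # None: match on any ingress interface
    snat_lan_sources: bool = False   # hairpin: rewrite LAN sources to FW_LAN_IP


def apply_nat(pkt: Packet, rules) -> tuple[str, Packet]:
    """Return ('forwarded', rewritten packet) or ('local', pkt).

    A packet addressed to one of the firewall's own addresses that matches no
    NAT rule is delivered to the firewall's own stack, which is what the post
    observes from the LAN (port 80 filtered, port 443 shows the admin login)."""
    for r in rules:
        if (pkt.dst, pkt.dport) == (r.match_dst, r.match_dport) and r.iface in (None, pkt.iface):
            src = FW_LAN_IP if (r.snat_lan_sources and is_lan(pkt.src)) else pkt.src
            return "forwarded", replace(pkt, src=src, dst=r.translate_to)
    if pkt.dst in (WAN_IP, FW_LAN_IP):
        return "local", pkt
    return "forwarded", pkt


def simulate(client_ip: str, iface: str, rules) -> dict:
    """Trace one connection attempt from client_ip to WAN_IP:80 and the reply."""
    verdict, fwd = apply_nat(Packet(client_ip, WAN_IP, 80, iface), rules)
    if verdict == "local":
        return {"verdict": "local", "server_sees": None,
                "reply_via_firewall": False, "client_sees_reply_from": FW_LAN_IP}
    # The server answers whatever source address it saw.  An on-link LAN source
    # gets the reply directly, so the firewall never un-NATs it and the client,
    # which expected WAN_IP, drops a reply that appears to come from WWW.
    server_sees = fwd.src
    via_firewall = (not is_lan(server_sees)) or server_sees == FW_LAN_IP
    client_sees = WAN_IP if via_firewall else WWW
    return {"verdict": "forwarded", "server_sees": server_sees,
            "reply_via_firewall": via_firewall, "client_sees_reply_from": client_sees}


# Rule sets being compared (constructed).
WAN_ONLY = [NatRule(WAN_IP, 80, WWW, iface="wan")]                            # the post's situation
DNAT_ANY = [NatRule(WAN_IP, 80, WWW, iface=None)]                             # destination rewrite only
HAIRPIN = [NatRule(WAN_IP, 80, WWW, iface=None, snat_lan_sources=True)]       # destination + source rewrite


if __name__ == "__main__":
    for label, rules in (("wan-only", WAN_ONLY), ("dnat-any", DNAT_ANY), ("hairpin", HAIRPIN)):
        print(label, "external:", simulate(EXT_CLIENT, "wan", rules))
        print(label, "lan:     ", simulate(LAN_CLIENT, "lan", rules))
```

On Linux the hairpin rule set corresponds to a DNAT rule in the PREROUTING chain without an interface match plus an SNAT (or MASQUERADE) rule in POSTROUTING for LAN-sourced traffic going to the server; the other common answer is split-horizon DNS, where the internal resolver returns 192.168.1.2 for mydomain1.tld so LAN clients never traverse the firewall at all.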