internal -> external -> internal routing possible?

beefjerky911

Senior member
Apr 18, 2001
512
0
0
Here's my problem: I have a web site running on machine "webserver" on a private network, 192.168.1.100. The coding on some of the pages requires me to use the external addressing, http://www.websitehere.com. I would like to be able to view the page by typing in http://www.websitehere.com on any machine from my local network instead of using http://webserver. If I try http://websitehere.com it never loads up. Is it possible to load using the public address on a local network? I have a Netgear RT314 router btw, or is it just my router? I only have 1 public IP so I can't give the webserver an IP of its own. I've also directed port 80 to the proper IP.
 

Lord Evermore

Diamond Member
Oct 10, 1999
9,558
0
76
It doesn't work. Network address translation prevents this from working, because of the fact that the router has to track which connections are made on which ports, and so when you try to connect to the "real" IP address (which is found when your browser looks up the domain name), first a connection goes outbound on port 80, then tries to come back in on the same port and the router gets confused. You also can't change what ports are used, since you'll be trying to connect on whatever port you assign.

Each of the machines can have a line added in their HOSTS file to get past this, or if you have an internal webserver you can set it there. Point the server's domain name to the internal IP address of the server. In the HOSTS file like this:

192.168.1.100 www.websitehere.com
 

Santa

Golden Member
Oct 11, 1999
1,168
0
0
First off are you typing in http://www.websitehere.com or http://websitehere.com?

There is a difference and if you don't have the A record for http://websitehere.com it won't resolve.

That's one potential issue.

Second. It is possible for you to just type http://www.websitehere.com even from within your local network and have the website come up.

Reason this works is the router will translate the communication both ways. This does work and NAT will not prevent this.

To the Webserver it will appear that the request came from the external legal address.

Another thing to check is can someone from the outside world get to your web server? If not that would be another problem.
 

beefjerky911

Senior member
Apr 18, 2001
512
0
0
Originally posted by: Santa
Second. It is possible for you to just type http://www.websitehere.com even from within your local network and have the website come up.

Nope, it's not possible, but after I posted this I thought of a way to fix this. It's the same thing Lord Evermore is talking about. For those who are curious, the fix is to just add a DNS entry to point to the server, so you don't have to run around and change all the individual machines' hosts files. Of course this only works if you have a DNS server.
 

Lord Evermore

Diamond Member
Oct 10, 1999
9,558
0
76
Amazing, despite the many times this has failed to work, and the Cisco documentation I recall reading when I first encountered this while helping a customer set up his network, suddenly it works because Santa said so! Can I have an elf?

The router can't translate the traffic to itself. It already has the port open from the external address, even though it's technically passing it back to the internal network. Once it comes into the router, it has to do the NAT translation, then the traffic has to actually be sent to the logical interface, where the router then picks it up again as incoming traffic that it can't do anything with because that IP/interface already has an entry for the port 80 access in the NAT tables. (I wouldn't be surprised if a packet sniffer could see the traffic coming back to your own computer.)
 

Santa

Golden Member
Oct 11, 1999
1,168
0
0
NAT on most SOHO routers does not get "confused" by traffic from one interface to another. I have not heard of any and if there are it is a very poor implementation of NAT.

When you go through the router that Address Translates your Internal Address you are placed in a table and translated into a different address that then in turn gets retranslated and sent to the web server with the router's external address.

Doing a DNS entry on the inside is definitely a way to circumvent going to the outside and back in again so congrats on your work around.

Just to clarify though it is possible to do what you originally tried to though. I do the very thing on all the networks I manage and implement so I know it is possible.
 

Santa

Golden Member
Oct 11, 1999
1,168
0
0
When you send a packet request to a web server your destination port is not translated. It is your Source port which is translated. When the packet comes back it doesn't come back to port 80 it comes back to some random port assigned to the machine it translated. So in other words if you had a 10.1.1.1 machine with source address 25647 and you access www.websitehere.com you get www.websitehere.com as (if you don't do an internal resolution) <legal address here> then you try to access <legal address here> on port 80.

But because you are being NATed you get translated to <legal address here> and port 101 for example. When the web server gets the request it will see it coming from <legal address here> and source port 101. It will know that this request is not part of its local wire and send it back to the default route which will then translate the server's IP address and source port as something else like 102. So the communication should go back and forth between the computers with overloaded NAT technique.

If this didn't work then there would be no way that a DMZ would be feasible.
 

Lord Evermore

Diamond Member
Oct 10, 1999
9,558
0
76
I don't feel like reading. It doesn't work, it's never worked on any sort of router I've ever used, and many people here have run into the problem before, and it doesn't work on Cisco routers.
 

Soybomb

Diamond Member
Jun 30, 2000
9,506
2
81
Heh yeah many people use separate internal DNS servers or a DNS server that handles split horizon to get around the problem.
 

Lord Evermore

Diamond Member
Oct 10, 1999
9,558
0
76
Alright, the way Santa describes NAT is of course correct, for OUTSIDE servers. Not the same for inside servers normally.

I went and got real information on it. With any basic setup, it won't work. There are ways to make it work, but it involves using certain versions of Linux in one case (2.4.x kernel and iptables), and configuring it in a particular way that isn't the default for NAT, or doing the same configurations in a router if it allows it, or using other ways to get around the issue.

One site says Netopia routers support configuring for this way. Cisco did not do it this way the last time I used them, which was about a year ago.

The normal NAT configuration translates the source address when the traffic passes out the external interface. But, if the traffic is going to be redirected to another internal address, like a website, then the source does NOT get translated to the external IP address of the router. The webserver sees a request coming from 192.168.x.x or whatever, and responds to that IP. The requesting computer gets the response but ignores it, since the reply came from a 192.168.x.x address of the server which isn't the IP the browser tried to reach.

The extra configuration which is possible apparently in some routers or routing software makes the translation happen even for traffic being sent to an internal server with a port mapping. I don't know why that would not be an automatic assumption for how to design a NAT system.

Getting around this with a Cisco involves making the Cisco respond to DNS requests for the domain names you're using, and responding with the internal address, so that's easier than using a HOSTS file or your own DNS.
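As an added example (not code from the thread or from any router vendor), here is a small Python model of the three cases argued over above: a plain port forward, the hairpin translation Santa describes, and the split-horizon DNS workaround. Only 192.168.1.100 comes from the thread; the client address, the source ports and the public address 203.0.113.10 (standing in for "<legal address here>") are constructed.

```python
# Constructed model of the thread's setup: web server 192.168.1.100 behind a NAT
# router whose public address (assumed, documentation range) forwards port 80.
PUBLIC_IP = "203.0.113.10"
WEBSERVER = "192.168.1.100"
LAN_PREFIX = "192.168.1."
SERVER_NAME = "www.websitehere.com"

def resolve(name, client_ip, split_horizon):
    """DNS as the client sees it: a split-horizon server hands LAN clients the
    internal address; a plain public record always returns the public one."""
    if name != SERVER_NAME:
        return None                      # no A record for the bare name
    if split_horizon and client_ip.startswith(LAN_PREFIX):
        return WEBSERVER
    return PUBLIC_IP

def router_inbound(pkt, nat_table, hairpin):
    """Port-forward rule: PUBLIC_IP:80 is DNATed to the web server. With hairpin
    NAT the router also SNATs a LAN source to itself, so the reply must come back
    through the router; without it the LAN source is left untouched."""
    if pkt["dst"] != (PUBLIC_IP, 80):
        return pkt                       # not for the forwarded service
    fwd = dict(pkt, dst=(WEBSERVER, 80))
    if hairpin and pkt["src"][0].startswith(LAN_PREFIX):
        mapped = (PUBLIC_IP, 64924)      # translated source port (value from the netstat above)
        nat_table[mapped] = pkt["src"]
        fwd["src"] = mapped
    return fwd

def router_reply(pkt, nat_table):
    """Reverse path through the router: undo the DNAT on the source and, if the
    destination was hairpin-SNATed, undo that as well."""
    out = dict(pkt, src=(PUBLIC_IP, 80)) if pkt["src"] == (WEBSERVER, 80) else dict(pkt)
    if out["dst"] in nat_table:
        out["dst"] = nat_table[out["dst"]]
    return out

def browse(client_ip, hairpin=False, split_horizon=False):
    """'ok' if the client's TCP stack would accept the server's reply, 'ignored'
    if the reply arrives from an address/port the client never contacted."""
    nat_table = {}
    req = {"src": (client_ip, 3454),
           "dst": (resolve(SERVER_NAME, client_ip, split_horizon), 80)}
    if req["dst"][0] == WEBSERVER:       # internal name: same LAN, router not involved
        reply = {"src": req["dst"], "dst": req["src"]}
    else:
        at_server = router_inbound(req, nat_table, hairpin)
        reply = {"src": at_server["dst"], "dst": at_server["src"]}   # server swaps the tuple
        if not reply["dst"][0].startswith(LAN_PREFIX):               # LAN replies bypass the router
            reply = router_reply(reply, nat_table)
    return "ok" if reply["src"] == req["dst"] and reply["dst"] == req["src"] else "ignored"
```

The plain port-forward case ends with a reply from 192.168.1.100:80 to a client that is waiting on 203.0.113.10:80, which is exactly the mismatch described above; an outside client, the hairpin case and the split-horizon case all complete.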
 

Santa

Golden Member
Oct 11, 1999
1,168
0
0
From what I read on Cisco site they recommend using an "Alias" command which is what you are talking about in terms of having the cisco responding to the IP request. Most router/NAT implementations can support this type of extra translation line to account for machines accessing IP address translatable by the router/NAT device.

There is either an ICMP redirect capability or DNS Alias or it has to do the dirty translate/detranslate and translate/detranslate routine.

Home routers don't have this Alias feature but I do believe most implement the translate/detranslate routine.

For example here is my web server's netstat -a output.

TCP WebServer:http dhcpxxx-xxx-xxx-xxx.xxxxxx.rr.com:64924 ESTABLISHED
TCP WebServer:http dhcpxxx-xxx-xxx-xxx.xxxxxx.rr.com:64976 ESTABLISHED

What I did was connect to my web server from an internal machine and the session shows a connection from this dhcpxxx-xxx-xxx-xxx-xxxxxx.rr.com on source port 64924 and source port 64976.

Well this dhcpxxx-xxx-xxx-xxx-xxxxxx.rr.com is really the DNS name for the external legal address. The web server is having communications with this dhcpxxx.xxx.xxx.xxx.xxxxxxx.rr.com person which is really my inside machine.

My machine has the following netstat -a log..

TCP localmachine:3454 dhcpxxx-xxx-xxx-xxx.xxxxxx.rr.com:http ESTABLISHED
TCP localmachine:3455 dhcpxxx-xxx-xxx-xxx.xxxxxx.rr.com:http ESTABLISHED

My machine thinks it is communicating with the web server at the external IP address of my router. Neither know that the other machine is really on a local segment of the network.

btw I have an Asante FR3004LC which has the same firmware as the SMC Barricade 7004BR I do believe.
 

BaDaBooM

Golden Member
May 3, 2000
1,077
1
0
Sorry Lord Evermore, Santa's right... I've done this very thing on an SMC SOHO router with no problem.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
LOL, I've never heard split-horizon and DNS used in the same sentence.

Sorry, got a good chuckle out of that one.
 

Santa

Golden Member
Oct 11, 1999
1,168
0
0
hahah Soy.. same exact link I found.. I'm used to Split Horizon explained in routing protocols
 

Lord Evermore

Diamond Member
Oct 10, 1999
9,558
0
76
Ah well. SOME routers don't do it at any rate, and I would presume that if it did, it would, and the user wouldn't post here saying it didn't work.
 

Soybomb

Diamond Member
Jun 30, 2000
9,506
2
81
Lol yeah I don't play enough with routing to know it from there but I knew when I was working on some DNS stuff I'd seen it mentioned multiple times and sounded like it might have some cool points. Sounds like a mis-labeling though, I have officially learned something today.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Yeah, split-horizon is a network thing. Don't EVER let those application guys use our terms again.

Now I gotta go poison-reverse my injected stub node and hope it doesn't mess with my neighbors' prefix.
 

Santa

Golden Member
Oct 11, 1999
1,168
0
0
Link

Well ain't that a bitch..

Apparently Netgear themselves are just too dumb to implement some form of inside to inside NAT rule.. so Lord Evermore is correct, this router is not capable of this oh so tricky feature.. (note to self: don't buy Netgear)

It is possible and should be a part of every NAT implementation but I guess if someone can get away from coding an extra line of code then they are going to do it.

Hope this has been of help to some people besides my electric company
 

Lord Evermore

Diamond Member
Oct 10, 1999
9,558
0
76
Well, really, if Cisco doesn't implement it by default...why would anybody else think it's needed? Sure it has a way around it, but it ought to be done the right way, not having to implement some other configuration options to make it work.

Oh, and of course these routers are designed for home users who generally aren't running servers and needing an inside to inside connection, and for the most part have terms of service that say they can't.
 

Santa

Golden Member
Oct 11, 1999
1,168
0
0
Linksys, SMC, Asante.. to name a few implement this feature.. and the coding it takes to implement it is only an additional line of code at most..

I know it is one Policy line in Checkpoint anyways..

We won't get into what cisco doesn't implement as default as being right..

*cough*no ip directed-broadcast*cough*smurf*cough*
 

Lord Evermore

Diamond Member
Oct 10, 1999
9,558
0
76
Hmm, Zyxel doesn't allow it, which isn't surprising since it appears to be just a slightly modified Netgear firmware. Covad supplies Zyxel equipment even for the SOHO accounts, so this is something of a limitation for a "business" type account.

Of course, Netopia is a common business router, and I remembered a few minutes ago that they also don't do this right.
 