Sunday, August 26, 2018

firewall - (Zywall USG 300) NAT bypassed when accessing in-house server from LAN via domain name

My situation is like this; I host a number of websites from within our joint network solution. On the network there are basically 3 categories:

  1. the known public, registered via MAC, given a static DHCP lease

  2. the anonymous LAN connections, given a lease from a specific DHCP range

  3. switches, unix hosts, firewall




Now, consider the following hosts which are of interest:

  1. 111.111.111.111 (Zywall USG 300 WAN)

  2. 192.168.1.1 (ZyWall USG 300 LAN) load balances and bw monitors plus handles NAT

  3. 192.168.1.2 (Linux www) serves mydomain1.tld and mydomain2.tld

  4. 192.168.123.123 (Random LAN client) accesses mydomain1.tld from LAN

  5. 23.234.12.253 (Random External client) accesses mydomain1.tld via WAN




DNS A records are set up so that both mydomain1.tld and mydomain2.tld point to 111.111.111.111, and the Linux www serves the HTTP parts with VirtualHost configurations, setting up the document roots per ServerName; this is not so interesting though.

The NAT rule translates 111.111.111.111:80 to 192.168.1.2:80 (1:1 NAT) as such:

  • Type: Virtual Server

  • Interface: WAN

  • Original IP: any

  • Mapped IP: 192.168.1.2

  • Original port: 80

  • Mapped port: 80



While NAT-Loopback is activated it causes the device to be unreachable from external interfaces (haven't tried though, if it makes LAN -> WAN IP:80 work).

Our problem is as follows:

When accessing http://mydomain1.tld from outside the joint network (23.234.12.253 example host), everything is fine: the Zywall receives requests via port 80 and maps them to the Linux host's httpd. However, once trying to go through the NAT from the LAN side (in-house, 192.168.123.123 example host), one gets filtered in the Zywall port 80 firewall.

I know this only because port 443 is open for the administration interface and https://mydomain1.tld prompts for the Zywall login.

So my conclusion is that the LAN clients that access 111.111.111.111 are in fact routed to 192.168.1.1 while bypassing the NAT table.

I need to know how to set up NAT / Policy Route so that LAN > WAN > LAN will function with proper network translation instead of doing the 'quick nameserver lookup' or whatever this might be.


Answer

Solution ended up being maintenance of the internal DNS lookup table (much like an /etc/hosts file) where I put in mydomainX.tld and map it to the appropriate IPs. Would have liked to get around this though, and there's a bounty out for an answer which allows LAN -> WAN IP:PORT to go through the NAT table.
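To make the behaviour described in the question and the answer concrete, here is an added model (not code from the post, nor from ZyXEL) that traces where one TCP connection lands depending on the client's side, the Virtual Server rule's interface binding, and whether an internal DNS override is in place. Assumptions: the two LAN prefixes, that a Virtual Server rule only matches packets arriving on its bound interface, and that NAT loopback is modelled as a rule bound to "any".

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

# Constructed model of the topology in the post; the /24 prefixes are assumptions.
WAN_IP = ip_address("111.111.111.111")            # ZyWALL WAN
LAN_IP = ip_address("192.168.1.1")                # ZyWALL LAN, default gateway
LAN_NETS = [IPv4Network("192.168.1.0/24"), IPv4Network("192.168.123.0/24")]
WWW_IP = ip_address("192.168.1.2")                # Linux www
FIREWALL_LISTENERS = {443}                        # admin UI per the post; 80 is not served by the box
PUBLIC_A = {"mydomain1.tld": WAN_IP, "mydomain2.tld": WAN_IP}

@dataclass(frozen=True)
class VirtualServer:
    interface: str          # "WAN" as configured in the post; "any" models NAT loopback
    original_port: int
    mapped_ip: IPv4Address
    mapped_port: int

def ingress_interface(src: IPv4Address) -> str:
    return "LAN" if any(src in n for n in LAN_NETS) else "WAN"

def resolve(name: str, overrides: dict) -> IPv4Address:
    """The internal lookup table (the accepted fix) wins; otherwise the public A record."""
    return overrides.get(name, PUBLIC_A[name])

def where_it_lands(src: str, name: str, port: int, rules, overrides=None) -> str:
    """Follow one SYN from src to name:port through the firewall's decision order."""
    src_ip, dst = ip_address(src), resolve(name, overrides or {})
    iface = ingress_interface(src_ip)
    # 1. Virtual Server rules match on the interface the packet arrives on, so a
    #    WAN-bound rule never sees a LAN-originated packet unless loopback ("any") is on.
    for r in rules:
        if dst == WAN_IP and r.original_port == port and r.interface in (iface, "any"):
            return f"NAT to {r.mapped_ip}:{r.mapped_port}"
    # 2. Untranslated traffic to one of the firewall's own addresses is handled locally.
    if dst in (WAN_IP, LAN_IP):
        return "firewall admin UI" if port in FIREWALL_LISTENERS else "filtered by firewall"
    # 3. Anything else is plain routing (the internal-DNS fix lands here).
    return f"routed to {dst}:{port}"

RULES = [VirtualServer("WAN", 80, WWW_IP, 80)]           # the rule as configured
LOOPBACK_RULES = [VirtualServer("any", 80, WWW_IP, 80)]  # same rule with NAT loopback
SPLIT_HORIZON = {"mydomain1.tld": WWW_IP, "mydomain2.tld": WWW_IP}  # the accepted fix

if __name__ == "__main__":
    print(where_it_lands("23.234.12.253", "mydomain1.tld", 80, RULES))                 # external client
    print(where_it_lands("192.168.123.123", "mydomain1.tld", 80, RULES))               # LAN client, no fix
    print(where_it_lands("192.168.123.123", "mydomain1.tld", 443, RULES))              # why the login prompt
    print(where_it_lands("192.168.123.123", "mydomain1.tld", 80, RULES, SPLIT_HORIZON))
    print(where_it_lands("192.168.123.123", "mydomain1.tld", 80, LOOPBACK_RULES))
```

The third call reproduces the symptom that revealed the problem: with no rule for 443, the LAN client reaches the firewall's own admin listener at the WAN address.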

