Routing between private and DMZ networks


#1

Hi everyone,
I’m trying to solve the following problem.

I have one Vyatta router with a zone firewall applied and these Ethernet interfaces:
eth0 - public network (public IP from internet provider 8X.4X.1X.1X)
eth1 - private network (192.168.0.1/24)
eth2 - DMZ (10.0.0.1/24)

I have set NAT destination rules on the router:

set nat destination rule 1 destination address '8X.4X.1X.1X'
set nat destination rule 1 destination port '52131'
set nat destination rule 1 inbound-interface 'eth0'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation port '80'
set nat destination rule 1 translation address '10.0.0.2'

and the corresponding firewall rules.

Domain name which is used to access the server in DMZ is translated to the public IP address 8X.4X.1X.1X.

If I access the DMZ server from the internet it works well. It also works perfectly if I access the DMZ server from the private network using the IP address 10.0.0.2.

The problem is when I am in the private network:

telnet dmzserver.company.net 52131
Trying 8X.4X.1X.1X...
telnet: Unable to connect to remote host: Connection refused

I ran tshark on interface eth1 (private) and I can see a SYN and an ACK packet, but that’s all. I expect packets on the eth2 (DMZ) or eth0 (public) interfaces, but there aren’t any.
Packets caught on eth1:

0.000000 192.168.0.4 -> 8X.4X.1X.1X TCP 52794 > 52131 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 TSV=28046719 TSER=0 WS=7
0.000055 8X.4X.1X.1X -> 192.168.0.4 TCP 52131 > 52794 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Does anyone know what the problem is and how to solve it?
Thank you very much in advance.


#2

I think you want to use hairpin NAT.
I think there are 2 options for this situation:
split DNS or hairpin NAT.

Maybe you can look at this site for the hairpin.


#3

Thanks, Unicron. I’ve been thinking about split DNS but I do not want to manage two DNS servers. If hairpin NAT solves the problem that would be my horse :slight_smile: I’ll take a look and let you know.
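Hairpin NAT for the three-interface layout in #1, written out as an added example rather than configuration anyone posted in this thread: a second destination NAT rule that performs the same translation as rule 1, but for packets that enter on eth1 instead of eth0. The rule number, the description string and the operational `show` commands in the comments are assumptions; the addresses and ports come from the thread.

```vyos
# Added example (not from the thread). Rule number 10 and the description
# text are assumptions; addresses and ports are those given in #1.
#
# Why the existing rule never fires: rule 1 is bound to inbound-interface
# eth0, so a SYN from 192.168.0.4 that enters on eth1 for 8X.4X.1X.1X:52131
# is not translated. The router owns that address, nothing listens on
# 52131 locally, and the local stack answers with the RST/ACK captured in #1.

configure

# Same translation as rule 1, but matched on the LAN-facing interface.
set nat destination rule 10 description 'hairpin: LAN to DMZ web via public IP'
set nat destination rule 10 inbound-interface 'eth1'
set nat destination rule 10 destination address '8X.4X.1X.1X'
set nat destination rule 10 destination port '52131'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.0.2'
set nat destination rule 10 translation port '80'

commit
save

# Checks after commit:
#  - The zone policy from the private zone to the DMZ zone must permit
#    tcp/80 to 10.0.0.2. Destination NAT runs before the zone firewall,
#    so the firewall sees the translated address and port, not 52131.
#  - 10.0.0.2 must route 192.168.0.0/24 back through 10.0.0.1 (its default
#    gateway in this layout). Because the reply re-enters the router, the
#    connection tracker reverses the translation and no source NAT rule is
#    required. A masquerade rule on eth2 is only needed when replies could
#    bypass the router; it would also replace the client address in the
#    DMZ server's logs with 10.0.0.1, which is worth avoiding for auditing.
#  - Verify with (command names vary by release):
#      show nat destination statistics
#      show nat destination translations
```

After the change, a repeat of the tshark capture from #1 should show the SYN leaving on eth2 toward 10.0.0.2:80 instead of an immediate RST/ACK on eth1.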