Routing between private and DMZ networks


Hi everyone,
I’m trying to solve the following problem.

I have one Vyatta router with a zone firewall applied and these Ethernet interfaces:
eth0 - public network (public IP from internet provider 8X.4X.1X.1X)
eth1 - private network (
eth2 - DMZ (

I have set nat destination rules on a router:

set nat destination rule 1 destination address '8X.4X.1X.1X'
set nat destination rule 1 destination port '52131'
set nat destination rule 1 inbound-interface 'eth0'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation port '80'
set nat destination rule 1 translation address ''

and the corresponding firewall rules.

The domain name used to access the server in the DMZ resolves to the public IP address 8X.4X.1X.1X.

If I access the DMZ server from the internet it works well. It also works perfectly if I access the DMZ server from the private network and use the IP address

The problem is when I am in the private network:

telnet 52131
Trying 8X.4X.1X.1X...
telnet: Unable to connect to remote host: Connection refused

I ran tshark on interface eth1 (private) and I can see the SYN and ACK packets, but that’s all. I expect packets on the eth2 (DMZ) or eth0 (public) interfaces, but there aren’t any.
Packets caught on eth1:

0.000000 -> 8X.4X.1X.1X TCP 52794 > 52131 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 TSV=28046719 TSER=0 WS=7
0.000055 8X.4X.1X.1X -> TCP 52131 > 52794 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Does someone know what the problem is and how to solve it?
Thank you very much in advance.


I think you want to use hairpin NAT.
There are 2 options, I think, for this situation:
split DNS or hairpin NAT.

Maybe you can look at this site for the hairpin.
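
What hairpin NAT looks like for the topology in the first post, as an added example; this is not from the thread or from the linked site. The public address is the one quoted above; the DMZ server address (192.0.2.10), the private subnet (192.168.1.0/24) and the zone names PRIVATE and DMZ are assumed placeholders, since the post elides them. The capture already shows the cause: rule 1 only matches `inbound-interface 'eth0'`, so a LAN packet on eth1 addressed to 8X.4X.1X.1X is never translated, lands in the router's own stack, nothing listens on 52131, and the router itself answers RST/ACK 55 microseconds later. A second destination rule for eth1 fixes that:

```vyos
# Added example, not the thread's configuration. Assumed placeholders:
#   192.0.2.10       DMZ web server (elided in the post)
#   192.168.1.0/24   private network behind eth1 (elided in the post)
#   PRIVATE, DMZ     zone names of the existing zone firewall

# Existing rule from the post (translation address filled with the placeholder):
# internet clients on eth0 reach the DMZ web server.
set nat destination rule 1 inbound-interface 'eth0'
set nat destination rule 1 destination address '8X.4X.1X.1X'
set nat destination rule 1 destination port '52131'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '192.0.2.10'
set nat destination rule 1 translation port '80'

# Hairpin: the same translation for packets arriving from the LAN on eth1.
# Without it the packet is delivered locally to the router (hence the RST/ACK
# seen on eth1 and nothing on eth2 or eth0).
set nat destination rule 2 inbound-interface 'eth1'
set nat destination rule 2 destination address '8X.4X.1X.1X'
set nat destination rule 2 destination port '52131'
set nat destination rule 2 protocol 'tcp'
set nat destination rule 2 translation address '192.0.2.10'
set nat destination rule 2 translation port '80'

# Zone firewall: destination NAT runs before the forward filter, so the
# PRIVATE -> DMZ policy must match the translated destination (port 80),
# not 52131. If access by the DMZ IP already works from the LAN, this rule
# is already present.
set firewall name PRIVATE-TO-DMZ default-action 'drop'
set firewall name PRIVATE-TO-DMZ rule 10 action 'accept'
set firewall name PRIVATE-TO-DMZ rule 10 protocol 'tcp'
set firewall name PRIVATE-TO-DMZ rule 10 destination address '192.0.2.10'
set firewall name PRIVATE-TO-DMZ rule 10 destination port '80'
set zone-policy zone DMZ from PRIVATE firewall name 'PRIVATE-TO-DMZ'
```

Because the private and DMZ networks are separate segments on the same router, the DMZ server's replies already route back through the router, so no extra source NAT (masquerade) rule is needed and the server keeps seeing the real LAN client address in its logs. A masquerade rule is only required when client and server share a segment, and it has a cost: the server then logs the router's address instead of the client's, which split DNS avoids entirely. After committing, repeating the tshark capture on eth2 should show the SYN forwarded to 192.0.2.10:80 instead of the local RST/ACK on eth1.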


Thanks, Unicron. I’ve been thinking about split DNS but I do not want to manage two DNS servers. If hairpin NAT solves the problem that would be my horse :slight_smile: I’ll take a look and let you know.