From: Bill Moran
Organization: Potential Technologies
To: Carolyn Longfoot
Cc: freebsd-questions@freebsd.org
Date: Tue, 30 Apr 2002 19:43:54 -0400
Subject: Re: NAT/DNS/WEB

Carolyn Longfoot wrote:
> Bill,
>
> thanks, I'm not quite there yet but at least in my mind I am beginning
> to narrow the problem down somewhat. I have inserted the tests from the
> outside and hope the revised questions reflect the problem statement
> better :-)

You're on the right road, you just haven't walked far enough yet.

>> From: Bill Moran
>> To: Carolyn Longfoot
>> CC: freebsd-questions@freebsd.org
>> Subject: Re: NAT/DNS/WEB
>> Date: Tue, 30 Apr 2002 17:13:52 -0400
>>
>> Carolyn Longfoot wrote:
>>
>>> I have a machine that's a dual homed host running NAT and DNS, connected
>>> to the outside world with a static IP. It seems I can nslookup
>>> 'www.mydomain.com' from the outside, so I think my DNS responds to
>>> lookups from the outside.
>>
>> If nslookup from a machine on the internet resolves the name to the proper
>> address, then your DNS is correct. A simple "ping www.mydomain.com" will
>> tell you whether or not the DNS resolved. If you then can't contact that
>> machine, well, it's not DNS that's the problem.
>
> The ping works, and I hope it's ok that ping www.mydomain.com returns this:
> Pinging mydomain.com [x.x.x.7] with 32 bytes of data:
> ...
> where .7 is the IP of the dual homed host, which I would expect because
> NAT should make sure to only communicate with the outside world using
> the external IP.

Pretty much. Forget DNS, routing, etc, at this point - they're all working
correctly. Well done.

>>> I am pointing 'WWW' via DNS to a separate machine called
>>> web.mydomain.com but for some reason from the outside I cannot get to
>>> www.mydomain.com. It is working from the inside however.
>>
>> What's the IP address of the www machine? If it's a private IP addy,
>> you'll get this behaviour.
>
> Yes, the www box has a private IP. I was counting on the magic of NAT
> and DNS to resolve this, my naive reasoning was this: since I allow
> inbound DNS and have set up an alias for www.mydomain.com in DNS I was
> thinking that would be sufficient to direct traffic to the www box.

Not quite. NAT is capable of doing what you want, it's just not capable of
doing it automatically. Read through the man page for natd and pay special
attention to the -redirect_port option. What you want to do is redirect
port 80 on the gateway machine to port 80 on your webserver. That will
instruct natd on how to direct traffic.

> nslookup www.mydomain.com gives this (from the outside):
> Server:...
> Address:...
> Non-authoritative answer:
> Name: mydomain.com
> Address: x.x.x.7
> Aliases: www.mydomain.com
>
> It seems DNS is doing at least part of its job and finds the alias www,
> while NAT returns the external IP, not the internal one.

That's what you want. Once you've set up natd, everything should work
(assuming your web server is set up, etc.)

> Based on ping and nslookup it looks like it's found but not really,
> because nothing goes through to the www box.
> It's getting a little clearer now but where would I configure the 'pass
> http traffic to www' directive? NAT, DNS?

The natd option -redirect_port

--
Bill Moran
Potential Technology
http://www.potentialtech.com
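As an added illustration of the -redirect_port advice above (not part of the original thread), here is what the gateway's configuration looks like on a FreeBSD 4.x box using ipfw and natd. The external interface name (fxp0) and the web server's private address (192.168.1.10) are assumed; substitute your own. Only TCP port 80 is forwarded, so nothing else on the private host becomes reachable from outside.

```conf
# /etc/rc.conf (additions): forward packets, load ipfw, start natd.
# rc.firewall adds the "divert natd" rule on natd_interface for you;
# if you run a custom ruleset, add it yourself:
#   ipfw add divert natd ip from any to any via fxp0
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"            # start permissive, tighten once it works
natd_enable="YES"
natd_interface="fxp0"           # assumed: interface holding the public IP
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf
interface fxp0                  # assumed external interface
use_sockets yes
same_ports yes
# Inbound TCP/80 arriving on the gateway's public address is rewritten
# to the web server on the private LAN (assumed address). Replies come
# back through natd and leave with the public address, matching what
# the outside nslookup/ping already shows.
redirect_port tcp 192.168.1.10:80 80
```

After editing, restart natd (or reboot) and test with a browser from a host outside the LAN, since a test from inside does not traverse the divert rule.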