Subject: Re: ip(nat&filter) + webserver question
To: Jerome Houston <the_hou_guy@hotmail.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-help
Date: 02/07/2002 22:35:05
On Wed, Feb 06, 2002 at 12:14:29PM -0800, Jerome Houston wrote:
> TIA for any help someone can give.
> 
> I've got the classic setup.  Static IP (w.x.y.z), NetBSD 
> firewall/router(ipfilter/ipnat), internal network with a webserver @ 
> 192.168.a.b.
> Nat is configured to RDR port 80 requests to the internal webserver 
> 192.168.a.b
> 
> Almost all is well.  WAN computers can access the pages on the webserver 
> correctly, and internal network computers can access the pages if they go 
> directly to 192.168.a.b.
> BUT.... (isn't there always a BUT?)
> If INTERNAL computers (i.e. 192.168.c.d) go to w.x.y.z, nuthin' happens.  
> "The page cannot be displayed".
> 
> This isn't a huge problem, except that I want internal computers to access 
> my domain (my.domain.com, which correctly points to w.x.y.z) from 
> inside......
> 
> I could always make an entry in the hosts file of each of the internal net 
> computers to make my.domain.com point to 192.168.a.b, but that seems like 
> such a hack that shouldn't be necessary with ip(nat/filter).
> 
> My hunch is that I'm doing this to myself in IPFILTER somewhere....
> here are the relevant entries...

If the client and server are on the same net, you can't get this working:
client A will send a TCP packet to host P (the public address) via the router.
The router redirects it to server S.
Server S answers directly to client A, as it's on the same subnet.
But as the answer doesn't go through the router it doesn't get rewritten,
and the answer comes from a different address than the one the request was sent to.

You have to either install a proxy which will do proper redirects, or install
a local DNS which will send the local address for your server name, instead
of the public one.

If you put the server on its own subnet then the router can do proper
redirects.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
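The packet flow Manuel describes, traced in a small simulation. This is an added example, not code from the thread and not ipnat's implementation: it models only a single rdr rule with a per-flow state table, and the addresses are constructed RFC 5737 documentation values standing in for w.x.y.z and 192.168.a.b. It shows why the internal client gets no page when it shares a subnet with the server (the SYN-ACK arrives from S:80 while the client is waiting for P:80, so its TCP stack discards it), why a WAN client is fine, and why moving the server to its own subnet makes the reply cross the router and get rewritten.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# thread's w.x.y.z public address; internal addresses are chosen per scenario.
PUBLIC = "203.0.113.5"
RDR_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Toy NAT router: one rdr rule (PUBLIC:80 -> internal server:80) plus a
    per-flow state table.  Models the translation logic only; it is an
    assumption-driven sketch, not ipnat's code."""

    def __init__(self, internal_subnets, rdr_target):
        self.subnets = [ipaddress.ip_network(n) for n in internal_subnets]
        self.rdr_target = rdr_target        # the 192.168.a.b web server
        self.state = {}                     # (client, sport) -> (dst, dport) as originally sent

    def subnet_of(self, addr):
        """Internal subnet holding addr, or None for a WAN host."""
        ip = ipaddress.ip_address(addr)
        return next((n for n in self.subnets if ip in n), None)

    def forward(self, pkt):
        """Apply the rdr rule to a packet that actually passes through the router."""
        if (pkt.dst, pkt.dport) == (PUBLIC, RDR_PORT):
            # inbound to the public address: rewrite the destination, remember the flow
            self.state[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return Packet(pkt.src, pkt.sport, self.rdr_target, RDR_PORT)
        key = (pkt.dst, pkt.dport)
        if (pkt.src, pkt.sport) == (self.rdr_target, RDR_PORT) and key in self.state:
            # reply from the redirected server: put the public address back as source
            orig_dst, orig_port = self.state[key]
            return Packet(orig_dst, orig_port, pkt.dst, pkt.dport)
        return pkt


def connect(router, client, sport=40000):
    """Trace one SYN / SYN-ACK exchange from client to PUBLIC:80.
    Returns True if the client's TCP stack would accept the reply, i.e. the
    reply's source is the endpoint the SYN was sent to."""
    syn = Packet(client, sport, PUBLIC, RDR_PORT)
    # the public address lives on the router, so the SYN always traverses it
    at_server = router.forward(syn)
    server = at_server.dst
    reply = Packet(server, RDR_PORT, at_server.src, at_server.sport)
    # the server answers the client's real address; that reply crosses the
    # router only when client and server are not on the same subnet
    if router.subnet_of(server) != router.subnet_of(client):
        reply = router.forward(reply)
    return (reply.src, reply.sport) == (syn.dst, syn.dport)


if __name__ == "__main__":
    # server and client on one internal net: the reply bypasses the router
    same_net = Router(["192.168.1.0/24"], "192.168.1.2")
    print("same subnet, internal client:", connect(same_net, "192.168.1.10"))  # False
    print("same subnet, WAN client:     ", connect(same_net, "198.51.100.7"))  # True
    # server on its own subnet: the reply must cross the router and is rewritten
    split = Router(["192.168.1.0/24", "192.168.2.0/24"], "192.168.2.2")
    print("own subnet, internal client: ", connect(split, "192.168.1.10"))     # True
```

The proxy and split-horizon DNS fixes from the message do not appear in the model because they avoid the problem before it starts: in both cases the internal client never sends a packet to the public address, so there is nothing for the router to un-rewrite on the way back.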