
I would like my "dmz"-connected visitors to be able to access services by their global DNS IP (WAN) that are redirected to another zone, let's say "lan".

  • openwrt wan - 12.23.34.45
  • client is sitting in dmz - 192.168.2.101
  • httpd is in lan - 192.168.1.2, configured for vhost someservice.net (resolves to 12.23.34.45)

Now the dmz guy tries to access someservice.net with his browser and therefore will try to connect to 12.23.34.45:80, which in my imagination should go through the wan zone, then get redirected back to lan.

Somewhere along the chains openwrt blocks this, because this connection does not succeed.

My traffic control configuration currently looks like this:

  • lan -> wan
  • dmz -> wan
  • lan -> vpn
  • lan -> dmz

Any pointers welcome!

lkraav
  • I have read your question 3 times but I am still not sure what you are getting at. Could you please rephrase the question? If I get the gist of your question you need to allow access to your LAN from the DMZ IP address, but I am not sure if that is what you are getting at or not. – Dave Drager Jan 24 '11 at 16:24
  • Yes, access to LAN from DMZ is the goal, but using global DNS resolution. I think that makes the difference here. I could easily have someservice.net resolve to 192.168.1.2 inside the DMZ and set up a forwarding rule (that already works for the vpn zone), but I would like to have access also when using 12.23.34.45; for some reason those packets get dropped. I can't figure out what path the packets take when you address your router's WAN IP from behind IP masquerade. – lkraav Jan 24 '11 at 17:08
  • Looks like I made a duplicate of this: http://serverfault.com/questions/74182/service-cant-connect-to-self-using-public-ip-nat-problem. I've also got some tips and keywords from openwrt forum, which I will be posting in an answer. Essentially this is a "NAT loopback" problem. – lkraav Jan 24 '11 at 20:59

1 Answer


This particular scenario was an OpenWRT NAT loopback configuration issue. Looking at the changelog, this was implemented in the base system as /etc/hotplug.d/firewall/10-nat-reflection only starting from 10.03.1-rc4 (which I am running), but LuCI 0.9 is only able to assign redirects into the "lan" zone. According to an OpenWRT developer, LuCI 0.10 will be able to assign redirects to other zones as well. For now, doing a manual redirect in /etc/config/firewall with "option dest dmz" will achieve the desired result.

lkraav
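The /etc/config/firewall stanzas below are an added example illustrating the answer above; they are not the poster's own configuration. The zone names, the WAN address 12.23.34.45, the server 192.168.1.2 and the forwardings are taken from the question; the rule names and the choice of port 80 for a plain HTTP vhost are assumptions. The zone definitions themselves (interfaces, `option network`) are omitted because the page does not show them.

```uci
# Forwardings as listed in the question.
config forwarding
    option src      'lan'
    option dest     'wan'

config forwarding
    option src      'dmz'
    option dest     'wan'

config forwarding
    option src      'lan'
    option dest     'vpn'

config forwarding
    option src      'lan'
    option dest     'dmz'

# Redirect as LuCI 0.9 creates it: traffic arriving on the WAN for
# 12.23.34.45:80 is DNATed to the httpd in lan. The 10-nat-reflection
# hotplug script derives loopback (reflection) rules from this entry,
# but only for hosts in the redirect's destination zone, i.e. lan.
config redirect
    option name      'http-wan-to-lan'      # assumed name
    option src       'wan'
    option src_dport '80'
    option dest      'lan'
    option dest_ip   '192.168.1.2'
    option dest_port '80'
    option proto     'tcp'
    option target    'DNAT'

# The manual redirect from the answer ("option dest dmz"): the same
# external port and internal server, but with the dmz zone as the
# destination, so reflection rules are also generated for dmz hosts
# that connect to 12.23.34.45:80 from the inside.
config redirect
    option name      'http-wan-for-dmz'     # assumed name
    option src       'wan'
    option src_dport '80'
    option dest      'dmz'
    option dest_ip   '192.168.1.2'
    option dest_port '80'
    option proto     'tcp'
    option target    'DNAT'
```

After `/etc/init.d/firewall restart`, `iptables -t nat -L -n -v` should show a DNAT rule on the dmz side that rewrites destination 12.23.34.45:80 to 192.168.1.2:80, together with a matching SNAT rule that rewrites the dmz client's source to a router address. The SNAT is what makes loopback work in general: it forces the httpd's replies back through the router so that conntrack can undo the DNAT, which matters most when client and server share a subnet. A practitioner should also check with `iptables -L FORWARD -n -v` that a dmz-to-lan forward for 192.168.1.2 tcp/80 is accepted, since the question's forwardings only allow lan -> dmz, not the reverse. Later OpenWrt firewall releases expose this per redirect through `option reflection`, so there the second stanza is how the dmz zone gets included rather than a workaround for LuCI.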