CANNOT ACCESS INTERNAL WEBSERVER FROM INTERNAL NETWORK

Hi Guys,

Basically I have 3 public IPs assigned to Ether1: 1 will be used as gateway to the internet, 1 for webmail and another for file hosting (cloud), as below:
xxx.xxx.xxx.66 ==> webmail
xxx.xxx.xxx.67 ==> gateway
xxx.xxx.xxx.68 ==> file hosting (cloud)

The problem I am facing right now is that I cannot connect to the webmail from the internal network, while it is working fine when trying from outside my network. BUT I am able to connect to the file hosting (cloud) both from the internal network and from outside my network. I have tried the HAIRPIN NAT but it does not work at all.

These are my NAT rules:

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; ENABLE INTERNET ACCESS FOR OTHER ETHERS
      chain=srcnat action=masquerade out-interface=Ether1 - Gateway - NETWORK 104 log-prefix="" 

 1    ;;; REDIRECT TO WEBMAIL
      chain=dstnat action=dst-nat to-addresses=192.168.103.5 protocol=tcp dst-address=xxx.xxx.xxx.66 dst-address-type="" in-interface=Ether1 - Gateway - NETWORK 104 
      dst-port=80,443 log=no log-prefix="" 

 2    ;;; REDIRECT TO WEBMAIL
      chain=dstnat action=dst-nat to-addresses=192.168.103.5 protocol=tcp dst-address=xxx.xxx.xxx.66 in-interface=Ether1 - Gateway - NETWORK 104 
      dst-port=22,25,110,143,465,587,995 log=no log-prefix="" 

 3    ;;; REDIRECT TO FILE HOSTING
      chain=dstnat action=dst-nat to-addresses=192.168.103.4 protocol=tcp dst-address=xxx.xxx.xxx.68 dst-address-type=local in-interface=Ether1 - Gateway - NETWORK 104 
      log=no log-prefix="" 

 4 XI  ;;; HAIRPIN NAT FOR WEBMAIL
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.103.0/24 dst-address=192.168.103.5 dst-address-type=local out-interface=Ether2 - NETWORK 103 
      dst-port=80,443 log=no log-prefix="" 

 5 XI  ;;; HAIRPIN NAT FOR FILE HOSTING
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.103.0/24 dst-address=192.168.103.4 dst-address-type=local out-interface=Ether2 - NETWORK 103 
      dst-port=80,443 log=no log-prefix="" 

 8    ;;; WEB PROXY
      chain=dstnat action=redirect to-ports=8181 protocol=tcp dst-port=80 log=no log-prefix=""

All rules 1-3 have in-interface=“Ether1 - Gateway - NETWORK 104”, which means they only work for connections coming from this interface. I don’t know what miracle makes your file hosting work from inside, but it’s not rule 3. Next, dst-address-type=local means destination address owned by router. So if xxx.xxx.xxx.68 is owned by router, you don’t need dst-address-type=local in same rule (it doesn’t hurt, but won’t help either). And more importantly, if 192.168.103.4-5 belong to different machines, condition “dst-address=192.168.103.4 dst-address-type=local” won’t ever match any packet.

Any suggestion how to make this work?

Remove in-interface from dstnat rules and dst-address-type=local from hairpin rules.
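The fix suggested above, written out as RouterOS CLI commands for the thread's rules 0 to 8 (an added example, not posted by anyone in the thread). It assumes the interface names are exactly as printed in the rule dump, that the file host only serves ports 80 and 443, and it keeps the thread's xxx.xxx.xxx.66/68 placeholders for the public addresses.

```routeros
# Thread's NAT rules with the reply's fix applied: no in-interface on the
# dstnat rules, no dst-address-type=local on the hairpin rules, hairpin
# rules enabled. Interface names contain spaces, so they are quoted.
/ip firewall nat

# Rule 0 unchanged: masquerade LAN traffic leaving towards the Internet.
add chain=srcnat action=masquerade \
    out-interface="Ether1 - Gateway - NETWORK 104" \
    comment="ENABLE INTERNET ACCESS FOR OTHER ETHERS"

# Rules 1-3: dstnat without in-interface. A LAN client connecting to the
# public address now matches as well; that is the first half of hairpin NAT.
add chain=dstnat action=dst-nat to-addresses=192.168.103.5 \
    protocol=tcp dst-address=xxx.xxx.xxx.66 dst-port=80,443 \
    comment="REDIRECT TO WEBMAIL"
add chain=dstnat action=dst-nat to-addresses=192.168.103.5 \
    protocol=tcp dst-address=xxx.xxx.xxx.66 \
    dst-port=22,25,110,143,465,587,995 comment="REDIRECT TO WEBMAIL"
# The thread's rule 3 has no dst-port, so every TCP port on .68 is forwarded
# to the file host. Listing only the served ports is assumed here (80,443).
add chain=dstnat action=dst-nat to-addresses=192.168.103.4 \
    protocol=tcp dst-address=xxx.xxx.xxx.68 dst-port=80,443 \
    comment="REDIRECT TO FILE HOSTING"

# Rules 4-5: hairpin srcnat. srcnat is evaluated after dstnat, so
# dst-address is the server's LAN address, not the public one. Masquerading
# makes the server answer to the router instead of directly to the LAN
# client, which is what lets the inside connection complete.
# The port list must cover every port the paired dstnat rule forwards; the
# thread's rule 4 only covers 80,443, so inside mail clients would bypass it.
add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.103.0/24 dst-address=192.168.103.5 \
    dst-port=22,25,80,110,143,443,465,587,995 \
    out-interface="Ether2 - NETWORK 103" comment="HAIRPIN NAT FOR WEBMAIL"
add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.103.0/24 dst-address=192.168.103.4 \
    dst-port=80,443 out-interface="Ether2 - NETWORK 103" \
    comment="HAIRPIN NAT FOR FILE HOSTING"

# Rule 8 unchanged: transparent proxy redirect for remaining port-80 traffic.
add chain=dstnat action=redirect to-ports=8181 protocol=tcp dst-port=80 \
    comment="WEB PROXY"
```

Rule order matters: the dst-nat rules must stay above the WEB PROXY redirect, otherwise port-80 traffic for the public addresses is caught by the proxy rule first.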

This works, so does it mean that my previous NAT will only work if the packet is coming from in-interface=Ether1 - Gateway - NETWORK 104, or else it will not work?

However, HAIRPIN NAT for FILE HOSTING is not working; I don't see any packet going through, but I am just able to connect to FILE HOSTING from the internal network. What could be the cause of this?

Yes, rules with in-interface are only valid for given interface.

And about your hosting, try to find and post some more details. As I already wrote you, I don’t know how it can work, based on the info you posted.