My situation is like this; I host a number of websites from within our joint network solution. On the network there are basically 3 categories:
- the known public, registered via mac, given static dhcp lease
- the anonymous lan connections, given lease from specific dhcp range
- switches, Unix hosts, firewall
Now, consider the following hosts which are of interest:
- 111.111.111.111 (Zywall USG 300 WAN)
- 192.168.1.1 (ZyWall USG 300 LAN) load balances and bw monitors plus handles NAT
- 192.168.1.2 (Linux www) serves mydomain1.tld and mydomain2.tld
- 192.168.123.123 (Random LAN client) accesses mydomain1.tld from LAN
- 23.234.12.253 (Random External client) accesses mydomain1.tld via WAN
DNS A records are set up so that both mydomain1.tld and mydomain2.tld point to 111.111.111.111 - and the Linux www serves the http parts with VirtualHost configurations, setting up the document roots per ServerName; this is not so interesting though..
NAT rule translates 111.111.111.111:80 to 192.168.1.2:80 (1:1 NAT) as such:
- Type: Virtual Server
- Interface: WAN
- Original IP: any
- Mapped IP: 192.168.1.2
- Original port: 80
- Mapped port: 80
While NAT-Loopback is activated it makes the device unreachable from external interfaces (haven't tried, though, whether it makes LAN -> WAN IP:80 work).
Our problem follows:
When accessing http://mydomain1.tld from outside the joint network (23.234.12.253 example host) - everything is fine, the Zywall receives requests via port 80 and maps them to the Linux host's httpd. However - when trying to go through the NAT from the LAN side (in-house, 192.168.123.123 example host) one gets filtered in the Zywall port 80 firewall.
I know this only because port 443 is open for administration interface and https://mydomain1.tld prompts for zywall login.
So my conclusion is that LAN clients that access 111.111.111.111 are in fact routed to 192.168.1.1, bypassing the NAT table.
I need to know how to set up NAT / Policy Route, so that LAN > WAN > LAN will function with proper network translations instead of doing the 'quick nameserver lookup' or whatever this might be.
Solution ended up being maintenance of the internal DNS lookup table (much like an /etc/hosts file) where I put in mydomainX.tld and map it to their appropriate IPs.. Would have liked to get around this though, and there's a bounty out for an answer which allows LAN -> WAN IP : PORT to go through the NAT table.
So I struggled with this myself and I figured out the answer. To make this work use the standard NAT rule (the same rule that is working to allow the world to access the website), just adjust the rule so that the Original IP is the WAN IP. Then you can enable NAT loopback and all works fine.
Let me know if you have more questions.
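To make the difference between the question's rule ("Original IP: any", no loopback) and the answer's rule ("Original IP: WAN IP", loopback on) concrete, here is a small model of a 1:1 virtual-server NAT rule with hairpin (NAT loopback) handling. It is an added illustration written for this thread, not Zywall code, and it makes no claim about how the USG 300 implements the rule internally. Its assumptions are that "Original IP" is matched against the packet's destination address, that enabling loopback extends the rule to LAN-originated traffic, and that a hairpinned connection also gets its source rewritten to the firewall's LAN address so the server's reply returns through the firewall. The addresses are the example values from the question.

```python
"""Generic model of a 1:1 'virtual server' NAT rule with and without NAT
loopback (hairpin NAT). Added for this thread as an illustration; it is not
Zywall code, and the rule semantics ('Original IP' matched against the
destination, loopback extending the rule to LAN-side traffic, source rewrite
on hairpin) are this model's assumptions, not a description of the USG 300."""

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the question (111.111.111.111 is the question's example WAN IP).
WAN_IP = ip_address("111.111.111.111")
LAN_GW = ip_address("192.168.1.1")      # firewall's LAN address
WWW = ip_address("192.168.1.2")         # Linux web server
LAN_NETS = (ip_network("192.168.0.0/16"),)


@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    sport: int
    dport: int


@dataclass(frozen=True)
class VirtualServerRule:
    interface: str      # interface the rule is bound to, "WAN" in the question
    original_ip: str    # "any" or the public address being translated
    mapped_ip: object
    original_port: int
    mapped_port: int


def ingress_interface(pkt):
    """Which firewall interface a packet arrives on, judged by its source."""
    return "LAN" if any(pkt.src in n for n in LAN_NETS) else "WAN"


def rule_matches(pkt, rule, loopback):
    iface = ingress_interface(pkt)
    # Without loopback the rule only ever sees packets on its own interface.
    if iface != rule.interface and not (loopback and iface == "LAN"):
        return False
    if pkt.dport != rule.original_port:
        return False
    return rule.original_ip == "any" or pkt.dst == ip_address(rule.original_ip)


def inbound(pkt, rule, loopback, conntrack):
    """Apply the rule to the first packet of a connection.

    Returns (verdict, packet as the next hop sees it). 'local' means the
    firewall itself answers, which is what the question observes on the LAN
    (port 80 filtered, port 443 showing the Zywall login)."""
    if not rule_matches(pkt, rule, loopback):
        if pkt.dst in (WAN_IP, LAN_GW):
            return "local", pkt
        return "routed", pkt
    translated = replace(pkt, dst=rule.mapped_ip, dport=rule.mapped_port)
    if ingress_interface(pkt) == "LAN":
        # Hairpin: also rewrite the source so the server's reply comes back
        # through the firewall. Otherwise the server would answer the LAN
        # client directly with a source of 192.168.1.2, which the client would
        # not associate with its connection to 111.111.111.111.
        translated = replace(translated, src=LAN_GW)
    key = (translated.src, translated.sport, translated.dst, translated.dport)
    conntrack[key] = pkt
    return "forwarded", translated


def reply(pkt, conntrack):
    """Undo the translation on the server's reply using the recorded state."""
    original = conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)]
    return replace(pkt, src=original.dst, dst=original.src)


def demo():
    """Run the four cases the thread talks about; returns the verdicts."""
    rule_any = VirtualServerRule("WAN", "any", WWW, 80, 80)          # question
    rule_wan = VirtualServerRule("WAN", "111.111.111.111", WWW, 80, 80)  # answer
    ext = Packet(ip_address("23.234.12.253"), WAN_IP, 40000, 80)
    lan = Packet(ip_address("192.168.123.123"), WAN_IP, 40001, 80)
    to_gw = Packet(ip_address("192.168.123.123"), LAN_GW, 40002, 80)
    ct = {}
    results = {
        "external, any, no loopback": inbound(ext, rule_any, False, {})[0],
        "lan, any, no loopback": inbound(lan, rule_any, False, {})[0],
        "lan, wan-ip, loopback": inbound(lan, rule_wan, True, ct)[0],
        # Model assumption: with 'any' and loopback on, even traffic to the
        # firewall's own LAN address is swallowed by the rule.
        "gateway, any, loopback": inbound(to_gw, rule_any, True, {})[0],
        "gateway, wan-ip, loopback": inbound(to_gw, rule_wan, True, {})[0],
    }
    # The server's reply to the hairpinned connection is mapped back so the
    # LAN client sees it coming from the WAN IP it connected to.
    back = reply(Packet(WWW, LAN_GW, 80, 40001), ct)
    results["reply source"] = str(back.src)
    results["reply destination"] = str(back.dst)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} -> {verdict}")
```

The two "gateway" cases are the model's explanation of why the answer narrows Original IP to the WAN address rather than leaving it at "any": once loopback applies the rule to LAN traffic, a catch-all destination would also capture connections meant for the firewall's own LAN address, whereas matching only the WAN IP hairpins exactly the traffic that should reach the web server and leaves the firewall's own services reachable.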