LAN access to server via public IP



KBOYLE
09-Jul-2018, 18:00
Is this possible using SLES as a router/firewall? I know it works with
some commercial firewalls. SonicWALL is one of them.

Example:

Firewall/router (SLES)
Public interface: 10.0.23.100
Private interface: 192.168.24.1

Email Server
Interface: 192.168.24.2

Laptop/tablet/smart phone
Interface: local IP 192.168.24.3

Firewall configuration port forwarding:
10.0.23.100:25 --> 192.168.24.2:25

From the Internet I can access the email server using 10.0.23.100:25.
From the LAN I can access the email server using 192.168.24.2:25.

From the *LAN* I *want* to access the email server using 10.0.23.100:25
so that the device configuration doesn't have to be changed for
onsite/offsite access. I know I can accomplish this by setting up
appropriate internal/external DNS entries but that is not what I am
asking.

Any ideas?

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

malcolmlewis
09-Jul-2018, 19:31
On Mon 09 Jul 2018 05:00:52 PM CDT, Kevin Boyle wrote:

> Is this possible using SLES as a router/firewall? I know it works with
> some commercial firewalls. SonicWALL is one of them.
>
> Example:
>
> Firewall/router (SLES)
> Public interface: 10.0.23.100
> Private interface: 192.168.24.1
>
> Email Server
> Interface: 192.168.24.2
>
> Laptop/tablet/smart phone
> Interface: local IP 192.168.24.3
>
> Firewall configuration port forwarding:
> 10.0.23.100:25 --> 192.168.24.2:25
>
> From the Internet I can access the email server using 10.0.23.100:25.
> From the LAN I can access the email server using 192.168.24.2:25.
>
> From the *LAN* I *want* to access the email server using 10.0.23.100:25
> so that the device configuration doesn't have to be changed for
> onsite/offsite access. I know I can accomplish this by setting up
> appropriate internal/external DNS entries but that is not what I am
> asking.
>
> Any ideas?



Hi
You should just be able to add via the ip command to the 192.x.x.x
interface....


ip addr add dev ethX 10.x.x.x/subnet


--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
SLES 15 | GNOME Shell 3.26.2 | 4.12.14-23-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

KBOYLE
09-Jul-2018, 19:41
malcolmlewis wrote:

> Hi
> You should just be able to add via the ip command to the 192.x.x.x
> interface....
>
>
> ip addr add dev ethX 10.x.x.x/subnet
>

Thank you for reminding me that I omitted a critical piece of
information: The gateway for devices on the LAN is 192.168.24.1.

The issue is how to direct LAN traffic addressed to 10.0.23.100, which
would arrive at the firewall's private interface (192.168.24.1), to the
email server at 192.168.24.2.

Sorry to complicate things... ;-)

--
Kevin Boyle - Knowledge Partner

malcolmlewis
09-Jul-2018, 22:23
On Mon 09 Jul 2018 06:41:09 PM CDT, Kevin Boyle wrote:

> Thank you for reminding me that I omitted a critical piece of
> information: The gateway for devices on the LAN is 192.168.24.1.
>
> The issue is how to direct LAN traffic addressed to 10.0.23.100, which
> would arrive at the firewall's private interface (192.168.24.1), to the
> email server at 192.168.24.2.
>
> Sorry to complicate things... ;-)



Hi
Hmmm, on the gateway I would guess anything internally with a
destination port of 25 on the router could be forwarded to the mail
system might be an easier way?

Else use the SLES system as the gateway internally?

--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
SLES 15 | GNOME Shell 3.26.2 | 4.12.14-23-default

KBOYLE
09-Jul-2018, 22:42
malcolmlewis wrote:

> Hi
> Hmmm, on the gateway I would guess anything internally with a
> destination port of 25 on the router could be forwarded to the mail
> system might be an easier way?
>
> Else use the SLES system as the gateway internally?

The SLES server is the gateway to the Internet. It uses masquerading.

Incoming traffic from the public interface is forwarded to the mail
server's private IP address. I don't know how, or if it is even
possible, to route incoming traffic on the private interface, with a
destination IP address of the public interface, back to the private
interface using the same SuSEfirewall2 rules that would be applied if
the packet arrived via the public interface.

Perhaps the solution is so simple that it is eluding me?

--
Kevin Boyle - Knowledge Partner

malcolmlewis
09-Jul-2018, 23:00
On Mon 09 Jul 2018 09:42:31 PM CDT, Kevin Boyle wrote:

> The SLES server is the gateway to the Internet. It uses masquerading.
>
> Incoming traffic from the public interface is forwarded to the mail
> server's private IP address. I don't know how, or if it is even
> possible, to route incoming traffic on the private interface, with a
> destination IP address of the public interface, back to the private
> interface using the same SuSEfirewall2 rules that would be applied if
> the packet arrived via the public interface.
>
> Perhaps the solution is so simple that it is eluding me?



Hi
As you alluded to... DNS and FQDN

Internally I can connect to a 192.x.x.x via FQDN (hosts file
internally), then if external it resolves to the external IP address
which is then forwarded to the respective machine on the 192.x.x.x
address and port as defined.

--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
SLES 15 | GNOME Shell 3.26.2 | 4.12.14-23-default

KBOYLE
09-Jul-2018, 23:18
malcolmlewis wrote:

> Hi
> As you alluded to... DNS and FQDN
>
> Internally I can connect to a 192.x.x.x via FQDN (hosts file
> internally), then if external it resolves to the external IP address
> which is then forwarded to the respective machine on the 192.x.x.x
> address and port as defined.

On Windows systems, the hosts file is the first place used to resolve
names and, if present, it will always resolve, so that doesn't allow
names to be resolved to different addresses when offsite.

What I'm looking for is to see if a properly configured SLES server can
provide this specific capability found in some commercial products and,
if so, how to do it.

--
Kevin Boyle - Knowledge Partner

hendersj
10-Jul-2018, 00:31
It sounds like you might need to use the gateway's capability to provide
a NAT Loopback (that's what my router calls it) to allow traffic behind
the firewall to access resources behind the firewall using the external
IP address.

In that case, though, it'd not be a SLE implementation issue unless SLE
was the gateway itself.

Jim

--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner

KBOYLE
10-Jul-2018, 00:37
Jim Henderson wrote:

> It sounds like you might need to use the gateway's capability to
> provide a NAT Loopback (that's what my router calls it) to allow
> traffic behind the firewall to access resources behind the firewall
> using the external IP address.
>
> In that case, though, it'd not be a SLE implementation issue unless
> SLE was the gateway itself.
>
> Jim

Hi Jim,

That is exactly what I want to do and, yes, the SLES server is the
router/gateway, only I haven't found any information on how to do this
or if it is even possible using SLES.

Have you seen this done before with SLE or even openSUSE software?

--
Kevin Boyle - Knowledge Partner

hendersj
10-Jul-2018, 00:49
On Mon, 09 Jul 2018 23:37:59 +0000, Kevin Boyle wrote:

> Hi Jim,
>
> That is exactly what I want to do and, yes, the SLES server is the
> router/gateway only I haven't found any information on how to do this or
> if it is even possible using SLES.
>
> Have you seen this done before with SLE or even openSUSE software?

I haven't, but if you're using iptables in SLE (on SLE11 that's what the
firewall is for me, and it seems to also be what's on my openSUSE boxes),
maybe this will help:

https://unix.stackexchange.com/questions/282086/how-does-nat-reflection-nat-loopback-work

Jim

--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner
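The NAT reflection Jim links to, worked out for the addresses in this thread as an added example (not code from the thread, from SUSE, or from SuSEfirewall2): a POSIX shell script that emits the iptables rules a Linux gateway needs so that a LAN client reaching 10.0.23.100:25 lands on 192.168.24.2:25. It assumes plain iptables and the interface names eth0 (public) and eth1 (LAN), neither of which the thread gives.

```shell
#!/bin/sh
# NAT loopback (hairpin NAT) for the thread's topology, as an assumed example.
# eth0/eth1 are assumed interface names; the addresses are the ones from the thread.
set -eu

PUB_IF=${PUB_IF:-eth0};  PUB_IP=${PUB_IP:-10.0.23.100}
LAN_IF=${LAN_IF:-eth1};  LAN_IP=${LAN_IP:-192.168.24.1};  LAN_NET=${LAN_NET:-192.168.24.0/24}
SRV_IP=${SRV_IP:-192.168.24.2};  PORT=${PORT:-25}

# Emit the iptables rules one per line so they can be reviewed (and tested) before anything is applied.
hairpin_rules() {
    # 1. Return traffic for any forwarded connection (most firewalls already have this).
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. The existing port forward: Internet -> public IP:25 -> mail server.
    echo "-t nat -A PREROUTING -i $PUB_IF -d $PUB_IP -p tcp --dport $PORT -j DNAT --to-destination $SRV_IP:$PORT"
    # 3. Loopback: the same DNAT for LAN clients, whose packets to the public IP arrive on the LAN interface.
    echo "-t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUB_IP -p tcp --dport $PORT -j DNAT --to-destination $SRV_IP:$PORT"
    # 4. Source NAT, restricted to flows that were DNATed (--ctstate DNAT). Without it the server answers the
    #    LAN client directly from $SRV_IP, the client expected $PUB_IP, and the handshake never completes.
    #    Caveat: for these hairpinned connections the mail server logs $LAN_IP, not the real client address.
    echo "-t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SRV_IP -p tcp --dport $PORT -m conntrack --ctstate DNAT -j SNAT --to-source $LAN_IP"
    # 5. Forwarding policy: only the published port reaches the server, from either side of the gateway.
    echo "-A FORWARD -o $LAN_IF -d $SRV_IP -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# Number of rules emitted; a sanity check callable from a test.
rule_count() { hairpin_rules | wc -l | tr -d ' '; }

# Apply only when explicitly asked (APPLY=1) and only as root; by default the script just prints the rules.
if [ "${APPLY:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 requires root" >&2; exit 1; }
    hairpin_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended here
        iptables $rule
    done
else
    hairpin_rules | sed 's/^/iptables /'
fi
```

Rule 4 is the one the plain port forward lacks; it is also why the server's logs show the gateway's LAN address for hairpinned connections, which matters when those logs are used for attribution.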

KBOYLE
10-Jul-2018, 01:06
Jim Henderson wrote:

> I haven't, but if you're using iptables in SLE (on SLE11 that's what
> the firewall is for me, and it seems to also be what's on my openSUSE
> boxes), maybe this will help:
>
> https://unix.stackexchange.com/questions/282086/how-does-nat-reflection-nat-loopback-work
>
> Jim

Yes, that helps a lot and does make sense.

Currently the firewall is configured using the SuSEfirewall2
configuration file. I'll have to give this some thought to see if I can
accomplish the same thing or if I'll have to switch to iptables. That's
something I have considered on a number of occasions but have never
taken the plunge!

Thanks to both you and Malcolm for your help.

--
Kevin Boyle - Knowledge Partner