(Zywall USG 300) NAT bypassed when accessing in-house-server From LAN Via domain name

Posted by mschr on Server Fault See other posts from Server Fault or by mschr
Published on 2012-06-03T15:19:20Z Indexed on 2012/06/03 16:42 UTC
Read the original article Hit count: 322

Filed under:
|
|
|
|

My situations is like this; i host a number of websites from within our joint network solution. On the network is basically 3 categories:

  1. the known public, registered via mac, given static dhcp lease
  2. the anonymous lan connections, given lease from specific dhcp range
  3. switches, unix hosts firewall

Now, consider following hosts which are of interest

  1. 111.111.111.111 (Zywall USG 300 WAN)
  2. 192.168.1.1 (ZyWall USG 300 LAN) load balances and bw monitors plus handles NAT
  3. 192.168.1.2 (Linux www) serves mydomain1.tld and mydomain2.tld
  4. 192.168.123.123 (Random LAN client) accesses mydomain1.tld from LAN
  5. 23.234.12.253 (Random External client) accesses mydomain1.tld via WAN

DNS A records are setup so that both mydomain1.tld and mydomain2.tld points to 111.111.111.111 - and the Linux www serves the http parts with VirtualHost configurations, setting up the document roots pr ServerName, this is not so interesting though..

NAT rule translates 111.111.111.111:80 to 192.168.1.2:80 (1:1 NAT)

Our problem follows;

When accessing http://mydomain1.tld from outside (23.234.12.253 example host) the joint network - everything is fine, zywall receives requests via port 80 and maps it to the linux host' httpd. However - once trying to go through the NAT from LAN side (in-house, 192.168.123.123 example host) then one gets filtered in the Zywall port 80 firewall.

I know this only because port 443 is open for administration interface and https://mydomain1.tld prompts for zywall login.

So my conclusion is, that the LAN that accesses 111.111.111.111 in fact are routed to 192.168.1.1 whilst bypassing the NAT table.

I need to know how to setup NAT / Policy Route, so that LAN > WAN > LAN will function with proper network translations instead of doing the 'quick nameserver lookup' or whatever this might be.

© Server Fault or respective owner

Related posts about firewall

Related posts about nat