Re: Accessing LAN server via WAN IP: Any changes since v12?

Home Page Forums Network Management ZeroShell nat reflection Re: Accessing LAN server via WAN IP: Any changes since v12?

#45425

gordonf
Member

I’m raising a long dead thread here, so please point me to a correct thread if there is one.

I just installed Zeroshell 1.0 v16 this week and I’m replacing a Snapgear SG300 with it — both are Linux-based firewall routers. I need to be able to access internal servers via their WAN IPs because the host names have to match in some cases, both for HTTP host headers and for SSL / TLS so the certificate names match the host names. Yes, I know for SSL I can use subject alternative names, but this will be a public-facing server and commercial SAN certs are pricey. Host headers are even more difficult to work around.

Testing jeffrhyjones’ NAT startup script example… I have static IPs so this works perfectly for both internal and external access to my server via the WAN IP:

iptables -t nat -A PREROUTING -d pub.ip.ad.dr -p tcp --dport 80 -j DNAT --to internal.ip.ad.dr
iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d internal.ip.ad.dr -j MASQUERADE

I also found that I didn’t need to specify a virtual server setting in the Router pages if I scripted this at post-startup.

Having come away from Snapgear, I miss the luxury of point-and-drool router configs. The SG did this “NAT reflection” for me automatically. But this Zeroshell thread was for v12. Is there a setting I missed in v16 to enable this without having to script it?

I did find that if I enabled NAT on my internal interface like one fellow did here, it works but the source IP looks like the router’s IP and any logging or access lists that depend on source IPs don’t work right at all.