I have some trouble in my network setup, but I have very limited knowledge of networking.

I recently purchased an ADSL modem (Thomson SpeedTouch 510), which also has a built-in router, DHCP and other stuff (as I discovered later). I already had a server/firewall/router that took care of IP masquerading, but I managed to put everything together ok except for one thing: I can not access my server with the external IP from inside my LAN (no problems from outside).

This is my setup:

Internet
|
|
98.81.118.53 (ppp)
(Modem which forwards every connection to the server)
10.0.0.138 (eth0)
|
|
10.0.0.39 (eth0)
(Server provides IP Masq for LAN)
192.168.0.1 (eth1)
|
|
192.168.0.2
(Internal Masq'ed PC)

So if I try to surf from an internal PC or the server itself to 98.81.118.53 I get nothing, but access from outside works perfectly. If I try 10.0.0.39 it works fine.

I figured it had something to do with my firewall, so I checked the server logs, where every attempt brings up this:
Aug 31 21:11:48 localhost kernel: martian source 10.0.0.39 from 10.0.0.39, on dev eth0
Aug 31 21:11:48 localhost kernel: ll header: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

I know nothing about routing, but could it be something is wrong there?
Thank you!

I messed about with this for quite awhile... and I'd sure like to be able to do it too. The glitch is somewhere in the thought that the LAN becomes vulnerable IF you can go thru the firewall directly from your DMZ to the LAN. It not an "error" so much as the way life is... I have asked this ? several times here and have not received a good way to go yet. Meanwhile, everytime I change my site I gotta go use my wifes dial-up to "see" if it is ok? RATS!

Take heart someone will eventually take pity on us and share this little tidbit of knoweldge on HOW to do it.

piratebiter

My guess... Apparently this ADSL modem+router box bounces your connection to 98.81.118.53 back to your server's (10.0.0.39) but it doesn't change the source IP to 98.81.118.53 as it does with other connections to the internet.
Now since your connection originates from 10.0.0.39 (because of the NAT your server does) your server sees an incoming connection on eth0 from 10.0.0.39 which is impossible because that's its own IP address
That's what in linux lingo is called "martian source" -- an impossible source IP address which indicates some problem, so it gets logged (usually).

So I guess it's the ADSL router that is a bit sloppy when it sees an outgoing connection to its own outside address...

To be sure, you'd have to do some analysis with e.g. ethereal

regards,
nukkel

If I understand your explanation, shouldn't the ADSL modem change the source IP to 192.168.0.2 (internal pc) then? Isn't there a simple way to configure this in it's NAT or routing?

It can't: the ADSL modem doesn't even know about the existance of 192.168.0.2, because the server NATs this to 10.0.0.39. The modem only "sees" one computer with IP 10.0.0.39...

But -- if the ADSL modem forwards every connection from 98.81.118.53 to 10.0.0.39, then what's the point in trying to connect to 98.81.118.53 from the inside LAN, when you can just connect to 10.0.0.39 instead?

If the ADSL modem can be configured, there may be a way to make it work after all... By telling it to change the source IP of anything coming from 10.0.0.39 going to 98.81.118.53, into some other address, like 10.0.0.111.

Anyway it should be possible to "see" your own server from the inside by using 10.0.0.39 as destination address. Piratebiter: have you ever tried it this way?

Yes indeed that works. I already mentioned it, but maybe I wasn't clear.

Still, if i'm on the server itself, I want to access my different virtual websites (that resolve to the same IP in DNS) so I have to use the external IP. Is that impossible too (let's leave the problem for internal PC's for later)? If the modem can NAT it back to 10.0.0.39, wouldn't it solve the problem?

I have a suggestion that may not solve the problem as such but may work to view your virtual sites anyway: if you tell your browser to use a proxy, which is somewhere on the internet, the site will in effect be retrieved by that proxy -- in other words, from the outside, just as a visitor to your sites would view it.

A google (or other) search for "public proxy list" should give plenty of proxies that can be used -- some may be quite slow though

To really solve the problem, might be worth trying to get the adsl box to really nat it back to 10.0.0.39, however I don't know if it can be configured that specifically...

Your packets should not be traveling from the inside of the firewall to the outside and come back in. If that was allowed, then spoofing attacks could allow outside traffic to pretend to be from your internal network.

The solution to your problem is not to break the firewall and make it insecure. The solution is to use "split horizen" DNS zones. You need to tell your internal hosts to use a set of DNS that reflects your internal IPs, while the external world needs to see your external IP addresses.

Hm, seems there is no easy way out then...

Okay, thank you for your answers!