LinuxQuestions.org

Linux - Networking: Cannot access own public web and mail server from LAN addresses (https://www.linuxquestions.org/questions/linux-networking-3/cannot-access-own-public-web-and-mail-server-from-lan-addresses-745365/)

lannyr 08-05-2009 02:15 PM

Cannot access own public web and mail server from LAN addresses
 
I have two nagging problems on one network which I do not have on another elsewhere, both using up-to-date Debian servers. The server is on the private subnet behind a router/ADSL modem.

The symptoms of the one which does not work:
1) Users cannot access their web site from the LAN. If they try, they get to the router web interface, the same as if they entered http://10.0.0.138, which is the router's LAN address.

2) Users cannot access the SMTP or POP3 service using the domain name; they can access it only using the server's LAN address.

I fear that I might not have set up the router properly, because apart from that the two servers are almost identical, but I do not know where I might have made an error.

Or perhaps the way DNS records are set up?

Could you point me to some debugging tools?

EricTRA 08-05-2009 02:23 PM

Hello,

I assume that your router is set up to be the gateway in your LAN, right? So if your users try to go to their website, do they use http://website.domain.com or http://000.000.000.000 (IP address)?

If they use the domain name, how are your DNS settings? Do you have your own DNS server in house? Or do all naming services get provided by the ISP's DNS servers?

Is your router set up to accept traffic for HTTP and mail and redirect it to the correct server?

Kind regards,

Eric

lannyr 08-05-2009 03:24 PM

Quote:

Originally Posted by EricTRA (Post 3632698)
Hello,

I assume that your router is set up to be the gateway in your LAN, right? So if your users try to go to their website, do they use http://website.domain.com or http://000.000.000.000 (IP address)?
Eric

Yes


Quote:

Originally Posted by EricTRA (Post 363269)
If they use the domain name, how are your DNS settings? Do you have your own DNS server in house? Or do all naming services get provided by the ISP's DNS servers?

Is your router set up to accept traffic for HTTP and mail and redirect it to the correct server?

Kind regards,

Eric

The simple answer to all your questions is that ALL works fine from outside the LAN. The router forwarding is fine - it works.
I have the DNS records at a registrar service which provides DNS management.

The simplest way I can describe this: if I connect my laptop to the LAN at work, I have the described problems. The same laptop will work just fine from my home.

I suspect it has to do with NAT loopback - the router which works is an Apple AirPort Base Station, the one which does not is a D-Link.

EricTRA 08-06-2009 01:01 AM

Can you perform a trace from a workstation to your SMTP/POP server? Not using the IP of course, but the URL you use from home, to find out where the communication stops? I also assume it is your D-Link router that's causing the problem.

Also, do you have your mail server set up in DMZ or directly to the internet (which is pretty dangerous of course) and/or do you use a proxy server?

Is there a firewall configured on your router? Or separate firewall?

Kind regards,

Eric

lannyr 08-06-2009 01:33 AM

Eric, thank you for your patience.

The router already provides a simple firewall by virtue of the way NAT works. By default NAT does not respond to unsolicited incoming requests on any port.

I never use DMZ, I forward the ports to the server.

I have only enabled SPI in the firewall. In ALG I have left all of these enabled:
PPTP
IPSec (VPN Passthrough)
RTSP (Online Video Streaming)
Windows/MSN Messenger
FTP
H.323 (Video Conferencing)
SIP
Wake-On-LAN
MMS

I will do the trace (excellent suggestion) when I get to the office, but I think that with the router-modem I have, I cannot achieve the desired result. It is a D-Link 2741B - I think D-Link is really a bad choice.

settntrenz 08-06-2009 02:02 AM

Sounds like an iptables/NAT issue. Try this: http://www.netfilter.org/documentati...-HOWTO-10.html

EricTRA 08-06-2009 02:19 AM

Hi,

No problem whatsoever :cool:

I've worked with D-Link in the past without any real problems, so I wouldn't say it was a bad choice. It just depends on what you need and what the D-Link model offers.

How did you configure access to your mail server in the router? Using port forwarding, IP rules, virtual server? Can you provide screenshots of those settings?

Kind regards,

Eric

lannyr 08-06-2009 05:38 AM

1 Attachment(s)
Port forwarding

lannyr 08-06-2009 05:47 AM

Quote:

Originally Posted by settntrenz (Post 3633238)
Sounds like an iptables/NAT issue. Try this: http://www.netfilter.org/documentati...-HOWTO-10.html

I tried the suggestions for port 80 but the result was the same.

EricTRA 08-06-2009 05:50 AM

Were you able to do a trace from your LAN at work to your SMTP/POP server? Please post the output.

Kind regards,

Eric

lannyr 08-06-2009 06:56 AM

Our workstations are Windows and they do not have a full traceroute that can trace to a port. Ordinary trace output is
Code:

traceroute to terezamaxovadetem.cz (88.208.66.6), 30 hops max, 40 byte packets
 1  88.208.66.6 (88.208.66.6)  0.698 ms  0.940 ms  1.166 ms

telnet 88.208.66.6 25 gives
Code:

telnet: Unable to connect to remote host: Connection refused

EricTRA 08-06-2009 07:01 AM

I might be mistaken about this, but to me it seems that you only have port forwarding enabled from the outside to your mail server, and by using the domain (external DNS) you get bounced back to your own router. I don't know if it will work, but try creating a port forwarding rule for your LAN network on the router so that it detects when communication is coming from inside the LAN on port 25/110 and doesn't have to throw it on the internet.

There probably is an easier way but I'm not sure how; maybe instead of using port forwarding you could use virtual server. Probably someone with more experience with those routers will kick in sooner or later.

Kind regards,

Eric

lannyr 08-06-2009 07:32 AM

Quote:

Originally Posted by EricTRA (Post 3633472)
I might be mistaken about this, but to me it seems that you only have port forwarding enabled from the outside to your mail server, and by using the domain (external DNS) you get bounced back to your own router. I don't know if it will work, but try creating a port forwarding rule for your LAN network on the router so that it detects when communication is coming from inside the LAN on port 25/110 and doesn't have to throw it on the internet.
Eric

If I knew how to
Quote:

try creating a port forwarding rule for your LAN network
I would not be here trying your patience.

Could you post an example?

910 08-06-2009 07:46 AM

To be able to communicate with devices inside your LAN from inside the LAN using the internet-routable address, you need to set up a feature called "NAT loopback" in your router. Whether this is possible or not depends on your router.

Another option is to use an internal DNS server and make the appropriate records point to the internal LAN IP addresses.

lannyr 08-06-2009 09:09 AM

Thanks. My router does not show a NAT loopback feature anywhere. Is it known under a different name?

I will see if I can try to set up my own DNS server.
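The two workarounds 910 describes (NAT loopback on the gateway, or an internal DNS server that hands out the LAN address) can both be shown concretely for a Linux box acting as the gateway. The script below is an added example; it is not from this thread and has nothing to do with the D-Link firmware. The interface name, the LAN subnet, the public address (taken from the RFC 5737 documentation range) and the server's LAN address are assumptions. Only 10.0.0.138 (the router's LAN address from the first post) and terezamaxovadetem.cz (from the poster's traceroute) come from the thread. The hairpin rules need three pieces: a DNAT in PREROUTING that rewrites the public destination to the server, an SNAT in POSTROUTING that rewrites the client's source to the router so the server's replies travel back through the router (otherwise the server answers the client directly from its LAN address, the client sees a reply from an address it never contacted, and the connection is reset), and a FORWARD rule allowing the LAN-to-LAN hop. The dnsmasq line is the split-horizon alternative.

```shell
#!/bin/sh
# Added example, not from the thread: "NAT loopback" (hairpin NAT) for a
# Linux gateway running iptables, plus a split-horizon DNS override for
# dnsmasq.  Values marked "assumed" are placeholders for illustration.

LAN_IF="${LAN_IF:-eth1}"                     # assumed: gateway's LAN-side interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"            # assumed: LAN subnet
WAN_IP="${WAN_IP:-203.0.113.10}"             # assumed: public address (RFC 5737 range)
SERVER_IP="${SERVER_IP:-10.0.0.20}"          # assumed: LAN address of the web/mail server
ROUTER_LAN_IP="${ROUTER_LAN_IP:-10.0.0.138}" # router LAN address given in the thread

# Print the iptables rules that let a LAN client reach SERVER_IP by
# connecting to WAN_IP:port.  Nothing is applied here; see apply_rules.
hairpin_nat_rules() {
    port="$1"
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $WAN_IP -p tcp --dport $port -j DNAT --to-destination $SERVER_IP
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $port -j SNAT --to-source $ROUTER_LAN_IP
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER_IP -p tcp --dport $port -j ACCEPT
EOF
}

# Print a dnsmasq directive that answers the public name with the LAN
# address for clients that use this box as their resolver (split-horizon
# DNS).  It belongs in /etc/dnsmasq.conf on the internal DNS server.
split_dns_entry() {
    name="$1"
    printf 'address=/%s/%s\n' "$name" "$SERVER_IP"
}

# Everything for the three services the thread is about: HTTP, SMTP, POP3.
show_all() {
    for p in 80 25 110; do
        hairpin_nat_rules "$p"
    done
    split_dns_entry terezamaxovadetem.cz
}

# Apply the firewall rules only when explicitly asked and running as root;
# otherwise just print them, so the script is safe to run anywhere.
apply_rules() {
    for p in 80 25 110; do hairpin_nat_rules "$p"; done | sh
}

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    apply_rules
else
    show_all
fi
```

Run it without arguments to review the generated rules; `APPLY=1` as root appends them. The rules assume IP forwarding is already on (it must be for the gateway to work at all) and that no earlier MASQUERADE or DROP rule matches the LAN-to-LAN traffic first, which is the usual reason hairpin rules "do nothing" when added at the end of a busy ruleset. For the original poster's question about naming: consumer firmware exposes the same feature as "NAT loopback", "NAT reflection" or "hairpin NAT", and if the D-Link offers none of these the dnsmasq line is the route to take, with the LAN's DHCP pointing clients at that resolver.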

