LinuxQuestions.org
Old 02-06-2009, 02:31 AM   #1
Avdaga
LQ Newbie
 
Registered: Sep 2007
Posts: 7

Rep: Reputation: 0
Multiple public IP's - not reachable from inside


For my LAN I am using the range 192.168.0.x.
For the internet I have 2 IP addresses.

The primary WAN IP, 1.1.1.1, is used for my main server (mailserver, webserver, proxy etc). This server takes care of the routing as well... Its IP on the LAN is 192.168.0.1.

Now I have a secondary server on LAN IP 192.168.0.2, which I route to WAN IP 1.1.1.2.

iptables rules used:
-A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 1.1.1.2

It is reachable on WAN IP 1.1.1.2, and when connecting to a WAN address it is also seen as 1.1.1.2. All working fine.

The problem is that when I try to connect to 1.1.1.2 from the LAN, I can not reach it. It is reachable on 192.168.0.2, but I want it reachable on the WAN address as well.

Any ideas anyone?
 
Old 02-06-2009, 04:24 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Shouldn't you be reaching your own servers (on 192.168.0.0/24) from the LAN using their local IP addresses?

If the internet servers were in a DMZ, which you probably should do, you would use your gateway firewall as the default gateway and reach them as you would any internet address.
 
Old 02-06-2009, 07:04 AM   #3
Avdaga
LQ Newbie
 
Registered: Sep 2007
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal
Shouldn't you be reaching your own servers (on 192.168.0.0/24) from the LAN using their local IP addresses?

If the internet servers were in a DMZ, which you probably should do, you would use your gateway firewall as the default gateway and reach them as you would any internet address.
The first server is directly connected to the ISP over optic fiber and is the gateway for the second server: we have 5 WAN IP addresses, which have to be routed by the first server.

The routing goes fine when accessed from the WAN, and when accessing the WAN, but for some reason not when accessed from the LAN.
 
Old 02-06-2009, 09:26 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
You shouldn't be routing packets from your internal network out over the external interface on your firewall and then back in again. Just set up your DNS with split views so that internal clients are answered with the internal IP address, and all other clients (external) will get the external IP address. You could do this with hosts files as well.
 
Old 02-06-2009, 10:37 AM   #5
compucoder
LQ Newbie
 
Registered: Jan 2009
Posts: 17

Rep: Reputation: 0
I had this same issue and learned how to get past it.

I can only tell you the Shorewall way of doing it and you'll have to translate it to raw IPTables:

Add new FW rules to go from LAN to WAN - inside to out basically. I.e.

DNAT LAN WAN:192.168.1.23 tcp 80,443 - 1.1.1.2

You then need to add a rule in your SNAT or MASQ table (not sure) to NAT it back into your LAN to the right IP:

eth0:192.168.1.23 eth0 192.168.1.1 tcp 80,443

eth0 is my internal interface (LAN)

These rules are just doing ports 80 and 443 - if you need to do all ports on the IP then you'll have to remove those.

I hope this helps you out.
 
Old 02-06-2009, 10:56 AM   #6
Avdaga
LQ Newbie
 
Registered: Sep 2007
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chort
You shouldn't be routing packets from your internal network out over the external interface on your firewall and then back in again. Just set up your DNS with split views so that internal clients are answered with the internal IP address, and all other clients (external) will get the external IP address. You could do this with hosts files as well.
Hmm, I guess setting up a separate DNS view is a solution, since it will omit the IP address...
The only problem is that the internet domain is hosted at the ISP, and I would have to add all subdomains existing (and created in the future) to my local view... It is not possible to add a single record as in the hosts file, is it?
 
Old 02-06-2009, 01:15 PM   #7
Avdaga
LQ Newbie
 
Registered: Sep 2007
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by compucoder
I had this same issue and learned how to get past it.

I can only tell you the Shorewall way of doing it and you'll have to translate it to raw IPTables:

Add new FW rules to go from LAN to WAN - inside to out basically. I.e.

DNAT LAN WAN:192.168.1.23 tcp 80,443 - 1.1.1.2

You then need to add a rule in your SNAT or MASQ table (not sure) to NAT it back into your LAN to the right IP:

eth0:192.168.1.23 eth0 192.168.1.1 tcp 80,443

eth0 is my internal interface (LAN)

These rules are just doing ports 80 and 443 - if you need to do all ports on the IP then you'll have to remove those.

I hope this helps you out.
That's practically what I have done with the rules:
-A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 1.1.1.2


Or am I interpreting your solution incorrectly?
 
Old 02-06-2009, 06:38 PM   #8
compucoder
LQ Newbie
 
Registered: Jan 2009
Posts: 17

Rep: Reputation: 0
Quote:
Originally Posted by Avdaga
That's practically what I have done with the rules:
-A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 1.1.1.2


Or am I interpreting your solution incorrectly?
I don't know IPTables but from looking at this I think you are.

Maybe something like this:

# POSTROUTING lives in the nat table, so -t nat is required
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -d $INTERNAL_IP \
    -j SNAT --to-source $NAT_IP

I found this on a blog - says this final rule makes it so you can hit the public IP from the LAN. You'll have to plug in your values.

Maybe someone with IPTable experience can explain what should go in each variable.

I use Shorewall for everything and it really shields you from the nitty gritty of IPTables.

I hope you can do something with this line of code.
 
Old 02-06-2009, 06:52 PM   #9
compucoder
LQ Newbie
 
Registered: Jan 2009
Posts: 17

Rep: Reputation: 0
Try this post as well - it may help:

http://www.dslreports.com/forum/remark,15532090
 
Old 02-07-2009, 07:31 PM   #10
Avdaga
LQ Newbie
 
Registered: Sep 2007
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by compucoder
I don't know IPTables but from looking at this I think you are.

Maybe something like this:

# POSTROUTING lives in the nat table, so -t nat is required
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -d $INTERNAL_IP \
    -j SNAT --to-source $NAT_IP

I found this on a blog - says this final rule makes it so you can hit the public IP from the LAN. You'll have to plug in your values.

Maybe someone with IPTable experience can explain what should go in each variable.

I use Shorewall for everything and it really shields you from the nitty gritty of IPTables.

I hope you can do something with this line of code.
It is not really clear to me WHY this rule is doing the job, but it sure is

-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to-source 1.1.1.2

Thanks a lot for your help compucoder, really appreciate it

greetz
 
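The rule above is what is usually called hairpin or reflected NAT. To show why it is needed, here is a small model of the gateway's nat table and conntrack behaviour, added as an example and not code from any post in this thread. The addresses 192.168.0.1/1.1.1.2 (gateway), 192.168.0.2 (server) and 192.168.0.0/24 (LAN) come from the thread; the LAN client 192.168.0.5 and the external client 203.0.113.10 are assumed for the demonstration. It traces the TCP SYN and SYN-ACK of a connection to 1.1.1.2:80 with and without the third SNAT rule, and also for an external client, so the working WAN case and the broken LAN case can be compared.

```python
"""Hairpin (reflected) NAT walkthrough for the rules discussed in this thread.

Toy model, not the original posts' code.  Addresses from the thread: gateway
holding public IP 1.1.1.2, server 192.168.0.2 on the 192.168.0.0/24 LAN.
The two clients are assumed for the demo.
"""
from dataclasses import dataclass, replace

LAN_PREFIX = "192.168.0."          # the 192.168.0.0/24 LAN
LAN_SERVER = "192.168.0.2"
PUBLIC_SERVER = "1.1.1.2"          # public address DNATed to LAN_SERVER
LAN_CLIENT = "192.168.0.5"         # assumed, not from the thread
EXTERNAL_CLIENT = "203.0.113.10"   # assumed, not from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse_of(self, other):
        """True if self travels in the opposite direction to other."""
        return (self.src, self.sport, self.dst, self.dport) == (
            other.dst, other.dport, other.src, other.sport)


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


class Gateway:
    """Applies the nat table to the first packet of a connection and undoes
    the translation for replies, the way netfilter conntrack does."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # original first packet -> translated first packet

    def forward(self, pkt):
        for orig, nat in self.conntrack.items():
            if pkt.reverse_of(nat):
                # Reply of a known connection: undo both translations.
                return Packet(orig.dst, orig.src, orig.dport, orig.sport)
        nat = pkt
        # -t nat -A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 192.168.0.2
        if nat.dst == PUBLIC_SERVER:
            nat = replace(nat, dst=LAN_SERVER)
        # -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 1.1.1.2
        if nat.src == LAN_SERVER:
            nat = replace(nat, src=PUBLIC_SERVER)
        # -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to-source 1.1.1.2
        elif self.hairpin_snat and on_lan(nat.src) and nat.dst == LAN_SERVER:
            nat = replace(nat, src=PUBLIC_SERVER)
        self.conntrack[pkt] = nat
        return nat


def connect(client_ip, hairpin_snat):
    """Client opens TCP to 1.1.1.2:80.  Returns whether the client's TCP stack
    would accept the SYN-ACK (its source must be the address the SYN went to)
    and which client address the server saw."""
    gw = Gateway(hairpin_snat)
    syn = Packet(client_ip, PUBLIC_SERVER, 40000, 80)
    at_server = gw.forward(syn)          # 1.1.1.2 is never on-link for the client
    syn_ack = Packet(LAN_SERVER, at_server.src, 80, at_server.sport)
    if on_lan(syn_ack.dst):
        # Destination is in the server's own /24: the reply goes directly over
        # the LAN and the gateway (and its conntrack entry) never sees it.
        at_client = syn_ack
    else:
        at_client = gw.forward(syn_ack)
    ok = (at_client.src, at_client.sport) == (PUBLIC_SERVER, 80) and at_client.dst == client_ip
    return {"ok": ok, "server_saw": at_server.src, "client_got_reply_from": at_client.src}


if __name__ == "__main__":
    for label, client, hairpin in [("external, no hairpin", EXTERNAL_CLIENT, False),
                                   ("LAN, no hairpin", LAN_CLIENT, False),
                                   ("LAN, with hairpin SNAT", LAN_CLIENT, True)]:
        print(f"{label:24s} -> {connect(client, hairpin)}")
```

Without the third rule the server answers a LAN client directly with source 192.168.0.2, the client never sent anything to that address, so its TCP stack discards the SYN-ACK (and typically replies with a RST). Rewriting the source of LAN-to-server traffic to 1.1.1.2 forces the reply back through the gateway, where conntrack restores the original addresses. The cost is that the server now logs every internal client as 1.1.1.2, so source attribution is lost for internal connections; the split-DNS approach suggested earlier in the thread avoids both the detour and the lost source address.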
Old 02-07-2009, 07:33 PM   #11
compucoder
LQ Newbie
 
Registered: Jan 2009
Posts: 17

Rep: Reputation: 0
Quote:
Originally Posted by Avdaga
It is not really clear to me WHY this rule is doing the job, but it sure is

-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to-source 1.1.1.2

Thanks a lot for your help compucoder, really appreciate it

greetz
I felt the same way when I found the Shorewall rules to do this. I found it very non-intuitive. But, hey, it works and I'll take it!
 
Tags
iptables, routing