Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread An-Cheng Huang
Hi Nate,

If the problem you're seeing is caused by external vs. internal DNS problem 
(external access is fine, but internal hosts resolve the server to the external 
address and therefore cannot access it), you might be able to work around it 
using NAT. See the following message from the list archive for more details.

http://mailman.vyatta.com/pipermail/vyatta-users/2007-August/001741.html

An-Cheng

Nathan McBride wrote:
> Hmmm, guess I should make an internal DNS server then... :D
> 
> nate
> 
> On Tue, 2008-01-29 at 22:34 -0500, Aubrey Wells wrote:
>> It's been a while since I researched it, but I think there was
>> something about the way netfilter_conntrack tracks the NAT sessions
>> that prevents the hairpin NAT from working. I never figured out a way
>> around it and no one on Google was helpful either.
>>
>> The usual solution is to put a DNS entry in your internal DNS server
>> to point the domain name to the internal IP of the web site.
>>
>> --
>> Aubrey Wells
>> Senior Engineer
>> Shelton | Johns Technology Group
>> A Vyatta Ready Partner
>> www.sheltonjohns.com
>>
>> On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:
>>> Can't I do another nat rule?
>>>
>>> On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
>>>> It sounds like you're a victim of hairpin natting. Very frustrating.
>>>> Iptables doesn't do it (that I know of.) I first encountered this on a
>>>> PIX firewall years ago and thought it was an absurd limitation (then I
>>>> found out my beloved linux couldn't do it either and was crushed).
>>>> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
>>>> do it.
>>>>
>>>> --
>>>> Aubrey Wells
>>>> Senior Engineer
>>>> Shelton | Johns Technology Group
>>>> A Vyatta Ready Partner
>>>> www.sheltonjohns.com
>>>>
>>>> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>>>>
>>>>> John just told me he can get to the page too.
>>>>> From inside the lan I am going to a browser and typing
>>>>> www.nombyte.com.  And it doesn't work?
>>>>>
>>>>> Nate
>>>>>
>>>>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>>>>> *shrug* same here
>>>>>>
>>>>>> Are you trying to hit the natted address from inside the LAN that is
>>>>>> being natted to? Hairpin NAT doesn't work in iptables...
>>>>>>
>>>>>> --
>>>>>> Aubrey Wells
>>>>>> Senior Engineer
>>>>>> Shelton | Johns Technology Group
>>>>>> A Vyatta Ready Partner
>>>>>> www.sheltonjohns.com
>>>>>>
>>>>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>>>>>
>>>>>>> I just connected and see the Apache 2 test page running on CentOS
>>>>>>>
>>>>>>> John
>>>>>>>
>>>>>>> Nathan McBride wrote:
>>>>>>>> First off I appreciate help from everyone, this is a nice change to
>>>>>>>> some mailing lists I'm used to.  Unfortunately, I am still having the
>>>>>>>> same problem.  I'm giving out real information, probably shouldn't,
>>>>>>>> but that's how frustrated I am.  I just get an unable to connect
>>>>>>>> error.  The firewalls are fine I promise.  I can see the page on
>>>>>>>> 192.168.0.105 from inside the lan, and I can see and use the webgui of
>>>>>>>> the router just fine.  Altho I did disable it of course since I want
>>>>>>>> the port forwarded.  In the ssh example sent to me which is below, I
>>>>>>>> notice that the addresses are just numbers where mine have "" around
>>>>>>>> them.  Does this matter?  Can anyone please give any suggestions?
>>>>>>>>
>>>>>>>> Thanks a lot,
>>>>>>>> Nate
>>>>>>>>
>>>>>>>> My domain is:
>>>>>>>> www.nombyte.com
>>>>>>>>
>>>>>>>> The IP is:
>>>>>>>> 71.62.193.105
>>>>>>>>
>>>>>>>> Full Nat is:
>>>>>>>>
>>>>>>>> nat {
>>>>>>>>     rule 1 {
>>>>>>>>         type: "destination"
>>>>>>>>         inbound-interface: "eth0"
>>>>>>>>         protocols: "tcp"
>>>>>>>>         source {
>>>>>>>>             network: "0.0.0.0/0"
>>>>>>>>         }
>>>>>>>>         destination {
>>>>>>>>             address: "71.62.193.105"
>>>>>>>>             port-name http
>>>>>>>>         }
>>>>>>>>         inside-address {
>>>>>>>>             address: 192.168.0.105
>>>>>>>>         }
>>>>>>>>     }
>>>>>>>>     rule 2 {
>>>>>>>>         type: "masquerade"
>>>>>>>>         outbound-interface: "eth0"
>>>>>>>>         protocols: "all"
>>>>>>>>         source {
>>>>>>>>             network: "192.168.0.0/24"
>>>>>>>>         }
>>>>>>>>         destination {
>>>>>>>>             network: "0.0.0.0/0"
>>>>>>>>         }
>>>>>>>>     }
>>>>>>>>     rule 3 {
>>>>>>>>         type: "masquerade"
>>>>>>>>         outbound-interface: "eth0"
>>>>>>>>         protocols: "all"
>>>>>>>>         source {
>>>>>>>>             network: "192.168.1.0/24"
>>
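The rule set Nate posted (destination NAT only for packets arriving on eth0, masquerade only on eth0) and the two NAT-side remedies raised in this thread (An-Cheng's pointer to a NAT workaround above, and Go Wow's suggestion elsewhere in the thread of putting such servers on a separate subnet) can be checked against a small model of the router's NAT path. The following is an added example written for this page, not Vyatta configuration or code from the list. It reuses the thread's addresses (71.62.193.105, 192.168.0.105, eth0) and assumes a LAN interface eth1 with router address 192.168.0.1, a second subnet 192.168.1.0/24 on eth2, and constructed client addresses; the "hairpin" rule set is the generic destination-NAT-plus-source-NAT pattern, not a rule syntax taken from the thread.

```python
"""Model of the NAT path a TCP/80 connection takes through the router in this
thread. Added illustration, not Vyatta code. The public address, the web server
and eth0 come from the thread; eth1, eth2, the router's LAN address and the
client addresses are assumed."""
from dataclasses import dataclass, replace
from typing import List, Optional
import ipaddress

WAN_IF, LAN_IF, LAN2_IF = "eth0", "eth1", "eth2"   # eth0 from the thread, eth1/eth2 assumed
PUBLIC_IP = "71.62.193.105"                         # from the thread
WEB_SERVER = "192.168.0.105"                        # from the thread
ROUTER_LAN_IP = "192.168.0.1"                       # assumed router address on the LAN
NETS = {LAN_IF: ipaddress.ip_network("192.168.0.0/24"),
        LAN2_IF: ipaddress.ip_network("192.168.1.0/24")}
ROUTER_IPS = {PUBLIC_IP, ROUTER_LAN_IP}

OK = "ok: reply returns through the router with source 71.62.193.105"
REFUSED = "fails: router owns the address and nothing listens on port 80"
BYPASS = "fails: server replies straight to the client with source 192.168.0.105"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str


@dataclass(frozen=True)
class Rule:
    kind: str                        # "destination" or "source"
    iface: str                       # inbound-interface (DNAT) / outbound-interface (SNAT)
    match: str                       # destination address (DNAT) / source network (SNAT)
    to: str                          # inside-address (DNAT) / new source address (SNAT)
    dport: Optional[int] = None      # DNAT only
    match_dst: Optional[str] = None  # SNAT only: restrict to one destination


def prerouting(pkt: Packet, rules: List[Rule]) -> Packet:
    """First destination rule whose inbound interface, address and port match wins."""
    for r in rules:
        if (r.kind == "destination" and r.iface == pkt.in_if
                and pkt.dst == r.match and pkt.dport == r.dport):
            return replace(pkt, dst=r.to)
    return pkt


def route(dst: str) -> str:
    """Local delivery for the router's own addresses, else the interface owning the subnet."""
    if dst in ROUTER_IPS:
        return "local"
    addr = ipaddress.ip_address(dst)
    for iface, net in NETS.items():
        if addr in net:
            return iface
    return WAN_IF


def postrouting(pkt: Packet, out_if: str, rules: List[Rule]) -> Packet:
    """First source rule for this outbound interface and source network wins."""
    src = ipaddress.ip_address(pkt.src)
    for r in rules:
        if (r.kind == "source" and r.iface == out_if
                and src in ipaddress.ip_network(r.match)
                and (r.match_dst is None or pkt.dst == r.match_dst)):
            return replace(pkt, src=r.to)
    return pkt


def simulate(client: str, in_if: str, rules: List[Rule]) -> str:
    """Outcome of `client` (arriving on `in_if`) connecting to PUBLIC_IP:80."""
    pkt = prerouting(Packet(client, PUBLIC_IP, 80, in_if), rules)
    out_if = route(pkt.dst)
    if out_if == "local":
        return REFUSED
    pkt = postrouting(pkt, out_if, rules)
    assert pkt.dst == WEB_SERVER
    # The server answers the source it saw. If that source is on the server's own
    # subnet and is not the router, the reply bypasses the router, so conntrack
    # never restores PUBLIC_IP as the source and the client's TCP stack drops it.
    if ipaddress.ip_address(pkt.src) in NETS[LAN_IF] and pkt.src != ROUTER_LAN_IP:
        return BYPASS
    return OK


THREAD_RULES = [
    Rule("destination", WAN_IF, PUBLIC_IP, WEB_SERVER, dport=80),  # rule 1
    Rule("source", WAN_IF, "192.168.0.0/24", PUBLIC_IP),           # rule 2 (masquerade)
    Rule("source", WAN_IF, "192.168.1.0/24", PUBLIC_IP),           # rule 3 (masquerade)
]
LAN_DNAT = [Rule("destination", LAN_IF, PUBLIC_IP, WEB_SERVER, dport=80),
            Rule("destination", LAN2_IF, PUBLIC_IP, WEB_SERVER, dport=80)]
# Assumed hairpin fix: rewrite the LAN client's source so the server's reply
# has to pass back through the router.
LAN_SNAT = [Rule("source", LAN_IF, "192.168.0.0/24", ROUTER_LAN_IP, match_dst=WEB_SERVER)]

DNAT_ONLY_RULES = THREAD_RULES + LAN_DNAT
HAIRPIN_RULES = THREAD_RULES + LAN_DNAT + LAN_SNAT

if __name__ == "__main__":
    for label, client, iface, rules in [
        ("outside client, thread rules", "203.0.113.7", WAN_IF, THREAD_RULES),
        ("inside client, thread rules", "192.168.0.50", LAN_IF, THREAD_RULES),
        ("inside client, LAN-side DNAT only", "192.168.0.50", LAN_IF, DNAT_ONLY_RULES),
        ("inside client, LAN-side DNAT + SNAT", "192.168.0.50", LAN_IF, HAIRPIN_RULES),
        ("client on the other subnet, LAN-side DNAT", "192.168.1.50", LAN2_IF, DNAT_ONLY_RULES),
    ]:
        print(f"{label}: {simulate(client, iface, rules)}")
```

The model reproduces the symptom in the thread: with rule 1 bound to eth0, a LAN client's packet to 71.62.193.105 is never rewritten, so the router delivers it to itself, where nothing listens on port 80 once the web GUI is disabled, hence "unable to connect". It also shows why a LAN-side destination rule alone is not enough (the server answers 192.168.0.50 directly, so the client sees a reply from 192.168.0.105 that belongs to no connection it opened) and why the separate-subnet layout avoids the source rewrite: the server's reply to 192.168.1.50 has to go through the router anyway, where conntrack undoes the translation.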

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Go Wow
> Another way would be to have these kinds of servers (which need to be
> accessed from the LAN) on another subnet. Looks feasible to me.
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread John Mason Jr
Or if the network is very small or doesn't have an internal DNS, the hosts
file works as well.

I found a link that is interesting but don't have time to experiment



John

Aubrey Wells wrote:
> It's been a while since I researched it, but I think there was
> something about the way netfilter_conntrack tracks the NAT sessions
> that prevents the hairpin NAT from working. I never figured out a way
> around it and no one on Google was helpful either.
>
> The usual solution is to put a DNS entry in your internal DNS server
> to point the domain name to the internal IP of the web site.
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
> 
> 
> 
> 
> 
> On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:
> 
>> Can't I do another nat rule?
>>
>> On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
>>> It sounds like you're a victim of hairpin natting. Very frustrating.
>>> Iptables doesn't do it (that I know of.) I first encountered this on a
>>> PIX firewall years ago and thought it was an absurd limitation (then I
>>> found out my beloved linux couldn't do it either and was crushed).
>>> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
>>> do it.
>>>
>>> --
>>> Aubrey Wells
>>> Senior Engineer
>>> Shelton | Johns Technology Group
>>> A Vyatta Ready Partner
>>> www.sheltonjohns.com
>>>
>>>
>>>
>>>
>>>
>>> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>>>
>>>> John just told me he can get to the page too.
>>>> From inside the lan I am going to a browser and typing
>>>> www.nombyte.com.  And it doesn't work?
>>>>
>>>> Nate
>>>>
>>>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>>>> *shrug* same here
>>>>>
>>>>> Are you trying to hit the natted address from inside the LAN that is
>>>>> being natted to? Hairpin NAT doesn't work in iptables...
>>>>>
>>>>> --
>>>>> Aubrey Wells
>>>>> Senior Engineer
>>>>> Shelton | Johns Technology Group
>>>>> A Vyatta Ready Partner
>>>>> www.sheltonjohns.com
>>>>>
>>>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>>>>
>>>>>> I just connected and see the Apache 2 test page running on CentOS
>>>>>>
>>>>>> John
>>>>>>
>>>>>> Nathan McBride wrote:
>>>>>>> First off I appreciate help from everyone, this is a nice change to
>>>>>>> some mailing lists I'm used to.  Unfortunately, I am still having the
>>>>>>> same problem.  I'm giving out real information, probably shouldn't,
>>>>>>> but that's how frustrated I am.  I just get an unable to connect
>>>>>>> error.  The firewalls are fine I promise.  I can see the page on
>>>>>>> 192.168.0.105 from inside the lan, and I can see and use the webgui of
>>>>>>> the router just fine.  Altho I did disable it of course since I want
>>>>>>> the port forwarded.  In the ssh example sent to me which is below, I
>>>>>>> notice that the addresses are just numbers where mine have "" around
>>>>>>> them.  Does this matter?  Can anyone please give any suggestions?
>>>>>>>
>>>>>>> Thanks a lot,
>>>>>>> Nate
>>>>>>>
>>>>>>> My domain is:
>>>>>>> www.nombyte.com
>>>>>>>
>>>>>>> The IP is:
>>>>>>> 71.62.193.105
>>>>>>>
>>>>>>> Full Nat is:
>>>>>>>
>>>>>>> nat {
>>>>>>>     rule 1 {
>>>>>>>         type: "destination"
>>>>>>>         inbound-interface: "eth0"
>>>>>>>         protocols: "tcp"
>>>>>>>         source {
>>>>>>>             network: "0.0.0.0/0"
>>>>>>>         }
>>>>>>>         destination {
>>>>>>>             address: "71.62.193.105"
>>>>>>>             port-name http
>>>>>>>         }
>>>>>>>         inside-address {
>>>>>>>             address: 192.168.0.105
>>>>>>>         }
>>>>>>>     }
>>>>>>>     rule 2 {
>>>>>>>         type: "masquerade"
>>>>>>>         outbound-interface: "eth0"
>>>>>>>         protocols: "all"
>>>>>>>         source {
>>>>>>>             network: "192.168.0.0/24"
>>>>>>>         }
>>>>>>>         destination {
>>>>>>>             network: "0.0.0.0/0"
>>>>>>>         }
>>>>>>>     }
>>>>>>>     rule 3 {
>>>>>>>         type: "masquerade"
>>>>>>>         outbound-interface: "eth0"
>>>>>>>         protocols: "all"
>>>>>>>         source {
>>>>>>>             network: "192.168.1.0/24"
>>>>>>>         }
>>>>>>>         destination {
>>>>>>>             network: "0.0.0.0/0"
>>>>>>>         }
>>>>>>>     }
>>>>>>>
>>>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>>>>>>> Here's what I use to port-forward ssh; just adjust for address (where
>>>>>>>> destination address is the public IP) and change it to http.
>>>>>>>>
>>>>>>>> ru

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
Hmmm, guess I should make an internal DNS server then... :D

nate

On Tue, 2008-01-29 at 22:34 -0500, Aubrey Wells wrote:
> It's been a while since I researched it, but I think there was
> something about the way netfilter_conntrack tracks the NAT sessions
> that prevents the hairpin NAT from working. I never figured out a way
> around it and no one on Google was helpful either.
>
> The usual solution is to put a DNS entry in your internal DNS server
> to point the domain name to the internal IP of the web site.
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
> 
> 
> 
> 
> 
> On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:
> 
> > Can't I do another nat rule?
> >
> > On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
> >> It sounds like you're a victim of hairpin natting. Very frustrating.
> >> Iptables doesn't do it (that I know of.) I first encountered this on a
> >> PIX firewall years ago and thought it was an absurd limitation (then I
> >> found out my beloved linux couldn't do it either and was crushed).
> >> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
> >> do it.
> >>
> >> --
> >> Aubrey Wells
> >> Senior Engineer
> >> Shelton | Johns Technology Group
> >> A Vyatta Ready Partner
> >> www.sheltonjohns.com
> >>
> >>
> >>
> >>
> >>
> >> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
> >>
> >>> John just told me he can get to the page too.
> >>> From inside the lan I am going to a browser and typing
> >>> www.nombyte.com.  And it doesn't work?
> >>>
> >>> Nate
> >>>
> >>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
> >>>> *shrug* same here
> >>>>
> >>>> Are you trying to hit the natted address from inside the LAN that is
> >>>> being natted to? Hairpin NAT doesn't work in iptables...
> >>>>
> >>>> --
> >>>> Aubrey Wells
> >>>> Senior Engineer
> >>>> Shelton | Johns Technology Group
> >>>> A Vyatta Ready Partner
> >>>> www.sheltonjohns.com
> >>>>
> >>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
> >>>>
> >>>>> I just connected and see the Apache 2 test page running on CentOS
> >>>>>
> >>>>> John
> >>>>>
> >>>>> Nathan McBride wrote:
> >>>>>> First off I appreciate help from everyone, this is a nice change to
> >>>>>> some mailing lists I'm used to.  Unfortunately, I am still having the
> >>>>>> same problem.  I'm giving out real information, probably shouldn't,
> >>>>>> but that's how frustrated I am.  I just get an unable to connect
> >>>>>> error.  The firewalls are fine I promise.  I can see the page on
> >>>>>> 192.168.0.105 from inside the lan, and I can see and use the webgui of
> >>>>>> the router just fine.  Altho I did disable it of course since I want
> >>>>>> the port forwarded.  In the ssh example sent to me which is below, I
> >>>>>> notice that the addresses are just numbers where mine have "" around
> >>>>>> them.  Does this matter?  Can anyone please give any suggestions?
> >>>>>>
> >>>>>> Thanks a lot,
> >>>>>> Nate
> >>>>>>
> >>>>>> My domain is:
> >>>>>> www.nombyte.com
> >>>>>>
> >>>>>> The IP is:
> >>>>>> 71.62.193.105
> >>>>>>
> >>>>>> Full Nat is:
> >>>>>>
> >>>>>> nat {
> >>>>>>     rule 1 {
> >>>>>>         type: "destination"
> >>>>>>         inbound-interface: "eth0"
> >>>>>>         protocols: "tcp"
> >>>>>>         source {
> >>>>>>             network: "0.0.0.0/0"
> >>>>>>         }
> >>>>>>         destination {
> >>>>>>             address: "71.62.193.105"
> >>>>>>             port-name http
> >>>>>>         }
> >>>>>>         inside-address {
> >>>>>>             address: 192.168.0.105
> >>>>>>         }
> >>>>>>     }
> >>>>>>     rule 2 {
> >>>>>>         type: "masquerade"
> >>>>>>         outbound-interface: "eth0"
> >>>>>>         protocols: "all"
> >>>>>>         source {
> >>>>>>             network: "192.168.0.0/24"
> >>>>>>         }
> >>>>>>         destination {
> >>>>>>             network: "0.0.0.0/0"
> >>>>>>         }
> >>>>>>     }
> >>>>>>     rule 3 {
> >>>>>>         type: "masquerade"
> >>>>>>         outbound-interface: "eth0"
> >>>>>>         protocols: "all"
> >>>>>>         source {
> >>>>>>             network: "192.168.1.0/24"
> >>>>>>         }
> >>>>>>         destination {
> >>>>>>             network: "0.0.0.0/0"
> >>>>>>         }
> >>>>>>     }
> >>>>>>
> >>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
> >>>>>>> Here's what I use to port-forward ssh; just adjust for address (where
> >>>>>>> destination address is the public IP) and change it to http.
> >>>>>>>

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Aubrey Wells
It's been a while since I researched it, but I think there was
something about the way netfilter_conntrack tracks the NAT sessions
that prevents the hairpin NAT from working. I never figured out a way
around it and no one on Google was helpful either.

The usual solution is to put a DNS entry in your internal DNS server
to point the domain name to the internal IP of the web site.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com





On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:

> Can't I do another nat rule?
>
> On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
>> It sounds like you're a victim of hairpin natting. Very frustrating.
>> Iptables doesn't do it (that I know of.) I first encountered this on a
>> PIX firewall years ago and thought it was an absurd limitation (then I
>> found out my beloved linux couldn't do it either and was crushed).
>> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
>> do it.
>>
>> --
>> Aubrey Wells
>> Senior Engineer
>> Shelton | Johns Technology Group
>> A Vyatta Ready Partner
>> www.sheltonjohns.com
>>
>>
>>
>>
>>
>> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>>
>>> John just told me he can get to the page too.
>>> From inside the lan I am going to a browser and typing
>>> www.nombyte.com.  And it doesn't work?
>>>
>>> Nate
>>>
>>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>>> *shrug* same here
>>>>
>>>> Are you trying to hit the natted address from inside the LAN that is
>>>> being natted to? Hairpin NAT doesn't work in iptables...
>>>>
>>>> --
>>>> Aubrey Wells
>>>> Senior Engineer
>>>> Shelton | Johns Technology Group
>>>> A Vyatta Ready Partner
>>>> www.sheltonjohns.com
>>>>
>>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>>>
>>>>> I just connected and see the Apache 2 test page running on CentOS
>>>>>
>>>>> John
>>>>>
>>>>> Nathan McBride wrote:
>>>>>> First off I appreciate help from everyone, this is a nice change to
>>>>>> some mailing lists I'm used to.  Unfortunately, I am still having the
>>>>>> same problem.  I'm giving out real information, probably shouldn't,
>>>>>> but that's how frustrated I am.  I just get an unable to connect
>>>>>> error.  The firewalls are fine I promise.  I can see the page on
>>>>>> 192.168.0.105 from inside the lan, and I can see and use the webgui of
>>>>>> the router just fine.  Altho I did disable it of course since I want
>>>>>> the port forwarded.  In the ssh example sent to me which is below, I
>>>>>> notice that the addresses are just numbers where mine have "" around
>>>>>> them.  Does this matter?  Can anyone please give any suggestions?
>>>>>>
>>>>>> Thanks a lot,
>>>>>> Nate
>>>>>>
>>>>>> My domain is:
>>>>>> www.nombyte.com
>>>>>>
>>>>>> The IP is:
>>>>>> 71.62.193.105
>>>>>>
>>>>>> Full Nat is:
>>>>>>
>>>>>> nat {
>>>>>>     rule 1 {
>>>>>>         type: "destination"
>>>>>>         inbound-interface: "eth0"
>>>>>>         protocols: "tcp"
>>>>>>         source {
>>>>>>             network: "0.0.0.0/0"
>>>>>>         }
>>>>>>         destination {
>>>>>>             address: "71.62.193.105"
>>>>>>             port-name http
>>>>>>         }
>>>>>>         inside-address {
>>>>>>             address: 192.168.0.105
>>>>>>         }
>>>>>>     }
>>>>>>     rule 2 {
>>>>>>         type: "masquerade"
>>>>>>         outbound-interface: "eth0"
>>>>>>         protocols: "all"
>>>>>>         source {
>>>>>>             network: "192.168.0.0/24"
>>>>>>         }
>>>>>>         destination {
>>>>>>             network: "0.0.0.0/0"
>>>>>>         }
>>>>>>     }
>>>>>>     rule 3 {
>>>>>>         type: "masquerade"
>>>>>>         outbound-interface: "eth0"
>>>>>>         protocols: "all"
>>>>>>         source {
>>>>>>             network: "192.168.1.0/24"
>>>>>>         }
>>>>>>         destination {
>>>>>>             network: "0.0.0.0/0"
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>>>>>> Here's what I use to port-forward ssh; just adjust for address (where
>>>>>>> destination address is the public IP) and change it to http.
>>>>>>>
>>>>>>> rule 2 {
>>>>>>>     type: "destination"
>>>>>>>     inbound-interface: "eth0"
>>>>>>>     protocols: "tcp"
>>>>>>>     source {
>>>>>>>         network: 0.0.0.0/0
>>>>>>>     }
>>>>>>>     destination {
>>>>>>>         address: 1.2.3.4
>>>>>>>         port-name ssh
>>>>>>>     }
>>>>>>>     inside-address {
>>>>>>>         address: 10.0.0.30
>>>>>>>

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
Can't I do another nat rule?

On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
> It sounds like you're a victim of hairpin natting. Very frustrating.
> Iptables doesn't do it (that I know of.) I first encountered this on a
> PIX firewall years ago and thought it was an absurd limitation (then I
> found out my beloved linux couldn't do it either and was crushed).
> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
> do it.
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
> 
> 
> 
> 
> 
> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
> 
> > John just told me he can get to the page too.
> >> From inside the lan I am going to a browser and typing
> > www.nombyte.com.  And it doesn't work?
> >
> > Nate
> >
> > On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
> >> *shrug* same here
> >>
> >> Are you trying to hit the natted address from inside the LAN that is
> >> being natted to? Hairpin NAT doesnt work in iptables...
> >>
> >> --
> >> Aubrey Wells
> >> Senior Engineer
> >> Shelton | Johns Technology Group
> >> A Vyatta Ready Partner
> >> www.sheltonjohns.com
> >>
> >>
> >>
> >>
> >>
> >> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
> >>
> >>> I just connected and see the Apache 2 test page running on CentOS
> >>>
> >>> John
> >>>
> >>>
> >>>
> >>> Nathan McBride wrote:
> >>>> First off I appreciate help from everyone, this is a nice change to
> >>>> some mailing lists I'm used to.  Unfortunately, I am still having the
> >>>> same problem.  I'm giving out real information, probably shouldn't,
> >>>> but that's how frustrated I am.  I just get an unable to connect
> >>>> error.  The firewalls are fine I promise.  I can see the page on
> >>>> 192.168.0.105 from inside the lan, and I can see and use the webgui of
> >>>> the router just fine.  Altho I did disable it of course since I want
> >>>> the port forwarded.  In the ssh example sent to me which is below, I
> >>>> notice that the addresses are just numbers where mine have "" around
> >>>> them.  Does this matter?  Can anyone please give any suggestions?
> >>>>
> >>>> Thanks a lot,
> >>>> Nate
> >>>>
> >>>> My domain is:
> >>>> www.nombyte.com
> >>>>
> >>>> The IP is:
> >>>> 71.62.193.105
> >>>>
> >>>> Full Nat is:
> >>>>
> >>>> nat {
> >>>>     rule 1 {
> >>>>         type: "destination"
> >>>>         inbound-interface: "eth0"
> >>>>         protocols: "tcp"
> >>>>         source {
> >>>>             network: "0.0.0.0/0"
> >>>>         }
> >>>>         destination {
> >>>>             address: "71.62.193.105"
> >>>>             port-name http
> >>>>         }
> >>>>         inside-address {
> >>>>             address: 192.168.0.105
> >>>>         }
> >>>>     }
> >>>>     rule 2 {
> >>>>         type: "masquerade"
> >>>>         outbound-interface: "eth0"
> >>>>         protocols: "all"
> >>>>         source {
> >>>>             network: "192.168.0.0/24"
> >>>>         }
> >>>>         destination {
> >>>>             network: "0.0.0.0/0"
> >>>>         }
> >>>>     }
> >>>>     rule 3 {
> >>>>         type: "masquerade"
> >>>>         outbound-interface: "eth0"
> >>>>         protocols: "all"
> >>>>         source {
> >>>>             network: "192.168.1.0/24"
> >>>>         }
> >>>>         destination {
> >>>>             network: "0.0.0.0/0"
> >>>>         }
> >>>>     }
> >>>>
> >>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
> >>>>> Here's what I use to port-forward ssh; just adjust for address (where
> >>>>> destination address is the public IP) and change it to http.
> >>>>>
> >>>>> rule 2 {
> >>>>>     type: "destination"
> >>>>>     inbound-interface: "eth0"
> >>>>>     protocols: "tcp"
> >>>>>     source {
> >>>>>         network: 0.0.0.0/0
> >>>>>     }
> >>>>>     destination {
> >>>>>         address: 1.2.3.4
> >>>>>         port-name ssh
> >>>>>     }
> >>>>>     inside-address {
> >>>>>         address: 10.0.0.30
> >>>>>     }
> >>>>> }
> >>>>>
> >>>>> Best,
> >>>>> Justin
> >>>>>
> >>>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> >>>>>> Can someone please help me get this worked out?
> >>>>>> Nate
> >>>>>>
> >>>>>>> Ok these are my nat rules now, I didn't see a command to change the rule
> >>>>>>> numbers so I just redid them all by hand.  It still doesn't work.
> >>>>>>>
> >>>>>>> rule 1 {
> >>>>>>>     type: "destination"
> >>>>>>>     inbound-interface: "eth0"
> >>>>>>>     protocols: "tcp"
> >>>>>>>     destinatio

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Aubrey Wells
It sounds like you're a victim of hairpin natting. Very frustrating.
Iptables doesn't do it (that I know of.) I first encountered this on a
PIX firewall years ago and thought it was an absurd limitation (then I
found out my beloved linux couldn't do it either and was crushed).
Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
do it.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com





On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:

> John just told me he can get to the page too.
> From inside the lan I am going to a browser and typing
> www.nombyte.com.  And it doesn't work?
>
> Nate
>
> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>> *shrug* same here
>>
>> Are you trying to hit the natted address from inside the LAN that is
>> being natted to? Hairpin NAT doesn't work in iptables...
>>
>> --
>> Aubrey Wells
>> Senior Engineer
>> Shelton | Johns Technology Group
>> A Vyatta Ready Partner
>> www.sheltonjohns.com
>>
>>
>>
>>
>>
>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>
>>> I just connected and see the Apache 2 test page running on CentOS
>>>
>>> John
>>>
>>>
>>>
>>> Nathan McBride wrote:
>>>> First off I appreciate help from everyone, this is a nice change to
>>>> some mailing lists I'm used to.  Unfortunately, I am still having the
>>>> same problem.  I'm giving out real information, probably shouldn't,
>>>> but that's how frustrated I am.  I just get an unable to connect
>>>> error.  The firewalls are fine I promise.  I can see the page on
>>>> 192.168.0.105 from inside the lan, and I can see and use the webgui of
>>>> the router just fine.  Altho I did disable it of course since I want
>>>> the port forwarded.  In the ssh example sent to me which is below, I
>>>> notice that the addresses are just numbers where mine have "" around
>>>> them.  Does this matter?  Can anyone please give any suggestions?
>>>>
>>>> Thanks a lot,
>>>> Nate
>>>>
>>>> My domain is:
>>>> www.nombyte.com
>>>>
>>>> The IP is:
>>>> 71.62.193.105
>>>>
>>>> Full Nat is:
>>>>
>>>> nat {
>>>>     rule 1 {
>>>>         type: "destination"
>>>>         inbound-interface: "eth0"
>>>>         protocols: "tcp"
>>>>         source {
>>>>             network: "0.0.0.0/0"
>>>>         }
>>>>         destination {
>>>>             address: "71.62.193.105"
>>>>             port-name http
>>>>         }
>>>>         inside-address {
>>>>             address: 192.168.0.105
>>>>         }
>>>>     }
>>>>     rule 2 {
>>>>         type: "masquerade"
>>>>         outbound-interface: "eth0"
>>>>         protocols: "all"
>>>>         source {
>>>>             network: "192.168.0.0/24"
>>>>         }
>>>>         destination {
>>>>             network: "0.0.0.0/0"
>>>>         }
>>>>     }
>>>>     rule 3 {
>>>>         type: "masquerade"
>>>>         outbound-interface: "eth0"
>>>>         protocols: "all"
>>>>         source {
>>>>             network: "192.168.1.0/24"
>>>>         }
>>>>         destination {
>>>>             network: "0.0.0.0/0"
>>>>         }
>>>>     }
>>>>
>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>>>> Here's what I use to port-forward ssh; just adjust for address (where
>>>>> destination address is the public IP) and change it to http.
>>>>>
>>>>> rule 2 {
>>>>>     type: "destination"
>>>>>     inbound-interface: "eth0"
>>>>>     protocols: "tcp"
>>>>>     source {
>>>>>         network: 0.0.0.0/0
>>>>>     }
>>>>>     destination {
>>>>>         address: 1.2.3.4
>>>>>         port-name ssh
>>>>>     }
>>>>>     inside-address {
>>>>>         address: 10.0.0.30
>>>>>     }
>>>>> }
>>>>>
>>>>> Best,
>>>>> Justin
>>>>>
>>>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
>>>>>> Can someone please help me get this worked out?
>>>>>> Nate
>>>>>>
>>>>>>> Ok these are my nat rules now, I didn't see a command to change the rule
>>>>>>> numbers so I just redid them all by hand.  It still doesn't work.
>>>>>>>
>>>>>>> rule 1 {
>>>>>>>     type: "destination"
>>>>>>>     inbound-interface: "eth0"
>>>>>>>     protocols: "tcp"
>>>>>>>     destination {
>>>>>>>         address: "71.62.193.105"
>>>>>>>         port-name http
>>>>>>>     }
>>>>>>>     inside-address {
>>>>>>>         address: 192.168.0.105
>>>>>>>     }
>>>>>>> }
>>>>>>> rule 2 {
>>>>>>>     type: "masquerade"
>>>>>>>     outbound-interface: "eth0"
>>>>>>>     protocols: "all"
>>>>>>>     source {
>>>>>>>         network: "192.168.0.0/24"
>>>>>>>     }
>>>>>>>

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
Hmm, gotcha.  I guess that makes sense actually.
I'll see if I can't figure it out.

Nate

On Wed, 2008-01-30 at 08:49 +0530, Go Wow wrote:
> Nathan, I can even view it; from inside the LAN you cannot view it. If I
> remember correctly someone said when you try to enter the NAT'ted IP
> from inside the network the router doesn't know the address where it needs
> to forward your request. Now look, I'm not a networking guru and not
> even an iptables guru so I don't know why it happens, but if you would like to
> visit it from inside the LAN too then you need to add a couple more NAT
> rules, I guess. Someone may help you with additional rules.



Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Go Wow
Nathan, I can even view it; from inside the LAN you cannot view it. If I remember
correctly someone said when you try to enter the NAT'ted IP from inside the
network the router doesn't know the address where it needs to forward your
request. Now look, I'm not a networking guru and not even an iptables guru so I
don't know why it happens, but if you would like to visit it from inside the LAN
too then you need to add a couple more NAT rules, I guess. Someone may help you
with additional rules.


Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
John just told me he can get to the page too.
From inside the lan I am going to a browser and typing
www.nombyte.com.  And it doesn't work?

Nate

On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
> *shrug* same here
> 
> Are you trying to hit the natted address from inside the LAN that is
> being natted to? Hairpin NAT doesn't work in iptables...
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
> 
> 
> 
> 
> 
> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
> 
> > I just connected and see the Apache 2 test page running on CentOS
> >
> > John
> >
> >
> >
> > Nathan McBride wrote:
> >> First off I appreciate help from everyone, this is a nice change to  
> >> some
> >> mailing lists I'm used to.  Unfortunately, I am still having the same
> >> problem.  I'm giving out real information, probably shouldn't, but
> >> that's how frustrated I am.  I just get an unable to connect  
> >> error.  The
> >> firewalls are fine I promise.  I can see the page on 192.168.0.105  
> >> from
> >> inside the lan, and I can see and use the webgui of the router just
> >> fine.  Altho I did disable it of course since I want the port  
> >> forwarded.
> >> In the ssh example sent to me which is below, I notice that the  
> >> address
> >> are just numbers where mine have "" around them.  Does this  
> >> matter?  Can
> >> anyone please give any suggestions?
> >>
> >> Thanks alot,
> >> Nate
> >>
> >> My domain is:
> >> www.nombyte.com
> >>
> >> The IP is:
> >> 71.62.193.105
> >>
> >> Full Nat is:
> >>
> >> nat {
> >>rule 1 {
> >>type: "destination"
> >>inbound-interface: "eth0"
> >>protocols: "tcp"
> >>source {
> >>network: "0.0.0.0/0"
> >>}
> >>destination {
> >>address: "71.62.193.105"
> >>port-name http
> >>}
> >>inside-address {
> >>address: 192.168.0.105
> >>}
> >>}
> >>rule 2 {
> >>type: "masquerade"
> >>outbound-interface: "eth0"
> >>protocols: "all"
> >>source {
> >>network: "192.168.0.0/24"
> >>}
> >>destination {
> >>network: "0.0.0.0/0"
> >>}
> >>}
> >>rule 3 {
> >>type: "masquerade"
> >>outbound-interface: "eth0"
> >>protocols: "all"
> >>source {
> >>network: "192.168.1.0/24"
> >>}
> >>destination {
> >>network: "0.0.0.0/0"
> >>}
> >>}
> >>
> >>
> >>
> >>
> >> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
> >>> Here's what I use to port-forward ssh; just adjust for address  
> >>> (where
> >>> destination address is the public IP) and change it to http.
> >>>
> >>>rule 2 {
> >>>type: "destination"
> >>>inbound-interface: "eth0"
> >>>protocols: "tcp"
> >>>source {
> >>>network: 0.0.0.0/0
> >>>}
> >>>destination {
> >>>address: 1.2.3.4
> >>>port-name ssh
> >>>}
> >>>inside-address {
> >>>address: 10.0.0.30
> >>>}
> >>>}
> >>>
> >>> Best,
> >>> Justin
> >>>
> >>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> >>>> Can someone please help me get this worked out?
> >>>> Nate
> >>>>
> >>>>> Ok these are my nat rules now, I didn't see a command to change the rule
> >>>>> numbers so I just redid them all by hand.  It still doesn't work.
> >>>>>
> >>>>> rule 1 {
> >>>>>     type: "destination"
> >>>>>     inbound-interface: "eth0"
> >>>>>     protocols: "tcp"
> >>>>>     destination {
> >>>>>         address: "71.62.193.105"
> >>>>>         port-name http
> >>>>>     }
> >>>>>     inside-address {
> >>>>>         address: 192.168.0.105
> >>>>>     }
> >>>>> }
> >>>>> rule 2 {
> >>>>>     type: "masquerade"
> >>>>>     outbound-interface: "eth0"
> >>>>>     protocols: "all"
> >>>>>     source {
> >>>>>         network: "192.168.0.0/24"
> >>>>>     }
> >>>>>     destination {
> >>>>>         network: "0.0.0.0/0"
> >>>>>     }
> >>>>> }
> >>>>> rule 3 {
> >>>>>     type: "masquerade"
> >>>>>     outbound-interface: "eth0"
> >>>>>     protocols: "all"
> >>>>>     source {
> >>>>>         network: "192.168.1.0/24"
> >>>>>     }
> >>>>>     destination {
> >>>>>         network: "0.0.0.0/0"
> >>>>>     }
> >>>>> }
> >>>>>
> >>>>> Nate
> >>>>>
> >>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> >>>>>> Hi

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Go Wow
Yeah, I was about to say the same thing as Aubrey said. I had the same issue
when I was trying to access the NATted IP from inside the LAN; try to
access it from outside, from any IP.


Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Aubrey Wells
*shrug* same here

Are you trying to hit the natted address from inside the LAN that is
being natted to? Hairpin NAT doesn't work in iptables...

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com





On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:

> I just connected and see the Apache 2 test page running on CentOS
>
> John
>
>
>
> Nathan McBride wrote:
>> First off, I appreciate the help from everyone; this is a nice change from some
>> mailing lists I'm used to.  Unfortunately, I am still having the same
>> problem.  I'm giving out real information, probably shouldn't, but
>> that's how frustrated I am.  I just get an unable to connect error.  The
>> firewalls are fine, I promise.  I can see the page on 192.168.0.105 from
>> inside the LAN, and I can see and use the web GUI of the router just
>> fine.  Although I did disable it of course since I want the port forwarded.
>> In the ssh example sent to me which is below, I notice that the addresses
>> are just numbers where mine have "" around them.  Does this matter?  Can
>> anyone please give any suggestions?
>>
>> Thanks a lot,
>> Nate
>>
>> My domain is:
>> www.nombyte.com
>>
>> The IP is:
>> 71.62.193.105
>>
>> Full NAT is:
>>
>> nat {
>>     rule 1 {
>>         type: "destination"
>>         inbound-interface: "eth0"
>>         protocols: "tcp"
>>         source {
>>             network: "0.0.0.0/0"
>>         }
>>         destination {
>>             address: "71.62.193.105"
>>             port-name http
>>         }
>>         inside-address {
>>             address: 192.168.0.105
>>         }
>>     }
>>     rule 2 {
>>         type: "masquerade"
>>         outbound-interface: "eth0"
>>         protocols: "all"
>>         source {
>>             network: "192.168.0.0/24"
>>         }
>>         destination {
>>             network: "0.0.0.0/0"
>>         }
>>     }
>>     rule 3 {
>>         type: "masquerade"
>>         outbound-interface: "eth0"
>>         protocols: "all"
>>         source {
>>             network: "192.168.1.0/24"
>>         }
>>         destination {
>>             network: "0.0.0.0/0"
>>         }
>>     }
>>
>>
>>
>>
>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>> Here's what I use to port-forward ssh; just adjust for address (where
>>> destination address is the public IP) and change it to http.
>>>
>>>     rule 2 {
>>>         type: "destination"
>>>         inbound-interface: "eth0"
>>>         protocols: "tcp"
>>>         source {
>>>             network: 0.0.0.0/0
>>>         }
>>>         destination {
>>>             address: 1.2.3.4
>>>             port-name ssh
>>>         }
>>>         inside-address {
>>>             address: 10.0.0.30
>>>         }
>>>     }
>>>
>>> Best,
>>> Justin
>>>
>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
>>>> Can someone please help me get this worked out?
>>>> Nate
>>>>
>>>>
>>>>> Ok these are my NAT rules now, I didn't see a command to change the rule
>>>>> numbers so I just redid them all by hand.  It still doesn't work.
>>>>>
>>>>>     rule 1 {
>>>>>         type: "destination"
>>>>>         inbound-interface: "eth0"
>>>>>         protocols: "tcp"
>>>>>         destination {
>>>>>             address: "71.62.193.105"
>>>>>             port-name http
>>>>>         }
>>>>>         inside-address {
>>>>>             address: 192.168.0.105
>>>>>         }
>>>>>     }
>>>>>     rule 2 {
>>>>>         type: "masquerade"
>>>>>         outbound-interface: "eth0"
>>>>>         protocols: "all"
>>>>>         source {
>>>>>             network: "192.168.0.0/24"
>>>>>         }
>>>>>         destination {
>>>>>             network: "0.0.0.0/0"
>>>>>         }
>>>>>     }
>>>>>     rule 3 {
>>>>>         type: "masquerade"
>>>>>         outbound-interface: "eth0"
>>>>>         protocols: "all"
>>>>>         source {
>>>>>             network: "192.168.1.0/24"
>>>>>         }
>>>>>         destination {
>>>>>             network: "0.0.0.0/0"
>>>>>         }
>>>>>     }
>>>>>
>>>>> Nate
>>>>>
>>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>>>>>> Hi Nate,
>>>>>>
>>>>>> The "inside-address" is the internal (private) IP address of
>>>>>> your Web server, which in your case is 192.168.0.105. The "destination
>>>>>> address" should actually be the public IP address that outside clients
>>>>>> will use to access your server, so usually this is the public IP address
>>>>>> of your router.
>>>>>> An-Cheng
>>>>>>
>>>>>> Nathan McBride wrote:
>>>>>>> I went and looked at the old docs.  I thought I set them up correctly
>>>>>>> but apparently I didn't.  All I'm trying to do is to get p

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread John Mason Jr
I just connected and see the Apache 2 test page running on CentOS

John



Nathan McBride wrote:
> First off, I appreciate the help from everyone; this is a nice change from some
> mailing lists I'm used to.  Unfortunately, I am still having the same
> problem.  I'm giving out real information, probably shouldn't, but
> that's how frustrated I am.  I just get an unable to connect error.  The
> firewalls are fine, I promise.  I can see the page on 192.168.0.105 from
> inside the LAN, and I can see and use the web GUI of the router just
> fine.  Although I did disable it of course since I want the port forwarded.
> In the ssh example sent to me which is below, I notice that the addresses
> are just numbers where mine have "" around them.  Does this matter?  Can
> anyone please give any suggestions?
>
> Thanks a lot,
> Nate
>
> My domain is:
> www.nombyte.com
>
> The IP is:
> 71.62.193.105
>
> Full NAT is:
>
> nat {
>     rule 1 {
>         type: "destination"
>         inbound-interface: "eth0"
>         protocols: "tcp"
>         source {
>             network: "0.0.0.0/0"
>         }
>         destination {
>             address: "71.62.193.105"
>             port-name http
>         }
>         inside-address {
>             address: 192.168.0.105
>         }
>     }
>     rule 2 {
>         type: "masquerade"
>         outbound-interface: "eth0"
>         protocols: "all"
>         source {
>             network: "192.168.0.0/24"
>         }
>         destination {
>             network: "0.0.0.0/0"
>         }
>     }
>     rule 3 {
>         type: "masquerade"
>         outbound-interface: "eth0"
>         protocols: "all"
>         source {
>             network: "192.168.1.0/24"
>         }
>         destination {
>             network: "0.0.0.0/0"
>         }
>     }
> 
> 
> 
> 
> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>> Here's what I use to port-forward ssh; just adjust for address (where
>> destination address is the public IP) and change it to http.
>>
>>     rule 2 {
>>         type: "destination"
>>         inbound-interface: "eth0"
>>         protocols: "tcp"
>>         source {
>>             network: 0.0.0.0/0
>>         }
>>         destination {
>>             address: 1.2.3.4
>>             port-name ssh
>>         }
>>         inside-address {
>>             address: 10.0.0.30
>>         }
>>     }
>>
>> Best,
>> Justin
>>
>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
>>> Can someone please help me get this worked out?
>>> Nate
>>>
>>>
>>>> Ok these are my NAT rules now, I didn't see a command to change the rule
>>>> numbers so I just redid them all by hand.  It still doesn't work.
>>>>
>>>>     rule 1 {
>>>>         type: "destination"
>>>>         inbound-interface: "eth0"
>>>>         protocols: "tcp"
>>>>         destination {
>>>>             address: "71.62.193.105"
>>>>             port-name http
>>>>         }
>>>>         inside-address {
>>>>             address: 192.168.0.105
>>>>         }
>>>>     }
>>>>     rule 2 {
>>>>         type: "masquerade"
>>>>         outbound-interface: "eth0"
>>>>         protocols: "all"
>>>>         source {
>>>>             network: "192.168.0.0/24"
>>>>         }
>>>>         destination {
>>>>             network: "0.0.0.0/0"
>>>>         }
>>>>     }
>>>>     rule 3 {
>>>>         type: "masquerade"
>>>>         outbound-interface: "eth0"
>>>>         protocols: "all"
>>>>         source {
>>>>             network: "192.168.1.0/24"
>>>>         }
>>>>         destination {
>>>>             network: "0.0.0.0/0"
>>>>         }
>>>>     }
>>>>
>>>> Nate
>>>>
>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>>>>> Hi Nate,
>>>>>
>>>>> The "inside-address" is the internal (private) IP address of
>>>>> your Web server, which in your case is 192.168.0.105. The "destination
>>>>> address" should actually be the public IP address that outside clients
>>>>> will use to access your server, so usually this is the public IP address
>>>>> of your router.
>>>>> An-Cheng
>>>>>
>>>>> Nathan McBride wrote:
>>>>>> I went and looked at the old docs.  I thought I set them up correctly
>>>>>> but apparently I didn't.  All I'm trying to do is to get people on the
>>>>>> internet to view the website on my comp (192.168.0.105).  The only
>>>>>> difference that I noticed when I tried to commit the example in the old
>>>>>> docs was that VC3 requires an 'inside-address'.  Could someone please
>>>>>> help me correct this to get it working?
>>>>>>
>>>>>>     rule 3 {
>>>>>>         type: "destination"
>>>>>>         inbound-interface: "eth0"
>>>>>>         protocols: "tcp"
>>>>>>
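
The two mistakes that recur through this thread, a destination-NAT rule whose "destination address" is the server's private IP (the rule An-Cheng corrects above) and the hairpin case Aubrey describes (a LAN host using the public address of a server on its own LAN), can both be caught by reading the NAT block before committing it. The linter below is an added example, not code from the thread or from Vyatta. It assumes only the VC3-era config syntax quoted in these messages, and its sample config is constructed from Nathan's posted rules 1 and 2 plus a "rule 4" that reproduces his earlier rule with the private destination address.

```python
# Added example: lint Vyatta VC3-style NAT rules for the two pitfalls in this
# thread. Not code from the thread or from Vyatta; it assumes only the
# "nat { rule N { ... } }" syntax quoted in the messages.
import ipaddress

# Constructed sample: Nathan's posted rules 1 and 2, plus a "rule 4" that
# repeats his earlier mistake of using the server's private address as the
# DNAT destination (the rule An-Cheng corrected).
SAMPLE_CONFIG = """
nat {
    rule 1 {
        type: "destination"
        inbound-interface: "eth0"
        protocols: "tcp"
        source {
            network: "0.0.0.0/0"
        }
        destination {
            address: "71.62.193.105"
            port-name http
        }
        inside-address {
            address: 192.168.0.105
        }
    }
    rule 2 {
        type: "masquerade"
        outbound-interface: "eth0"
        protocols: "all"
        source {
            network: "192.168.0.0/24"
        }
        destination {
            network: "0.0.0.0/0"
        }
    }
    rule 4 {
        type: "destination"
        inbound-interface: "eth0"
        protocols: "tcp"
        destination {
            address: "192.168.0.105"
            port-name http
        }
        inside-address {
            address: 192.168.0.105
        }
    }
}
"""


def parse_block(lines, i=0):
    """Parse 'name { ... }' config text into nested dicts; returns (node, next_index).
    Leaves are 'key: value' or 'key value' (e.g. 'port-name http'); quotes are stripped."""
    node = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if line == "}":
            return node, i
        if line.endswith("{"):
            node[line[:-1].strip()], i = parse_block(lines, i)
            continue
        key, _, value = line.partition(":" if ":" in line else " ")
        node[key.strip()] = value.strip().strip('"')
    return node, i


def lint_nat(config_text):
    """Return (rule, kind, message) findings for the destination-NAT rules."""
    tree, _ = parse_block(config_text.splitlines())
    rules = tree.get("nat", {})
    # LANs that leave via masquerade: a host there using the public address of
    # a server on its own LAN is the hairpin case the thread describes.
    masq_nets = [ipaddress.ip_network(r["source"]["network"]) for r in rules.values()
                 if r.get("type") == "masquerade" and "source" in r]
    findings = []
    for name, rule in rules.items():
        if rule.get("type") != "destination":
            continue
        dst = rule.get("destination", {}).get("address")
        inside = rule.get("inside-address", {}).get("address")
        if not dst or not inside:
            findings.append((name, "incomplete",
                             "destination address and inside-address are both required"))
            continue
        if ipaddress.ip_address(dst).is_private:
            findings.append((name, "private-destination",
                             f"destination address {dst} is private; it must be the public "
                             f"address clients connect to, with {inside} as the inside-address"))
        for net in masq_nets:
            if ipaddress.ip_address(inside) in net:
                findings.append((name, "hairpin",
                                 f"hosts in {net} using {dst} would hairpin through the router; "
                                 f"give them an internal DNS record pointing at {inside}"))
    return findings


if __name__ == "__main__":
    for rule, kind, msg in lint_nat(SAMPLE_CONFIG):
        print(f"{rule}: [{kind}] {msg}")
```

Run as a script it reports one hairpin finding for rule 1 and both a private-destination and a hairpin finding for rule 4. The hairpin finding is informational rather than a config fix: as the thread says, the router will not reflect such connections, so the remedy is the internal DNS entry pointing at the server's LAN address.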

[Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
First off, I appreciate the help from everyone; this is a nice change from some
mailing lists I'm used to.  Unfortunately, I am still having the same
problem.  I'm giving out real information, probably shouldn't, but
that's how frustrated I am.  I just get an unable to connect error.  The
firewalls are fine, I promise.  I can see the page on 192.168.0.105 from
inside the LAN, and I can see and use the web GUI of the router just
fine.  Although I did disable it of course since I want the port forwarded.
In the ssh example sent to me which is below, I notice that the addresses
are just numbers where mine have "" around them.  Does this matter?  Can
anyone please give any suggestions?

Thanks a lot,
Nate

My domain is:
www.nombyte.com

The IP is:
71.62.193.105

Full NAT is:

nat {
    rule 1 {
        type: "destination"
        inbound-interface: "eth0"
        protocols: "tcp"
        source {
            network: "0.0.0.0/0"
        }
        destination {
            address: "71.62.193.105"
            port-name http
        }
        inside-address {
            address: 192.168.0.105
        }
    }
    rule 2 {
        type: "masquerade"
        outbound-interface: "eth0"
        protocols: "all"
        source {
            network: "192.168.0.0/24"
        }
        destination {
            network: "0.0.0.0/0"
        }
    }
    rule 3 {
        type: "masquerade"
        outbound-interface: "eth0"
        protocols: "all"
        source {
            network: "192.168.1.0/24"
        }
        destination {
            network: "0.0.0.0/0"
        }
    }




On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
> Here's what I use to port-forward ssh; just adjust for address (where
> destination address is the public IP) and change it to http.
>
>     rule 2 {
>         type: "destination"
>         inbound-interface: "eth0"
>         protocols: "tcp"
>         source {
>             network: 0.0.0.0/0
>         }
>         destination {
>             address: 1.2.3.4
>             port-name ssh
>         }
>         inside-address {
>             address: 10.0.0.30
>         }
>     }
> 
> Best,
> Justin
> 
> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> > Can someone please help me get this worked out?
> > Nate
> >
> >
> > > Ok these are my NAT rules now, I didn't see a command to change the rule
> > > numbers so I just redid them all by hand.  It still doesn't work.
> > >
> > >     rule 1 {
> > >         type: "destination"
> > >         inbound-interface: "eth0"
> > >         protocols: "tcp"
> > >         destination {
> > >             address: "71.62.193.105"
> > >             port-name http
> > >         }
> > >         inside-address {
> > >             address: 192.168.0.105
> > >         }
> > >     }
> > >     rule 2 {
> > >         type: "masquerade"
> > >         outbound-interface: "eth0"
> > >         protocols: "all"
> > >         source {
> > >             network: "192.168.0.0/24"
> > >         }
> > >         destination {
> > >             network: "0.0.0.0/0"
> > >         }
> > >     }
> > >     rule 3 {
> > >         type: "masquerade"
> > >         outbound-interface: "eth0"
> > >         protocols: "all"
> > >         source {
> > >             network: "192.168.1.0/24"
> > >         }
> > >         destination {
> > >             network: "0.0.0.0/0"
> > >         }
> > >     }
> > >
> > > Nate
> > >
> > > On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> > > > Hi Nate,
> > > >
> > > > The "inside-address" is the internal (private) IP address of
> > > > your Web server, which in your case is 192.168.0.105. The "destination
> > > > address" should actually be the public IP address that outside clients
> > > > will use to access your server, so usually this is the public IP address
> > > > of your router.
> > > >
> > > > An-Cheng
> > > >
> > > > Nathan McBride wrote:
> > > > > I went and looked at the old docs.  I thought I set them up correctly
> > > > > but apparently I didn't.  All I'm trying to do is to get people on the
> > > > > internet to view the website on my comp (192.168.0.105).  The only
> > > > > difference that I noticed when I tried to commit the example in the old
> > > > > docs was that VC3 requires an 'inside-address'.  Could someone please
> > > > > help me correct this to get it working?
> > > > >
> > > > >     rule 3 {
> > > > >         type: "destination"
> > > > >         inbound-interface: "eth0"
> > > > >         protocols: "tcp"
> > > > >         destination {
> > > > >             address: "192.168.0.105"
> > > > >             port-name http
> > > > >         }
> > > > >         inside-address {
> > > > >