Operating System - HP-UX
SOLVED
bob smith_6
Advisor

I can't surf to my own domain name inside the LAN

I have a new router that replaced my gateway (2 nic) machine. The router is given a real ip address of '11.22.33.44' and uses NAT to route any port 80 requests to a webserver (inside the LAN) at 192.168.254.133:80 (DHCP'd by the router). Also, FTP is routed there. From anywhere on the internet, I can hit http://11.22.33.44:80 and ftp://11.22.33.44:21 or http://www.xyz.com and ftp://www.xyz.com. From INSIDE the lan, I can NOT! All other addresses work from inside, i.e. http://yahoo.com etc. I've tried resetting and rebooting the router, changing it to use 10.0.0.x instead of 192.168.254.x, but nothing has worked. Any ideas?

The router is a speed stream 2614 (http://www.speedstream.com/datasheet_2614.html). Before I replaced the gateway with the router, all worked fine. Speedstream tech support was no help.

If I ping www.xyz.com from inside the lan, it actually does get 11.22.33.44 from the DNS and the ping works. Also, surfing inside directly to http://192.168.254.133 works.

Also, I'm not sure how this could be related (because I can surf from the internet to www.xyz.com and my machine serves up the pages just fine through the router), but I'm using www.zoneedit.com for the DNS entry.

Any ideas??
Bob
John Bolene
Honored Contributor

Re: I can't surf to my own domain name inside the LAN

Welcome to the wonderful world of networking.

When you had a hub, your IP's were all the same and reachable inside and out of the firewall.

Now that you have NAT and 192.168 IP's, they are not routable outside the NAT/firewall, that is why they give more security.

Inside the NAT, you have to use the 192.168 IP's to get to your inside devices, outside you can use the main IP that is translated and forwarded thru the NAT to get to the inside 192.168 IP's.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Ron Kinner
Honored Contributor

Re: I can't surf to my own domain name inside the LAN

John is correct. You can't really get there from here anymore without using the inside LAN address. When you set up NAT you identify one interface as INSIDE and one as OUTSIDE. Packets going from INSIDE to OUTSIDE or vice versa will undergo the NAT process. Packets which go from INSIDE to INSIDE or from an unmarked interface to INSIDE do not get touched. Ditto for any packets which are sourced on the same LAN as the server.

When you do a ping the router is the one that answers since your NAT only works for ftp or http traffic.

I'd have the router guy assign a permanent 192 address to the server to make life easier.

Depending on how many machines are involved you may want to then just put an entry in your host file and change the order of the search so it checks there first. Alternatively run an inside DNS which knows the internal address for the server and point your inside PCs toward the inside DNS first.

Ron
bob smith_6
Advisor

Re: I can't surf to my own domain name inside the LAN

I'm still not clear why this is not working. Before I had the router, I had a gateway with 2 nic.. one side had the real IP, the other side connected to my hub and also DHCP'd the machines on my LAN and provided NAT (or whatever Sygate firewall does). When I would hit http://www.xyz.com from inside, the page would be served, np. I don't understand why the router would stop this. I mean, the browser hits DNS to get the IP, then it reworks the request as IP:80. WORST case (best?) would be the router would wake up and say "Oh, that's me.. port 80, and fish it back through to my local ws" BEST (worst?) case would be it would hit my provider with that IP request and they'd eventually send it back down to me. At least that's my understanding... and hell, it worked with the 2-nic machine. AND, ping does all this, doesn't it? It HAS to hit the DNS to get the real world IP, then either the router grabs the request and answers, or it sends it on to my provider.

The problem I'm faced with is... this POS router stops working for some services (80 and 21 stop. SSH on 22 works all the time :o/ ) and I'd like to see from inside when the router stops forwarding port 80's. Obviously I need to get a different router, but then I'd also like to understand if/why this problem (as described in my first post) will continue with any router...

BTW, I do have the ws set at a static IP inside... I don't think I can route requests to it with this router if it wasn't static.

Thanks for your replies!
Bob
Ron Kinner
Honored Contributor
Solution

Re: I can't surf to my own domain name inside the LAN

When you do a ping xyz.com you first ask the DNS for the IP address of xyz.com. You get the 11.22.33.44 address back then you send the ping to 11.22.33.44. 11.22.33.44 is an outside address so you have to send it to the gateway to get out. However, since the address actually lives on the router AND the router is listening for ICMP the router accepts your echo request and sends you back the echo reply.

When you try to go to xyz.com port 80 or 21 the exact same thing happens except that the router is not listening on port 80 or port 21 as it is not running an http or ftp server so it does not respond and since you are not coming in from the outside NAT is not activated so the packet cannot be sent anywhere else.

This is how NAT always works. If you are on the inside you have to use the inside address to talk to the server. Your outside DNS is giving you the outside address which does not help you at all.

However, for the purpose of testing the NAT translation (as you mentioned in your other post - by the way - it is counterproductive to keep opening new posts. Better to reply to this one to keep it at the top of the list.) it wouldn't help even if you did have the inside address. You could get to the server OK and prove whether it was working but you still wouldn't know whether NAT was working. You have to really be on the outside to test that. Set up a cheap PC with a dialup to an ISP and use that to test with.

Are you sure the problem is with the router? Sometimes you can get so many connections stuck in FIN_WAIT_2 that nothing else can get through. Next time your problem happens look at the server: netstat -an |grep FIN_WAIT_2 and see how many connections you have stuck.

Can't help you with a Datastream router. I am fluent in Cisco and can get by in 3Com but never even met a Datastream before.

Ron

PS The guys on this forum work for points so if you assign a few points to the replies as they come in, even if they don't solve your problem, you will have a better chance of attracting replies.
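Added example, not part of the thread and not the router's own logic: a small Python model of the packet handling Ron describes in the accepted answer (port forwards apply only to packets arriving on the OUTSIDE interface; a LAN packet addressed to the router's public IP reaches the router itself, which answers ICMP but has nothing listening on 80/21; inside-to-inside traffic never touches NAT), together with the split-horizon resolution he suggested in his first reply (an inside DNS or hosts file entry that hands LAN clients the server's LAN address). The public and server addresses are the placeholders used in the thread; the LAN client 192.168.254.10, the internet client 203.0.113.7 and the outbound destination 198.51.100.5 are constructed.

```python
"""Model of a NAT router WITHOUT hairpin (loopback) NAT, as described in the thread,
plus a split-horizon resolver showing why an inside DNS fixes the symptom.
Addresses are placeholders from the thread or constructed for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.254.0/24")        # inside network
PUBLIC_IP = ip_address("11.22.33.44")       # router's outside address (thread placeholder)
SERVER_IP = ip_address("192.168.254.133")   # web/ftp server on the LAN (thread placeholder)

# Port forwards: consulted only for packets arriving on the OUTSIDE interface.
FORWARDS = {
    ("tcp", 80): (SERVER_IP, 80),
    ("tcp", 21): (SERVER_IP, 21),
}

# What the router itself answers: ICMP echo, but no http/ftp daemon.
ROUTER_LISTENS = {("icmp", None)}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                    # "tcp" or "icmp"
    dport: Optional[int] = None   # None for icmp


def ingress_interface(pkt: Packet) -> str:
    """The interface a packet arrives on is decided by its source address."""
    return "inside" if pkt.src in LAN else "outside"


def route(pkt: Packet) -> str:
    """Return what the router does with pkt."""
    if pkt.dst in LAN:
        # Inside-to-inside traffic is switched on the LAN; NAT never sees it.
        return "lan-direct"
    if pkt.dst == PUBLIC_IP:
        key = (pkt.proto, pkt.dport)
        if ingress_interface(pkt) == "outside" and key in FORWARDS:
            ip, port = FORWARDS[key]
            return f"dnat:{ip}:{port}"        # forwarded to the inside server
        if key in ROUTER_LISTENS:
            return "router-replies"           # e.g. ICMP echo reply from the router
        # Destination is the router itself, nothing is listening, and because the
        # packet did not arrive from OUTSIDE the port forward is never applied.
        return "router-no-service"
    # Ordinary outbound traffic: source-translated to PUBLIC_IP and sent upstream.
    return "forward-upstream"


def send(src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Build a packet from dotted-quad strings and run it through the router."""
    return route(Packet(ip_address(src), ip_address(dst), proto, dport))


# Split-horizon zone data: one public answer, one inside answer per name.
ZONE = {"www.xyz.com": {"public": PUBLIC_IP, "inside": SERVER_IP}}


def resolve(name: str, client: IPv4Address, split_horizon: bool) -> IPv4Address:
    """The outside DNS (zoneedit in the thread) always returns the public IP.
    An inside DNS, or a hosts-file entry on each LAN PC, returns the LAN address."""
    rec = ZONE[name]
    if split_horizon and client in LAN:
        return rec["inside"]
    return rec["public"]


def browse(client: str, name: str, split_horizon: bool) -> str:
    """Resolve name as the client would, then send a TCP/80 SYN and see what happens."""
    src = ip_address(client)
    return route(Packet(src, resolve(name, src, split_horizon), "tcp", 80))


def ping(client: str, name: str) -> str:
    """ICMP echo to the name as resolved by the outside DNS."""
    src = ip_address(client)
    return route(Packet(src, resolve(name, src, False), "icmp"))


if __name__ == "__main__":
    lan_pc, remote = "192.168.254.10", "203.0.113.7"   # constructed clients
    print("ping from LAN:        ", ping(lan_pc, "www.xyz.com"))
    print("http from LAN:        ", browse(lan_pc, "www.xyz.com", False))
    print("http from LAN, inside DNS:", browse(lan_pc, "www.xyz.com", True))
    print("http from internet:   ", browse(remote, "www.xyz.com", False))
```

Running it reproduces the thread's symptoms: the LAN ping gets a reply from the router, the LAN http request to the public address gets no answer, the same request from the internet is forwarded to the server, and once the LAN client resolves the name to 192.168.254.133 the request goes straight to the server without involving NAT at all.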