# Problem connecting to server using external address



## neal (Oct 10, 2012)

Hi.

I've created myself a new firewall using IPFW and with PPP doing the NATing. I have a server on a dedicated DMZ LAN which is accessible from outside by the use of nat port commands in ppp.conf.

I can access the server from outside successfully and from inside using the internal IP address, but I am not able to access the server from my own network using the external IP address.

I was wondering if anyone has any idea if there is anything special I need to do to allow this to work. I can see there is a route to the external IP address on lo0, but nothing gets there.

Thanks,

Neal.


----------



## Morte (Oct 10, 2012)

Due to the nature of network address translation, you have to use the internal address to access internal machines.

What exactly are you trying to do?

(related: http://forums.freebsd.org/showthread.php?t=29997)


----------



## neal (Oct 11, 2012)

I'm just trying to access my internal mail server and the like. It works perfectly outside and from inside I can use my internal addresses. It wouldn't be a problem except that when my phone is using my wireless network it can't get any mail, which is less than optimal.

I think I know the nature of the problem after some overnight pondering.

On the firewall, there is a route to the external address which is on the lo0 interface, so quite logically it bounces the packets back to itself. The problem with that is that NAT and the associated redirecting are done by PPP, so they happen outside of the firewall. When the local packets come in, they end up back at the firewall, which rejects them, as only the server allows packets of that kind.

I think what I need to do is get the firewall to redirect any internal packets going to the external address to the server that can handle them. From what I can see looking at the IPFW man page there is a forward directive. What worries me is that it says that "the destination address remains unmodified, so packets forwarded to another system will usually be rejected by that system unless there is a matching rule on that system to capture them.".

I will have to recompile my kernel to allow this unfortunately as it needs the IPFIREWALL_FORWARD option, which I don't think is in the kernel module.


----------
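The kind of redirect the previous post is looking for, as an added example that is not from the thread or from FreeBSD's own documentation. It uses in-kernel `ipfw nat` (the `ipfw_nat` module) instead of `fwd`, because `fwd` only changes the next hop: the DMZ server would still receive packets addressed to the external IP and drop them, exactly as the quoted man page warns. The interface names, addresses, ports, rule numbers and tag value are assumptions; the rules must sit before any rule in the existing set that would otherwise accept the same traffic, and ppp's own NAT on the outside link is left untouched because nothing here matches `tun0`.

```shell
#!/bin/sh
# Hairpin (NAT reflection) for LAN clients that reach a DMZ server through
# the external address while the outside NAT is done by ppp(8).
#
# Added example; not from the thread. The interface names, addresses,
# rule numbers and tag value are assumptions for illustration:
#   tun0  ppp link, external address $EXT (ppp.conf NATs the outside)
#   em0   inside LAN 192.168.1.0/24
#   em1   DMZ 10.0.0.0/24, firewall is $DMZ_GW, mail server is $MAIL
#
# Why not "fwd": it only changes the next hop and leaves the destination
# address as $EXT, which the server does not own, so the server drops the
# packet. In-kernel ipfw nat rewrites the addresses in both directions.

EXT=203.0.113.10
LAN_IF=em0; LAN_NET=192.168.1.0/24
DMZ_IF=em1; DMZ_GW=10.0.0.1; MAIL=10.0.0.25
PORTS="25 143 587 993"
TAG=7        # marks packets that belong to a hairpinned connection

# Dry run by default: print the commands. Run with IPFW=ipfw to apply.
IPFW=${IPFW:-"echo ipfw"}

# One redirect_port clause per published port.
redirects() {
    for p in $PORTS; do
        printf 'redirect_port tcp %s:%s %s ' "$MAIL" "$p" "$p"
    done
}

# Print the rule set without the leading "ipfw", for inspection or apply.
hairpin_rules() {
    # nat 2: alias address is the external IP, so LAN->EXT:port is mapped
    # to the server (in) and the reply's source mapped back to EXT (out).
    printf 'nat 2 config ip %s %s\n' "$EXT" "$(redirects)"
    # nat 3: source-NAT the hairpinned packets to the firewall's DMZ address
    # so the server's replies come back to the firewall and can be told
    # apart from replies to clients that used the internal address.
    printf 'nat 3 config ip %s\n' "$DMZ_GW"

    # 1. LAN host -> EXT arrives on the LAN side: rewrite dst to the server
    #    and tag the packet so the SNAT rule below recognises it.
    printf 'add 1000 nat 2 tag %s ip from %s to %s in via %s\n' \
        "$TAG" "$LAN_NET" "$EXT" "$LAN_IF"
    # 2. Same packet leaving on the DMZ side: rewrite src to $DMZ_GW.
    printf 'add 1001 nat 3 ip from %s to %s out via %s tagged %s\n' \
        "$LAN_NET" "$MAIL" "$DMZ_IF" "$TAG"
    # 3. Server reply arrives on the DMZ side addressed to $DMZ_GW: undo the
    #    SNAT (dst back to the LAN host) and tag it.
    printf 'add 1002 nat 3 tag %s ip from %s to %s in via %s\n' \
        "$TAG" "$MAIL" "$DMZ_GW" "$DMZ_IF"
    # 4. Reply leaving on the LAN side: undo the redirect (src back to EXT).
    #    Untagged server->LAN traffic (direct use of the internal address)
    #    is left alone.
    printf 'add 1003 nat 2 ip from %s to %s out via %s tagged %s\n' \
        "$MAIL" "$LAN_NET" "$LAN_IF" "$TAG"
}

apply_rules() {
    # In-kernel NAT lives in the ipfw_nat module; load it only when really
    # applying, not in the dry run.
    if [ "$IPFW" = ipfw ]; then
        kldstat -q -m ipfw_nat || kldload ipfw_nat
    fi
    hairpin_rules | while read -r rule; do
        $IPFW $rule
    done
}

apply_rules
```

The source NAT in step 2 is what makes the server's replies distinguishable: they come back addressed to the firewall's DMZ address, so traffic between the server and LAN hosts that used the internal address directly is never rewritten. Run the script as-is to see the commands, or `IPFW=ipfw sh hairpin.sh` as root to load them. If the phone resolves the mail server by name, answering with the internal address from the LAN's own resolver is a simpler fix that needs no NAT at all.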

