  1. #1
    mickwish
    Guest

    Resolving DNS through IPCop firewall/proxy

     
    Ok, this is really driving me nuts, now!!

    It must be something simple I'm missing, surely!

    I know I don't understand enough stuff about how you resolve domainnames, but I thought I had a vague enough idea...

    Here's my setup. I run IPCop (linux distro) as a firewall / router for my cable connection. IPCop has 3 NICs in it - GREEN (192.168.0.1) goes to hub for LAN; RED goes to cable modem and resolves to ISP's allocated IP; and ORANGE goes to a DMZ for my web/mail/FTP server (192.168.1.1). Now, IPCop doesn't let anything from ORANGE get to GREEN, so the web traffic to the webserver is blocked out of the LAN. But GREEN traffic can go to ORANGE OK. That's the basics.

    Almost everything works fine. IPCop is set as a DNS, but not DHCP: all IPs are manually set. I can get on the web fine in both GREEN and ORANGE boxes; I can resolve webpages by IP or URL fine....

    EXCEPT.... I can't resolve my own domain name from my ORANGE webserver on my GREEN LAN!

    I can access mail from the ORANGE server (by IP) on GREEN, and I can access server webpages and FTP by IP - but not by URL.

    The normally helpful folk on the IPCop list told me to put the domain name in the hosts file of the windows machine on GREEN, so I did. No better. They also suggested I put the domainname in IPCop's hosts file, so I did that too, as well as in the ORANGE server's hosts file (all machines except IPCop are running winXP Pro). Didn't help.

    So, can anyone help me, please?

    Thanks
    Mick the frustrated

  2. #2
    DVNT1 (addicted)
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    6,103
    Actually that doesn't sound very odd for many NAT devices. I'm not sure what to expect from IPCOP though.

    From a green LAN client, I suspect you can resolve your Internet host name but just not do the NAT from internal to internal. So normally, you would create a host file with your FQDN that points to the internal IP address of the server you want to access.

    If this is what you did, next step is to ping that FQDN to see what it resolves to.

  3. #3
    mickwish
    Guest
    A nslookup from GREEN gives me this:

    H:\>nslookup www.mickwish.is-a-geek.com
    Server: ipcop
    Address: 192.168.0.1

    Non-authoritative answer:
    Name: www.mickwish.is-a-geek.com
    Address: 192.168.1.2

    That should be fine, as 192.168.0.1 is IPCop, which is my DNS server, and 192.168.1.2 is the ORANGE server.

    Pings fine too, from GREEN:

    H:\>ping www.mickwish.is-a-geek.com

    Pinging www.mickwish.is-a-geek.com [192.168.1.2] with 32 bytes of data:

    Reply from 192.168.1.2: bytes=32 time=12ms TTL=127
    Reply from 192.168.1.2: bytes=32 time=2ms TTL=127
    Reply from 192.168.1.2: bytes=32 time=2ms TTL=127
    Reply from 192.168.1.2: bytes=32 time=2ms TTL=127

    Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 12ms, Average = 4ms

    Any other thoughts?

    Thanks for your help
    Mick

  4. #4
    DVNT1 (addicted)
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    6,103
    EXCEPT.... I can't resolve my own domain name from my ORANGE webserver on my GREEN LAN!

    I can access mail from the ORANGE server (by IP) on GREEN, and I can access server webpages and FTP by IP - but not by URL
    Keep in mind I'm mentally burnt out tonight from IPSEC problems; but right now I don't understand what exactly is the problem...especially the part "ORANGE webserver on my GREEN LAN". Could you state it a different way because I thought the "orange webserver" was on the Orange interface and not the Green interface (aka Green LAN).

  5. #5
    mickwish
    Guest
    OK. Sorry if I'm confusing. What I can't do is view webpages by URL that are served from the ORANGE (DMZ) webserver in a browser on a PC on the LAN that is connected to the GREEN NIC in IPCop. I can see the pages if I use the IP, but not the URL.

    [Bear in mind that no traffic is allowed from ORANGE NIC to GREEN NIC by IPCop rules.]

    Does that make sense?

    Thanks
    Mick

  6. #6
    Siliconjunkie (Did you try Google yet?)
    Join Date
    Feb 2003
    Location
    Buckhannon, WV
    Posts
    3,468
    In IPCop are there any rules regarding traffic from Orange to Green? It sounds like something is blocking 80. Is there a proxy involved?
    My computer is bigger than yours!

  7. #7
    mickwish
    Guest
    IPCop is set up as a web proxy. All PC's have IPCop set as default gateway.

    Yes, there are rules about no traffic allowed from ORANGE to GREEN, but traffic is allowed from GREEN to ORANGE.

    What I want is for the webpages served on ORANGE to be seen via the RED (cable modem) NIC by URL.

    Thought: If the RED NIC is set for the ISP's allocated IP, then should I put a hosts entry on IPCop that links the RED IP with the fqdn?? At the moment the hosts file on IPCop links the ORANGE webserver IP with the fqdn.

    Maybe that's what I did wrong? can't test it until I get home tonight, though. Can't even SSH into IPCop from work - all the ports are blocked, and I haven't got a tunnel set up.

    What do you think?

    Thanks
    Mick

    edit: fixed up a messy bit

  8. #8
    Siliconjunkie (Did you try Google yet?)
    Join Date
    Feb 2003
    Location
    Buckhannon, WV
    Posts
    3,468
    NAT has problems with going out and right back in. Tends to confuse it. I would bet that's the problem you are having. But if you are proxying via IPCop and it knows the Orange address of the web server it should be able to retrieve the page. Is it possible that you have your browser set to not use the proxy for local addresses?
    My computer is bigger than yours!

  9. #9
    mickwish
    Guest
    That's a new thought, but since the browser isn't "set" to use a proxy address in IE, I doubt it. IPCop caches webpages (ie is a web proxy), but is not listed as a proxy server in IE.

    But it's a new line of thought, and I'll check that tonight.

    Thanks for the idea!

    Cheers
    Mick

  10. #10
    Siliconjunkie (Did you try Google yet?)
    Join Date
    Feb 2003
    Location
    Buckhannon, WV
    Posts
    3,468
    Ah, so it's a transparent proxy. Hmmmm, but it is also the DNS, and it is giving you the Orange IP. Hmmmmm, now ya got me thinking. Just doesn't make sense. Is IPCop logging anything? Like if it is blocking the requests?

    What keeps getting me is that you can ping from Green to Orange though you aren't supposed to be able to. Green would be able to get to Orange but Orange wouldn't be able to reply. The idea of a DMZ is to isolate traffic. What if you do a tracert? Is it going through IPCop? Is there any other possible path? Sorry for all the questions, just putting what comes to mind.
    My computer is bigger than yours!

  11. #11
    mickwish
    Guest
    Thanks for thinking about this.

    Tracert gives:

    H:\>tracert www.mickwish.is-a-geek.com

    Tracing route to www.mickwish.is-a-geek.com [192.168.1.2]
    over a maximum of 30 hops:

    1 2898 ms 3 ms 2 ms IPCop [192.168.0.1]
    2 3 ms 3 ms 3 ms www.mickwish.is-a-geek.com [192.168.1.2]

    Trace complete.

    So it's resolving to the ORANGE webserver IP OK, according to that. But it still doesn't connect via URL.

    Tried changing proxy server in IE - didn't help at all. Still had web access, but no diff for this prob.

    Will try changing IP hosts file to RED IP. Wish me luck.

    Thanks
    Mick

  12. #12
    DVNT1 (addicted)
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    6,103
    Sounds like the proxy service in IPCOP only works with Host names. When that happens, you experience the common internal-NAT-internal problem.

    Disabling the proxy service within IPCOP may fix it.

  13. #13
    mickwish
    Guest
    Ok, I'll try that. I don't think I NEED the web proxy.

    BRB.

    Thanks Mick

  14. #14
    mickwish
    Guest
    Oop - disabling the proxy cut me off the web on the GREEN lan.

    Have to try again...

    Cheers
    Mick

  15. #15
    mickwish
    Guest
    No, I need the web proxy to surf the web as IPCop is the gateway. I have disabled transparency, though - wonder if that helps?

    Cheers
    Mick

  16. #16
    mickwish
    Guest
    Nope, same thing.

    I get an error from IPCop when trying to access the page, which says:
    ERROR
    The requested URL could not be retrieved

    --------------------------------------------------------------------------------

    While trying to retrieve the URL: http://www.mickwish.is-a-geek.com/

    The following error was encountered:

    Connection Failed
    The system returned:

    (111) Connection refused
    The remote host or network may be down. Please try the request again.

    Your cache administrator is root.

    --------------------------------------------------------------------------------
    Generated Thu, 05 Jun 2003 12:32:55 GMT by ipcop (Squid/2.4.STABLE6)

    Does that give any clues?

    Ta
    Mick
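The Squid error page above, together with the earlier hosts-file advice (post #2: point the FQDN at the internal server address, then check what it resolves to), can be turned into a small triage routine. The following is an added example written for this thread, not code from IPCop or from any poster: it parses a Squid error page of the kind quoted, looks up the hostname in an IPCop-style hosts file to find the address the proxy would connect to, checks whether that address is private, and states what the errno implies. The error page text is copied from the post; the hosts-file contents are constructed to mirror the addresses in the thread and its layout is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the Squid error page quoted in post #16.
SQUID_ERROR_PAGE = """ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.mickwish.is-a-geek.com/
The following error was encountered:
Connection Failed
The system returned:
(111) Connection refused
The remote host or network may be down. Please try the request again.
Your cache administrator is root.
Generated Thu, 05 Jun 2003 12:32:55 GMT by ipcop (Squid/2.4.STABLE6)
"""

# Constructed sample of an IPCop /etc/hosts (assumed layout); the proxy on
# IPCop resolves names through this file before asking upstream DNS.
HOSTS_FILE = """127.0.0.1   localhost
192.168.0.1 ipcop
192.168.1.2 www.mickwish.is-a-geek.com
"""

# What the Linux errno reported by Squid tells you about the failed connect().
ERRNO_MEANING = {
    111: "refused (RST received): name resolution and routing from the proxy "
         "worked, but nothing is listening on that port at the address used",
    110: "timed out: SYN or SYN/ACK dropped somewhere (typical hairpin-NAT or "
         "firewall drop), so the address may still be right",
    113: "no route to host: the proxy had no path to that address at all",
    101: "network unreachable from the proxy host",
}


def parse_squid_error(page):
    """Pull URL, hostname, errno and errno text out of a Squid error page."""
    url_match = re.search(r"While trying to retrieve the URL:\s*(\S+)", page)
    err_match = re.search(r"\((\d+)\)\s*([^\n]+)", page)
    if not url_match or not err_match:
        raise ValueError("not a recognised Squid error page")
    url = url_match.group(1)
    return {
        "url": url,
        "host": urlsplit(url).hostname,
        "errno": int(err_match.group(1)),
        "errtext": err_match.group(2).strip(),
    }


def hosts_lookup(hosts_text, name):
    """Return the address a hosts file maps `name` to, or None if absent."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


def diagnose(page, hosts_text):
    """Combine the error page and the proxy host's hosts file into a verdict."""
    info = parse_squid_error(page)
    target = hosts_lookup(hosts_text, info["host"])
    verdict = dict(info)
    verdict["proxy_target"] = target
    verdict["private_target"] = (
        target is not None and ipaddress.ip_address(target).is_private
    )
    verdict["meaning"] = ERRNO_MEANING.get(info["errno"], "errno not catalogued")
    return verdict


if __name__ == "__main__":
    for key, value in diagnose(SQUID_ERROR_PAGE, HOSTS_FILE).items():
        print(f"{key:15} {value}")
```

The useful distinction is between errno 111 and 110: a refusal proves a host answered on the address the proxy used, so the question becomes whether that address is the one you meant (the DMZ server) and whether a listener is bound on port 80 there, whereas a timeout is what a hairpin-NAT drop or a DMZ-to-LAN block looks like from the proxy's side.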

  17. #17
    DVNT1 (addicted)
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    6,103
    With transparent proxy disabled, do you have to enter a proxy server setting in your web browser? If so, try adding your LAN IP range to the exclusion list.

    Otherwise I'm just out of ideas for now. Maybe someday I'll get around to trying IPCOP myself.

  18. #18
    mickwish
    Guest
    Ah, well, thanks guys. Back to the IPCop mailing list and see if they can sort it out.

    Cheers
    Mick
