I host some websites, a media server, etc., but whenever I try to access them using the internal network I get connection refused. So:
domain.com (connection refused)
domain.com:8443 to access Plesk (connection refused)
domain.com:32400 to access Plex (connection refused)
domain.com:81 to access ClearOS (connection refused)
All of the above with the external IP: connection refused.
If I use the internal IP with port numbers it works (excluding domain.com).
If I hide behind a VPN, all of the above including domain.com works fine (the internal IP won't work with the VPN).
Please, any ideas? It's a pain in the butt for me working on the websites.
I have checked the firewall etc. but may have missed something.
Thanks in advance.
Responses (3)
Accepted Answer
Short version: Sounds like you need 'split horizon' DNS. Split horizon DNS makes it so that your internal hosts can be listed in the ClearOS DNS cache.
Simply add the hostname to the DNS Server application with the INTERNAL IP address. Network >> Infrastructure >> DNS Server. Use ClearOS as your DNS resolver for all internal traffic. It is much, much faster to do it here for your servers and workstations. Even if you use Active Directory (click here if you do).
Long version: What is happening technically is that ClearOS does not allow for hairpin NAT access. This thread on reddit covers what hairpins are good for. Hairpins look like this:
1.2.3.4 is the IP for the A record myserver.example.com
myserver.example.com has a private IP of 192.168.1.10 and is behind the firewall with a private IP of 192.168.1.1 and an external IP 1.2.3.4.
1.2.3.4, the firewall, forwards ports 80 and 443 to 192.168.1.10
Sound familiar? Now here is what your box is trying to do:
192.168.1.100 looks up myserver.example.com and retrieves the public record 1.2.3.4. The .100 workstation knows that 1.2.3.4 is not on its network, so it sends it to the gateway. The gateway sees that 1.2.3.4 is its address and receives the packet. Now here is what ClearOS won't do... a hairpin NAT rule that reroutes the packet inbound. Here is what ClearOS does do... drop the packet; this is bad traffic.
Why is split horizon DNS so much better?
Much faster DNS resolution. By resolving this internal address in the local cache, lookups to this resource do not have to happen externally.
Much faster traffic. With the resolution to the internal IP, traffic on LAN becomes UNICAST between 192.168.1.100 and 192.168.1.10
Increased security at the firewall. Because the firewall never sees it, traffic between the two servers is not compromised if the firewall falls.
Increased security in the routing tables. Because we aren't routing, spoofs against the firewall cannot use your internal LAN segment as a tool against your external firewall.
Increased security at the switch. Unicast traffic between your .100 and .10 hosts does not involve the firewall at all.
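To make the two paths in the answer above concrete, here is an added simulation (example code written for this thread, not ClearOS code or anything the poster supplied). It models the topology from the answer (workstation .100, server .10, gateway .1 with WAN 1.2.3.4, ports 80 and 443 forwarded), a resolver with and without an internal override for the name, and a gateway that either drops LAN-sourced packets addressed to its own WAN IP (no hairpin NAT, as the answer says ClearOS behaves) or applies the port forward. The port-forward table, the name and the "drop" outcome are constructed to match the answer's example, not taken from any real configuration.

```python
import ipaddress

# Constructed topology matching the answer's example (not a real network)
LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_LAN = ipaddress.ip_address("192.168.1.1")
GATEWAY_WAN = ipaddress.ip_address("1.2.3.4")
SERVER_LAN = ipaddress.ip_address("192.168.1.10")
WORKSTATION = ipaddress.ip_address("192.168.1.100")

# Firewall port forwards: WAN port -> (LAN host, port), as in the answer
PORT_FORWARDS = {80: (SERVER_LAN, 80), 443: (SERVER_LAN, 443)}

# Public DNS: the A record the whole Internet sees
PUBLIC_ZONE = {"myserver.example.com": GATEWAY_WAN}
# Internal override, i.e. the entry you add under Network >> Infrastructure >> DNS Server
INTERNAL_OVERRIDES = {"myserver.example.com": SERVER_LAN}


def resolve(name, client_ip, split_horizon):
    """Return the address a client gets for `name`.

    With split horizon, LAN clients get the internal override when one exists;
    everyone else (and every client when split horizon is off) gets the public record.
    """
    client = ipaddress.ip_address(client_ip)
    if split_horizon and client in LAN and name in INTERNAL_OVERRIDES:
        return INTERNAL_OVERRIDES[name]
    return PUBLIC_ZONE[name]


def gateway_action(src, dst, dport, hairpin_nat):
    """Decide what the firewall does with a packet arriving from the LAN.

    A packet for some other public address is simply routed out. A packet for the
    gateway's own WAN address from a LAN host is a hairpin: without hairpin NAT it
    is dropped; with it, the port forward is applied and the packet goes back in.
    """
    if dst != GATEWAY_WAN:
        return ("route_out", dst)
    if src in LAN and not hairpin_nat:
        return ("drop", None)
    if dport in PORT_FORWARDS:
        return ("dnat", PORT_FORWARDS[dport])
    return ("drop", None)


def trace(name, dport, split_horizon=False, hairpin_nat=False, client=WORKSTATION):
    """Simulate one connection attempt from a LAN client and report the outcome."""
    dst = resolve(name, client, split_horizon)
    if dst in LAN:
        # Same subnet: plain unicast between the two hosts, the firewall never sees it.
        return {"resolved": str(dst), "via": "direct", "outcome": "connected"}
    action, target = gateway_action(client, dst, dport, hairpin_nat)
    if action == "dnat":
        host, port = target
        return {"resolved": str(dst), "via": "gateway hairpin",
                "outcome": f"connected to {host}:{port}"}
    return {"resolved": str(dst), "via": "gateway", "outcome": "dropped"}


if __name__ == "__main__":
    for label, kwargs in [("no override, no hairpin", {}),
                          ("split horizon", {"split_horizon": True}),
                          ("hairpin NAT instead", {"hairpin_nat": True})]:
        print(label, "->", trace("myserver.example.com", 443, **kwargs))
```

The first case reproduces the poster's symptom: the LAN client resolves the public address, hands the packet to the gateway, and the gateway discards it. Adding the internal override flips the outcome without touching the firewall, which is the split-horizon fix the answer recommends. A quick real-world check of the same thing is to compare what your internal resolver returns for the name against what a public resolver returns; if both give the WAN address from a LAN host, the override is not in effect. Whether a failed hairpin shows up as a timeout or as "connection refused" depends on whether the gateway drops silently or answers with a reset; the model only records that the path fails.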