
warbleeder
Resolved
1 vote
I host some websites, a media server, etc., but whenever I try to access them using the internal network I get connection refused, so:
domain.com (connection refused)
domain.com:8443 to access Plesk (connection refused)
domain.com:32400 to access Plex (connection refused)
domain.com:81 to access ClearOS (connection refused)
All of the above with the external IP: connection refused.
If I use the internal IP with port numbers it works (excluding domain.com).
If I hide behind a VPN all of the above, including domain.com, works fine (the internal IP won't work with the VPN).

Please, any ideas? It's a pain in the butt for me working on the websites.

I have checked the firewall etc. but may have missed something.

Thanks in advance.
Thursday, August 30 2018, 12:15 AM
Responses (3)
  • Accepted Answer

    Saturday, September 01 2018, 12:22 PM - #Permalink
    Resolved
    0 votes
    No, it gives no real security advantages except a bit of obscurity. Anyone on your LAN can still access the web site by its IP address, and when accessing the web site from your LAN they will have no more privileges than accessing it from the internet.
  • Accepted Answer

    warbleeder
    Saturday, September 01 2018, 11:15 AM - #Permalink
    Resolved
    0 votes
    Sorry for the delay in replying, I've been super busy.

    And thank you for your detailed response.

    I'm assuming leaving it as it is and working behind a VPN will have more security advantages than it would if I open it up to the LAN?
  • Accepted Answer

    Friday, August 31 2018, 04:22 PM - #Permalink
    Resolved
    1 vote
    Short version: Sounds like you need 'split horizon' DNS. Split horizon DNS makes it so that your internal hosts can be listed in the ClearOS DNS cache.

    Simply add the hostname to the DNS Server application with the INTERNAL IP address: Network >> Infrastructure >> DNS Server. Use ClearOS as your DNS resolver for all internal traffic. It is much, much faster to do it here for your servers and workstations, even if you use Active Directory.


    Long version: What is happening technically is that ClearOS does not allow for hairpin NAT access. This thread on reddit covers what hairpins are good for. Hairpins look like this:

    1.2.3.4 is the IP for the A record myserver.example.com.
    myserver.example.com has a private IP of 192.168.1.10 and is behind the firewall, which has a private IP of 192.168.1.1 and an external IP of 1.2.3.4.
    1.2.3.4, the firewall, forwards ports 80 and 443 to 192.168.1.10.

    Sound familiar? Now here is what your box is trying to do:

    192.168.1.100 looks up myserver.example.com and retrieves the public record 1.2.3.4. The .100 workstation knows that 1.2.3.4 is not on its network, so it sends it to the gateway. The gateway sees that 1.2.3.4 is its address and receives the packet. Now here is what ClearOS won't do: a hairpin NAT rule reroutes the packet inbound. Here is what ClearOS does do: drop the packet, since this is bad traffic.

    Why is split horizon DNS so much better?

      • Much faster DNS resolution. By resolving this internal address in the local cache, lookups to this resource do not have to happen externally.
      • Much faster traffic. With the resolution to the internal IP, traffic on the LAN becomes UNICAST between 192.168.1.100 and 192.168.1.10.
      • Increased security at the firewall. Because the firewall never sees it, traffic between the two servers is not compromised if the firewall falls.
      • Increased security in the routing tables. Because we aren't routing, spoofs against the firewall cannot use your internal LAN segment as a tool against your external firewall.
      • Increased security at the switch. Unicast traffic between your .100 and .10 hosts does not involve the firewall at all.
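The hairpin-versus-split-horizon reasoning in the answer above, as an added, runnable model (this is not code from the thread or from ClearOS). It uses the answer's own topology (LAN 192.168.1.0/24, gateway 192.168.1.1 with WAN address 1.2.3.4, server 192.168.1.10, workstation 192.168.1.100), shows what a LAN client and an internet client each resolve with and without the internal record, classifies the path the resulting packet takes, and renders the override as a dnsmasq host-record line. Everything here is constructed; the assumption that the ClearOS DNS Server app is dnsmasq-based is mine, not something the thread states.

```python
"""Split-horizon DNS vs. hairpin NAT: a small offline model.

Added example, not from the forum thread or from ClearOS. Constructed
topology mirrors the answer's worked example.
"""
import ipaddress

# Constructed topology from the answer's example.
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = ipaddress.ip_address("1.2.3.4")

# Public zone as the internet sees it (A records).
PUBLIC_RECORDS = {"myserver.example.com": "1.2.3.4"}

# Internal overrides: what you add under Network >> Infrastructure >> DNS Server.
INTERNAL_RECORDS = {"myserver.example.com": "192.168.1.10"}


def resolve(name, client_ip, split_horizon=True):
    """Return the A record a client gets for `name`.

    With split horizon, LAN clients get the internal record; everyone
    else (and any name without an internal record) falls through to the
    public one. Raises KeyError for an unknown name.
    """
    client = ipaddress.ip_address(client_ip)
    if split_horizon and client in LAN and name in INTERNAL_RECORDS:
        return INTERNAL_RECORDS[name]
    return PUBLIC_RECORDS[name]


def path_for(client_ip, dest_ip):
    """Classify the path a packet from client_ip to dest_ip takes.

    'direct'   : both on the LAN segment; switched unicast, firewall untouched
    'hairpin'  : LAN client sending to the gateway's own WAN address; this
                 needs hairpin NAT, which the answer says ClearOS does not
                 do, so the packet is dropped and the connection fails
    'external' : client is not on the LAN; ordinary traffic via the gateway
    """
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(dest_ip)
    if client in LAN and dest in LAN:
        return "direct"
    if client in LAN and dest == WAN_IP:
        return "hairpin"
    return "external"


def dnsmasq_host_record(name, ip):
    """Render the override as a dnsmasq host-record line.

    Assumption (not stated in the thread): the ClearOS DNS Server app is
    dnsmasq-based, so this is the kind of line it ends up writing.
    """
    return f"host-record={name},{ip}"


def diagnose(name, client_ip):
    """One-shot check: what the client resolves and what happens next."""
    public_answer = resolve(name, client_ip, split_horizon=False)
    split_answer = resolve(name, client_ip, split_horizon=True)
    return {
        "public_answer": public_answer,
        "public_path": path_for(client_ip, public_answer),
        "split_answer": split_answer,
        "split_path": path_for(client_ip, split_answer),
    }


if __name__ == "__main__":
    # LAN workstation: hairpin (dropped) without the record, direct with it.
    # Internet client (203.0.113.7 is a documentation address): public either way.
    for client in ("192.168.1.100", "203.0.113.7"):
        print(client, diagnose("myserver.example.com", client))
    print(dnsmasq_host_record("myserver.example.com",
                              INTERNAL_RECORDS["myserver.example.com"]))
```

One caveat the model makes visible: an internal record maps the whole name to a single address. If, as in the original post, some ports on the same name reach different hosts (for example port 81 served by the ClearOS box itself while 8443 and 32400 are forwarded to a server; I am assuming that layout from the post, it is not confirmed there), then after the override every port on that name goes to the one internal host. Services that live elsewhere need their own hostname in the DNS Server app, or have to be reached by their internal IP as the poster is already doing.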