Aug 22, 2011
tom

Loopback to public IP address in local network

Question

I have the following situation:

We host internal web pages on our Windows Server 2003 for business proposals [purposes?], which we can access at 192.168.0.X:80 on the local network. We also have a FreeBSD router as our internet gateway, which hosts static IP addresses in the 217.199.X.X subnet. Our external locations have internet access and come into the local network through a static IP, with some ports forwarded to different local IP addresses depending on what type of service they are calling. One part of our business uses a customized IE with predefined shortcuts to many local web pages.

What I want to do is create those shortcuts in the customized Internet Explorer so that they are the same for clients on the local network as for clients on the public network.

To be more clear, here is one example:

If I want to access ReportServer from my internal network, I call

http://192.168.1.1:80/ReportServer

For that same report server, from outside of my local network I can get it at

http://217.199.133.42:80/reportserver

But if from the local network I call

http://217.199.133.42:80/reportserver

I can’t access my report server.

What can I do?
One of the things I’m already doing is that clients from outside the local network use a VPN to get access to the local network, but in that case they lose their internet connection for other services.

Thank you in advance

Answer

What you’re looking for is called “hairpin NAT”. Requests from the internal interface for an IP address assigned to the external interface should be NAT’ted as though they came in from the external-side interface.

I don’t have any FreeBSD familiarity at all, but reading the “pf” manual for OpenBSD (http://www.openbsd.org/faq/pf/rdr.html) the proposed solutions of split-horizon DNS, using a DMZ network, or TCP proxying lead me to believe that “pf” doesn’t support hairpin NAT.

I’d look at going the route of split-horizon DNS and not using IP addresses in URLs internally but, instead, using names.
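What the split-horizon setup recommended above looks like in practice, as an added example that is not part of the original answer: a BIND 9 configuration with two views, so that the same name (here the hypothetical reportserver.example.com) resolves to the private address for clients inside the LAN and to the public address for everyone else. The zone name, the name server host ns1 and its two addresses, and the file paths are assumptions; the two server addresses are the ones from the question. The ACL uses 192.168.0.0/16 because the question mentions both 192.168.0.X and 192.168.1.1.

```conf
// named.conf fragment (added example; zone name, ns1 addresses and paths are hypothetical)

acl "internal" { 192.168.0.0/16; 127.0.0.0/8; };

view "inside" {
    match-clients { "internal"; };
    recursion yes;              // LAN clients may use this server as their resolver
    zone "example.com" {
        type master;
        file "/usr/local/etc/namedb/master/example.com.internal";
    };
};

view "outside" {
    match-clients { any; };     // everything not matched by the "inside" view
    recursion no;               // authoritative only: never an open resolver for the Internet
    zone "example.com" {
        type master;
        file "/usr/local/etc/namedb/master/example.com.external";
    };
};

; --- example.com.internal: served only to the "inside" view ---
$TTL 3600
@               IN SOA  ns1.example.com. hostmaster.example.com. (
                        2011082201      ; serial: bump it in BOTH files on every change
                        3600 900 604800 300 )
                IN NS   ns1.example.com.
ns1             IN A    192.168.1.2     ; assumed private address of the name server
reportserver    IN A    192.168.1.1     ; private address from the question

; --- example.com.external: served to the "outside" view ---
$TTL 3600
@               IN SOA  ns1.example.com. hostmaster.example.com. (
                        2011082201
                        3600 900 604800 300 )
                IN NS   ns1.example.com.
ns1             IN A    217.199.133.43  ; assumed public address of the name server
reportserver    IN A    217.199.133.42  ; public address from the question
```

After reloading named, check both sides with `dig +short reportserver.example.com @<server>`: a query from a 192.168.x.x client should return 192.168.1.1, a query from anywhere else 217.199.133.42, and the IE shortcuts can then all use http://reportserver.example.com/ReportServer regardless of where the client sits. If the public zone is hosted elsewhere (for example at the registrar), only the "inside" view is needed on the internal resolver, and the "outside" view can be dropped. Two side effects worth having: private addresses never appear in answers handed to external clients, and `recursion no` in the public-facing view keeps the server from being usable as an open resolver for DNS amplification.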
