06-04-2003, 06:23 AM   #1
mickwish
Guest
Posts: n/a
Resolving DNS through IPCop firewall/proxy

Ok, this is really driving me nuts, now!!

It must be something simple I'm missing, surely!

I know I don't understand enough stuff about how you resolve domain names, but I thought I had a vague enough idea...

Here's my setup. I run IPCop (linux distro) as a firewall / router for my cable connection. IPCop has 3 NICs in it - GREEN (192.168.0.1) goes to hub for LAN; RED goes to cable modem and resolves to ISP's allocated IP; and ORANGE goes to a DMZ for my web/mail/FTP server (192.168.1.1). Now, IPCop doesn't let anything from ORANGE go to GREEN, so the web traffic to the webserver is blocked outa the LAN. But GREEN traffic can go to ORANGE OK. That's the basics.

Almost everything works fine. IPCop is set as a DNS, but not DHCP: all IPs are manually set. I can get on the web fine in both GREEN and ORANGE boxes; I can resolve webpages by IP or URL fine....

EXCEPT.... I can't resolve my own domain name from my ORANGE webserver on my GREEN LAN!

I can access mail from the ORANGE server (by IP) on GREEN, and I can access server webpages and FTP by IP - but not by URL.

The normally helpful folk on the IPCop list told me to put the domain name in the hosts file of the Windows machine on GREEN, so I did. No better. They also suggested I put the domain name in IPCop's hosts file, so I did that too, as well as in the ORANGE server's hosts file (all machines except IPCop are running WinXP Pro). Didn't help.

So, can anyone help me, please?

Thanks
Mick the frustrated

06-04-2003, 07:06 AM   #2
DVNT1
Registered User
Join Date: Oct 2001
Location: Ohio
Posts: 5,577
Actually that doesn't sound very odd for many NAT devices. I'm not sure what to expect from IPCOP though.

From a green LAN client, I suspect you can resolve your Internet host name but just not do the NAT from internal to internal. So normally, you would create a host file with your FQDN that points to the internal IP address of the server you want to access.

If this is what you did, next step is to ping that FQDN to see what it resolves to.

06-04-2003, 04:05 PM   #3
mickwish
Guest
Posts: n/a
An nslookup from GREEN gives me this:

H:\>nslookup www.mickwish.is-a-geek.com
Server: ipcop
Address: 192.168.0.1

Non-authoritative answer:
Name: www.mickwish.is-a-geek.com
Address: 192.168.1.2

That should be fine, as 192.168.0.1 is IPCop, which is my DNS server, and 192.168.1.2 is the ORANGE server.

Pings fine too, from GREEN:

H:\>ping www.mickwish.is-a-geek.com

Pinging www.mickwish.is-a-geek.com [192.168.1.2] with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=12ms TTL=127
Reply from 192.168.1.2: bytes=32 time=2ms TTL=127
Reply from 192.168.1.2: bytes=32 time=2ms TTL=127
Reply from 192.168.1.2: bytes=32 time=2ms TTL=127

Ping statistics for 192.168.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 12ms, Average = 4ms

Any other thoughts?

Thanks for your help
Mick

06-04-2003, 04:19 PM   #4
DVNT1
Registered User
Join Date: Oct 2001
Location: Ohio
Posts: 5,577
Quote:
EXCEPT.... I can't resolve my own domain name from my ORANGE webserver on my GREEN LAN!

I can access mail from the ORANGE server (by IP) on GREEN, and I can access server webpages and FTP by IP - but not by URL
Keep in mind I'm mentally burnt out tonight from IPSEC problems; but right now I don't understand what exactly is the problem...especially the part "ORANGE webserver on my GREEN LAN". Could you state it a different way because I thought the "orange webserver" was on the Orange interface and not the Green interface (aka Green LAN).

06-04-2003, 08:52 PM   #5
mickwish
Guest
Posts: n/a
OK. Sorry if I'm confusing. What I can't do is view webpages by URL that are served from the ORANGE (DMZ) webserver in a browser on a PC on the LAN that is connected to the GREEN NIC in IPCop. I can see the pages if I use the IP, but not the URL.

[Bear in mind that no traffic is allowed from ORANGE NIC to GREEN NIC by IPCop rules.]

Does that make sense?

Thanks
Mick

06-04-2003, 09:07 PM   #6
Siliconjunkie
Banned
Join Date: Feb 2003
Location: Houston, TX
Posts: 1,595
In IPCop are there any rules regarding traffic from Orange to Green? It sounds like something is blocking 80. Is there a proxy involved?

06-04-2003, 09:14 PM   #7
mickwish
Guest
Posts: n/a
IPCop is set up as a web proxy. All PCs have IPCop set as default gateway.

Yes, there are rules about no traffic allowed from ORANGE to GREEN, but traffic is allowed from GREEN to ORANGE.

What I want is for the webpages served on ORANGE to be seen via the RED (cable modem) NIC by URL.

Thought: If the RED NIC is set for the ISP's allocated IP, then should I put a hosts entry on IPCop that links the RED IP with the FQDN?? At the moment the hosts file on IPCop links the ORANGE webserver IP with the FQDN.

Maybe that's what I did wrong? Can't test it until I get home tonight, though. Can't even SSH into IPCop from work - all the ports are blocked, and I haven't got a tunnel set up.

What do you think?

Thanks
Mick

edit: fixed up a messy bit

06-04-2003, 09:29 PM   #8
Siliconjunkie
Banned
Join Date: Feb 2003
Location: Houston, TX
Posts: 1,595
NAT has problems with going out and right back in. Tends to confuse it. I would bet that's the problem you are having. But if you are proxying via IPCop and it knows the Orange address of the web server it should be able to retrieve the page. Is it possible that you have your browser set to not use the proxy for local addresses?

06-04-2003, 09:46 PM   #9
mickwish
Guest
Posts: n/a
That's a new thought, but since the browser isn't "set" to use a proxy address in IE, I doubt it. IPCop caches webpages (i.e. is a web proxy), but is not listed as a proxy server in IE.

But it's a new line of thought, and I'll check that tonight.

Thanks for the idea!

Cheers
Mick

06-05-2003, 01:43 AM   #10
Siliconjunkie
Banned
Join Date: Feb 2003
Location: Houston, TX
Posts: 1,595
Ah, so it's a transparent proxy. Hmmmm, but it is also the DNS, and it is giving you the Orange IP. Hmmmmm, now ya got me thinking. Just doesn't make sense. Is IPCop logging anything? Like if it is blocking the requests?

What keeps getting me is that you can ping from Green to Orange tho you aren't supposed to be able to. Green would be able to get to Orange but Orange wouldn't be able to reply. The idea of a DMZ is to isolate traffic. What if you do a tracert? Is it going thru IPCop? Is there any other possible path? Sorry for all the questions, just putting what comes to mind.
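
The checks the replies in this thread ask for (what the name resolves to, which IPCop zone that address is in, and whether a web request by IP and by name gets the same answer), gathered into one script as an added example; it is not code from any poster or from IPCop. The /24 masks and the function names `zone_of`, `http_status` and `diagnose` are assumptions made for illustration.

```python
import http.client
import ipaddress
import socket

# Zone addresses come from the thread; the /24 masks are an assumption.
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.0.0/24"),
    "ORANGE": ipaddress.ip_network("192.168.1.0/24"),
}

def zone_of(ip):
    """Return the IPCop zone an address is in; anything else is reached via RED."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"

def http_status(ip, host_header, port=80, timeout=3.0):
    """GET / from ip:port with the given Host header; return status or error text."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return f"error: {exc}"
    finally:
        conn.close()

def diagnose(name, resolve=socket.gethostbyname, port=80):
    """Check DNS, zone and HTTP in turn; return what each layer reported."""
    report = {"name": name}
    try:
        ip = resolve(name)
    except OSError as exc:
        report["dns"] = f"error: {exc}"
        return report
    report["dns"] = ip
    report["zone"] = zone_of(ip)
    # A RED answer sends a GREEN client out and back in through NAT.
    report["needs_nat_loopback"] = report["zone"] == "RED"
    # Ping only proves ICMP gets through; these two test TCP and HTTP.
    report["by_ip"] = http_status(ip, ip, port)
    report["by_name"] = http_status(ip, name, port)
    return report

if __name__ == "__main__":
    print(diagnose("www.mickwish.is-a-geek.com"))
```

Run from a GREEN client, a working `by_ip` next to a failing or different `by_name` points at the proxy or the web server's handling of the Host header rather than at DNS or routing.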
All times are GMT -6.