2.5.1: Can't access webserver in green zone from green/blue zone by external URL

[Guest]

[X-Dimension]

Hi!
We have the following setup:
Endian Firewall 2.5.1 Community Edition
Green zone: 192.168.1.0/24
Gateway IP: 192.168.1.1
Blue zone: 192.168.2.0/24
Webserver in green zone: 192.168.1.100

To access the webserver by its external URL mywebsite.com i set a port forwarding rule from uplink main port 80 to 192.168.1.100.
This works fine from the red zone, and everybody can reach our webserver by its URL.
But from green or blue zone i can't access my webserver by mywebsite.com, it only works when i input the ip address 192.168.1.100 in the webbrowser.

With Endian 2.4.1 a workaround was to set a source NAT rule from 192.168.1.0/24 to 192.168.1.1 (gateway), and it works fine.
I've imported the settings from Endian 2.4.1 in 2.5.1, but it doesn't work anymore.

Does anybody know how i must configure Endian 2.5.1 to access my webserver from green/blue zone by its external URL?

Thx for help!

[X-Dimension]

Here is the simple solution:
Go to
Network -> Edit Hosts and add an entry for the webserver!

Host IP: 192.168.1.100
Hostname: mywebsite
Domainname: com

Works fine here!

[endianupdate]

The solution you posted works but only if the client uses the EFW as it's DNS server.

If your clients are using another DNS server on the GREEN/ORANGE/BLUE zone e.g. Active Directory DNS server, then I think you will need to enter the host in that DNS server also.

[blyxx86]

I too am having this issue...

Adding hosts to a new active directory DNS zone for our company.com domain.  However, I realized there was one scenario that would never work.  We use one of our external IPs to forward port 80 to port 8080 on a server.

Adding the records to the DNS did work properly, but not 100%.

Adding Hosts to the "Edit Hosts" page had similar results if it is the primary DNS.  Again, port translations (External IP to port 80, translated to Internal IP 8080) won't work with that type of set up.

[blyxx86]

Okay... so I have been persistent in my research and I believe I have found the solution thanks to the messages in this thread (efwsupport.com/index.php?topic=1065.15)

But to summarize and put it all together.  This is what I needed to do to get access from GREEN->RED->GREEN.

Firewall->Port forwarding/Destination NAT (image 1)
Incoming IP
Type: Zone/VPN/Uplink
Interface: RED Uplink IP (Whatever IP is needed by your external IP)
Incoming Service/Port
TCP 80 (Or whatever ports you need)
Translate to
Type: IP
Insert IP: GREEN IP of server
Port/Range: 80 (or whatever it translates to, like 8081)
Access From
SourceType: Zone/VPN/Uplink
Filter policy: ALLOW
Interface: GREEN (May need to also enable from the RED if access from outside, I am testing on a small internal network and don't have the ability to test whether or not you need to allow from RED for them)
Enabled / Log / Remark (whatever you want)


After doing this, if you will see logs show up saying the ports are accepted, but no handshake takes place.  For that to happen we need to set up a Source NAT.

Firewall->Source NAT (image 2)
Source
Type: Network/IP
Network: GREEN NETWORK IP (e.g., 192.168.101.0/24) (Original post had 0.0.0.0/0 which worked, but I like to tighten things when i can)
Destination
Type: Zone/VPN/Uplink
Interface: GREEN
Service/Port
Service: ANY
Protocol: ANY
NAT
Type: NAT
To source address: AUTO
Enabled / Remark (Whatever)

[jay@heraldtech.net]

Hello, I have a similar situation.  I use EFW 2.5.1 with Microsoft Small Business Server and get dns from the server.  I have several domains on a webserver and it is not practical to create a hosts entry each time I add a domain.  I really need NAT loopback support.  My Sonicwall TZ-170 works great for loopback.  With EFW 2.5.1 I am unable to find a way to access my websites from inside my network.  Please let me know if there is a way.  Thanks.

[mrkroket]

The solution you posted works but only if the client uses the EFW as it's DNS server.

If your clients are using another DNS server on the GREEN/ORANGE/BLUE zone e.g. Active Directory DNS server, then I think you will need to enter the host in that DNS server also.

Not entirely true. What you can do is to add endian firewall as your 1st DNS forwarder on your AD DNS Servers. This way you dont use the Endian DNS directly, but works the same.
Or if your AD domain name = your web domain name you must create a local registry on the AD DNS to point that server by using the local IP.

[as3]

Apologies for reviving an old thread but it is exactly on-topic with one exception: I have two WAN uplinks on the Endian box I'm having trouble with.

More details: With just a RED interface (a single uplink) the solution in this thread worked fine. I now have a second uplink with a static IP address and port forwarding rules set up from that WAN IP to an internal server (HTTP/HTTPS/SSH/IMAP/SMTP). I need hosts on the GREEN segment to be able to use the FQDN for the server just like they can from outside the network. These rules don't work for that and I've tried obvious tweaks like adding the second uplink or ANY UPLINK selections to both the port forwarding and the SNAT rule, with no success.

Can anyone suggest a rule or setting that allows loopback to work from the GREEN to a host on the second uplink?

TIA,

AS

[Caseyj]

Here is the simple solution:
Go to
Network -> Edit Hosts and add an entry for the webserver!

Host IP: 192.168.1.100
Hostname: mywebsite
Domainname: com

Works fine here!

I go for this. Thanks so much ! ;-)