Reply To: nat reflection



Well, first things first, so: fluvio, thanks for this great product! I’ve been using zeroshell after trying both pfsense and monowall and this seems to be the best and most complete product for my needs.

Now that the thanks are taken care of, I’m going to bring this topic back from the dead.

NAT Reflection is one “feature” that allows you to access servers behind PAT through your WAN IP. For example, you have a public name that has a public address… If you try to access this inside your local network, your packets are going to be directed to your firewall and don’t go through the WAN interface… So, if you have PAT defined with the interface instead of the public IP, it doesn’t get done. I know that in beta11 we can define PAT through the IP address, but the previous scenario is especially necessary in cases where you have a dynamic public IP address…

I’ve been exploring the guts of zeroshell and I think it can be done with two changes:
1. Add the following line to the script router_patconfig: “iptables -t nat -A PREROUTING $IP -p $PROTOCOL --dport $LOCALPORT -j DNAT --to $REMOTEIP:$REMOTEPORT” where $IP=-d WAN_IP. This IP should be the WAN_IP address when it is defined to dhcp.
2. Using the hooks of the dhclient-script, refresh the ip in the nat table whenever dhclient updates WAN_IP.

Maybe step 2 can be the only one, I think the initial setup may be unnecessary…
What do you think? Can this be done? If so, in time for beta12? If not, how do you recommend I solve this problem? In my opinion this is very important, especially in the SOHO market, where most companies keep the internet connection behind a dynamic IP…
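The two steps from the post, written out as an added shell example; this is not ZeroShell's code nor the poster's, and the chain names, the 192.168.1.0/24 LAN, the PAT_TABLE layout and all addresses are assumptions. It also adds one thing the post does not mention: a hairpin MASQUERADE rule, without which a LAN server would answer a LAN client directly (the client sees a reply from the private address instead of the WAN IP and resets the connection). By default it only prints the iptables commands; run it as root with IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example (not ZeroShell's own code). Dry run by default: IPTABLES is
# "echo iptables" so the rules are printed instead of applied.
IPTABLES="${IPTABLES:-echo iptables}"

DNAT_CHAIN=NAT_REFLECT_DNAT   # assumed chain, jumped to from nat PREROUTING
SNAT_CHAIN=NAT_REFLECT_SNAT   # assumed chain, jumped to from nat POSTROUTING
LAN_NET=192.168.1.0/24        # assumed LAN; only LAN-originated traffic is reflected

# Constructed PAT table standing in for router_patconfig's entries:
# "proto localport remoteip remoteport", one entry per line.
PAT_TABLE='tcp 80 192.168.1.10 80
tcp 443 192.168.1.10 443
udp 1194 192.168.1.20 1194'

# One-time setup: create the two chains and hook them in. The PREROUTING jump
# is limited to LAN sources; packets arriving from the WAN already have PAT.
nat_reflect_setup() {
    $IPTABLES -t nat -N "$DNAT_CHAIN"
    $IPTABLES -t nat -N "$SNAT_CHAIN"
    $IPTABLES -t nat -A PREROUTING -s "$LAN_NET" -j "$DNAT_CHAIN"
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -j "$SNAT_CHAIN"
}

# Step 1, per PAT entry: the poster's rule with $IP = "-d WAN_IP", plus the
# hairpin SNAT so the server's replies come back through the firewall.
nat_reflect_rule() {
    wan_ip=$1; proto=$2; localport=$3; remoteip=$4; remoteport=$5
    $IPTABLES -t nat -A "$DNAT_CHAIN" -d "$wan_ip" -p "$proto" --dport "$localport" \
        -j DNAT --to-destination "$remoteip:$remoteport"
    $IPTABLES -t nat -A "$SNAT_CHAIN" -d "$remoteip" -p "$proto" --dport "$remoteport" \
        -j MASQUERADE
}

# Rebuild both chains for the current WAN address. Flushing only our own
# chains leaves the rest of the nat table (the interface-based PAT) untouched.
nat_reflect_refresh() {
    wan_ip=$1
    $IPTABLES -t nat -F "$DNAT_CHAIN"
    $IPTABLES -t nat -F "$SNAT_CHAIN"
    printf '%s\n' "$PAT_TABLE" | while read -r proto lport rip rport; do
        if [ -n "$proto" ]; then
            nat_reflect_rule "$wan_ip" "$proto" "$lport" "$rip" "$rport"
        fi
    done
}

# Step 2: entry point for a dhclient-script exit hook. dhclient-script exports
# $reason, $old_ip_address and $new_ip_address to its hooks; the chains are
# rebuilt only on a lease event that actually changes the WAN address.
dhclient_exit_hook() {
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT)
            if [ -n "$new_ip_address" ] && [ "$new_ip_address" != "$old_ip_address" ]; then
                nat_reflect_refresh "$new_ip_address"
            fi
            ;;
    esac
}

# Stand-alone dry run: simulate a first lease with a constructed WAN address.
reason=BOUND; old_ip_address=; new_ip_address=203.0.113.5
nat_reflect_setup
dhclient_exit_hook
```

The custom chains are the reason step 1 is still needed: the hook only has to flush and refill them, and nothing else in the nat table has to know about the dynamic address. If the LAN is not 192.168.1.0/24, change LAN_NET; the MASQUERADE rule is restricted to that source by the POSTROUTING jump, so ordinary outbound traffic is not affected.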