Iptables – access a NAT addressed host behind a gateway from the WAN side without DNS or VPN (with DNS if it’s not possible)

Tags: firewall, ip, iptables, nat, routing

I have a very simple gateway running a minimal Linux which is serving as an IP router with NAT and DHCP on the LAN, and a static IP on the WAN. The gateway router from the LAN side goes to a big switch from which about 200 users gain access (DHCP assigns them NAT addresses). Of these 200 hosts on the LAN I have one (call it Argon) that I'd like to access at a fixed static IP address from both within the LAN and from the WAN. Let's say my NAT is 192.168.1.0/24, the LAN address on my gateway is 192.168.1.1, Boron is a host on the LAN with IP 192.168.1.2, and Carbon is a host on the WAN with the IP 1.1.1.1.

Say that I own the IP 10.10.10.10. I'd like to assign 10.10.10.10 to Argon, and be able to send and receive both TCP and UDP traffic from both Boron (at 192.168.1.2) and from Carbon (at 1.1.1.1) where both Boron and Carbon would send messages to the IP address 10.10.10.10 to reach Argon.

I don't think my router has the capability to run DNS or VPN, so I'd like to avoid these routes as solutions if possible. However, if the constraints I've placed make the problem unsolvable, I'd prefer to set up a DNS as a solution rather than VPN, so if anyone has a DNS solution for this problem (that isn't dynamic DNS) I'd appreciate those solutions too.

Apologies if the question is basic, or not on point; I'm definitely a networking novice.

Thank you for your help.

Best Answer

If 10.10.10.10 already points to the WAN interface on your router, you should just have to add a static route to the internal host on the router.

ip route add 10.10.10.10/32 dev eth1   # on the router; eth1 = LAN-side NIC

Where eth1 is the LAN side nic on the router. (Ensure that ip forwarding is on for both interface wan and lan on the router).

Then just assign 10.10.10.10/32 to the nic on Argon. Unless it has a LAN IP in the 192.168.1.1/24 subnet, Argon will have to set its route as:

ip route add 192.168.1.0/24 dev eth0   # on Argon: LAN reachable on-link via eth0 (network address, not 192.168.1.1/24)
ip route add default via 192.168.1.1   # on Argon: everything else via the router's LAN address

Internal clients should have no trouble. Packets will leave internal hosts via the NIC defined for the default gateway. The default gateway is your router. The router has a route to 10.10.10.10/32 back out its LAN interface.

I think this should work. If it doesn't, you'll have to figure out how to deal with hairpin forwarding on your distribution. (I really think it should work by default in most cases...).


If you want to attempt to assign 10.10.10.10/32 to the router itself and then use NAT to direct everything to an internal IP for Argon the magical phrase becomes "Hairpin NAT". You can read more about that rabbit hole here: Can't access domain internally via public IP address


And for the sake of completion... if 10.10.10.10 does not currently point to your router's wan nic... you will have to talk to the provider about getting 10.10.10.10 routed to your router. (Consumer grade equipment won't cut it here)


For those that like pictures (I'm not great at diagrams and all I had installed was paint) here is what the routes look like without NAT:

[Image: Linux Hairpin Routing without NAT]
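As an added example (not code from the original answer), the script below turns the answer's steps into one reviewable file that can be run on either the router or Argon: it defaults to a dry run that prints the commands, and after a real apply shows the route the kernel actually picks for the public address. The interface names eth1/eth0 and the addresses are the ones used in the question and answer; the note about the MASQUERADE rule is an assumption about a typical NAT setup, not something the answer states.

```shell
#!/bin/sh
# Added example, not from the original answer. Applies the answer's routed-/32
# setup on the router or on Argon. Defaults to DRY_RUN=1 so the commands can be
# reviewed first; run as root with DRY_RUN=0 to apply.
# Assumed values (from the question/answer): public IP 10.10.10.10,
# LAN 192.168.1.0/24, router LAN address 192.168.1.1.
set -eu

PUBLIC_IP="${PUBLIC_IP:-10.10.10.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_GW="${LAN_GW:-192.168.1.1}"
DRY_RUN="${DRY_RUN:-1}"

# Router side: forwarding on, and the public /32 routed out the LAN-side NIC.
# Assumption not covered by the answer: if the router's MASQUERADE rule matches
# everything leaving the WAN NIC, restrict it to "-s $LAN_NET" so packets from
# Argon keep 10.10.10.10 as their source address.
router_cmds() {  # $1 = LAN-side interface on the router
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "ip route replace ${PUBLIC_IP}/32 dev $1"
}

# Argon side: public /32 on its NIC, the LAN as an on-link route (Argon has no
# 192.168.1.x address), then a default route via the router's LAN address.
argon_cmds() {  # $1 = Argon's interface
  printf '%s\n' \
    "ip addr replace ${PUBLIC_IP}/32 dev $1" \
    "ip route replace ${LAN_NET} dev $1" \
    "ip route replace default via ${LAN_GW} dev $1"
}

# Print (dry run) or execute the command list for one role.
apply() {  # $1 = router|argon, $2 = interface on that host
  if [ $# -ne 2 ]; then echo "usage: $0 router|argon <iface>" >&2; return 2; fi
  case "$1" in
    router) cmds=$(router_cmds "$2") ;;
    argon)  cmds=$(argon_cmds "$2") ;;
    *)      echo "unknown role: $1" >&2; return 2 ;;
  esac
  printf '%s\n' "$cmds" | while IFS= read -r c; do
    if [ "$DRY_RUN" = 1 ]; then echo "+ $c"; else eval "$c"; fi
  done
  # After a real apply, show which route the kernel picks for the public IP.
  [ "$DRY_RUN" = 1 ] || ip route get "$PUBLIC_IP"
}

# Only act when arguments are given, so the file can be sourced for checks.
[ $# -eq 0 ] || apply "$@"
```

Run `sh routed32.sh router eth1` on the gateway and `sh routed32.sh argon eth0` on Argon to see the commands; prefix with `DRY_RUN=0` (as root) to apply them.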