6 Replies Latest reply on Sep 6, 2013 10:27 AM by levi

    Web Server Access

    dogma New Member

      Our router is a Netvanta 3448.  We have a server on our LAN that hosts applications for users on the LAN to access.  This has been in place for several years and works fine.  We recently added a web application to the server's functions, to allow the public to access certain information via a link on our website (website is hosted by a third party, not at this location).  The link on the website points to one of our static WAN IP addresses.  When I first set this up I tried port forwarding to the server LAN IP address without a specific port number (default to port 80), but could not gain access to the server's web interface from either the LAN side or the WAN side.  I have since added a random port number to the IP address on the website, and translated that port to LAN port 80 in a Public policy.  Access from the WAN side now works fine.  However, when users inside the LAN go to the website and click the link, they are still unable to access the server's web application.  Direct access via the LAN IP address does work for LAN clients, but what they need is to be able to gain access via the website.

      I assume I'll need to provide more details, but maybe that's enough to get started.  I have two questions:

      1.  Why didn't port forwarding to the web server work on port 80?  (already changed the Netvanta http interface to a different port number.)

      2.  How can I get the LAN clients to access the webserver via the WAN link on the website?

        • Re: Web Server Access
          Employee

          dogma - I would probably need to see your configuration before I could answer your first question for you. However, if I had to guess, I'm guessing there was a firewall entry that may have been catching the port 80 traffic before it hit your port forward rule. It is important to keep in mind that even if you change the HTTP port on an AOS device, if you specify "HTTP" in an admin access rule in the GUI, or specify a well-known port of "www" in the CLI, it will always translate to port 80...even if you change the HTTP port.

           

          As far as your second question goes, this application is often referred to as a "hairpin". It refers to LAN users attempting to access a server using the public IP address that is forwarded to it. Unfortunately, AOS does not support this function. However, there are a couple of workarounds that can be implemented to get this to work. Information on setting this up can be found in the following post: Re: Hairpin Prevention

           

          I hope this answers your questions, however, if you have any questions, please do not hesitate to respond to this post. Also, as I mentioned, it may be helpful to see your configuration file as well. Please remember to edit any information that may be sensitive to your network.

           

          Thanks,

          Noor

          1 of 1 people found this helpful
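The hairpin problem Noor describes, simulated as an added example (my code, not from this thread or from Adtran): a small stateful NAT model that shows why a LAN client using the public address gets nothing when the port forward lives only in the Public policy, why it still fails when the server shares the client's subnet even if the translation is applied to LAN traffic, and why workaround 3 (server on another subnet) and a true hairpin (destination NAT plus source NAT) both succeed. All addresses, ports and the `Router` model are constructed; the real AOS policy engine is not modelled.

```python
"""Why a LAN client cannot reach its own server through the router's public
address (the "hairpin" case), simulated with a small stateful NAT model.
All addresses and ports are constructed sample values (RFC 5737 / RFC 1918)."""
from dataclasses import dataclass, replace
import ipaddress

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

WAN_IP = "203.0.113.10"        # router's public (WAN) address
ROUTER_LAN_IP = "192.168.1.1"  # router's LAN address, the clients' default gateway
PUBLIC_PORT = 8080             # port published in the website link
SERVER_PORT = 80               # port the web application really listens on
CLIENT_IP = "192.168.1.50"     # a LAN workstation
CLIENT_PORT = 40000
LAN = ipaddress.ip_network("192.168.1.0/24")

class Router:
    """Port forward WAN_IP:PUBLIC_PORT -> server:SERVER_PORT with a session
    table so the server's reply can be translated back.
    private_dnat: apply the same translation to LAN-sourced traffic
                  (the Private-policy destination NAT of workaround 3).
    hairpin_snat: additionally rewrite the LAN client's source address so the
                  server answers the router (a true hairpin, shown for contrast).
    One client per source port is assumed, so the table key is (ip, port)."""
    def __init__(self, server_ip, private_dnat=False, hairpin_snat=False):
        self.server_ip = server_ip
        self.private_dnat = private_dnat
        self.hairpin_snat = hairpin_snat
        self.sessions = {}  # (ip, port) the server answers -> original client (ip, port)

    def handle_request(self, pkt, from_wan):
        if (pkt.dst_ip, pkt.dst_port) != (WAN_IP, PUBLIC_PORT):
            return None
        if not from_wan and not self.private_dnat:
            return None  # a Public-policy forward never sees LAN-sourced traffic
        out = replace(pkt, dst_ip=self.server_ip, dst_port=SERVER_PORT)
        if self.hairpin_snat and not from_wan:
            out = replace(out, src_ip=ROUTER_LAN_IP)
        self.sessions[(out.src_ip, out.src_port)] = (pkt.src_ip, pkt.src_port)
        return out

    def handle_reply(self, pkt):
        orig = self.sessions.get((pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return pkt  # unknown session: passed through untranslated
        return Packet(WAN_IP, PUBLIC_PORT, orig[0], orig[1])

def _server_reply(to_server):
    # The server answers from its own address:port to whatever source it saw
    return Packet(to_server.dst_ip, to_server.dst_port, to_server.src_ip, to_server.src_port)

def _accepted(delivered, client_ip, client_port):
    # A client only accepts a reply from the exact address:port it connected to
    return (delivered.src_ip, delivered.src_port, delivered.dst_ip, delivered.dst_port) == \
        (WAN_IP, PUBLIC_PORT, client_ip, client_port)

def wan_client_attempt(server_ip):
    """Public user following the website link; returns True on success."""
    router = Router(server_ip)
    request = Packet("198.51.100.7", 51000, WAN_IP, PUBLIC_PORT)
    to_server = router.handle_request(request, from_wan=True)
    # The reply is addressed outside the LAN, so it must pass back through the router
    delivered = router.handle_reply(_server_reply(to_server))
    return _accepted(delivered, "198.51.100.7", 51000)

def lan_client_attempt(server_ip, private_dnat=False, hairpin_snat=False):
    """LAN user following the same link; returns (success, explanation)."""
    router = Router(server_ip, private_dnat, hairpin_snat)
    request = Packet(CLIENT_IP, CLIENT_PORT, WAN_IP, PUBLIC_PORT)
    to_server = router.handle_request(request, from_wan=False)
    if to_server is None:
        return False, "no translation applied; the request terminates at the router itself"
    reply = _server_reply(to_server)
    if reply.dst_ip != ROUTER_LAN_IP and ipaddress.ip_address(server_ip) in LAN:
        delivered = reply  # same subnet: delivered directly, the router never sees it
    else:
        delivered = router.handle_reply(reply)  # other subnet or hairpin: routed back via the router
    if _accepted(delivered, CLIENT_IP, CLIENT_PORT):
        return True, "reply carries the public address:port the client connected to"
    return False, (f"reply came from {delivered.src_ip}:{delivered.src_port}, "
                   f"client expected {WAN_IP}:{PUBLIC_PORT}; dropped")

if __name__ == "__main__":
    print("WAN client:", wan_client_attempt("192.168.1.10"))
    print("LAN, Public-policy forward only:", lan_client_attempt("192.168.1.10"))
    print("LAN, Private-policy DNAT, same subnet:", lan_client_attempt("192.168.1.10", private_dnat=True))
    print("LAN, Private-policy DNAT, server on 192.168.2.0/24:", lan_client_attempt("192.168.2.10", private_dnat=True))
    print("LAN, DNAT + source NAT (hairpin):", lan_client_attempt("192.168.1.10", private_dnat=True, hairpin_snat=True))
```

The same-subnet failure is the one that surprises people: the translation happens on the way in, but the server's reply goes straight to the client over the LAN and arrives from 192.168.1.10:80 instead of the public address the client connected to, so the client's TCP stack discards it. Moving the server to another subnet forces the reply back through the router, which is exactly why workaround 3 needs the separate subnet.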
            • Re: Web Server Access
              dogma New Member

              Noor,

               

              Thanks for the reply.  I followed your link.  I copy/pasted the relevant suggestions below, along with my follow-up questions in Bold.


              1. The easiest solution is to point local devices to an internal DNS server. In your internal DNS server, you will need to add a static host entry that points the hostname to the internal IP address of the server. I am currently using the Netvanta as a DNS server.  However, I do not think that the issue can be addressed this way.  Since the website is hosted elsewhere, and only a single link on the site points to our internal server (identified by the WAN IP and port number), I don't have a hostname to re-direct.

               

              2. If you do not have an internal DNS server, the AOS device can act as a proxy DNS server. You would need to point local devices to the AOS device as their DNS server. Then enable DNS proxy and configure the public DNS servers on the AOS device. Finally, add a static entry in the AOS device's host table that points the hostname to the internal IP address of the server. This can be done in the GUI by navigating to System -> Hostname/DNS. The command to add a host entry in the CLI is ip host <name of host> <private IP address>. Same issue as above.

               

              3. Another solution is to put the server on a different subnet and configure a destination NAT in the Private policy that matches any traffic going to the public IP address or hostname on the specified port. You will want to make sure that this rule is placed above the NAT rule you have setup for internet access. This may be the only option, although it is undesirable since more than 50 machines already look for the server on the existing subnet for non-web related applications.  Maybe an alternative would be to add a second NIC to the server and put it in a different subnet or DMZ?


              Any other suggestions are welcome.  I have to say that the inability to "hairpin" traffic is a frustration.  I've run into it before in setting up network cameras for web access.  Inevitably the local users don't understand why they can't get to the camera from the website, and subsequently report that the camera or website must be broken.  It would be great if there were a more elegant programming solution that solved this, as we are finding that it is a rapidly growing need. 

                • Re: Web Server Access
                  Employee

                  dogma - I would suggest contacting your Adtran Sales rep and letting them know about your need for this feature.

                   

                  Does the link on your website reference an IP address or a hostname? If it references an IP address, would it be possible to link it to a hostname instead?

                   

                  Thanks,

                  Noor

                    • Re: Web Server Access
                      dogma New Member

                      Noor,

                      The website link is referenced by a WAN IP address and port number.  I don’t think I understand your question about linking it via hostname.  The hostname would work inside the LAN, but without the IP address the public would lose access on the WAN side.  How would the server’s local hostname be resolved by PCs that are outside of our network?  Isn’t that the purpose of the port forward?  Maybe I’m not understanding your question…


                      Thanks.

                        • Re: Web Server Access
                          Employee

                          dogma - What I was trying to ask is if the link could be modified to point to a hostname (website) and port number instead of the WAN IP address and port number. If you are able to use a hostname, then the outside clients would resolve the hostname using their public DNS servers to the WAN IP address. The internal clients would resolve the hostname to the private IP based on the host entry you would enter in either the NetVanta or your internal DNS server (options 1 and 2 in my original response). If this is not possible, then it appears that the third option would be the best workaround for you.

                           

                          Thanks,

                          Noor

                          1 of 1 people found this helpful
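The split resolution Noor describes in this reply (outside clients resolve the hostname to the WAN IP, inside clients to the private IP via a host entry), as an added example that is not from this thread or from Adtran. `apps.example.com`, the addresses, the `INTERNAL_NETS`/`LOCAL_HOSTS`/`PUBLIC_HOSTS` tables and the `LISTENING` table are all constructed. The final check also covers a caveat the thread does not spell out: the port number in the link survives the split, so an internal client that resolves to the private IP connects to the published port, which the server itself must then be listening on.

```python
"""Split-horizon name resolution for a link published on an external website:
LAN clients get the server's private address from a local host entry, everyone
else gets the public (WAN) address from the public zone.
All names and addresses below are constructed examples."""
import ipaddress
from urllib.parse import urlsplit

# Subnets treated as "inside" (clients that use the internal DNS / AOS DNS proxy)
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Static host entries on the internal DNS server or in the AOS host table
LOCAL_HOSTS = {"apps.example.com": "192.168.1.10"}

# Records in the public zone hosted elsewhere
PUBLIC_HOSTS = {"apps.example.com": "203.0.113.10"}

# Which (address, port) pairs actually accept connections: the server itself
# listens on 80; the router forwards public port 8080 to it.
LISTENING = {"192.168.1.10": {80}, "203.0.113.10": {8080}}

# The router does not hairpin LAN traffic sent to its own public address
HAIRPIN_SUPPORTED = False


def _is_internal(client_ip):
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in INTERNAL_NETS)


def resolve(hostname, client_ip):
    """Answer a hostname the way the client's own resolver would."""
    name = hostname.rstrip(".").lower()
    try:
        return str(ipaddress.ip_address(name))  # link already uses an IP literal: nothing to split
    except ValueError:
        pass
    if _is_internal(client_ip) and name in LOCAL_HOSTS:
        return LOCAL_HOSTS[name]
    return PUBLIC_HOSTS.get(name)


def destination_for(link, client_ip):
    """(ip, port) a client connects to after following the link; None if unresolvable."""
    parts = urlsplit(link)
    if parts.hostname is None:
        return None
    ip = resolve(parts.hostname, client_ip)
    if ip is None:
        return None
    return ip, parts.port or 80


def link_works(link, client_ip, listening=LISTENING):
    """True when the resolved address:port is actually reachable for this client."""
    dest = destination_for(link, client_ip)
    if dest is None:
        return False
    ip, port = dest
    if _is_internal(client_ip) and not _is_internal(ip) and not HAIRPIN_SUPPORTED:
        return False  # LAN client aimed at the public address: the hairpin case
    return port in listening.get(ip, set())


if __name__ == "__main__":
    for who in ("192.168.1.50", "198.51.100.7"):
        for link in ("http://apps.example.com:8080/app",
                     "http://apps.example.com/app",
                     "http://203.0.113.10:8080/app"):
            print(who, link, destination_for(link, who), link_works(link, who))
```

With the hostname-based link, the published port is the part to watch: if the website keeps `:8080` in the URL, internal clients land on 192.168.1.10:8080, so either the server has to listen there too, or the link drops the port and the forward is made on 80 (the configuration the original question started with).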
                  • Re: Web Server Access
                    levi Employee

                    dogma:

                     

                    I marked this post as "assumed answered," but please do not hesitate to reply if you have further questions.

                    Levi