Solved ipfw, accessing web site on local webserver from LAN via WAN ip

1) I have a router with WAN IP 62.117.93.14 and local net 192.168.0.0/16. NAT enabled, working.
2) In the local net I have an nginx web site with IP 192.168.0.27 for the domain is.some_domain.ru.
When I try to access is.some_domain.ru from outside the local net it works fine. But when I try to access that site from the local net I get ERR_CONNECTION_REFUSED.
Code:
#!/bin/sh
# Flush the whole ruleset and rebuild it from scratch
ipfw -q -f flush
cmd="ipfw -q add"
wan="re0"
wan_ip="62.117.93.14"
lan="vr0"
ks="keep-state"
# NAT instance 1 on the WAN interface; inbound 80/443 on the WAN address are
# redirected to the internal web server 192.168.0.27
ipfw -q nat 1 config if $wan same_ports unreg_only reset \
                             redirect_port tcp 192.168.0.27:80 80 \
                             redirect_port tcp 192.168.0.27:443 443
$cmd 5 allow all from any to any via $lan
$cmd 10 allow all from any to any via lo0
$cmd 105 reass all from any to any in
$cmd 110 check-state
$cmd 120 allow tcp from any to $wan_ip 4322 in via $wan $ks
$cmd 130 allow all from $wan_ip to 8.8.8.8 53  out via $wan $ks
# Everything that crosses the WAN interface goes through the NAT instance
$cmd 1000 nat 1 ip from any to any via $wan

ipfw show
Code:
00005 5560098 4784045774 allow ip from any to any via vr0
00010       4        160 allow ip from any to any via lo0
00105 2968474 2748258948 reass ip from any to any in
00110       0          0 check-state :default
00120    6816     582784 allow tcp from any to 62.117.93.14 4322 in via re0 keep-state :default
00130      87       8203 allow ip from 62.117.93.14 to 8.8.8.8 53 out via re0 keep-state :default
01000 5593058 4786264615 nat 1 ip from any to any via re0
65535       7        392 deny ip from any to any
tcpdump -i vr0 src 62.117.93.14 or dst 62.117.93.14
Code:
16:00:45.868292 IP 192.168.2.135.1718 > 62.117.93.14.http: Flags [S], seq 3722626669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:00:45.868331 IP 62.117.93.14.http > 192.168.2.135.1718: Flags [R.], seq 0, ack 3722626670, win 0, length 0
16:00:46.372893 IP 192.168.2.135.1718 > 62.117.93.14.http: Flags [S], seq 3722626669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:00:46.372930 IP 62.117.93.14.http > 192.168.2.135.1718: Flags [R.], seq 0, ack 1, win 0, length 0
16:00:46.873407 IP 192.168.2.135.1718 > 62.117.93.14.http: Flags [S], seq 3722626669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:00:46.873448 IP 62.117.93.14.http > 192.168.2.135.1718: Flags [R.], seq 0, ack 1, win 0, length 0
16:00:47.376647 IP 192.168.2.135.1718 > 62.117.93.14.http: Flags [S], seq 3722626669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:00:47.376685 IP 62.117.93.14.http > 192.168.2.135.1718: Flags [R.], seq 0, ack 1, win 0, length 0
16:00:47.878100 IP 192.168.2.135.1718 > 62.117.93.14.http: Flags [S], seq 3722626669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:00:47.878119 IP 62.117.93.14.http > 192.168.2.135.1718: Flags [R.], seq 0, ack 1, win 0, length 0
As I see it, no packets reach the nginx server; the reset packets I receive come from the router, but I can't understand why.
 
It doesn't work because the packets don't "know" how to get back to the machine(s) on the LAN that is (are) trying to contact the web server (which is also on the LAN). You need a new rule that basically says: if the packet's destination is the WAN interface and it's coming from the LAN, route it back properly.
 
The redirect only works on incoming packets from the internet on the external ($wan) interface. A connection from inside your network to the external address never goes out the external interface; it has already arrived at its destination (the host itself). Thus nothing comes back in either, and so the redirection is never applied. What you're trying to do is called hairpinning.
 
I tried to google how I can use NAT loopback with ipfw, but I can't find it. Maybe you can show me?
 
You can't. That's the point. You typically solve this by using a so-called "split-horizon" DNS for example. Then external DNS requests will resolve to the external address and internal requests resolve to the internal address.

Another way to solve this is by removing the redirection and instead using a (reverse) proxy like www/haproxy to "forward" the HTTP(S) traffic. The added benefit of using a proxy is that you can have multiple websites on the same external IP and forward each of them to different internal hosts.
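Two things from this thread are worth turning into a repeatable check: confirming from the capture that the RSTs really are the router refusing a hairpinned connection (rather than the web server or a firewall rule), and rendering the split-horizon DNS entries that the second answer recommends. The script below is an added example written for this page; it is not code from the thread or from ipfw/unbound. It assumes the thread's addressing (WAN 62.117.93.14, LAN 192.168.0.0/16, ports 80 and 443 redirected to 192.168.0.27) and feeds in the tcpdump lines posted above plus one constructed pair for the router's own port 4322 service to show the non-hairpin case. The unbound `local-zone`/`local-data` syntax is real; the zone type and the resolver choice are assumptions.

```python
"""Diagnose hairpin NAT failures from a tcpdump capture and emit the
split-horizon DNS records that steer internal clients to the LAN address.

Added example for this thread (not part of the original post). Assumes the
thread's addressing: WAN 62.117.93.14, LAN 192.168.0.0/16, ports 80/443
redirected to 192.168.0.27 by the ipfw nat instance.
"""
import ipaddress
import re

# tcpdump prints well-known ports as service names unless run with -n.
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53, "ssh": 22}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

# Sample input: the first two SYN/RST pairs from the capture in the thread,
# plus one constructed pair (port 4322, answered by SYN-ACK) for contrast.
SAMPLE_CAPTURE = """\
16:00:45.868292 IP 192.168.2.135.1718 > 62.117.93.14.http: Flags [S], seq 3722626669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:00:45.868331 IP 62.117.93.14.http > 192.168.2.135.1718: Flags [R.], seq 0, ack 3722626670, win 0, length 0
16:00:46.372893 IP 192.168.2.135.1718 > 62.117.93.14.http: Flags [S], seq 3722626669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:00:46.372930 IP 62.117.93.14.http > 192.168.2.135.1718: Flags [R.], seq 0, ack 1, win 0, length 0
16:05:00.000000 IP 192.168.2.135.1800 > 62.117.93.14.4322: Flags [S], seq 1, win 64240, length 0
16:05:00.000100 IP 62.117.93.14.4322 > 192.168.2.135.1800: Flags [S.], seq 2, ack 2, win 65535, length 0
"""


def split_endpoint(endpoint):
    """'192.168.2.135.1718' -> ('192.168.2.135', 1718); '62.117.93.14.http' -> (..., 80)."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port) if port.isdigit() else SERVICE_PORTS.get(port)


def diagnose(capture, wan_ip, lan_net, redirected_ports):
    """Classify every LAN -> WAN-address TCP connection attempt in the capture.

    Returns {(client_ip, client_port, dst_port): verdict} with verdict one of
      'hairpin-refused'  SYN to a redirected port answered by RST from the router:
                         the nat redirect never ran because the packet did not
                         cross the WAN interface, and nothing on the router
                         itself listens there
      'refused'          RST on a port that is not redirected (plain closed port)
      'router-accepted'  SYN answered by SYN-ACK (a service on the router itself)
      'unanswered'       SYN seen, no reply in the capture
    """
    lan = ipaddress.ip_network(lan_net)
    verdicts = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        if src_port is None or dst_port is None:
            continue
        flags = m["flags"]
        # Client SYN (no ACK bit): LAN host talking to the router's external address.
        if "S" in flags and "." not in flags:
            if ipaddress.ip_address(src_ip) in lan and dst_ip == wan_ip:
                # Retransmitted SYNs must not overwrite a verdict already reached.
                verdicts.setdefault((src_ip, src_port, dst_port), "unanswered")
            continue
        # Reply from the router's external address back to a client we tracked.
        key = (dst_ip, dst_port, src_port)
        if src_ip == wan_ip and key in verdicts:
            if "R" in flags:
                verdicts[key] = "hairpin-refused" if src_port in redirected_ports else "refused"
            elif "S" in flags and "." in flags:
                verdicts[key] = "router-accepted"
    return verdicts


def unbound_split_horizon(records):
    """Render unbound.conf 'server:' entries so that internal clients resolve
    each name to its LAN address; the public DNS keeps answering the WAN address.
    'transparent' (assumed here) serves the listed names locally and resolves
    anything else under the zone normally.
    """
    lines = ["server:"]
    for name, ip in sorted(records.items()):
        fqdn = name.rstrip(".") + "."
        lines.append(f'    local-zone: "{fqdn}" transparent')
        lines.append(f'    local-data: "{fqdn} IN A {ip}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for (client, cport, dport), verdict in diagnose(
        SAMPLE_CAPTURE, "62.117.93.14", "192.168.0.0/16", {80, 443}
    ).items():
        print(f"{client}:{cport} -> :{dport}  {verdict}")
    print(unbound_split_horizon({"is.some_domain.ru": "192.168.0.27"}))
```

Run against the real capture with `tcpdump -i vr0 -l src 62.117.93.14 or dst 62.117.93.14 | python3 script.py`-style piping after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`; a `hairpin-refused` verdict on a redirected port confirms the explanation in the answer above, while `router-accepted` on 4322 shows the same path working for a service that actually lives on the router.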
 