[BlueOnyx:01302] Re: Cannot see vsite from the internet
Michael Stauber
mstauber at blueonyx.it
Mon May 25 20:04:51 -05 2009
Hi Tony,
> I have a BQ box behind a Bridged Modem/IPCOP installation and I have
> forwarded port 80 to the BQ box and I see in TCPDUMP (on the BQ machine);
>
> [root at xxxxxx ~]# tcpdump -lnn port 80
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:54:54.044762 IP 203.194.x.x.1247 > 192.168.0.200.80: S
> 1843694543:1843694543(0) win 16384 <mss 1400,nop,nop,sackOK>
> 15:54:57.244309 IP 203.194.x.x.1247 > 192.168.0.200.80: S
> 1843694543:1843694543(0) win 16384 <mss 1400,nop,nop,sackOK>
> 15:55:03.775379 IP 203.194.x.x.1247 > 192.168.0.200.80: S
> 1843694543:1843694543(0) win 16384 <mss 1400,nop,nop,sackOK>
>
> ... so I cannot figure out why Apache simply does not show me the vsite?
>
> I am using the correct FQDN from the internet and the vsite works on the
> local lan so I am at a loss as to why this is happening.
>
> Does anyone have any ideas??????
It's - unfortunately - a bit more complicated than that.
The sites on BlueOnyx run as virtual hosts. That means: when you point your browser
to the primary IP (or the hostname of the server itself), you get the
default start page of the server. That always ought to work, provided your
forwarding is configured correctly.
Now let's say you have created the website "www.company.com" on your server.
When you connect to "www.company.com" (and your DNS points to your public IP
203.194.x.x), then the connection DOES get forwarded to your Apache that runs
on the internal IP 192.168.0.200.
Apache then does some magic and notices: "Hey, he wants to see the site
'www.company.com'." So it checks the DNS for "www.company.com" and notices that
your DNS for it points to the *public* IP.
At that point Apache says: "Hmkay, that's none of the IPs *I* serve, so this
ain't my business!", so it will - at best - show the generic start page. If
anything.
With email, matters are similarly screwy, because Sendmail will do the same.
If an email for "tony at company.com" arrives, it'll do an NSLOOKUP on
company.com, will check the MX record and will then say: "The IP 203.194.x.x
ain't one of mine, so I will not relay your stuff!"
The workaround here (one of them - there are others as well) is:
You have to have two different DNS servers. One external and one internal. The
external DNS server has all the information with the corresponding *public* IP
addresses.
The internal DNS server has the very same set of DNS records, but instead of
the public IPs it has the private IPs.
You then configure your BlueOnyx to use the internal DNS server for all DNS
queries. So when Apache, Sendmail or FTP on your server handle anything that
deals with one of your DMZ'ed local domains, they'll automatically use
the correct internal IPs and are able to route traffic correctly.
--
With best regards
Michael Stauber
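The two-DNS-server arrangement described in the reply above, written out as an added example (not part of the original post and not BlueOnyx's shipped configuration): a single BIND 9 server answering the same zone differently depending on who asks, using views. The zone name company.com, the file paths, the acl name and the LAN range 192.168.0.0/24 are assumptions; 192.168.0.200 is the internal address from the thread, and 203.0.113.10 is a documentation-range placeholder standing in for the real public IP, which the thread only shows as 203.194.x.x.

```conf
// /etc/named.conf excerpt (BIND 9): split-horizon DNS for company.com.
// Added example; names, paths and addresses are assumed for illustration.

acl "lan" { 192.168.0.0/24; 127.0.0.1; };

// Internal view: what LAN clients (and the BlueOnyx box itself, once its
// resolver points here) see. Same names as outside, private addresses.
view "internal" {
    match-clients { lan; };
    recursion yes;               // LAN hosts may use this server as their resolver

    zone "company.com" {
        type master;
        file "/var/named/internal/company.com.zone";
    };
};

// External view: what everyone else sees. Same names, public address.
// "any" matches whatever the earlier view did not claim, so order matters.
view "external" {
    match-clients { any; };
    recursion no;                // do not act as an open resolver for the Internet

    zone "company.com" {
        type master;
        file "/var/named/external/company.com.zone";
    };
};

; ---- /var/named/internal/company.com.zone (private addresses) ----
$TTL 3600
@       IN SOA  ns1.company.com. hostmaster.company.com. (
                2009052501 ; serial
                3600 1800 1209600 300 )
        IN NS   ns1.company.com.
        IN MX   10 mail.company.com.
ns1     IN A    192.168.0.200
www     IN A    192.168.0.200
mail    IN A    192.168.0.200

; ---- /var/named/external/company.com.zone (public address placeholder) ----
$TTL 3600
@       IN SOA  ns1.company.com. hostmaster.company.com. (
                2009052501 ; serial
                3600 1800 1209600 300 )
        IN NS   ns1.company.com.
        IN MX   10 mail.company.com.
ns1     IN A    203.0.113.10
www     IN A    203.0.113.10
mail    IN A    203.0.113.10
```

The two zone files deliberately carry the same record set and differ only in the A records, which is the property the reply relies on. Once the BlueOnyx server's resolver points at the internal view, `dig @192.168.0.200 www.company.com A` from the LAN should return 192.168.0.200 while the same query from outside returns the public address; if both return the public IP, the server is still consulting the external view and Apache and Sendmail will keep rejecting the name as "not one of mine". Keeping `recursion no` on the external view matters because a view that recurses for `any` is an open resolver.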