
Can't access internal webserver from within LAN

max
Posts: 8
Joined: 08 Oct 2008, 13:20

Can't access internal webserver from within LAN

Post by max »

I have a B3 with Wifi. The B3 is set up like Router + Firewall + Server. I also have a webserver on the LAN and port 80 forwarded to that webserver. The problem is that I can connect to that webserver from wifi (wlan0), but not when I am connected via wire (eth1). eth1 and wlan0 are bridged together as br0, B3 standard config. There is no problem connecting to the webserver from the internet. What do I have to do to be able to connect to the webserver from wired LAN?
Gordon
Posts: 1469
Joined: 10 Aug 2011, 03:18

Re: Can't access internal webserver from within LAN

Post by Gordon »

How do you connect to that webserver?

Normally if you're on the same wired network you'd make a direct connection to it and thus never pass any other machine like the B3. An exception would be that you're using the external DNS name and need the B3 to DNAT that address to the internal webserver, *or* have dnsmasq respond the internal address rather than the original address (your WAN address).
max
Posts: 8
Joined: 08 Oct 2008, 13:20

Re: Can't access internal webserver from within LAN

Post by max »

Well the web server is actually a vserver host with multiple vservers and with different DNS names. What I don't understand is why I can connect with wifi and not by wire, using the external DNS names. Both are on br0, right?
Gordon
Posts: 1469
Joined: 10 Aug 2011, 03:18

Re: Can't access internal webserver from within LAN

Post by Gordon »

I agree - that is strange. However a bridge does imply there is some type of routing involved (I'm not totally familiar with the fundamentals on this) *and* surely you must have added a DNAT rule to the firewall to transfer incoming traffic to the webserver. What may be happening here is that your traffic moves from wlan0 to eth0 to eth1, but it cannot travel from eth1 to eth0 and back again. I'd suspect if you could enable the webserver (or just any protocol) on a wifi device the problem would be reversed (access from wire but no access on wifi).

What you need is a firewall rule that prevents the traffic that should go to the webserver from entering the internal router on the B3 and instead "bounces off" - a routeback rule.

iptables -t nat -A PREROUTING -i br0 -p tcp -d <internet address> --dport http -j DNAT --to-destination <webserver LAN address>

Within the simple context of the B3 firewall configuration you may combine this with the rule you already have for DNAT'ing external traffic to that webserver (it can get hard if you read this back later and need to understand what you did before - e.g. you might want to include or exclude a dial-in device):

iptables -t nat -A PREROUTING ! -i lo -p tcp -d <internet address> --dport http -j DNAT --to-destination <webserver LAN address>
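The routeback setup discussed in this thread, written out as a small script. This is an added example, not code from the thread or from the B3 firmware; the addresses, subnet and interface names are assumptions. Besides the DNAT rule it adds the source NAT that hairpin traffic needs when client and server share a subnet (otherwise the server answers the client directly, and the client discards a reply that comes from the server's LAN address instead of the public one), plus a FORWARD accept for the bridge.

```bash
#!/bin/sh
# Hairpin ("routeback") NAT for clients on a bridged LAN that use the
# public address of a web server sitting on the same LAN.
# Added example; values below are assumptions, not from the thread.
WAN_IP="${WAN_IP:-203.0.113.10}"        # assumed public address on the WAN side
WEB_IP="${WEB_IP:-192.168.10.20}"       # assumed LAN address of the web server
LAN_NET="${LAN_NET:-192.168.10.0/24}"   # assumed LAN subnet behind br0
BR_IF="${BR_IF:-br0}"                   # bridge of eth1 + wlan0
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the rules, 0 = apply them

# Print or apply one iptables rule depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

hairpin_rules() {
  # 1. DNAT: a LAN client talking to WAN_IP:80 is redirected to the server.
  #    -p tcp is required, otherwise --dport is not a valid match.
  ipt -t nat -A PREROUTING -i "$BR_IF" -p tcp -d "$WAN_IP" --dport 80 \
      -j DNAT --to-destination "$WEB_IP"
  # 2. SNAT only the connections that were DNATed above (ctstate DNAT), so
  #    the server's reply travels back through the router; normal bridged
  #    LAN-to-server traffic keeps its real source address.
  ipt -t nat -A POSTROUTING -m conntrack --ctstate DNAT \
      -s "$LAN_NET" -d "$WEB_IP" -p tcp --dport 80 -j MASQUERADE
  # 3. The redirected packets leave on the same bridge they came in on;
  #    allow that in FORWARD in case the chain policy is DROP.
  ipt -A FORWARD -i "$BR_IF" -o "$BR_IF" -d "$WEB_IP" -p tcp --dport 80 -j ACCEPT
}

hairpin_rules
```

Run with DRY_RUN=1 (the default) to review the generated rules before applying them with DRY_RUN=0 as root.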
max
Posts: 8
Joined: 08 Oct 2008, 13:20

Re: Can't access internal webserver from within LAN

Post by max »

Hmm... If I disable Wifi it works, but then I'm out of Wifi :evil: ...
Is it possible to split br0 into wlan0 and eth1?
Gordon
Posts: 1469
Joined: 10 Aug 2011, 03:18

Re: Can't access internal webserver from within LAN

Post by Gordon »

max wrote: Hmm... If I disable Wifi it works, but then I'm out of Wifi :evil: ...
Is it possible to split br0 into wlan0 and eth1?
Of course you can - it's bridging that's out of the ordinary. It will probably cause problems with DNSmasq (and its integrated DHCP) though and you may have to switch to something more advanced like ISC dhcpd and Bind.

Edit: I just looked into the bridging mechanism and from what I understand once you get to the bridge interface br0 you're actually already one step too far in the routing process to be able to get back to the original physical interface (i.e. eth1). The solution would therefore be to have the DNAT rule act on the physical interface, which may very likely be achieved by using the physdev match in iptables (but is a bit difficult to verify because the corresponding module is not part of the Bubba distribution).
max
Posts: 8
Joined: 08 Oct 2008, 13:20

Re: Can't access internal webserver from within LAN

Post by max »

Well I guess I have to go back to my dd-wrt Linksys router. Thank you anyway Gordon, for your help on this one.