I have public IPs and am using firewalld for a router to provide Internet access for the internal network as well as forward ports for the public IPs to internal servers.
I have masquerade enabled on the external network, and no problem accessing the internet internally. The public internet has no problem reaching internal servers via port forwarding.
But, I cannot access anything via the public IPs from the internal network unless the internal network also has masquerade. While I can access servers via their internal IP, there are plenty of links using public host names, preventing this from being an acceptable limitation.
If I enable masquerade on the internal network, all servers can be accessed internally via their public IP, but the SMTP server becomes an open relay as it sees all incoming external traffic as originating from the router and trusts it. Nothing can properly log or control access via source external IPs.
On Sat, May 25, 2019 at 02:31:43AM -0000, Erik Calco wrote:
> I have public IPs and am using firewalld for a router to provide Internet access for the internal network as well as forward ports for the public IPs to internal servers.
> I have masquerade enabled on the external network, and no problem accessing the internet internally. The public internet has no problem reaching internal servers via port forwarding.
> But, I cannot access anything via the public IPs from the internal network

That is expected. You added the forward ports to the external facing zone. Therefore, the forward ports are only considered for traffic that comes in from that zone's interfaces/sources.

> unless the internal network also has masquerade.

How did you enable masquerade? Is the internal network a separate zone?

> While I can access servers via their internal IP, there are plenty of links using public host names, preventing this from being an acceptable limitation.
> If I enable masquerade on the internal network, all servers can be accessed internally via their public IP, but the SMTP server becomes an open relay as it sees all incoming external traffic as originating from the router and trusts it. Nothing can properly log or control access via source external IPs.
firewalld-users@lists.fedorahosted.org
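The two observations in the thread (a forward-port in the external zone only matches traffic that enters through that zone's interfaces, and a zone-wide masquerade on the internal zone rewrites the source of the DNATed Internet traffic too, which is what turns the SMTP server into an open relay) point at the usual remedy: repeat the DNAT in the internal zone and masquerade only the LAN-originated hairpin traffic. The script below is an added example, not code from the thread or from the firewalld project. The addresses (RFC 5737 / RFC 1918 ranges), the zone names and the rich-rule text are assumptions for illustration; the rich-rule syntax follows firewalld.richlanguage(5), and the forward-port and masquerade elements with `destination`/`source` limits should be checked against the firewalld version in use.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin NAT for one published service
# with firewalld, scoped so that only LAN-originated connections are SNATed.
# All addresses and zone names below are assumptions for illustration.

PUBLIC_IP="203.0.113.10"    # assumed: public address published for the mail host
LAN_NET="192.168.1.0/24"    # assumed: internal network
SMTP_INT="192.168.1.25"     # assumed: internal SMTP server
EXT_ZONE="external"         # assumed: zone holding the Internet-facing interface
INT_ZONE="internal"         # assumed: zone holding the LAN interface

# Run firewall-cmd, or with DRY_RUN=1 print the exact invocation instead, so the
# rule set can be reviewed (and this script exercised) on a host without firewalld.
fwcmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd'
        for a in "$@"; do
            case "$a" in
                *" "*|*'"'*) printf " '%s'" "$a" ;;   # quote args with spaces/quotes
                *)           printf ' %s' "$a" ;;
            esac
        done
        printf '\n'
    else
        firewall-cmd "$@"
    fi
}

# 1. What the poster already has: DNAT on the external zone plus masquerade for
#    LAN-to-Internet egress. Packets arriving from the Internet keep their real
#    source address on the way to the SMTP server.
configure_external() {
    fwcmd --permanent --zone="$EXT_ZONE" --add-masquerade
    fwcmd --permanent --zone="$EXT_ZONE" \
        --add-forward-port="port=25:proto=tcp:toaddr=$SMTP_INT"
}

# 2. Hairpin. A LAN client connecting to PUBLIC_IP:25 enters through the internal
#    zone's interface, so the external zone's forward-port never sees it; the DNAT
#    has to be repeated in the internal zone. The server's reply would then go
#    straight back to the LAN client (asymmetric path, TCP never completes), so the
#    LAN side is masqueraded too, but ONLY for packets whose source is the LAN:
#    DNATed Internet traffic still carries a remote source address and is left alone.
configure_hairpin() {
    fwcmd --permanent --zone="$INT_ZONE" --add-rich-rule \
        "rule family=\"ipv4\" destination address=\"$PUBLIC_IP\" forward-port port=\"25\" protocol=\"tcp\" to-addr=\"$SMTP_INT\""
    fwcmd --permanent --zone="$INT_ZONE" --add-rich-rule \
        "rule family=\"ipv4\" source address=\"$LAN_NET\" destination address=\"$SMTP_INT\" masquerade"
}

# Do NOT do this: a zone-wide masquerade on the LAN side rewrites every packet
# leaving the LAN interface, including DNATed Internet traffic, so the SMTP
# server sees everything as the router. This is the open-relay configuration
# the poster describes. Kept here only as the contrast to configure_hairpin.
configure_open_relay_antipattern() {
    fwcmd --permanent --zone="$INT_ZONE" --add-masquerade
}

apply() {
    configure_external
    configure_hairpin
    fwcmd --reload
}

# Usage:  DRY_RUN=1 sh hairpin.sh apply   (print the commands for review)
#         sh hairpin.sh apply             (apply them, as root)
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Two caveats a practitioner will want. First, hairpinned LAN connections do reach the SMTP server from the router's LAN address, so the server must not have a relay rule of the form "trust the router"; relay by LAN subnet or by SMTP AUTH instead, and the external source addresses the poster wants to log and filter on remain visible because they are not rewritten. Second, the hairpin packet enters and leaves through the same zone: on firewalld 1.0 and later intra-zone forwarding is a zone option (`firewall-cmd --zone=internal --query-forward`, enabled with `--add-forward`), and on any version `firewall-cmd --zone=internal --list-all` after the reload is the place to confirm both rich rules landed where expected. Split-horizon DNS (internal resolvers answering the public host names with the internal addresses) is the other common fix and avoids NAT reflection altogether.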