Re: Domain Forwarding on OpenWrt/Dnsmasq

Christopher Parker wrote:
> Hello,
>
> I'm trying to make dnsmasq on my WRT54G (OpenWrt Whiterussian RC5)
> forward domain names from the router to machines "behind" the router.
>
> Here's an example of my setup:
>
> "router" is the OpenWrt machine, providing DHCP to the 192.168.1.x
> network. It has an IP of 192.168.1.1
>
> "machine" is a client machine behind the router. It gets its IP
> address via DHCP from dnsmasq on the wrt.
>
> I have an external DNS server pointing "router.example.com" to the
> router's static WAN IP. I also have machine.example.com pointing to
> that same IP. I want dnsmasq to "forward" machine.example.com to the
> client machine.
>
> What I have so far is working, but only from inside the 192.168.1.x
> network. From the outside, machine.example.com points to the router's
> info page instead of the client machine.
>
> Here's my /etc/hosts, pretty straightforward:
>
> 127.0.0.1 localhost OpenWrt
> 192.168.1.1     router
> 192.168.1.2     machine # forces pseudo-static IP address for client machine
>
> Here's my dnsmasq.conf, sans comments:
>
> domain-needed
> bogus-priv
> filterwin2k
> localise-queries
> local=/lan/
> domain=example.com
> expand-hosts
> dhcp-host=router
> dhcp-authoritative
> dhcp-leasefile=/tmp/dhcp.leases
> read-ethers
>
> The only thing I can think of is changing the local line to say
> local=/example.com/. Right now, if I ping another machine from inside
> the network, the hostname for that machine shows up as machine.lan.
> Would this be my problem (part of the default OpenWrt install)?
>
> TIA,

If I've understood you correctly, then I think you need to step back a 
bit, and consider the larger problem. What you are trying to do: use a 
server behind a NAT router, is fairly common, but you cannot do it using 
DNS tricks only. There's only one IP, the router's WAN IP, which gets 
packets from the global internet to your box. No matter what you do to 
DNS, the names will be resolved to that IP in the end, and turn up at 
the router.

The normal way to do this is port-forwarding: you tell network subsystem 
on the router to treat packets which are sent to the router's global IP 
address and a certain port (or ports) specially. Instead of receiving 
the packets, it changes their destination field to the (192.168,...) IP 
address of the internal machine, and sends them to that machine over the 
internal network.

The magic to do this looks like this, which forwards port 8080 on the 
router to port 80 on 192.168.1.2

iptables -t nat -D PREROUTING -p tcp --destination-port 8080 \
     -j DNAT --to-destination 192.168.1.2:80


If you run that command on the router, then you will be able to access 
the webserver on 192.168.1.2 as

http://router.example.com:8080/

from anywhere.

It's also possible to forward port 80 on the router to port 80 on the 
server, but be careful: that might also forward port 80 when accessing 
the router from the internal network, blocking access to the router 
config pages.

I just re-read you message, and I see that you are using OpenWRT: that 
almost certainly has a config page to set up port-forwarding, so you 
won't need to run iptables commands directly: just fill in the web-form.


HTH


Simon.