RE: Need to solve a NAT problem, any takers.

Grant,

That would definitely solve the DNS part of the problem.  

Pascal Hambourg questioned why I really need to replicate the external
view to an internally only machine.  After we sat down today we found
that this really didn't need to be done as the secondary DNS server is
colocated somewhere else.  The internal lookup could never really happen
on the internal network with the confirmation that it's in now.  As long
as our internal DNS never references the external block we are fine.

FWIW it would be nice to be able to hit the public IP from within the
firewall but it's not the end of the world in this case.

Gary Wayne Smith

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Grant Taylor
> Sent: Friday, January 12, 2007 9:45 PM
> To: Mail List - Netfilter
> Subject: Re: Need to solve a NAT problem, any takers.
> 
> On 01/11/07 21:35, Gary W. Smith wrote:
> > Internally our DNS servers are split, giving us internal IPs when queried
> > internally and external ones when queried externally.  This works fine.
> > Our second DNS server internally slaves the primary.  Because we are
> > using this split functionality, when it slaves the internal IPs it gets
> > the internal IP configuration.  Works great.  But in order to replicate
> > the external range it must do so by replicating from the external IP.
> > This fails as the IP is NAT'd in by port only.  Years ago we solved
> > this by running a second POSTROUTING rule and an OUTPUT rule on the
> > firewall.  When I load these rules now
> 
> I know this is not an IPTables / NAT answer, but I think it may possibly
> be an answer to your need.  What if you add a different subnet to your
> two DNS servers that each of them consider to be for the external view.
> Tell your secondary to contact the primary on its IP in this external
> view subnet.
> 
> Just a thought.
> 
> 
> 
> Grant. . . .
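For reference, the hairpin-NAT rule set the quoted thread alludes to (a PREROUTING DNAT for LAN clients hitting the public address, a second POSTROUTING rule, and an OUTPUT rule for the firewall's own traffic), written out as an added example that is not part of the original mail. All addresses are constructed placeholders and the rules are scoped to port 53 only, so nothing else is hairpinned.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules so LAN hosts and the firewall itself can reach
# the DNS server through its public address, e.g. for a zone transfer (AXFR)
# from the "external" view. Addresses are constructed placeholders
# (RFC 5737 / RFC 1918), not the poster's real network.
PUB_IP="${PUB_IP:-203.0.113.10}"     # public address port-forwarded to DNS
DNS_INT="${DNS_INT:-192.168.1.53}"   # internal address of the DNS server
LAN="${LAN:-192.168.1.0/24}"         # internal subnet
FW_INT="${FW_INT:-192.168.1.1}"      # firewall's LAN-side address

# Emit the rules for both protocols: UDP for ordinary lookups, TCP for
# zone transfers and large responses.
hairpin_rules() {
    for proto in udp tcp; do
        # 1. LAN client -> public IP: rewrite the destination to the internal
        #    host. Matching -s $LAN keeps this from touching Internet traffic.
        echo "iptables -t nat -A PREROUTING -s $LAN -d $PUB_IP -p $proto --dport 53 -j DNAT --to-destination $DNS_INT"
        # 2. Second POSTROUTING rule: rewrite the source so the DNS server
        #    answers back through the firewall. Without it the server replies
        #    directly to the client, which never sees its packet un-DNAT'd and
        #    drops the reply.
        echo "iptables -t nat -A POSTROUTING -s $LAN -d $DNS_INT -p $proto --dport 53 -j SNAT --to-source $FW_INT"
        # 3. Locally generated traffic never passes PREROUTING, so the
        #    firewall's own lookups need the same rewrite in OUTPUT.
        echo "iptables -t nat -A OUTPUT -d $PUB_IP -p $proto --dport 53 -j DNAT --to-destination $DNS_INT"
    done
}

# Number of rules in the generated set (a sanity check before applying).
rule_count() { hairpin_rules | wc -l | tr -d ' '; }

# Print by default; run as root with "apply" to install the rules.
if [ "${1:-}" = "apply" ]; then
    hairpin_rules | sh -e
else
    hairpin_rules
fi
```

Run it with no arguments first and review the printed rules; the DNAT/SNAT pair is required on the same firewall or the return path breaks exactly as the thread describes.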