On Sun, Apr 08, 2012 at 06:42:51PM -0700, Aaron Clausen wrote:
> On 2012-04-08, at 6:08 PM, /dev/rob0 <rob0@xxxxxxxxx> wrote:
> > On Sun, Apr 08, 2012 at 05:10:19PM -0700, Aaron Clausen wrote:
> >> I'm trying to sort out how to do NAT reflection off the public
> >> interface where that interface's IP address is supplied via DHCP
> >> from the ISP. Any thoughts?
> >
> > I would guess that by "NAT reflection", you mean that you think
> > you want to NAT internal clients to an internal host for various
> > requests of your external name. This only makes sense if you are
> > using some kind of dynamic DNS service to give you an "external
> > name".
>
> And this works fine except for some devices which ignore my DNS and
> use external ones like Google's and thus fail when trying to access
> our public resources from our internal WiFi network.

So reconfigure those devices to use your internal DNS. Why are such
devices needing to contact you by your external hostname? Have them
use an internal hostname and nameserver.

BTW dnsmasq is not just a nameserver, it is also a DHCP server. You
might want to have your devices use DHCP, thus giving centralized
control over such matters.

Getting back on topic, you can also hijack their DNS queries ...

iptables -vt nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT
iptables -vt nat -A PREROUTING -i wlan0 -p tcp --dport 53 -j REDIRECT

> Hence the need of reflection/loop back/whatever-you-call-it.

And I gave you two links to tell you how to do that.
-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
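The two REDIRECT rules above steer any port-53 traffic arriving on the WiFi interface to the resolver on the router itself, so a device that hard-codes an outside nameserver still gets answers from the local dnsmasq. The script below is an added example, not rob0's or the netfilter project's code: it installs those rules idempotently (using iptables -C, available since iptables 1.4.11, so a re-run never appends duplicates) and audits an iptables-save nat dump for the rules so a missing one shows up in a config check. The interface name wlan0, the dump text, and the helper names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: idempotent install + audit of the port-53 REDIRECT rules.
# Assumes the WiFi interface is wlan0 (override with IFACE=...) and that
# dnsmasq listens on port 53 of that interface's address, which is where
# REDIRECT delivers the packets.

IFACE="${IFACE:-wlan0}"

# The rule for one protocol ($1 = udp | tcp), spelled the way iptables-save
# prints it (iptables inserts "-m udp"/"-m tcp" when --dport is used).
dns_redirect_spec() {
    printf '%s\n' "-A PREROUTING -i $IFACE -p $1 -m $1 --dport 53 -j REDIRECT"
}

# Audit helper: read an `iptables-save -t nat` dump on stdin and print the
# protocols whose REDIRECT rule is absent (one per line, nothing if complete).
missing_dns_redirects() {
    dump=$(cat)
    for proto in udp tcp; do
        printf '%s\n' "$dump" | grep -qxF -e "$(dns_redirect_spec "$proto")" \
            || printf '%s\n' "$proto"
    done
}

# Installer (run as root on the router): `iptables -C` succeeds only when an
# identical rule exists, so the append runs at most once per protocol.
apply_dns_redirect() {
    for proto in udp tcp; do
        iptables -t nat -C PREROUTING -i "$IFACE" -p "$proto" --dport 53 -j REDIRECT 2>/dev/null \
            || iptables -t nat -A PREROUTING -i "$IFACE" -p "$proto" --dport 53 -j REDIRECT
    done
}

# Constructed sample dump (no root needed): only the udp rule is in place,
# so the audit reports tcp as missing.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT
COMMIT'
printf '%s\n' "$SAMPLE_NAT_DUMP" | missing_dns_redirects

# On the router, audit the live table and install what is missing:
#   iptables-save -t nat | missing_dns_redirects
#   apply_dns_redirect
```

Two things worth knowing before relying on this: REDIRECT only catches plain DNS on port 53, so a client using DNS over TLS (853) or DNS over HTTPS (443) walks straight past it, and the rule is scoped to -i wlan0 so the router's own upstream queries on the WAN side are untouched.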