On Sat, May 25, 2019 at 02:31:43AM -0000, Erik Calco wrote:
> I have public IPs and am using firewalld for a router to provide
> Internet access for the internal network as well as forward ports for
> the public IPs to internal servers.
>
> I have masquerade enabled on the external network, and no problem
> accessing the internet internally. The public internet has no problem
> reaching internal servers via port forwarding.
>
> But, I cannot access anything via the public IPs from the internal
> network

That is expected. You added the forward ports to the external facing
zone. Therefore, the forward ports are only considered for traffic that
comes in from that zone's interfaces/sources.

> unless the internal network also has masquerade.

How did you enable masquerade? Is the internal network a separate zone?
> While I can access servers via their internal IP, there are plenty of
> links using public host names, preventing this from being an
> acceptable limitation.
>
> If I enable masquerade on the internal network, all servers can be
> accessed internally via their public IP, but the SMTP server becomes
> an open relay as it sees all incoming external traffic as originating
> from the router and trusts it. Nothing can properly log or control
> access via source external IPs.