Last updated: 99.05.12


Background

Many LAN-to-Internet routers use NAT (Network Address Translation) to present the whole LAN to the Internet as a single IP address. This creates a special requirement for the DNS (Domain Name Server) entries of any services that LAN provides: the same host name must resolve to a different address depending on whether the query comes from inside the LAN or from the Internet.


Problem
When a LAN is connected to the Internet through a router that employs NAT (Network Address Translation), also known as IP Masquerading, all of the machines on the LAN appear to the outside world as one single IP address.

Here is an example of how the problem first appears.

    1. Your email client is set to get email from mail.mydomain.com.
    2. Your TCP/IP control panel points to the DNS of your ISP.
    3. The DNS returns the IP address 203.57.42.254 (or whatever is allocated to you by your ISP).
    4. Your email client tries to contact 203.57.42.254.
    5. Your NAT router does not map a connection from inside the LAN to its own outside address back to the internal server (there is no NAT "loopback"), so the connection fails.
    6. But when you connect to the Internet via a separate PPP connection, you can get and send email OK via your LAN's email server.

Basically, the problem is that:
    1. Your server (e.g. mail server or web server) appears at one IP address to the outside world and at a different IP address to your internal LAN users.
    2. Since the internal and external users resolve your domain name via the same DNS, only one IP address can be returned, so either the external or the internal users will be unable to connect.


Solution
Below is the typical scenario with NAT.

    1. Your NAT router (eg Vicom Internet Gateway, IPNetRouter or WebRamp) connects to your ISP at address 203.57.42.254 (or whatever is allocated). This is the address at which the outside world sees all of your LAN.

    2. You have a mail server at an internal IP address of 192.168.1.1 (or whatever).

    3. Your NAT router's inbound mapping (port forwarding) table is configured to forward all inbound connections to port 25 (SMTP), and perhaps port 110 (POP), to the internal IP address 192.168.1.1.

    4. So, now, your SMTP server can be reached:
      1. From the outside world at address 203.57.42.254.
      2. From inside your LAN at address 192.168.1.1.

    5. Because we humans don't like dealing with cryptic numbers, we usually use host names. So we would refer to the SMTP server (eg via the settings in our email client) at something like smtp.mydomain.com. It is up to our designated (in our TCP/IP control panel) DNS (Domain Name Server) to translate the host name into the correct IP number.

    6. But since the translation of the host name has to give one of two different results, depending on whether you are inside your LAN or in the outside world, at least two possible solutions exist:

      1. Set up your own internal DNS for answering queries from internal LAN users for internal servers.
        eg: mail.mydomain.com = 192.168.1.1
        The internal DNS should forward (its "parent" or forwarder setting) all queries for names it does not hold to your ISP's DNS, so that outside domain names are still resolved for LAN users. Keep this internal DNS reachable only from the LAN, since the private 192.168.x.x addresses it holds are meaningless, and best not advertised, outside it.

        If, instead of being hosted by your ISP, your domain's DNS is already on an internal computer which lists the external address 203.57.42.254 for the outside world, then you will need to set up a second DNS for the internal view. Alternatively, ask your ISP to host your external addresses, which frees your internal DNS to list only your internal addresses.

        Using this setup, any client (inside the LAN or external) connecting to www.mydomain.com will reach the same server. There is no need for URLs or mail settings to change according to location. Simple for the user, but a bit more work initially for the administrator.

      2. Set up a special host name just for internal users, still hosted on your current DNS. This would be something like:

        mail.mydomain.com = 203.57.42.254 for the outside connections
        mail.lan.mydomain.com = 192.168.1.1 for internal LAN connections

        Then configure your internal email clients etc to point to mail.lan.mydomain.com instead of mail.mydomain.com, or web browsers to www.lan.mydomain.com instead of www.mydomain.com.

        This setup just requires a pair of entries in the DNS, one for inside LAN users, the other for the external public. No need to set up an extra DNS, so fairly easy for the administrator. But since the users have to change the host names in their web and email clients as they move between the LAN and the outside, it can be confusing. The internal users have to remember to quote different addresses to outside users (e.g. telling clients where to find your web page). When the internal users go home and dial in via the Internet, they have to remember to change all their settings. It also publishes your internal address (192.168.1.1) in the public DNS, which tells anyone who looks how your LAN is numbered.

        So, for simplicity and mobility for the user, we recommend solution 1.
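The following is an added example, not code from the original page or from any product it mentions. It shows the idea behind solution 1 in working code: a tiny authoritative DNS responder that returns the internal address of mail.mydomain.com and www.mydomain.com to clients on the LAN and the external address to everyone else, so a LAN client querying it never hits the failing step 5 of the problem above. It goes one step beyond the page by keeping both views in one server (as BIND "views" do) rather than running a separate internal DNS. The host names and addresses are the page's; the internal network ranges (192.168.1.0/24 and 127.0.0.0/8), the TTL and the listening port 5353 are assumptions.

```python
"""Split-horizon DNS responder for the NAT scenario on this page.

Added example (not from the original page): one DNS server that answers the
same host name with the internal address for LAN clients and the external
address for everyone else.  Addresses and names come from the page; the LAN
ranges, the TTL and the listening port are assumptions.
"""
import ipaddress
import socketserver
import struct

# Assumption: clients on these networks get the internal view.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# The two views of the same names (trailing dot = absolute name).
VIEWS = {
    "internal": {"mail.mydomain.com.": "192.168.1.1", "www.mydomain.com.": "192.168.1.1"},
    "external": {"mail.mydomain.com.": "203.57.42.254", "www.mydomain.com.": "203.57.42.254"},
}
TYPE_A, CLASS_IN, TTL = 1, 1, 300
RCODE_REFUSED = 5


def view_for(client_ip):
    """Pick the view from the querying client's source address."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def parse_question(msg):
    """Return (id, qname, qtype, qclass, raw question section) of a one-question query."""
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # compression pointers (0xC0..) are not valid in a question name
            raise ValueError("bad label length")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, ".".join(labels) + ".", qtype, qclass, msg[12:pos + 4]


def build_response(query, client_ip):
    """Answer an A query from the view matching client_ip; REFUSED for anything else."""
    qid, qname, qtype, qclass, question = parse_question(query)
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100  # echo the RD bit back
    address = VIEWS[view_for(client_ip)].get(qname)
    if address is None or qtype != TYPE_A or qclass != CLASS_IN:
        # Not a name we serve: REFUSED, so a forwarding resolver asks the ISP's DNS instead.
        return struct.pack("!HHHHHH", qid, 0x8000 | rd | RCODE_REFUSED, 1, 0, 0, 0) + question
    # QR=1, AA=1 (authoritative for this view), one answer record.
    header = struct.pack("!HHHHHH", qid, 0x8400 | rd, 1, 1, 0, 0)
    # The answer name is a compression pointer (0xC00C) to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, TTL, 4) + ipaddress.ip_address(address).packed
    return header + question + answer


def build_query(name, qid=0x1234):
    """Build a standard A query (recursion desired) for name, as a client would send it."""
    labels = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def answer_address(response):
    """Address in the single answer record of a build_response() reply, or None if refused."""
    if struct.unpack("!H", response[6:8])[0] == 0:  # ANCOUNT
        return None
    return str(ipaddress.ip_address(response[-4:]))


def rcode(response):
    """Response code from the flags word (0 = NOERROR, 5 = REFUSED)."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


class SplitHorizonHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, sock = self.request
        try:
            sock.sendto(build_response(data, self.client_address[0]), self.client_address)
        except (ValueError, struct.error, IndexError):
            pass  # malformed or truncated query: drop it rather than crash the server


if __name__ == "__main__":
    # Unprivileged port, so no root needed. Try: dig @127.0.0.1 -p 5353 mail.mydomain.com
    with socketserver.UDPServer(("0.0.0.0", 5353), SplitHorizonHandler) as server:
        server.serve_forever()
```

Run it and query from the LAN and from an outside address to see the two answers; from localhost you get the internal view because 127.0.0.0/8 is in the assumed internal list. The responder is authoritative only for the two names and refuses everything else, which is the behaviour you want from the internal DNS of solution 1 when it sits behind a forwarder: names it does not own are passed on to the ISP's DNS. It does no recursion, so it is a demonstration of the split-horizon decision, not a replacement for a real name server.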

Contact
If you are interested in an intranet or Internet solution for your business or have any questions, please email solutions@tandb.com.au.

