johnlee43
New Contributor

DNAT for Internal Web Server

Hello Everyone,
I recently installed FG100E with Firmware V6.0.3build0200.

We are hosting a web server (192.168.1.20) in the internal network.

When we access the web server by URL (http://www.mycompany.com) from the internal network stations, I want to set up the FG100E to map the public IP (64.60.158.250) returned by the DNS lookup to the private web server IP (192.168.1.20).

What is the correct way of doing this in the FG100E?

Can we use a Virtual IP without a policy?

Or will a Virtual IP with a self-directing policy (Internal => Internal) work?

8 REPLIES
hubertzw
Contributor III

If I understand correctly, you don't want to use a private IP address even for the local users, correct?

You can check this feature:

https://cookbook.fortinet.com/configure-hair-pinning-fortigate/
johnlee43

Hi hubertzw,

Thank you for replying to my question.
We are running a local network behind the firewall with local private IPs. All outbound traffic source addresses are SNATed to the external interface IP of the firewall.
My question is how the FG100E handles the traffic from the internal network to the external interface network, that is, when the source address of the packet is an internal address like 192.168.1.x and the destination address is one of the public addresses from the subnet of the external interface like 64.60.158.x/29, including the one assigned to the external interface itself.
Can it smartly find out that the destination is local and DNAT implicitly, or do we need to do the DNAT ourselves?
hubertzw

Hi, for the outbound traffic the FG keeps a session for each specific connection, including source IP, SNAT (usually with a unique port), destination, etc. For the returning traffic the FG tries to find the existing session, and for that one you don't need DNAT. But when you initiate a connection from outside (incoming traffic) you need a policy with the destination IP of the VIP object (policy NAT) or the real (inside) host IP and then a mapping in the DNAT table (only with the central NAT settings).

emnoc
Esteemed Contributor III

Split-DNS is what you want? So that www.yourdomain.com is mapped to the RFC 1918 address on an nslookup from the inside hosts.

Ken Felix

PCNSE NSE StrongSwan
johnlee43

Hi emnoc,
Is that what you call split-DNS?

From the internal network, if the packet destination address is one of the public IPs assigned to the external interface subnet, I need that destination address to be translated into the local IP of the locally hosted server.

Let's say we have locally hosted servers with private IPs:

   Web Server : 192.168.1.20

   DB Server : 192.168.1.10

The WAN interface has the public IP 75.36.85.249 from the WAN subnet 75.36.85.248/29.

I defined two VIPs:

   75.36.85.250 => 192.168.1.10

   75.36.85.251 => 192.168.1.20

So traffic from outside into our local servers is correctly managed by the security policy with the VIP.

Now from an inside local station, if the client enters "http://www.mycompany.com" in the web browser, it will get 75.36.85.251 from the DNS server. I want to translate that 75.36.85.251 into 192.168.1.20. Will it be done automatically if I have the VIP defined? Or do I need to do split-DNS? If I need to do split-DNS, can you tell me how?
Dave_Hall
Honored Contributor

Maybe look into dnstranslation
e.g.

    config firewall dnstranslation
        edit 1
            set src 75.36.85.250
            set dst 192.168.1.10
            set netmask 255.255.255.255
        next
        edit 2
            set src 75.36.85.251
            set dst 192.168.1.20
            set netmask 255.255.255.255
        next
    end

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
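As an added illustration of what a dnstranslation table does to a DNS reply (this is not code from the thread or from Fortinet), the following Python rewrites the A records in a constructed DNS response using the two entries above; the handling of a non-/32 netmask (host bits preserved) is an assumption about the feature, not something stated in the thread.

```python
import ipaddress
import struct
# Constructed table mirroring the two dnstranslation entries above (src, dst, netmask).
DNS_TRANSLATION = [
    ("75.36.85.250", "192.168.1.10", "255.255.255.255"),
    ("75.36.85.251", "192.168.1.20", "255.255.255.255"),
]

def translate_ip(ip: str) -> str:
    """Map one answer address; for a subnet mask the host bits are kept (assumption)."""
    n = int(ipaddress.IPv4Address(ip))
    for src, dst, mask in DNS_TRANSLATION:
        s, d, m = (int(ipaddress.IPv4Address(x)) for x in (src, dst, mask))
        if n & m == s & m:
            return str(ipaddress.IPv4Address((d & m) | (n & ~m & 0xFFFFFFFF)))
    return ip  # no entry matched: the answer is passed through unchanged

def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def rewrite_dns_response(pkt: bytes) -> bytes:
    """Rewrite the rdata of A records in the answer section; everything else is untouched."""
    out = bytearray(pkt)
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12  # fixed header length
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            old = str(ipaddress.IPv4Address(pkt[off:off + 4]))
            out[off:off + 4] = ipaddress.IPv4Address(translate_ip(old)).packed
        off += rdlen
    return bytes(out)

def build_response(name: str, ip: str) -> bytes:
    """Constructed minimal reply: one question plus one A answer using a name pointer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

Feeding `build_response("www.mycompany.com", "75.36.85.251")` through `rewrite_dns_response` yields the same packet with the answer changed to 192.168.1.20, which is the effect the poster wants for inside clients.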
brycemd

Either you need to have local DNS entries that resolve to the internal IPs, or create a loopback rule.

Source interface LAN, destination interface LAN, and the destination object as the VIPs you create.

VIPs are essentially routes; they are active regardless of whether they are applied to any policies. So you need to allow the traffic to pass.

johnlee43

Thank you for all the support you provided.

I think DNS Translation function will work for me.

It should be under Security Profiles => DNS Filter => DNS Translation, but I could not find it on the FG100E with firmware v6.0.3build0200. I could not enable it in the GUI with Feature Visibility either.

Is it available with the inspection mode "proxy" only? If it is, can we set the inspection mode to "proxy" only for the "DNS Filter" profile? If that function can be set only through the CLI, can you provide me with the scripts?