DNS maps external domain name to internal address

I have external domain which has a pot forwarding to an internal host. E.g. port external port 25 to port 2525 on some internal serer. NS server however maps the exernal domain name to the internal adress thus circumventing the hairpin nat. The internal host has no port 25 open, but jut 2525.

As an effect., I can read /write emails when on an exernal network but not when I am on the internal one.

This is a bug, external adresse must be answerd for the external domain name. At least thee should be an open to this.


Hi Carsten

Mail MUST be available on Port 25 - using any other port CAN NOT be considered a bug!
(Any other Port usage is NOT Mail as defined per RFCs…)

Even for an Internal mail server I NEVER change the standard Ports - too much hassle with mobile phones and also with Notebooks. I make sure they can use the same entry internally and externally, even if this means that an internal name is externall exposed on DDNS. So what?

All my NethServers are named XXYY-NethServer.domainname.com. The XX is the short form of the company, the YY is the short form of the site.

You CAN change Postfix’s response using SET variables… As you said, the mailserver should give the correct, expected response, or you’re going to have mailing problems!

Another additional option would be to have the Internal NethServer listen to both 25 and 2525 internally (25 is ONLY available internally direct), so clients can use port 25 as configured, no matter if in or outside the LAN. (Externally port 25 gets forwarded as Port 2525 to the Internal NethServer, but clients do not notice this!

Hope this helps!

My 2 cents

The problem is that the port forwarding is inconsistent. SMTP was just one example. And SMTP for mail clients does NOT to have to be port 25. Is is mostly different. The standard port in NS is 587. So the example was the perfectly described.

I have two client NS behind a Nethserver server0 with a single internet IP. To allow client IMAP and SMTP access I map
1143 to server1:143, 1587 to server:587
2143 to server2:143, 2587 to server:587

However now access from internal networks are not possible any more, because of the DNS entries not pointing to the external fixed internet IP but two the internal servers. Now an internal client tries to connect to server1:1143 instead of server0:1143 which is forwarded to server1:143. I edited dnsmask.conf and /etc/hosts and deleted the entries. Then everything works.

To make port forwards work for the internal network, you may need to enable hairpin NAT in the firewall settings:


I did activate hairpin, but this doesn’t seem to change the DNS entries, so the problem with wrong port numbers remains. The DNS entries seem to come from https reverse proxy entries. Maybe we need another checkbox there (“Do not add DNS entries for proxy destiniations”).

What does this checkbox “Hairpin” actually do?

Do you use split DNS? Then you need to check that the names are resolved correctly.

It follows port forwards for the internal network as if it were external.

What is split DNS?
The problem is as said, that the external domain names are resolved to internal adresses because of the extra DNS entries generated by reverse proxy hosts.


Hello Carsten

Split DNS, or more exactly, Split Brain DNS simply refers to having two different DNS, which answer differently…

Usually one DNS is an internal DNS, and can answer all queries internally, giving out mostly internal IP Addresses. I use my OPNsense firewall and NethServer at home (Also for my Clients) as internal DNS. An internal DNS can also resolve ANY Internet host / address…

The other DNS is a normal DNS, usually at some hoster. This will resolve any Internet Address, but only gives out external, true Internet IP Addresses!

The first can know everything about your LAN, eg Printers, NAS, VoIP, whatever.

The second only resolves what is needed to know for the Internet. The Internet does not need to know the IPs / Names of your internal infrastructure (Servers, NAS, Printers, VoIP, etc).

Note: The Internal DNS do NOT NEED any Google or Provider DNS to function. This provides more security, as eg Google can’t evaluate their DNS to track you at home!

Split DNS would specifically solve your problem of reaching the wrong hosts, or the right hosts from the wrong side of the firewall!

My 2 cents

Ok, thanks, but this is a general comment not really touching the problem. I am using a standard Nethserver. The problem is, as said above, is that if a reverse proxy cloud.mydomain.de to mybackendserver.mydomain.lokal, Nethserver creates a DNS entry for cloud.mydomain.de which points to the internal address adress. If ports are the same, this is ok, but if ports are different, it does not work, because the hairpin NAT does not get used und therefor the ports are not translated by port forwarding.

1 Like

What if you change the reverse proxy DNS entry to the external address?

As said: If I just delete the special entries generated by the reverse proxy, the DNS server uses the normal external internet DNS servers which give the external address and then everything works.

So I think, we should maybe have a checkbox in the reverse proxy entries (“Do not generate local DNS entries”).

Sorry, I still don’t get it.
Are you using port forwarding or reverse proxy or both? As regards port forwards you need to enable hairpin NAT.

As regards reverse proxy:

When you create the reverse proxy an alias is added.

But usually a name reverse proxy should work from internal too if you use the correct name.
So I don’t understand why you need to remove the alias to make your config work.

Thanks for mentioning the System/Dashboard/Hostname/Alias setting, which I didn’t know until now.

I try to explain again my scenario:
I have a front-end Nethserver server0 on the internet which reverse proxies a domains to a backend Nethserver (with local IP-adresse and being not visible from the internet).

The Nethserver server0 has an Internet IP e.g. and an internal adress The backend server “server1” has

I create a Web server reverse proxy entry cloud.mydomain.de ->, then Nethserver server0 gets ans alias cloud.mydomain.de added, so from the internal network cloud.mydomain.de resolves to Web access to cloud.mydomain.de acess the apache revese proxy of server0 which proxies the request to server1, which is fine, because the external port 443/80 is the same as the internal port.

I also want to have imap access to the backend server by forwarding the external internet visible port 1143 to the internal server1 143 (because external port 143 is already taken by the server0).

When I now access cloud.mydomain.de:1143 from the outside everything works fine, however when I access cloud.mydomain.de1143 from the intranet, it tries to contact which fails, because the port port is not open, and there is no port forwarning from the internal address of server0 to server1.

If a delete the alias for cloud.mydomain.de, the internet DNS server resovles the name it to and the client from the inside tries to connect to which is port forwarded to, which is correct.

1 Like

OK, I think now I understand. You have a special configuration using reverse proxy and port forwarding with one domain. In this case it’s the best to just remove the alias so an external DNS is used which resolves correctly.

Is it possible for you to use another domain than cloud.mydomain.de for the reverse proxy like web.mydomain.de? Then the reverse proxy alias wouldn’t disturb the port forwarding anymore.

And you don’t unnecessarily pass server0 twice with internal traffic destined for server1…
At the moment, these must pass server0 twice to reach server1…

  1. For the web traffic one could go directly for server1 (because the ports are identical) but then there would be an TLS termination problem, because server1 und server0 must have the same SSL certificate. Currently only server0 has the SSL certificate for cloud.mydomain.de

  2. For connecting to IMAP it is not possible because ot the different ports. The traffic must go through the port redirection of server0 to have the port remapped correctly. The IMAP client configuration should be the same no matter whether the client is inside or outside the local network.

One solution could be to use the same ports on server0 and server1, but then there is still the problem with certificates.


In your situation, that’s right. I still tend to avoid that network layout having traffic pass through a box twice.
Except for a classic DMZ, most of my clients now use a single firewall, instead of two. (DMZ between two firewalls…).
IPs also have become much rarer than 25 years ago… :slight_smile:

I also “overdid” stuff sometimes, as you can see from my home LAN in 2003…

Not always the best solution, also financially not (Just the power bill!)…
But I did learn a lot!


My 2 cents

1 Like

I also only have one firewall: server0, but as firewall, SSL-terminal, IDS, reverse proxy. The backend servers are just application servers. I wanted to separate firewall and SSL-termination from backend serves and also have the possibility to host several seperate organisations with separate email and user databases with separate nethservers installations behind this one internet nethserver firewall.

Any better suggestions?

1 Like