Moving from 5 static IP to only 1. : (
-
Hello.
First let me apologize for the noob / hobbyist / enthusiast question(s)
Currently running pfSense with 5 static IPv4 addresses.
1 IP address is assigned to the WAN; the other 4 are Virtual IPs and are NAT 1:1 to internal IP addresses. I also have several VLANs defined.
The pfSense box is connected to a semi-managed smart switch and to that is connected my VM Host with multiple NIC cards installed.
The VM Host is running several VMs each doing specific tasks. VM #1 Web, VM #2 Mail, VM #3 NAS, etc...
Everything has been working well for a few years and I hate to think about fixing what is not broken but I am moving to a location that will only offer 1 static IP address.
This is all last minute and I am pressed for time and need as much guidance, instruction as this forum will provide.
Hoping that there is a solution that will allow me to maintain my setup's existing functionality even though I will only have 1 static IPv4 address.
Looked briefly at HA Proxy and each tutorial seems to provide a different method, and I am not certain that it will result in the expected outcome.
Thanks for the anticipated assistance.
-
It all depends on what kind of services you were running on the "other 4 public IPs".
You would not be able to run two services using the same port, with just one public IP.
But you could change pfSense's WebGui port "away from 443" to i.e. 4443.
And
WEB: "Port forward" port 80+443 to the internal webserver.
Mail: "Port forward" port 25 to the internal mailserver.
NAS: ??? - Have no idea what ports are used.
Might all be solvable, and still use the "existing" VM servers.
-
@bingo600 thanks for the fast reply.
@bingo600 said in Moving from 5 static IP to only 1. : (:
not be able to run two services using the same port
Was hoping that HA Proxy would allow routing to service based on name and not require fiddling with port numbers.
For example
www.somedomainname1.com <---> pfSense/HA Proxy <---> 192.168.10.2 / NIC 1 / VM 1
www.somedomainname2.com <---> pfSense/HA Proxy <---> 192.168.20.2 / NIC 2 / VM 2
imap.somedomainname3.com <---> pfSense/HA Proxy <---> 192.168.30.2 / NIC 3 / VM 3
etc....
-
Re. HA-Proxy
As I see it ...
The "Name stuff" would only work on http(s), where the name might be carried over in the request header.
There it can act on the name, like Apache's VHOSTS would do.
How would HA-Proxy be able to do anything meaningful with MX records?
I.e. a remote mail that connects to your mail server, since the remote server resolves your DNS MX record locally, and then just makes a TCP/25 connection to the resolved DNS IP.
If HA-Proxy would listen on TCP/25 and "forward the request to a backend server", you would just have made an "advanced port forwarding/balancing".
It might be doable with HA-Proxy
https://www.linuxbabe.com/mail-server/smtp-imap-proxy-with-haproxy-debian-ubuntu-centos
But as I see it, it would just be a "fancy port forwarding".
I haven't used HA Proxy, so someone else has to elaborate on why that is a good way to do it.
-
@seeking-sense said in Moving from 5 static IP to only 1. : (:
Was hoping that HA Proxy would allow routing to service based on name and not require fiddling with port numbers.
Yeah, @bingo600 is right. Redirecting packets to different backend hosts based on the host name requires that the name is even sent to the server by the client. But this is only included in a few certain protocols.
In the widely used HTTP protocol the host name is transferred in the host header, but it isn't in IMAP or SMTP.
So if the protocols use different ports anyway you can bind them all to a single IP address and forward them on pfSense by NAT rules based on the destination ports.
If you're using multiple web servers listening on port 80 and 443 though, you can set up HAproxy to redirect the traffic to the respective hosts.
-
@viragomann got ya.
@bingo600 understand.
Was hoping that things had evolved to the point there would be a simple and elegant solution to address this situation but protocols and standards are what they are.
Are there any third party services that "tunnel" static / public IPv4 addresses? Likely it would be cost prohibitive if there is such an animal.
Thank you both for your input. Have a good weekend.
@bingo600 PS. regarding your pfSense setup in your signature how is it performing and how much power is it consuming?
-
@seeking-sense said in Moving from 5 static IP to only 1. : (:
@bingo600 PS. regarding your pfSense setup in your signature how is it performing and how much power is it consuming?
The Qotom is performing excellently, and consumes 10..15W.
At work I have Qotom i3-7130U's w. 6 x Intel lan that perform better using the same wattage.
Netgate's 4100 or 6100 look neat too.
-
@seeking-sense said in Moving from 5 static IP to only 1. : (:
Are there any third party service that "tunnels" static / public IPv4 addresses? Likely it would be cost prohibitive if there is such an animal.
What do you want to tunnel and how should this work?
The thing is, there can only be a single service listening on the single port and IP.
So you have to declare what you need exactly. What does this mean:
VM #1 Web, VM #2 Mail, VM #3 NAS, etc...
I guess you can run all these services on different ports on pfSense WAN address, apart from "web" (HTTP/S, port 80 and 443). The latter you can treat with the HAproxy package.
HAproxy can look into the HTTP host header and can redirect certain host names to different backend servers.
This works pretty well.
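As an added example, not something any poster in this thread supplied: a plain haproxy.cfg of the kind the pfSense HAProxy package builds from its GUI settings, routing port 80 by Host header and port 443 by TLS SNI to the two web VMs. The host names and backend addresses are the ones seeking-sense listed above; the SNI passthrough on 443 (so the VMs keep their own certificates) and the timeout values are my assumptions.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: the Host header names the site, so HAProxy can pick the VM.
frontend http_in
    bind *:80
    mode http
    option forwardfor     # hand the real client IP to the backend's logs
    acl host_site1 req.hdr(host) -i www.somedomainname1.com
    acl host_site2 req.hdr(host) -i www.somedomainname2.com
    use_backend web_vm1 if host_site1
    use_backend web_vm2 if host_site2
    default_backend web_vm1

# HTTPS without terminating TLS: the SNI extension in the ClientHello carries
# the name in clear, so routing works in TCP mode and certificates stay on VMs.
frontend https_in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend web_vm1_tls if { req.ssl_sni -i www.somedomainname1.com }
    use_backend web_vm2_tls if { req.ssl_sni -i www.somedomainname2.com }
    default_backend web_vm1_tls

backend web_vm1
    mode http
    server vm1 192.168.10.2:80 check
backend web_vm2
    mode http
    server vm2 192.168.20.2:80 check
backend web_vm1_tls
    mode tcp
    server vm1 192.168.10.2:443 check
backend web_vm2_tls
    mode tcp
    server vm2 192.168.20.2:443 check
```

Nothing comparable exists for SMTP or IMAP: a TCP/25 frontend sees no host name, so it can only send everything to one backend, which is the "fancy port forwarding" bingo600 describes. A plain pfSense NAT port forward does that job with less to maintain.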