Netgate Discussion Forum

    Multi IPs Port forwarding to a single server

    Routing and Multi WAN
    • bruceeanderson

      I am brand new green to pfSense.  I want to set up multiple SSL connections to a single web server (MS IIS) and would like to know if this kind of configuration is possible with pfSense.

      I have a block of IP addresses (x.x.x.104 /29) from my ISP and I would like to use port 443 on each of my 5 usable addresses.  I want to port forward to a single web server in this fashion:
        x.x.x.105-109:80 -> 192.168.1.2:80 
        x.x.x.105:443      -> 192.168.1.2:443
        x.x.x.106:443      -> 192.165.1.2:8443
        x.x.x.107:443      -> 192.165.1.2:8444
        x.x.x.108:443      -> 192.165.1.2:8445
        x.x.x.109:443      -> 192.165.1.2:8446
      This way, my server has 5 web sites, each with a certificate, and each web site handles https over the default port as far as the outside world is concerned.  My question: Is this possible with pfSense?

      Thank you for your time and your wisdom.

      • GruensFroeschli

        Yes this is possible.
        Just set up normal port forwardings.

        But wouldn't it be easier to set up multiple virtual hosts on the server which serve different content based on the http-request?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • bruceeanderson

          SSL encryption occurs at the port, so the domain name in the header of the user's request is unreadable by IIS.  Thus the request cannot be directed to a virtual host based on the domain name; IIS directs encrypted traffic on port number.  The rub is most corporate firewalls restrict their users to ports 80 and 443 only, and web sites using alternate ports, like https://mydomain.com:8443, will be blocked.  I am trying to slip 5 different clients (5 unique certificates), each using the default https port, into one web server.

          But…I can be possessed with profound ignorance, it's happened before, and, if there is a simple and/or smart way to do this, I would love to know it.  I do know this kind of port forwarding is impossible on the lower end small business routers, such as the Linksys RV016. And system design is not my strength in any way, so what you term "normal port forwardings" is magic to me, and I want to see more, please.

          • GruensFroeschli

            You can have "normal" port forwardings in the sense of:
            I forward from this outside-port to this inside-port.
            The state-table will see to it that traffic coming in on a specific VIP will leave via the correct VIP again.
            You can have multiple "normal" port forwards from different VIPs to the same server.

            Then there are 1:1 NAT forwardings which forward all ports from a VIP to a server.
            You can only have one 1:1 NAT forwarding per VIP/server at a time.

            Just install pfSense and start playing.
            It's pretty much straightforward and self-explaining.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            • bruceeanderson

              What is "VIP"?  I assume it is the public side IP, but I don't get the "V".

              The inadequacy in my earlier approach was I could not differentiate among different WAN IPs at the port level.  There was only "one" port 443 and only one forwarding rule for it, whether it was from x.x.x.1:443 or x.x.x.2:443. 
              I have a workstation marked for conversion to pfSense duty, just need to get a second NIC for it.

              Thank you for your explanations and advice.

              • GruensFroeschli

                As I said: install pfSense and start playing.
                You'd know what a VIP is if you'd look at the GUI.

                It stands for Virtual IP.
                Since you want to have multiple IPs on the WAN you need to add the additional IPs as VIP.

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
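
The distinction the thread arrives at, as an added example that is not part of any post and is not pfSense code: a forward table keyed on port alone can hold only one rule for 443, while one keyed on (VIP, port) holds all of them. The rules below are constructed, with 203.0.113.104/29 standing in for the x.x.x.104/29 block, a 192.168.1.0/24 LAN assumed, and one target deliberately placed outside that LAN so the second check has something to flag.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet

# Constructed rules: 203.0.113.104/29 stands in for the x.x.x.104/29 block.
RULES = """
203.0.113.105-109:80 -> 192.168.1.2:80
203.0.113.105:443 -> 192.168.1.2:443
203.0.113.106:443 -> 192.168.1.2:8443
203.0.113.107:443 -> 192.168.1.2:8444
203.0.113.108:443 -> 192.168.1.2:8445
203.0.113.109:443 -> 192.165.1.2:8446
"""

def parse(text):
    """Expand each 'VIP[-last]:port -> host:port' line into one tuple per VIP."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        ext, target = (s.strip() for s in line.split("->"))
        ext_ip, ext_port = ext.rsplit(":", 1)
        tgt_ip, tgt_port = target.rsplit(":", 1)
        first, _, last = ext_ip.partition("-")
        prefix, start = first.rsplit(".", 1)
        for octet in range(int(start), int(last or start) + 1):
            vip = ipaddress.ip_address(f"{prefix}.{octet}")
            out.append((vip, int(ext_port), ipaddress.ip_address(tgt_ip), int(tgt_port)))
    return out

def collisions(rules, key):
    """Return the keys that more than one rule maps to under the given keying."""
    seen = defaultdict(list)
    for r in rules:
        seen[key(r)].append(r)
    return {k: v for k, v in seen.items() if len(v) > 1}

def outside_lan(rules, lan=LAN):
    """Rules whose redirect target is not inside the LAN subnet."""
    return [r for r in rules if r[2] not in lan]

rules = parse(RULES)
by_port = collisions(rules, key=lambda r: r[1])              # router that keys on port only
by_vip_port = collisions(rules, key=lambda r: (r[0], r[1]))  # per-VIP port forwards

if __name__ == "__main__":
    print("port-only keying collides on:", sorted(by_port))
    print("(VIP, port) keying collides on:", sorted(by_vip_port))
    for vip, port, tgt, tport in outside_lan(rules):
        print(f"target outside {LAN}: {vip}:{port} -> {tgt}:{tport}")
```

In a pfSense port forward the (VIP, port) key corresponds to the rule's destination address and destination port, and the right-hand side to the redirect target IP and port.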

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.