Netgate Discussion Forum

    Layer7

    2.0-RC Snapshot Feedback and Problems - RETIRED
    48 Posts 8 Posters 18.4k Views
    • Steve Mustafa

      OK, I'm back [cue ta da].

      I've been bashing my head on this for too long.

      I've set up ISA, now how the heck does it get configured as a reverse proxy without being a firewall? Also, how the heck do I forward queries from pfSense to ISA for all traffic coming in from the WAN?

      I thank you for putting up with me!

      • Supermule Banned

        You just NAT to the WAN interface of ISA from the LAN side of pfSense...

        Regarding the reverse proxy... let it use the firewall capability of ISA to handle L7 traffic to and from the reverse proxy. Thereby you don't get any unwanted traffic into the servers.

        • Steve Mustafa

          So the network would end up like so:

                                           LAN
          WAN ------- pfSense -------- ISA ------- Subnet

          But in this case, how am I supposed to route to the DMZ? My network is like so:

                              Subnet
                                |
                                | (Wireless)
                                |
                                |          LAN
          WAN ------- pfSense -------- ISA ------- Subnet
                                |
                                | DMZ
                                |
                              Subnet

          • Supermule Banned

            Give ISA an extra interface called DMZ and route the traffic through ISA instead. :)

            • Steve Mustafa

              I really hate ISA…

              • Supermule Banned

                I did too... until I got to know it. It is difficult, but a fantastic tool!

                pfSense would be a firewall to be deployed in many a company, if they got L7 implemented in an intuitive way.

                • Steve Mustafa

                  Well, yeah, though I'd say "L7 implemented".

                  It got me thinking, because I've seen quite a number of posts about this issue on the forums, it might be worthwhile writing an app that does L7 routing/reverse proxy for pfSense when I finish the current contract and have some free time on my hands.

                  Or perhaps a packaging of Pound.

                  • Steve Mustafa

                    On another note, doesn't pfSense use Lighttpd? Couldn't we use that as a reverse proxy? I'm certain we'd need to move the web configurator to another port, but wouldn't it work?

                    Also, since portsnap is not installed in pfSense, how can you install something like nginx? I could use that or pound or whatever.

                    The reason I ask is because I don't think I can re-setup my network with ISA on its own station or VM, the servers are hard pressed for resources. If I absolutely must, then I think I can have a lightweight *nix VM with nginx for that, but if I can do it on the pfSense box, then that would be ideal.

                    • Supermule Banned

                      I run the ISA in a VMware load-balanced cluster with DRS and HA. Works flawlessly and currently using 124 MHz of CPU and 760 MB RAM...

                      So it is not hard on resources.

                      • eazydor

                        https://help.ubuntu.com/community/Nginx/ReverseProxy

                        nginx/squid/apache as reverse proxy on a small Linux/BSD VM or, if it absolutely has to run on the FW, which I don't suggest, in a jail. (nginx & apache are in the ports collection)

                        But actually, I didn't understand the whole question, or has this discussion nothing to do with layer7/2.0 beta at all?

                        • Steve Mustafa

                          Well, it started off with setting layer7 routing on pfSense (I have one public IP with several servers and I need to route to each accordingly, so that email.myweb.com goes to the exchange server [which is sent as email.myweb.com/owa] and camera.myweb.com goes to the DVR whilst www.myweb.com goes to the webserver. You get the picture.)

                          Then this evolved to some saying that I should be able to do this with a reverse proxy such as squid that comes with pfSense, banged my head on the desk till I bled, couldn't get it to work so I wanted to move to nginx, then supermule [he's super helpful] suggested I use ISA and after trying to go down that route, I discovered I can't set up a new VM on any of the servers because they are overloaded as is with other VMs. The only option was for me to set up a reverse proxy on the FW. Now on 2.0, I can't find ports so I won't be upgrading to that yet, but will be sticking to 1.2.3 for now until 2.0 is rock solid.

                          If you have suggestions on RP, I'll be much obliged :)

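The host-name routing described in the post above (one public IP, three internal servers), written out as an nginx reverse proxy configuration. This is an added example, not a configuration posted by anyone in the thread; the backend addresses are constructed placeholders, and the plain-HTTP backends and the redirect of `/` to `/owa` are assumptions about the setup.

```nginx
# Added example: host-based reverse proxy behind a single public IP.
# Backend addresses are constructed placeholders (assumptions).
events {}

http {
    # Passed to every backend so its logs show the original client and host.
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Catch-all: a request whose Host header matches none of the names
    # below (bare-IP request, unknown name) is closed without a response,
    # so it never reaches an internal server.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    # www.myweb.com -> web server
    server {
        listen 80;
        server_name www.myweb.com;
        location / { proxy_pass http://192.168.1.10; }
    }

    # email.myweb.com -> Exchange server; "/" is redirected to /owa
    server {
        listen 80;
        server_name email.myweb.com;
        location = / { return 302 /owa; }
        location /   { proxy_pass http://192.168.1.20; }
    }

    # camera.myweb.com -> DVR
    server {
        listen 80;
        server_name camera.myweb.com;
        location / { proxy_pass http://192.168.1.30; }
    }
}
```

With this in place the firewall needs a single port forward to the proxy host rather than one per internal server.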
                          • xbipin

                            Any news on L7 working efficiently to block BitTorrent without a crash on the ALIX using NanoBSD?

                            • Steve Mustafa

                              Wouldn't have a clue my friend. In the end, if you followed the thread since the beginning, we got the ISP to "donate" some Static IPs so that issue has been resolved, but I worry about it in the future when I might have another installation.
