Additional IP for cPanel
-
Can someone help me with this one:
I am looking to put a new server behind pfsense 2.0.1 for hosting via cPanel. I already have the server installed and working using 1:1 NAT; however, this is unsupported by cPanel and although it works for the most part, it gets complicated when I start to install SSL certificates [which I will need to do]. I have other [non cPanel] servers behind this same pfsense using a combination of forwarding and 1:1 with no problems.
Can someone tell me if it is possible to assign a public IP to the cPanel server and have it route correctly, without having to sacrifice the NAT that I use for everything else? I know that NAT can be disabled for this scenario, but that will cause problems for my other services. This cPanel is the only server that I want to be directly exposed to the greater internet.
If it is possible to do this, can someone give me a run down of how I actually configure it? It is a production system so I am trying to ensure I understand what I am doing before making any drastic changes to the pfsense box.
Matthew
-
Is the webserver hosted on its own dedicated machine? If so, you may be better off setting up a local firewall on the box, and connecting it outside of pfsense.
Internet gateway > Switch > Pfsense
                          > Webserver
Found an interesting thread:
http://forums.cpanel.net/f145/support-1-1-nat-installation-thus-vmware-vcloud-deployments-197011.html
From that thread, they suggest modifying some templates/scripts:
http://forums.cpanel.net/f5/using-cpanel-nat-urgent-39978.html#post671342
http://forums.cpanel.net/f5/cpanel-behind-nat-dns-zone-template-233952.html#post998332
-
Thanks for your reply. I have read those forum posts. I am currently using the alterations required for cPanel behind NAT. However, I am dreading when I need to install additional SSL certificates with this method.
Unfortunately, in my current setup, the gateway is pfsense. So in order to implement the changes as you suggest, I would need to install another gateway router in the path. I had considered this, but I had hoped there was another way.
Is it the case that I simply cannot combine a second routed subnet alongside NAT in pfsense? I am starting to think this could be the case.
Matthew
-
I wish I could help with 1:1 NAT'ing; I only understand the concept of it and can't provide a lot of solid help there.
However, pfSense has a "jail" where you can create a virtual machine, so to speak. Maybe it's possible that by running the jail you can achieve a pure gateway setup.
-
I have managed to make this work. For anyone else out there needing this the solution is below.
1. Create a new interface in pfsense with a static IP
2. Assign a UNIQUE IP from your assigned subnet to your server behind the pfsense box. It is important to get the subnet mask correct for the subnet assigned, and the default gateway is the IP from step 1
3. Create a rule in pfsense allowing all traffic on your new interface [you can refine this later after testing]
4. Create a WAN rule allowing all traffic with the destination set as the IP you have assigned to the new server [you can refine this later after testing]
You should now be able to route traffic both in and out of the new server via the pfsense box. With the allow all rules you should also be able to still communicate with the rest of the network attached to pfsense. In my setup, I have a /28 block of IPs. I have successfully used the above method for 1 server, whilst all other servers are using either port forwarding or 1:1 NAT, so you can combine this with port forwarding and 1:1 within the same subnet. Just ensure you do not have any port forwarding or 1:1 setup for the IP assigned to the new server.
Matthew
-
The way I understand your setup is that you're not using 1:1 for the webserver; merely that since the webserver and virtual interface share a subnet, they're talking to each other. This makes it appear as though your pfsense is a fancy switch.
If it's still not in production, could you try blocking port 80 or whatever service your server is listening on, and see if it actually stops the traffic? Otherwise you essentially have a huge hole in your firewall.
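The two points worth checking before this goes live are the addressing rules in Matthew's steps 1-2 and his closing caveat (no 1:1 or port-forward entry may claim the server's IP), and the "huge hole" the last reply warns about: an allow-all WAN rule to the routed IP (step 4) exposes every listening service, not just the web server. The script below is an added example, not code from either poster or from pfSense: it models the /28 with constructed TEST-NET-3 addresses, assumes the server only needs TCP 80/443 reachable from the internet, and models pfSense rule evaluation in a simplified way (interface rules are first-match, top-down, with an implicit deny when nothing matches).

```python
"""Sanity-check the routed-IP setup from the thread (added example, not from the posts).

Models the /28 public block, the pfSense routed interface IP (step 1), the server's
unique IP (step 2), the existing 1:1 NAT / port-forward entries that must not overlap,
and a first-match WAN rule list (step 4). All addresses are constructed (TEST-NET-3
documentation range), not the poster's real block.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed values standing in for the poster's /28.
PUBLIC_BLOCK = "203.0.113.0/28"
ROUTED_IF_IP = "203.0.113.1"   # step 1: new pfSense interface, used as the server's gateway (assumed)
CPANEL_IP = "203.0.113.5"      # step 2: server's unique public IP (assumed)

# Existing 1:1 and port-forward mappings on the same block (constructed).
ONE_TO_ONE: Dict[str, str] = {"203.0.113.2": "192.168.1.10", "203.0.113.3": "192.168.1.11"}
PORT_FORWARDS: List[Tuple[str, int, str]] = [("203.0.113.4", 443, "192.168.1.12")]


def check_addressing(block: str, if_ip: str, server_ip: str,
                     one_to_one: Dict[str, str],
                     port_forwards: List[Tuple[str, int, str]]) -> List[str]:
    """Return problems with the step-1/step-2 addressing; an empty list means OK."""
    net = ipaddress.ip_network(block)
    gw = ipaddress.ip_address(if_ip)
    srv = ipaddress.ip_address(server_ip)
    problems: List[str] = []
    if gw not in net:
        problems.append(f"{gw} is outside {net}")
    if srv not in net:
        problems.append(f"{srv} is outside {net}")
    if srv == gw:
        problems.append("server IP must differ from the interface (gateway) IP")
    if srv in (net.network_address, net.broadcast_address):
        problems.append(f"{srv} is the network or broadcast address of {net}")
    # The post's closing caveat: no 1:1 or port-forward entry may claim the server's IP.
    if str(srv) in one_to_one:
        problems.append(f"{srv} is already used by a 1:1 NAT entry")
    if any(ext == str(srv) for ext, _, _ in port_forwards):
        problems.append(f"{srv} is already used by a port forward")
    return problems


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    proto: str                        # "tcp", "udp" or "any"
    dst: Optional[str]                # destination network in CIDR form; None means any
    dports: Optional[FrozenSet[int]]  # None means any destination port


def evaluate(rules: List[Rule], proto: str, dst: str, dport: int) -> str:
    """First matching rule decides; no match falls through to the implicit deny."""
    ip = ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dst is not None and ip not in ipaddress.ip_network(r.dst):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return "block"


SERVER_HOST = f"{CPANEL_IP}/32"

# Step 4 exactly as posted: allow everything to the server's IP ("refine this later").
WAN_ALLOW_ALL = [Rule("pass", "any", SERVER_HOST, None)]

# A refined step 4: only the ports the server is meant to serve (assumed 80/443; add
# cPanel/WHM management ports only if they genuinely must be reachable from the internet).
WAN_REFINED = [Rule("pass", "tcp", SERVER_HOST, frozenset({80, 443}))]


def exposure_report(rules: List[Rule], server_ip: str,
                    probe_ports: Tuple[int, ...] = (22, 80, 443, 3306)) -> Dict[int, str]:
    """What each probe port resolves to for the server IP under a given rule set."""
    return {p: evaluate(rules, "tcp", server_ip, p) for p in probe_ports}


if __name__ == "__main__":
    print("addressing problems:",
          check_addressing(PUBLIC_BLOCK, ROUTED_IF_IP, CPANEL_IP, ONE_TO_ONE, PORT_FORWARDS))
    print("allow-all WAN rule:", exposure_report(WAN_ALLOW_ALL, CPANEL_IP))
    print("refined WAN rule:  ", exposure_report(WAN_REFINED, CPANEL_IP))
```

Running it shows the difference the reply is pointing at: under the allow-all rule every probed port on the routed IP resolves to "pass" (SSH, MySQL and anything else the box listens on), while the refined rule passes only 80/443 and everything else falls to the implicit deny. The addressing check is the part to run before touching the production box: it flags a server IP that collides with an existing 1:1 or port-forward entry, which is exactly the overlap Matthew says to avoid.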