Netgate Discussion Forum
    Multiple services forwarded to DMZ servers

    General pfSense Questions
    6 Posts, 3 Posters, 1.4k Views
    • renatohtpc

      Still struggling with the migration from ipcop to pfsense.  I am rethinking the right approach rather than just replicating ipcop's functionality.

      I have a registered domain with no-ip.com (i.e. mydomain.net)

      My no-ip account has the following hosts associated:

      mydomain.net 98.114.XXX.YYY 
      ftp.mydomain.net 98.114.XXX.YYY
      messenger.mydomain.net 98.114.XXX.YYY
      www.mydomain.net 98.114.XXX.YYY

      I am looking to implement the following:

      reroute traffic to the right DMZ server on the basis of the port number(s):

      80, 443 -> 192.168.3.3 (hostname: web.mydomain.net)
      8025,143,993 -> 192.168.3.5 (hostname: mail.mydomain.net)
      5060, 10000:20000 -> 192.168.3.6 (hostname: phone.mydomain.net)
      5022 -> 192.168.3.3 (hostname: web.mydomain.net)

      Question.

      For clients (SIP phone, Jabber messenger, Thunderbird mail, etc.) to be able to connect to these services from both inside and outside the LAN, should I augment the list of hosts on no-ip for each service and then implement a corresponding Split DNS for the same hosts on pfSense? Or is there another approach?

      Thanks
      Renato

      • Derelict (LAYER 8 Netgate)

        reroute traffic to the right DMZ server on the basis of the port number(s):

        80, 443 -> 192.168.3.3 (hostname: web.mydomain.net)
        8025,143,993 -> 192.168.3.5 (hostname: mail.mydomain.net)
        5060, 10000:20000 -> 192.168.3.6 (hostname: phone.mydomain.net)
        5022 -> 192.168.3.3 (hostname: web.mydomain.net)

        Piece of cake.  But you didn't list any destination port translations. As outlined below, that can cause problems.

        For clients (SIP phone, Jabber messenger, Thunderbird mail, etc.) to be able to connect to these services from both inside and outside the LAN, should I augment the list of hosts on no-ip for each service and then implement a corresponding Split DNS for the same hosts on pfSense? Or is there another approach?

        If they are all configured to connect to an FQDN, I'd just put DNS host overrides to the inside local IP addresses and use split dns.  Doesn't look like you need to do anything on the hostnames.  Where you run into trouble is when you translate ports, too.  Say, if you translated connections to web.mydomain.net:8080 to 192.168.3.3:80.  They would need to add the socket when connecting from the outside and not add it on the inside.

        If you want the URLs/Bookmarks to be the same inside and out, you can't do that.  Or you at least have to translate the ports between LAN and DMZ too.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • BBcan177 (Moderator)

          If you want the URLs/Bookmarks to be the same inside and out

          An option is to open a second port or create a forward/redirect on the local server to have the same external port number.

          This would allow the same bookmark to work for both the external and internal addresses.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          • renatohtpc

            Derelict

            Thanks for the quick reply.  Let me make sure I understand.

            Let's say I create a new hostname on no-ip, say sip.mydomain.net.

            I then create a split DNS entry in pfSense (i.e. DNS Resolver) for sip.mydomain.net pointing to 192.168.3.6.

            Next I create:

            1. a new Firewall Alias IP for sip.mydomain.net (pointing to 192.168.3.6), say Elastix_Server.
            2. a new Firewall Alias Ports for ports 5060, 10000-20000, say Elastix_Ports
            3. Lastly, I create a NAT Port Forward rule:
                  i) Interface: WAN
                  ii) Protocol: UDP
                  iii) Source Address: *
                  iv) Source Port: *
                  v) Destination Address: WAN address
                  vi) Destination Ports: Elastix_Ports
                  vii) NAT IP: Elastix_Server
                  viii) NAT Ports: Elastix_Ports

            Questions:

            1. Will this work?
            2. Will I be able to configure the SIP client to point to "Domain" sip.mydomain.net and make sure that the softphone will be able to connect both inside and outside the LAN? Note: The SIP phones and softphones will be connecting to 192.168.1.X.

            Thanks for the clarification
            Renato

            • Derelict (LAYER 8 Netgate)

              As long as your destination ports and NAT ports are the same, you shouldn't have any trouble.

              Note: The SIP phones and softphones will be connecting to 192.168.1.X.

              Are you saying that when they are local, they will be on the 192.168.1.X subnet?

              That's fine.  As long as when they look up sip.mydomain.net they get 192.168.3.6 and there are firewall rules passing their traffic to that address you should be set.

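As an added illustration (not code from the thread, from pfSense, or from any poster), here is a small Python model of renatohtpc's port forwards and host overrides above, used to check Derelict's rule that a hostname works identically inside and out only when the destination ports equal the NAT ports. 98.114.0.1 is a constructed stand-in for the redacted WAN address, and the model assumes no NAT reflection for LAN clients that hit the WAN IP.

```python
WAN_IP = "98.114.0.1"  # constructed stand-in for the redacted 98.114.XXX.YYY
# Public DNS at no-ip: every registered host resolves to the WAN address.
PUBLIC_DNS = {h: WAN_IP for h in (
    "mydomain.net", "www.mydomain.net", "ftp.mydomain.net", "messenger.mydomain.net",
    "web.mydomain.net", "mail.mydomain.net", "sip.mydomain.net")}

# pfSense DNS Resolver host overrides (split DNS) seen by LAN/DMZ clients.
HOST_OVERRIDES = {"web.mydomain.net": "192.168.3.3",
                  "mail.mydomain.net": "192.168.3.5",
                  "sip.mydomain.net": "192.168.3.6"}

# WAN port forwards: (proto, first dst port, last dst port, NAT IP, first NAT port).
# NAT ports equal dst ports except the last rule, Derelict's 8080 -> 80 translation.
PORT_FORWARDS = [
    ("tcp", 80, 80, "192.168.3.3", 80),
    ("tcp", 443, 443, "192.168.3.3", 443),
    ("tcp", 5022, 5022, "192.168.3.3", 5022),
    ("tcp", 8025, 8025, "192.168.3.5", 8025),
    ("tcp", 143, 143, "192.168.3.5", 143),
    ("tcp", 993, 993, "192.168.3.5", 993),
    ("udp", 5060, 5060, "192.168.3.6", 5060),
    ("udp", 10000, 20000, "192.168.3.6", 10000),
    ("tcp", 8080, 8080, "192.168.3.3", 80),
]

def resolve(hostname, inside):
    """Inside clients use the pfSense resolver: override first, else public DNS."""
    if inside and hostname in HOST_OVERRIDES:
        return HOST_OVERRIDES[hostname]
    return PUBLIC_DNS.get(hostname)

def endpoint(hostname, proto, port, inside):
    """(ip, port) a client actually lands on, or None if nothing answers."""
    ip = resolve(hostname, inside)
    if ip is None:
        return None
    if ip != WAN_IP:
        return (ip, port)   # split DNS: straight to the DMZ host, no NAT involved
    if inside:
        return None         # LAN client hitting the WAN IP; no NAT reflection assumed
    for p, lo, hi, nat_ip, nat_lo in PORT_FORWARDS:
        if p == proto and lo <= port <= hi:
            return (nat_ip, nat_lo + (port - lo))
    return None             # no matching forward: dropped at the WAN

def works_everywhere(hostname, proto, port):
    """True when one bookmark or SIP 'Domain' setting works inside and out."""
    outside = endpoint(hostname, proto, port, inside=False)
    return outside is not None and outside == endpoint(hostname, proto, port, inside=True)
```

The 8080 case shows the failure Derelict describes: an outside client lands on 192.168.3.3:80 while an inside client, sent directly to the server by split DNS, lands on 192.168.3.3:8080.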
              • renatohtpc

                OK, not sure if what I am seeing is a feature or a problem.

                I have registered a host sip.mydomain.net 98.114.XXX.YYY on no-ip. I can ping it without any problems from my ipcop setup.

                I switched over to pfsense. I then went to DNS Resolver and checked the following:

                1. Enabled DNS Resolver
                2. Enabled DNSSEC Support
                3. Enabled Forwarding Mode
                4. Enabled Register DHCP lease in the DNS Resolver
                5. Enabled Register DHCP static mapping in the DNS Resolver

                I then created a new entry under Host Overrides:
                Host: sip
                Domain: mydomain.net
                IP: 192.168.3.6

                I then went to Diagnostics -> DNS Lookup and entered sip.mydomain.net in the field. The DNS lookup returned 98.114.XXX.YYY!

                I repeated the command some 6-7 times. Only once did it return 192.168.3.6; the other times it returned the outside IP.

                What is causing this?

                Thanks again for the help
                Renato

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.