Netgate Discussion Forum
    Setting up Subdomains in pfSense

    General pfSense Questions
    12 Posts 7 Posters 11.2k Views

    pfanatic

      Hello,

      I have a problem that I am trying to solve and I do not believe I will be able to do it without some help, so I appreciate any directions.

      I want to set up various subdomains for my main domain (example.com) that point to different IP addresses or different ports. Here is an example:

      www.example.com ----> pfSense ---> webserver (10.10.10.10)

      www.mail.example.com ----> pfSense ---> mailserver (10.10.10.11:3030)

      www.calendar.example.com ----> pfSense ---> mailserver (10.10.10.11:4040)

      I want pfSense to determine which server in my internal network the traffic should be routed to based on the subdomain used. I have been looking around the web to find step by step instructions on this, but I was not able to find anything that is clear. The packages that seem to be recommended for this setup are HAProxy, Squid3, and Apache with mod_security-dev.

      From what I saw I think Apache might be the way to go, but I am not sure how to go about configuring it.

      Does anyone know what I will need to use and how I should set it up?

      Thank you!

      johnpoz LAYER 8 Global Moderator

        DNS has nothing to do with ports.

        Are you wanting this for external access, and you only have 1 public IP? Or internally?

        If you want external users that hit your 1 public IP via a name to get sent to different private IPs, you have to set up a reverse proxy for that. If you want to serve up different sites via the same server internally, that is quite simple via any httpd server.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        Guest

          A redirection proxy server could do the job as well; if Squid is able to do so, I would give it a try.

          firewalluser

            @pfanatic:

            Hello,

            I have a problem that I am trying to solve and I do not believe I will be able to do it without some help, so I appreciate any directions.

            I want to set up various subdomains for my main domain (example.com) that point to different IP addresses or different ports. Here is an example:

            www.example.com ----> pfSense ---> webserver (10.10.10.10)

            www.mail.example.com ----> pfSense ---> mailserver (10.10.10.11:3030)

            www.calendar.example.com ----> pfSense ---> mailserver (10.10.10.11:4040)

            I want pfSense to determine which server in my internal network the traffic should be routed to based on the subdomain used. I have been looking around the web to find step by step instructions on this, but I was not able to find anything that is clear. The packages that seem to be recommended for this setup are HAProxy, Squid3, and Apache with mod_security-dev.

            From what I saw I think Apache might be the way to go, but I am not sure how to go about configuring it.

            Does anyone know what I will need to use and how I should set it up?

            Thank you!

            Have you seen this thread? https://forum.pfsense.org/index.php?topic=23533.0

            How have you got your domains set up with whoever is looking after them? For example, do you have to create the subdomains with whoever looks after your domain name, or have you got it set up to forward to your pfSense setup for all DNS lookups?

            If you have multiple fixed IP addresses and your domain name is handled by some other company, not your pfSense firewall, one way you can do this is to create a subdomain with the outside domain name company that points to one of your fixed IPs, then on pfSense port forward the fixed IP to the relevant device or service.

            e.g.

            mail.domain.com --> 1.2.3.4 --> pfSense Virtual IP - Allow Rule from IP with relevant port open to relevant device/service
            diary.domain.com --> 1.2.3.5 --> pfSense Virtual IP - Allow Rule from IP with relevant port open to relevant device/service
            cam1.domain.com --> 1.2.3.6 --> pfSense Virtual IP - Allow Rule from IP with relevant port open to relevant device/service
            cam2.domain.com --> 1.2.3.7 --> pfSense Virtual IP - Allow Rule from IP with relevant port open to relevant device/service

            Just be aware that some devices like webcams are easy to hack; an attacker can then install firmware with a built-in brute force cracker to brute force test the main network. Brute force is slow over the internet, but getting a device like a webcam or automatic number plate recognition cam and upgrading its firmware means you are only restricted by the speed of the local network behind pfSense, which will be fast. Some of my customers had fibre (splicing is an art) to web cams due to the 100m restriction CAT5/6 presents, so make sure you have a proper DMZ in place to reduce your risks.

            Your security is only as good as the public facing services (mail, web servers, cams, voip, etc.) you choose to employ and how they are isolated from other devices/services on the network.

            Just so you know.

            Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

            Asch Conformity, mainly the blind leading the blind.

              pfanatic

              What I need to do, as mentioned in my initial post, is to have requests coming to my one public IP and have them redirected to the proper server or website within my network.

              www.example.com ----> pfSense ---> webserver (10.10.10.10)

              www.mail.example.com ----> pfSense ---> mailserver (10.10.10.11:3030)

              www.calendar.example.com ----> pfSense ---> mailserver (10.10.10.11:4040)

              example.com is the public domain that is redirected to my one public IP, and from there, based on the sub-domain used, I want the request to go to the proper server or service within the same server, as shown above.

              I do not want to set up the sub-domains in my domain registrar; all requests to *.example.com will go to my public IP.

              I am aware that I need to use a reverse proxy, but I was looking for some direction as to which package will be the best to do that in pfSense. Also, does anyone have step by step instructions for setting this up in pfSense?

              Thank you!

                Derelict LAYER 8 Netgate

                You can't steer connections to certain ports with DNS unless the protocol/service you're dealing with understands some other type of record, like SRV records.

                There is no facility to specify a port in a normal A or AAAA record. They are (A)ddress records.

                You really need to specify what you expect the outside ports to be. www.mail.example.com:??? www.calendar.example.com:???

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  pfanatic

                  I will not be using DNS or A records.

                  The sub-domains will be handled by a Reverse Proxy. Please read the example and do not post comments that are missing the point about the problem I am trying to solve.

                  All I need is if anyone knows or can point to step by step instructions on how to set up a Reverse Proxy in pfSense. Perhaps using Squid3, HAProxy or whatever the best option will be.

                  Thank you.

                    Guest

                    nginx or Squid3 as a reverse-proxy would do the job for you.

                      dkrizic

                      or HAProxy

                        gabe

                        If you are only dealing with http(s) and don't want your clients to have to type the port numbers for other services besides the usual http(s) 80/443 (and so dealing with NAT), you need a reverse proxy.
                        Considering your calendar and mail servers are just web servers as well, any reverse web proxy will do the job, but personally I'd go with nginx (small, fast and well documented). Specifically, you're going to need the proxy_pass function. https://www.nginx.com/resources/admin-guide/reverse-proxy/
                        Hope it helps.

                          firewalluser

                          @pfanatic:

                          What I need to do, as mentioned in my initial post, is to have requests coming to my one public IP and have them redirected to the proper server or website within my network.

                          My bad:
                          http://serverfault.com/questions/577103/how-to-configure-haproxy-to-route-by-port-without-using-multiple-frontend-or-lis
                          https://cbonte.github.io/haproxy-dconv/configuration-1.5.html
                          earlier manual
                          http://www.haproxy.org/download/1.4/doc/configuration.txt

                            johnpoz LAYER 8 Global Moderator

                            So you're using a wildcard record. Not really a good idea if you ask me. What happens when a user goes to sljdflsjdfljdljflsjdff.example.com? What gets served? Your default page?

                            In your example you have 2 private side IPs, .10 and .11 - if this was all just on one box then you don't need a reverse proxy. Your httpd can see the host headers and serve up whatever site you want to serve, be it www.example.com or mail.example.com or whatever.example.com

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.