Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Seeting up Subdomains in pfSense

    Scheduled Pinned Locked Moved General pfSense Questions
    12 Posts 7 Posters 11.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? This user is from outside of this forum
      Guest
      last edited by

      A redirection proxy server could do the job as well, if the Squid is able to do so I would give him a try.

      1 Reply Last reply Reply Quote 0
      • F Offline
        firewalluser
        last edited by

        @pfanatic:

        Hello,

        I have a problem that I am trying to solve and I do not believe I will be able to do without some help, so I appreciate any directions.

        I want to setup various subdomains for main domain (example.com) that point to different IP addresses or different ports. Here is an example:

        www.example.com –--> pfSense ---> webserver (10.10.10.10)

        www.mail.example.com ----> pfSense ---> mailserver (10.10.10.11:3030)

        www.calendar.example.com ----> pfSense ---> mailserver (10.10.10.11:4040)

        I want pfSense to determine which server in my internal network the traffic should be router based the subdomain used. I am looking around the web find a step by step instructions on this, but I was not able to find anything that is clear. The packages that seem to be recommended for this setup are the HAproxy, Squid3, and Apache with mod_security-dev

        From what i saw I think the Apache might be the way to go, but I am not sure how to go about configuring it.

        Does anyone knows what I will need to use and how should I set it up?

        Thank you!

        Have you seen this thread? https://forum.pfsense.org/index.php?topic=23533.0

        How have you got your domains setup with whoever who is looking after them? For example do you have to create the subdomains with whoever looks after your domain name or have you got it setup to forward to your pfsense setup for all DNS lookups?

        If you have multiple fixed ip addresses and your domain name is handled by some other company not your pfsense fw, one way you can do this is to create a subdomain with the outside domain name company that points to one of your fixed ip's then on pfsense port forward the fixed ip to the relevant device or service.

        eg

        mail.domain.com –> 1.2.3.4 --> pfsense Virtual IP - Allow Rule from ip with relevent port open to relevant device/service
        diary.domain.com --> 1.2.3.5 --> pfsense Virtual IP - Allow Rule from ip with relevent port open to relevant device/service
        cam1.domain.com --> 1.2.3.6 --> pfsense Virtual IP - Allow Rule from ip with relevent port open to relevant device/service
        cam2.domain.com --> 1.2.3.7 --> pfsense Virtual IP - Allow Rule from ip with relevent port open to relevant device/service

        Just be aware some devices like webcams are easy to hack, then install firmware with built in brute force cracker to then brute force test the main network. Brute force is slow over the internet, but getting a device like a webcam or automatic number plate recognition cam and upgrading its firmware means you are restricted by the speed of the local network behind pfsense which will be fast, some of my customers had fibre (splicing is an art) to web cams due to the 100m restriction CAT5/6 presents so make sure you have a proper DMZ in place to reduce your risks.

        You security is only as good as the public facing services (mail, web servers, cams, voip, etc) you choose to employ and how they are isolated from other devices/services on the network.

        Just so you know.

        Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

        Asch Conformity, mainly the blind leading the blind.

        1 Reply Last reply Reply Quote 0
        • P Offline
          pfanatic
          last edited by

          What I need to do as mentioned on my initial post is to have requests coming to my one public IP and have them redirect to proper server or website within my network.

          www.example.com –--> pfSense ---> webserver (10.10.10.10)

          www.mail.example.com ----> pfSense ---> mailserver (10.10.10.11:3030)

          www.calendar.example.com ----> pfSense ---> mailserver (10.10.10.11:4040)

          example.com is the public domain that is redirected to my one public IP and from there based on the sub-domain used I want the request to go to the proper server or service within the same server...as shown above.

          I do not want to setup the sub-domains in my domain registrar all requests to *.example.com will go to my public ip.

          I am aware that i need to use reverse proxy, but I was looking for some direction as to which package will be the best to do that in pfsense. and also does anyone has step by step instructions for setting this up in pfsense?

          Thank you!

          1 Reply Last reply Reply Quote 0
          • DerelictD Offline
            Derelict LAYER 8 Netgate
            last edited by

            You can't steer connections to certain ports with DNS unless the protocol/service you're dealing with understands some other type of record, like SRV records.

            There is no facility to specify a port in a normal A or AAAA record.  They are (A)ddress records.

            You really need to specify what you expect the outside ports to be.  www.mail.example.com:??? www.calendar.example.com:???

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • P Offline
              pfanatic
              last edited by

              I will not be using DNS or A records.

              The sub-domains will be handled by a Reverse Proxy. Please read the example and do not post comments that are missing the point about the problem I am trying to solve.

              All I need is if anyone knows or can point to step by step instructions on how to setup a Reverse Proxy in pfSense. Perhaps with using Squid3, HAproxy or what ever the best option will be.

              Thank you.

              1 Reply Last reply Reply Quote 0
              • ? This user is from outside of this forum
                Guest
                last edited by

                nginx or Squid3 as a reverse-proxy would do the job for you.

                1 Reply Last reply Reply Quote 0
                • D Offline
                  dkrizic
                  last edited by

                  or HAProxy

                  1 Reply Last reply Reply Quote 0
                  • G Offline
                    gabe
                    last edited by

                    If you are only dealing with http(s) and don't want that your clients have to type the port numbers for other services besides usual http(s) 80/443 (and so dealing with NAT), you need a reverse proxy.
                    Considering your calendar and mail servers are just web servers as well, any reverse web proxy will do the job, but personally I'd go with nginx (small, fast and well documented). Specifically, you're going to need the proxy_pass function. https://www.nginx.com/resources/admin-guide/reverse-proxy/
                    Hope it helps.

                    1 Reply Last reply Reply Quote 0
                    • F Offline
                      firewalluser
                      last edited by

                      @pfanatic:

                      What I need to do as mentioned on my initial post is to have requests coming to my one public IP and have them redirect to proper server or website within my network.

                      My bad:
                      http://serverfault.com/questions/577103/how-to-configure-haproxy-to-route-by-port-without-using-multiple-frontend-or-lis
                      https://cbonte.github.io/haproxy-dconv/configuration-1.5.html
                      earlier manual
                      http://www.haproxy.org/download/1.4/doc/configuration.txt

                      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                      Asch Conformity, mainly the blind leading the blind.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ Online
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        So your using a wildcard record..  Not really a good idea if you ask me.. What happens when user goes to sljdflsjdfljdljflsjdff.example com ??  What gets served?  Your default page?

                        In your example you have 2 private side Ips, .10 and .11 – if you this was all just on one box then you don't need a reverse proxy.  Your httpd can see the host headers and serve up whatever site you want to serve be it www.example.com or mail.example.com or whatever.example.com

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.