pfSense port forward configuration with multiple web servers
-
@hypernova You are wrong, you need ha_proxy and no port forwards. Host override is something completely different.
-
@bob-dig Hi thanks for the reply.
In this case, what is the purpose of host overrides?
Where can I find the options for ha_proxy and how should I configure this?
Also... How does it work without port forwarding enabled?
Thanks
-
haproxy is used as a reverse proxy. It listens on your wan IP, on the port(s) you want, and then sends them to whatever server you want behind pfsense based on the fqdn sent by the client outside.
Example out on the public internet:
something.yourdomain.tld resolves to 1.2.3.4 (your public IP)
otherthing.yourdomain.tld also resolves to 1.2.3.4. When haproxy sees traffic to something.yourdomain.tld on your wan IP it sends it to, say, 192.168.1.100
When it sees traffic trying to go to otherthing.yourdomain.tld it sends it to 192.168.1.101
Lots of ways this could be done - all comes down to what exactly your servers on your network are listening on, etc.
Host overrides are used by devices on your network, pointing to pfsense as their dns, that just resolve say otherthing.domain.tld to 192.168.1.101, and something.yourdomain.tld to 192.168.1.100
-
@hypernova don't bother with port forwarding and instead use HAPROXY for managing your incoming http/s connections like the other poster recommended. It has tons of options to manage your web connections and there is probably nothing it can't do for you. It can also manage other types of SSL connections as well and not just for HTTP/S.
The only time I see port forwarding being beneficial is if the service you are reverse proxying to doesn't recognize the X-Forwarded-For protocol and you need to identify the source IP address (useful for fail2ban). Some older SMTP and DNS services do not recognize X-Forwarded-For so you will need to port forward to those services. But for Apache/NGINX et al HAPROXY is the way to go. Just make sure you configure those services so they are able to read the original source IP address.
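The routing johnpoz describes (one WAN IP, two names, two LAN servers) together with papdee's point about X-Forwarded-For, written out as the raw HAProxy configuration the pfSense package generates from the GUI. This is an added example, not config posted by anyone in the thread; 1.2.3.4, the hostnames and the 192.168.1.x backends are the thread's own placeholders.

```haproxy
# Constructed example. pfSense normally writes this file from the GUI package;
# hostnames, the WAN IP 1.2.3.4 and the backend IPs are the thread's placeholders.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP on the WAN IP: one listener, routed on the Host header.
frontend wan_http
    mode http
    bind 1.2.3.4:80
    option httplog
    option forwardfor      # add X-Forwarded-For with the real client IP
    acl is_something  req.hdr(host),field(1,:) -i something.yourdomain.tld
    acl is_otherthing req.hdr(host),field(1,:) -i otherthing.yourdomain.tld
    use_backend be_something  if is_something
    use_backend be_otherthing if is_otherthing
    http-request deny      # unknown Host header: refuse instead of guessing

backend be_something
    mode http
    server web1 192.168.1.100:80 check

backend be_otherthing
    mode http
    server web2 192.168.1.101:80 check

# HTTPS on the same IP without terminating TLS: route on the SNI in the
# ClientHello, so each backend keeps its own certificate. In TCP mode HAProxy
# cannot add X-Forwarded-For, so the backend logs see HAProxy's address.
frontend wan_https_sni
    mode tcp
    bind 1.2.3.4:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_something_tls  if { req.ssl_sni -i something.yourdomain.tld }
    use_backend be_otherthing_tls if { req.ssl_sni -i otherthing.yourdomain.tld }

backend be_something_tls
    mode tcp
    server web1 192.168.1.100:443 check

backend be_otherthing_tls
    mode tcp
    server web2 192.168.1.101:443 check
```

On each backend the web server must be told to trust the proxy's LAN-side address for the original client IP (for nginx, set_real_ip_from and real_ip_header X-Forwarded-For from ngx_http_realip_module); otherwise access logs and fail2ban only ever see HAProxy's address.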
-
@johnpoz Ok I see, so host overrides are for internal traffic, but otherwise, for external requests, one uses haproxy?
-
@papdee Would one use port forwarding for services such as ssh in this case?
-
If you only had one thing you wanted to forward port X to - then port forward is fine. But when you have multiple traffic coming into the same IP and the same Port, Haproxy is the way to look at the headers or sni being sent by the client to figure out where to send the traffic to.
This also could be accomplished on the server you're hosting the services on.. But if you want to send to 2 different lan side ips, or what is listening on the server is different services - then yes haproxy is the way to accomplish what you want.
-
@hypernova host overrides is a DNS issue so I am not sure how this relates to what you are trying to achieve. If all you want is to manage connections to your www servers just install HAPROXY then load up youtube and search for HAPROXY config and watch a 30-minute video on how to configure HAPROXY.
Simple.
-
@hypernova I think you might also be struggling with understanding virtual web servers and how to run multiple websites off a single public IP address. That is not a pfSense issue and you should go to the forum of whatever web server you are using and learn about configuring virtual servers for your web server.
-
@hypernova I guess you are trying to SSH into different backend servers from a single public IP address. SSH supports SNI but I am not sure if the HAPROXY on pfSense supports TLS yet (I didn't see it in the menu options but I could be wrong).
If you find the answer is that the pfSense package of HAPROXY has yet to implement TLS then you will need to set up different ports for each of your SSH servers and port forward into them using the different port numbers.
-
@papdee It could be because I have multiple subdomains behind my pfsense system, perhaps?
What is the typical application/use of host overrides in the context of DNS?
-
Not sure what you're not getting here..
Doesn't matter if you had 100 different domains all pointing to your public IP.
The context of host overrides is when you want say something.domain.tld on your local network to resolve to 192.168.1.100 vs say the public IP on public dns to 1.2.3.4
Or you just want something on your network whatever.domain.tld to resolve to xyz..
A host override is no different than an A record you would put in any local NS.. Be it a local domain you're using or you want www.google.com to resolve to 192.168.14.12 on your local network..
-
@johnpoz Your answer isn't especially clear to me but I have two questions which may help...
1: Is the purpose of host overrides to redirect traffic from my internal users?
For example: To redirect traffic to www.google.com to 192.168.0.10.
Why would anyone want to do that?
2: Is the purpose to do DNS translation when I am the authoritative DNS server?
Aka: I tell my domain name provider to direct *.mydomain.com to 123.456.789.123 (my public IP)
and then if someone tries to go to blog.mydomain.com the host override is to direct them to the correct internal server managing "blog." ?
-
- Doesn't have to be redirection. It's simple name resolution. Do you want the clients using your dns to resolve xyz to what?
Sure you could use it for redirection. Say you want to block www.google.com - so locally you resolve it to 127.0.0.1, or point it to some webserver on your network that says BLOCKED for anything that hits it on port 80..
Quite often it's used when something.domain.tld on the public resolves to your public 1.2.3.4, which you host on 192.168.1.100.. And there is no point for your clients on your local network to use nat reflection or hit your proxy, when they are on 192.168.1.99 for example..
- Unbound is not meant to be an authoritative name server. The host override is just a record in your local dns that says whatever.domain.tld resolves to ABC... It's a simple A record like you would do with any nameserver..
Have no idea where you're coming up with dns translation?
-
@johnpoz Sorry but I can't follow what you're trying to explain. It's too unclear
-
Hard to teach someone how to play gin rummy if you don't even understand what a deck of cards is..
Do you not understand what dns is and does?
DNS resolves a name, something.domain.tld, to an IP.. What do you not understand about a host override being an entry in your dns to resolve that name to an IP..
Do you not get why you might want to resolve an IP on your network 192.168.1.100 with a name say server.mydomain.net ?
-
@johnpoz Obviously I understand what DNS is... This is not a simple thing we are discussing here. We are not discussing "what is DNS" in general terms, we are talking about a particular case. If I were to guess the answer in advance there could essentially be almost infinite possibilities, because we are discussing an entire network infrastructure, not just one small part of it.
My question is what is the purpose of a host override. Why would I want to translate server.mydomain.net using a host override, if this only works for computers already inside of my network.
-
@hypernova for your original purpose of serving websites from your internal webservers through pfSense, DNS host overrides are not what you should be fixated on. I recommend you open youtube and search for a video from Lawrence Systems where he does an excellent job explaining HAPROXY in really simple terms and enough to get you going at least.
If it puts this thing finally to rest I will explain how to use DNS host overrides: My 192.168.1.0/24 corporate network is entirely walled off. I have an SMTP server that listens on all networks 0.0.0.0/24 and serves both outside connections (public IP let's assume 123.456.789.100) and internal connections listening on 192.168.1.20.
Without host overrides my internal computers when doing a DNS lookup for smtp.mycorp.com will get 123.456.789.100 but cannot connect because they are walled off.
With host overrides smtp.mycorp.com => 192.168.1.20 the internal computers will now be able to connect to the SMTP server from inside pfSense.
-
@hypernova said in pfSense port forward configuration with multiple web servers:
Why would I want to translate server.mydomain.net using a host override
Because you don't want to hit a nat reflection, or the public IP at all.. Since you're right there anyway.
Same reason you don't go out your front door to come back in to go from your bedroom to the bathroom.
If you're on 192.168.1.100, and your server is on 192.168.1.101.. And server.mydomain.net resolves to 1.2.3.4 (your wan IP on the internet).. Via public dns..
Why would you hit your 1.2.3.4 address just to be reflected or proxied back in? Your traffic is now hairpinned over your interface to your router. Your router is now having to do work it shouldn't have to do, be that simple nat reflection or in the case of haproxy, proxied.
Why would you do this
Vs this?
Not sure why this is even having to be asked??
Another reason for host overrides. You have some IP on your network you want to resolve via a fqdn. Another reason: you don't want some client that resolves something.whatever.tld to go to the public IP at all.. I have some iot devices that try and hit ntp servers. time.nist.gov for example.. There is no reason for them to go ask time.nist.gov for ntp.. I have a perfectly valid ntp server on my local network. And there is no way to tell the client to use a different fqdn for their ntp source - so I create a dns entry in my local dns (host override) that just points time.nist.gov to my local ntp server's IP 192.168.3.32
Or as already stated, maybe you want to stop some client from going to host.domain.tld on the public - so you resolve that locally to 127.0.0.1, or 0.0.0.0 or point it to your webserver that shows a block page..
If you understand dns like you say you do - then it should be obvious when and why you would use an entry in your local dns to resolve something. Be it that you don't want to whatever some fqdn is on the public internet, or you just want to resolve something locally.
I access my nas via nas.local.lan (192.168.9.10), so either I register this via dhcp leases in unbound, or I set up a dhcp reservation and register those in unbound. Or I create a host override that points nas.local.lan to 192.168.9.10
Still all comes down to an entry in my local dns that resolves some fqdn to an IP I want it to resolve to..
-
@johnpoz I disagree - it is not necessarily so obvious. Why configure a host override for a local server when this requires more configuration steps than simply allowing the request to go through NAT and come back again.
One may argue that this is inefficient - yes that is correct - but on the other hand it is a more maintainable configuration, would you not agree?