IP forwarding using web address



  • I am trying to set up a web server at home. However, I also have an Exchange server at home and it requires the same ports as the web server for webmail.
    My setup is a Vigor 2860 modem/router which I use to port forward the mail ports and the web ports to the Exchange server on 192.168.0.3.

    Can I use pfSense to forward to different IP addresses based on the address? For example, webmail.mynet.com gets forwarded to 192.168.0.3 and blog.mynet.com gets forwarded to 192.168.0.6. As I am sitting behind 1 IP for the internet connection I am finding it hard to work out. I tried to do it in the modem/router but it does not seem to have an option to forward based on address, only by port.




  • LAYER 8 Global Moderator

    I started skimming that link… Right from the start I see problems with this person's understanding of how this works..

    "Under Destination select This Firewall (self) from the dropdown menu and then under Destination Port select HTTP (80) for both the From and To menus."

    Using this firewall (self) as destination on your wan firewall rule is not a very good idea..  This built-in alias includes all IPs of the firewall, not just the wan address.. Which would be the proper dest for traffic from outside pfsense hitting your wan IP.. Also you do not need to set http as to in the port selection.. Just setting http is fine, you're not setting a range.

    Nor did I see any mention to make sure your pfsense web gui is not using 80 or 443 for its ports.



  • I've been recently playing with haproxy on pfsense as well.  Here is what I've learnt.

    @johnpoz:

    "Under Destination select This Firewall (self) from the dropdown menu and then under Destination Port select HTTP (80) for both the From and To menus."

    haproxy (front end "SharedFrontend") should be bound to your WAN IP on port 80, whereas your pfsense admin ui is bound to *:80.  This should allow both to co-exist and route accordingly.

    @johnpoz:

    Using this firewall (self) as destination on your wan firewall rule is not a very good idea..

    My understanding of "this firewall (self)" is the ip associated with the interface referenced on the firewall rule.  Therefore, this rule will allow the internet to connect to the WAN ip:80 which is bound to haproxy, not pfsense.  haproxy will then forward the request to the appropriate backend.


  • LAYER 8 Global Moderator

    No, that is not the case; that firewall (self) is just a built-in alias that is all IPs on ALL interfaces on the firewall..

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics
    This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)

    If you want the dest to be the IP of an interface, then you should pick the drop down address of that interface, i.e. WAN Address.. Not this firewall..

    "haproxy (front end "SharedFrontend") should be bound to your WAN IP on port 80, whereas your pfsense admin ui is bound to *:80.  This should allow both to co-exist and route accordingly."

    Again NO - since you are creating a RACE condition on what is going to bind to what on port 80…


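As an added illustration (not posted by anyone in the thread, and not the configuration the pfSense HAProxy package generates), a plain haproxy.cfg for the host-based forwarding the original question asks about. It assumes 203.0.113.10 as a placeholder for the single WAN address, hypothetical backend names, backends listening on 80/443, and that the pfSense web GUI has already been moved off ports 80 and 443 so nothing else competes for those binds.

```haproxy
# Added example. 203.0.113.10 is a constructed placeholder for the WAN address.
# Binding to the specific WAN address (not *:80) only avoids a bind conflict
# if the pfSense web GUI is no longer listening on 80/443 (assumption).
global
    maxconn 1000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: pick the backend from the Host header.
frontend SharedFrontend
    bind 203.0.113.10:80
    acl host_webmail hdr(host) -i webmail.mynet.com
    acl host_blog    hdr(host) -i blog.mynet.com
    use_backend exchange_http if host_webmail
    use_backend blog_http     if host_blog
    # No default_backend: requests for any other Host get a 503.

backend exchange_http
    server exchange 192.168.0.3:80 check

backend blog_http
    server blog 192.168.0.6:80 check

# HTTPS without terminating TLS on the firewall: pick the backend from the
# SNI name in the ClientHello and pass the encrypted stream through.
frontend SharedFrontendTLS
    bind 203.0.113.10:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend exchange_tls if { req_ssl_sni -i webmail.mynet.com }
    use_backend blog_tls     if { req_ssl_sni -i blog.mynet.com }
    # No default_backend: connections without a matching SNI are closed.

backend exchange_tls
    mode tcp
    server exchange 192.168.0.3:443 check

backend blog_tls
    mode tcp
    server blog 192.168.0.6:443 check
```

The matching WAN firewall rules would use "WAN Address" as the destination for ports 80 and 443, as the moderator's reply recommends, rather than "This Firewall (self)".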