1:1 NAT with IIS and multiple subdomains / websites



  • Hello all,
    Making a transition from a Zywall Firewall to Pfsense
    I setup pfsense and upgraded to the latest
    I setup my static IP and virtual IP block as IP Aliases
    I setup 1:1 NAT to internal servers
    I setup firewall rules to internal servers

    Testing from external WAN
    I hit my wordpress server public domain - works
    I hit my remote desktop gateway server - works with UDP
    I hit my PTRG https server - works
    I hit my SQL report server - works
    I hit my sharepoint single domain sites - works
    I hit my FTP server - works
    you get the idea

    I have 3 web servers NLB in a farm.
    I hit my IIS prodfarm public domains- fail
    I hit my IIS srv1 public domains - fail
    I hit my IIS srv 2 public domains - fail
    I hit my IIS srv 3 public domains- fail

    so it seems there is a problem I haven't figured out yet with having multiple website / subdomains on IIS behind pfsense.

    Googling it seems there are some suggestions and I need to be pointed in the right direction. Possible problems they listed
    Host headers could be the problem
    Outbound NAT could be the problem
    I need a reverse proxy like squid/haproxy

    what do you guys think?

    update: sometimes I can hit the public subdomain1.srv1.com and it will work however if I hit subdomain2.srv1.com IIS w3wp.exe crashes and I get a .NET error thrown on the server to debug. I can replicate this on each of the servers.

    update2: an IRC user has confirmed for me that he has 1:1 NAT VIPs towards his httpd with multiple domains without hiccups or special trickery. Unfortunately for me im using IIS and he is using nginx and previously apache.



  • Hi,
    there is a nice hangout video for relayd/HAproxy, maybe it will fit your needs? https://www.youtube.com/embed/FJSHMyrd29E

    -Rico



  • I started this but its long and got distracted with some other people trying to help. A Beloved Freenode user says, I JUST WENT THROUGH ALL THIS. Pfsense does not pass headers with NAT and you have to use haproxy to assist.

    The channel went ballistic on pfsense saying that is rather stupid and down right ridiculous pfsense does this and that NAT is layer 3 based and it should pass the packets unaltered.

    Guess im watching this whole video. :P


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy