Multi IPs Port forwarding to a single server

  • I am brand new green to pfSense.  I want to set up multiple SSL connections to a single web server (MS IIS) and would like to know if this kind of configuration is possible with pfSense.

    I have a block of IP addresses (x.x.x.104 /29) from my ISP and I would like to use port 443 on each of my 5 useable addresses.  I want to port forward to a single web server in this fashion:
      x.x.x.105-109:80 -> 
      x.x.x.105:443      ->
      x.x.x.106:443      ->
      x.x.x.107:443      ->
      x.x.x.108:443      ->
      x.x.x.109:443      ->
    This way, my server has 5 web sites, each with a certificate, and each web site handles https over the default port as far as the outside world is concerned.  My question: Is this possible with pfSense?

    Thank you for your time and your wisdom.

  • Yes this is possible.
    Just set up normal port forwardings.

    But wouldn't it be easier to set up multiple virtual hosts on the server which serve different content based on the http-request?

  • SSL encryption occurs at the port, so the domain name in the header of the user's request is unreadable by IIS.  Thus the request cannot be directed to a virtual host based on the domain name; IIS directs encrypted traffic on port number.  The rub is most corporate firewalls restrict their users to ports 80 and 443 only, and web sites using alternate ports, like, will be blocked.  I am trying to slip 5 different clients (5 unique certificates), each using the default https port, into one web server.

    But…I can be possessed with profound ignorance, it's happened before, and, if there is a simple and/or smart way to do this, I would love to know it.  I do know this kind of port forwarding is impossible on the lower end small business routers, such as the Linksys RV016. And system design is not my strength in any way, so what you term "normal port forwardings" is magic to me, and I want to see more, please.

  • You can have "normal" port forwardings in the sense of:
    I forward from this outside port to this inside port.
    The state table will see to it that traffic coming in on a specific VIP will leave via the correct VIP again.
    You can have multiple "normal" port forwards from different VIPs to the same server.

    Then there are 1:1 NAT forwardings which forward all ports from a VIP to a server.
    You can only have one 1:1 NAT forwarding per VIP/server at a time.

    Just install pfSense and start playing.
    It's pretty much straightforward and self-explaining.

  • What is "VIP"?  I assume it is the public side IP, but I don't get the "V".

    The inadequacy in my earlier approach was I could not differentiate among different WAN IPs at the port level.  There was only "one" port 443 and only one forwarding rule for it, whether it was from x.x.x.1:443 or x.x.x.2:443. 
    I have a workstation marked for conversion to pfSense duty, just need to get a second NIC for it.

    Thank you for your explanations and advice.

  • As I said: install pfSense and start playing.
    You'd know what a VIP is if you'd look at the GUI.

    It stands for Virtual IP.
    Since you want to have multiple IPs on the WAN you need to add the additional IPs as VIPs.
