Netgate Discussion Forum
    No NAT but route split on TCP & UDP ports (COVID-19 contributed system)

    Category: L2/Switching/VLANs
      kita-tech
      last edited by kita-tech

      Hello,

      We were told to call on the pfSense community of experts to help out with this contribution we are making to doctors and other parents at schools during the COVID-19 period.

      We are struggling to configure pfSense to add a system for schools; any advice or help is appreciated and may be acknowledged on our donated project's contributors page. The system is the virtual classroom bigbluebutton.org ("BBB").

      This BBB system needs to see the public IP address directly in order to work.

      The problem is that we can't add a dedicated IP address quickly enough (due to local regulations that tightly restrict internet use here), so we are attempting to share an IP address that is already in use. That's where the challenge lies.

      Would someone let us know whether pfSense can achieve this requirement, and how? Here is a simple drawing of what we would ideally like to achieve:
      [image: drawing of the intended setup]
      Questions:

      • Can pfSense be configured as pictured, where:
        • on one hand, the public IP address is transparently passed to one server for a limited list of TCP/UDP ports, and
        • on the other hand, it is passed to another NIC where we NAT and forward a non-overlapping, distinct list of TCP/UDP ports to a few pre-existing servers?

      • If not, what alternative design would you advise given these constraints:
        • we can ONLY use one public IP address (we can NOT use STUN or TURN servers as a workaround, as suggested by the BBB docs)
        • we need to continue serving pre-existing web or SSH servers on this public IP address, on ports different from those used by BBB
        • we have flexibility on:
          • how many domains point to that IP address
          • how many VMs and VLANs we create within our environment (everything below the ISP gateway)
          • hence how we cable everything below the L3 switch, as all of this can be configured freely with our VLANs and VMs
        • we do not intend to add any additional hardware or expense whatsoever; we must make do with what we have

      Notes:

      • a workaround is to have the BBB server do this special routing itself with iptables or another firewall such as ufw, but shouldn't pfSense be superior in features and manageability to such a tricky manual configuration? I bet it is.
      • as I'm finishing writing, I'm wondering whether nginx wouldn't be more suitable for such a use case. Any suggestions welcome.

      Thanks a thousand for any contribution, heartfelt from the battlefield against the virus.
