No NAT but route split on TCP & UDP ports (COVID-19 contributed system)
Hello,
We were told to call on the pfSense community of experts to help out on this contribution we are making to doctors and other parents at schools during the COVID-19 period.
We are struggling to configure pfSense to add a system for schools; any advice or help is appreciated and may be credited on our donated project's contributors page. The system is the virtual classroom bigbluebutton.org ("BBB").
This BBB system requires seeing the public IP address directly in order to work.
The problem is that we can't add a dedicated IP address quickly enough (due to local regulations that tightly restrict internet use here), so we are attempting to share an already used IP address. That's where the challenge lies.
Would someone let us know if pfSense can achieve this requirement, and how? Here is a simple drawing of what we would ideally like to achieve:
Questions:
Can pfSense be configured as pictured, where:
** the public IP address is transparently passed to one server for a limited list of TCP/UDP ports on one hand, and
** on the other hand is passed to another NIC where we NAT and forward ports from a non-overlapping, distinct list of TCP/UDP ports to a few pre-existing servers?
If not, what alternative design would you advise, given these constraints:
** we can ONLY use one public IP address (we can NOT use STUN or TURN servers as a workaround, as suggested by the BBB doc)
** we need to continue serving pre-existing web or SSH servers on this public IP address, on different ports than those used by BBB
** we have flexibility on:
*** how many domains point to that IP address
*** how many VMs and VLANs we create within our environment (everything below the ISP gateway)
*** hence how we cable everything below the L3 switch, as all of this can be configured freely with our VLANs and VMs
** we do not intend to add additional hardware or expenses whatsoever; we must make do with what we have
Notes:
- a workaround solution is to have the BBB server do this special routing with iptables or another firewall like ufw, but shouldn't pfSense be superior in features and manageability to such a manual, tricky configuration? I bet it is.
- as I'm finishing writing, I'm wondering whether nginx wouldn't be more suitable for such a use case. Any suggestions welcome.
Thanks a thousand for any contribution, heartfelt from the battlefield against the virus.
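As an added example (not part of the original post, and not BBB's or pfSense's own code), a small Python planner for the split the question describes: one list of TCP/UDP ports passed untouched to the BBB host, a disjoint list forwarded by NAT to the existing servers, everything else dropped; it also renders the "iptables on the BBB host" workaround from the notes. All port numbers and 10.0.x.x addresses are assumptions for illustration.

```python
# Added example: planner for sharing one public IP between BBB (transparent)
# and NATed pre-existing servers. Ports and addresses below are assumed values.
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    proto: str    # "tcp" or "udp"
    lo: int       # first port, inclusive
    hi: int       # last port, inclusive
    target: str   # "transparent" (BBB sees the public IP) or "ip:port" to DNAT to


def overlaps(a: PortRule, b: PortRule) -> bool:
    """True when two rules share a protocol and at least one port."""
    return a.proto == b.proto and a.lo <= b.hi and b.lo <= a.hi


def conflicts(rules):
    """Return every pair of rules that would match the same packet.
    The post's constraint is that the BBB list and the NAT list be disjoint;
    an overlap means one service silently shadows the other."""
    return [(a, b) for i, a in enumerate(rules) for b in rules[i + 1:] if overlaps(a, b)]


def classify(rules, proto: str, port: int) -> str:
    """Decide what happens to an inbound packet for the shared public IP (first match wins)."""
    for r in rules:
        if r.proto == proto and r.lo <= port <= r.hi:
            return r.target
    return "drop"  # default deny: unmatched ports reach no host at all


def iptables_rules(public_ip: str, rules):
    """Render DNAT lines for the workaround where the BBB host itself owns the public IP.
    Transparent rules need no NAT entry: BBB's services bind to that IP directly."""
    out = []
    for r in rules:
        if r.target == "transparent":
            continue
        dport = f"{r.lo}" if r.lo == r.hi else f"{r.lo}:{r.hi}"
        out.append(f"iptables -t nat -A PREROUTING -d {public_ip} -p {r.proto} "
                   f"--dport {dport} -j DNAT --to-destination {r.target}")
    return out


# Constructed plan (assumed ports/addresses): BBB keeps its TCP and UDP ranges,
# an existing web server and an SSH host are reached on other ports via DNAT.
PLAN = [
    PortRule("tcp", 443, 443, "transparent"),       # BBB HTTPS, assumed
    PortRule("udp", 16384, 32768, "transparent"),   # BBB media range, assumed
    PortRule("tcp", 8443, 8443, "10.0.10.5:443"),   # existing web server, assumed
    PortRule("tcp", 2222, 2222, "10.0.10.6:22"),    # existing SSH host, assumed
]
```

Run conflicts(PLAN) before applying anything: a non-empty result means the two port lists are not disjoint and the design in the drawing cannot work as intended.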