    Routing between two pfsense on ISP's with proxy behind

    General pfSense Questions
    ephi last edited by ephi

      I have two pfsense. PFSense A is the "main" pfsense which should handle all public traffic. PFSense B is for the internal webserver. Both pfsense are located in different datacenters and each has its own WAN interface.
      To connect these both I use a site to site openvpn.

      The main reason why I use two pfsense is, "Datacenter B" is able to provide better servers while "Datacenter A" gives me more traffic and has a free Anti-DDOS service. That's the only reason for using this second "Pfsense A".

      [image: network_sample.JPG]

      My issues now...

      mywebsite.com is pointing to the WAN IP of PFsense A.
      There is a firewall rule which says everything on port 80/443 go to 172.16.60.2 on port 8080 (which is the reverse proxy on "pfsense B" and forwards it to port 80/443 to the webserver)

      But I can't access it via the proxy.

      1.) Which interface do I need to set the reverse proxy to listen on? "pfsense B" gets the traffic from the WAN, but it's through the VPN on 10.0.8.0/24. So in the firewall logs I see this traffic on the VPN interface, which should mean that the VPN interface is the right one? Or do I need to say "listen on LAN" because the webserver itself is also on the LAN? I am confused.

      2.) Under Gateway / Routes there is an option to say "Default Gateway". In my mind I am thinking about giving PFsense B that option and selecting the VPN Gateway, because pfsense B should never send out anything from its own WAN and should always go the way over PFSense A.

      3.) For best practice, would you guys set up the HA Reverse Proxy on Pfsense A or Pfsense B?

      Thank you so much!

      stephenw10 Netgate Administrator last edited by

        The proxy must be listening on the OpenVPN interface since that's where the traffic arrives.

        You should be able to put the proxy at either end but I would probably put it at A since that's where traffic is arriving. I'm not sure how the proxy would reply to traffic at B either.

        Importantly you must have the OpenVPN interface assigned at B and make sure the rules passing the traffic are on the assigned interface and not on the OpenVPN tab. Without that you will not get reply-to tags on the states and the replies from the server (or proxy) will just go out the WAN rather than back over the VPN. That creates an asymmetric route and traffic will be blocked.

        Steve

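The reply-to behaviour Steve describes can be audited from the live ruleset rather than discovered after the fact through asymmetric-routing blocks. The script below is an added example, not something from this thread or from pfSense itself: it reads a pf ruleset dump (on a real box, the output of `pfctl -sr`) and reports every `pass in` rule that passes traffic on the assigned OpenVPN interface, or on the `openvpn` interface group that the OpenVPN tab populates, without a `reply-to` clause. The interface name `ovpns1`, the label text and the sample ruleset are constructed assumptions; the rule syntax follows the `reply-to ( ifname gateway )` form pfSense generates.

```shell
#!/bin/sh
# Added example (not from the forum thread or the pfSense project):
# find "pass in" rules on an OpenVPN interface that will create states
# without reply-to, i.e. the rules Steve's reply says to move onto the
# assigned interface. Interface name, labels and sample rules are constructed.

# rules_missing_replyto <assigned-ifname>
# Reads a pf ruleset (pfctl -sr format) on stdin. Prints each offending rule
# to stderr and the number of offending rules to stdout.
rules_missing_replyto() {
    iface="$1"
    awk -v iface="$iface" '
        $1 == "pass" && $2 == "in" {
            for (i = 3; i < NF; i++) {
                if ($i == "on" && ($(i+1) == iface || $(i+1) == "openvpn")) {
                    # A rule on the "openvpn" group (OpenVPN tab) never gets
                    # reply-to; one on the assigned interface should have it.
                    if (index($0, "reply-to") == 0) {
                        print "MISSING reply-to: " $0 > "/dev/stderr"
                        n++
                    }
                    break
                }
            }
        }
        END { print n + 0 }
    '
}

# Constructed sample of what pfctl -sr might show on pfSense B:
#  1. rule on the assigned VPN interface, reply-to present (good)
#  2. rule created on the OpenVPN tab, lands on the "openvpn" group (flagged)
#  3. rule on the assigned interface but without reply-to (flagged)
#  4. an unrelated LAN rule and a block rule (ignored)
SAMPLE_RULES='pass in quick on ovpns1 reply-to ( ovpns1 10.0.8.1 ) inet proto tcp from any to 172.16.60.2 port = 8080 flags S/SA keep state label "USER_RULE: proxy via assigned VPN if"
pass in quick on openvpn inet proto tcp from any to 172.16.60.2 port = 8080 flags S/SA keep state label "USER_RULE: rule from OpenVPN tab"
pass in quick on ovpns1 inet proto tcp from any to 172.16.60.2 port = 8080 flags S/SA keep state label "USER_RULE: assigned if, no gateway"
pass in quick on em1 inet from 172.16.60.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
block drop in log quick on ovpns1 inet from 10.0.0.0/8 to any label "bogon"'

# Run the check against the constructed sample; returns the count on stdout.
count_in_sample() {
    printf '%s\n' "$SAMPLE_RULES" | rules_missing_replyto ovpns1 2>/dev/null
}

# On a live pfSense B (assumed interface name):
#   pfctl -sr | rules_missing_replyto ovpns1
```

A non-zero count means some replies from the proxy or webserver will follow the default route out pfSense B's own WAN instead of returning over the VPN, which is exactly the asymmetric path Steve warns about; the fix is the one in his reply, not a routing tweak.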