Netgate Discussion Forum

How to setup local web hosts behind pfSense with full fqdn.

DHCP and DNS
  • H
    help4bis
    last edited by Mar 25, 2021, 4:26 AM

    Ok be nice... lol I am new here... Saying that I am confused is an understatement.

    I am a bit dyslexic and some other damages hence I have some trouble reading the stuff. Pictures are my thing LOL.

    What is working so far:

    • I can get to the internet from computers that are in-network 10.20.20.x
    • On the hyper-v server I have two vEthernet connections, one with IP 192.168.0.10 and the lan one has IP 10.20.20.100. From the hyper-V pc I can connect to 10.20.20.x
      So that seems to work.

    What is not working is :

    • Getting to 10.20.20.x from any other pc on the 192.168.0.x network.
    • Getting to 10.20.20.3 or 10.20.20.4 from the internet.

    See image

    What I like to do is, be able to type in mydomain1.com and get to that website, both from within the 192.168.0.x network and from the internet. I had it working on windows2012 but now upgraded to windows 2019 I figured I start fresh using pfsense....

    any help will be appreciated
    thanks
    h

    • D
      DaddyGo @help4bis
      last edited by Mar 25, 2021, 5:35 PM

      @help4bis said in How to setup local web hosts behind pfSense with full fqdn.:

      Getting to 10.20.20.3 or 10.20.20.4 from the internet.

      Hi,

      Okay then this is not a local web hosts task...(!?)
      (as the title of the topic suggests)

      if it's a public web server installation, I don't see the point to put a web server(s) behind pfSense

      -it may be a good solution...
      (cheap but well executed as follows)

      https://www.ssdnodes.com/pricing/ - Performance VPS Ubuntu 20.0.4 or Debian 10

      • CF Pro plan with CF firewall, etc.
      • Virtualmin / Cloudmin (Xen) - https://www.webmin.com/index.html
      • in case of high load, + HA proxy

      in fact the pfSense is not designed in front of web server(s) and I think it is unnecessary, - unless you install it as a transparent mode firewall....
      (but it also definitely slows down web traffic)

      the complexity of your installation scheme raises the issue of redundancy and availability and requires a lot of setup to work well 😉

      BTW:
      @help4bis "Ok be nice... lol I am new here... "

      I hope I was nice 😉

      PS:
      if you want to run a web server in your home environment, you are out in the shop window...
      so a separate interface for the "web" is the mandatory requirement

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • S
        SteveITS Galactic Empire @help4bis
        last edited by Mar 25, 2021, 5:45 PM

        The incoming HTTPS request from the Internet needs to be forwarded to 10.20.20.3. So if these are all routers in your picture it would mean:

        publicIP:443 -> 10.0.0.1:443 -> 192.168.0.1:443 -> 10.20.20.1:443 -> 10.20.20.3:443

        That is a long chain.

        Another problem is that one can't direct port 443 to two places for two web servers. So there is no way using NAT port forwarding to connect publicIP:443 to 10.20.20.4:443. You would need some sort of reverse proxy on at least the 10.0.0.1 router that forwards the two sites by domain name to 192.168.0.1:443 for mydomain1.com and 192.168.0.1:444 for mydomain2.com, and forward those ports all the way to 10.20.20.3 and 10.20.20.4.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!
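
The name-based forwarding described in this post, sketched as an HAProxy configuration (an added example, not part of the original post or of any poster's setup). It assumes HAProxy runs on the 10.0.0.1 router and passes TLS through untouched; addresses, ports and domain names are the ones named in the post, while the section and server names are made up for illustration.

```haproxy
# Added example: share one public :443 between two sites by TLS SNI.
# Assumption: 192.168.0.1 port-forwards 443 -> 10.20.20.3:443 and
# 444 -> 10.20.20.4:443, as the post describes.
# Names such as https_in, site1 and web1 are illustrative only.

defaults
    mode tcp                      # pass TLS through; certificates stay on the web servers
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    bind :443
    # Wait briefly for the TLS ClientHello so its SNI field can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Anything that never sends a ClientHello within the delay is dropped.
    tcp-request content reject

    # Pick the next hop by the hostname the client asked for.
    use_backend site1 if { req.ssl_sni -i mydomain1.com }
    use_backend site2 if { req.ssl_sni -i mydomain2.com }
    # No default_backend: connections naming any other host are not forwarded.

backend site1
    server web1 192.168.0.1:443 check

backend site2
    server web2 192.168.0.1:444 check
```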

        • D
          DaddyGo @SteveITS
          last edited by Mar 25, 2021, 5:55 PM

          @teamits said in How to setup local web hosts behind pfSense with full fqdn.:

          publicIP:443 -> 10.0.0.1:443 -> 192.168.0.1:443 -> 10.20.20.1:443 -> 10.20.20.3:443

          Yup, that's what I was trying to point out... 😉

          @teamits "Another problem is that one can't direct port 443 to two places for two web servers"

          PfSense solves this problem, but it costs all resources...

          1. squid reverse proxy multiple web servers
          2. HA proxy

          it all exists

          BTW:
          but I still say it makes no sense to slow down a web server with pfSense

          • H
            help4bis
            last edited by Mar 25, 2021, 6:39 PM

            Wow.. thanks for the replies guys (and yes you are nice LOL).

            Ok.. so let's back up the truck a little, as perhaps what I am doing is either not the smartest way or should not be done in the first place... but is possible.

            For this to work I should go
            10.0.0.1 -> 192.168.0.x

            On 192.168.0.x I have a webserver and all my non webserver stuff.

            Doing the 10.0.0.1 -> 192.168.0.x I expose all my non-webserver stuff and the webserver to the web.... this is the shop window scenario... and not really desirable...

            What I should be doing is get another NIC in the box, so I have two NICs, have one nic to 192.168.0.x and the other nic directly to 10.20.20.x

            Would that work... or is this a scenario of... dude.... you are on the wrong planet....

            See my provider gives me one public IP, that ip goes to 10.0.0.1 (for some reason I cannot change the IP on that modem to go on the 192.168.0.x network.. hence the complexity)

            (Now if I go too far off the reservoir let me know...)

            Thanks in advance.
            H

            • D
              DaddyGo @help4bis
              last edited by DaddyGo Mar 25, 2021, 7:03 PM Mar 25, 2021, 6:52 PM

              @help4bis said in How to setup local web hosts behind pfSense with full fqdn.:

              See my provider gives me one public IP, that ip goes to 10.0.0.1

              I haven't even noticed this, it's probably a silly provider CGNAT solution, so you're in even bigger trouble...

              Well, if you want to go to the shop window 😉

              You would need a lot of port forwarding...
              @teamits as the colleague correctly described

              I would try to get a modem bridge mode at the ISP and connect directly to the pfSense WAN

              -the rest as described,....... HA proxy, Squid reverse proxy, etc (for load balancing and 2 web server)

              BTW:
              I would not use VLAN for this purpose, ergo yes a separate 4 port NIC configured separately for WEB

              +++edit:
              @help4bis "Doing the 10.0.0.1 -> 192.168.0.x I expose all my non-webserver stuff and the webserver to the web.... this is the shop window scenario"

              no, no here we are not talking about internet 10.0.0.0 and 192.168.0.0 is still just RFC1918
              = private address ranges - (this is the stupidity from your provider 😉 )

              https://tools.ietf.org/html/rfc1918

              • H
                help4bis
                last edited by Mar 25, 2021, 7:13 PM

                @DaddyGo thanks so much for your patience

                Re provider, they provide me with a public IP, that turns into 10.0.0.1 on my side of the fence.... (yea not happy either).

                Ok.. I'll dig up a nic and go from there.. again thanks so much ... most appreciated.

                H

                • D
                  DaddyGo @help4bis
                  last edited by Mar 26, 2021, 11:10 AM

                  @help4bis said in How to setup local web hosts behind pfSense with full fqdn.:

                  provide me with a public IP, that turns into 10.0.0.1 on my side of the fence

                  Yup,

                  How serious a public IP is what they turn to 10.0.0.0 for the first step, so that's nonsense.

                  Then by NAT to 192.168.0.0 it's really frenetic, so you're still in trouble.

                  It's like keeping a bird in two cages and you lost the key to the first cage.
                  The bird will never fly high.

                  • I
                    itpp21 @DaddyGo
                    last edited by Mar 26, 2021, 12:42 PM

                    There is nothing magic about this, route port 80 and 443 to your local webserver, in the webserver you configure which host(fqdn) goes to which configuration as all http/https traffic will pass as is. Your ISP modem will have to be in bridge mode though, double NAT doesn't always work and CGNAT does not work at all.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.