How to setup local web hosts behind pfSense with full fqdn.

help4bis · Mar 25, 2021, 4:26 AM

Ok be nice... lol I am new here... Saying that I am confused is an understatement.

I am a bit dyslexic and some other damages hence i have some trouble reading the stuff. Pictures are my thing LOL.

What is working sofar:

I can get to the internet from computers that are in-network 10.20.20.x
On the hyper-v server I have two vEthernet connections wone with IP 192.168.0.10 and the lan one has IP 10.20.20.100. From the hyper-V pc I can connect to 10.20.20.x
So that seems to work.

What is not working is :

Getting to 10.20.20.x from any other pc on the 192.168.0.x network.
Getting to 10.20.20.3 or 10.20.20.4 from the internet.

See image

What I liek to do is, be able to type in mydomain1.com and get to that website, both from within the 192.168.0.x network and from the internet. I had i working on windows2012 but now upgraded to windows 2019 I figured i start fresh using pfsense....

any help will be appreciated
thanks
h

DaddyGo · Mar 25, 2021, 5:35 PM

@help4bis said in How to setup local web hosts behind pfSense with full fqdn.:

Getting to 10.20.20.3 or 10.20.20.4 from the internet.

Hi,

Okay then this is not a local web hosts task...(!?)
(as the title of the topic suggests)

if it's a public web server installation, I don't see the point to put a web server(s) behind pfSense

-it may be a good solution...
(cheap but well executed as follows)

https://www.ssdnodes.com/pricing/ - Performance VPS Ubuntu 20.0.4 or Debian 10

CF Pro plan with CF firewall, etc.
Virtualmin / Cloudmin (Xen) - https://www.webmin.com/index.html
in case of high load, + HA proxy

in fact the pfSense is not designed in front of web server(s) and I think it is unnecessary, - unless you install it as a transparent mode firewall....
(but it also definitely slows down web traffic)

the complexity of your installation scheme raises the issue of redundancy and availability and requires a lot of setup to work well

BTW:
@help4bis "Ok be nice... lol I am new here... "

I hope I was nice

PS:
if you want to run a web server in your home environment, you are out in the shop window...
so a separate interface for the "web" is the mandatory requirement

SteveITS · Mar 25, 2021, 5:45 PM

The incoming HTTPS request from the Internet needs to be forwarded to 10.20.20.3. So if these are all routers in your picture it would mean:

publicIP:443 -> 10.0.0.1:443 -> 192.168.0.1:443 -> 10.20.20.1:443 -> 10.20.20.3:443

That is a long chain.

Another problem is that one can't direct port 443 to two places for two web servers. So there is no way using NAT port forwarding to connect publicIP:443 to 10.20.20.4:443. You would need some sort of reverse proxy on at least the 10.0.0.1 router that forwards the two sites by domain name to 192.168.0.1:443 for mydomain1.com and 192.168.0.1:444 for mydomain2.com, and forward those ports all the way to 10.20.20.3 and 10.20.20.4.

DaddyGo · Mar 25, 2021, 5:55 PM

@teamits said in How to setup local web hosts behind pfSense with full fqdn.:

publicIP:443 -> 10.0.0.1:443 -> 192.168.0.1:443 -> 10.20.20.1:443 -> 10.20.20.3:443

Yup, that's what I was trying to point out...

@teamits "Another problem is that one can't direct port 443 to two places for two web servers"

PfSense solves this problem, but it costs all resources...

squid reverse proxy multiple web servers
HA proxy

it all exists

BTW:
but I still say it makes no sense to slow down a web server with pfSense

help4bis · Mar 25, 2021, 6:39 PM

Wow.. thanks for the replies guys (and yes you are nice LOL).

Ok.. so lets backup ut the truck a little, as perhaps what I am doing is either not the smartest way or should not be done in the first place... bot is posible.

For this to work I should go
10.0.0.1 -> 192.168.0.x

On 192.168.0.x I have a webserver and all my non webserver stuff.

Doing the 10.0.0.1 -> 192.168.0.x I expose all my non-webserver stuff and the webserver to the web.... this is the shop window scenario... and not really desirable...

What I should be doing is get another NIC in the box, so I have two NIC's have one nic to to 192.168.0.x and the other nic directly to 10.20.20.x

Would that work... or is this a scenario of... dude.... you are on the wrong planet....

See my provider gives me one public IP, that ip goes to 10.0.0.1 (for some reason I cannot change the IP on that modem to go on the 192.168.0.x network.. hence the complexity)

(Now if I go to fare of the reservoir let me know...)

Thanks in advance.
H

DaddyGo · Mar 25, 2021, 7:03 PM

@help4bis said in How to setup local web hosts behind pfSense with full fqdn.:

See my provider gives me one public IP, that ip goes to 10.0.0.1

I haven’t even noticed this, it’s probably a silly provider CGNAT solution, so you’re in even bigger trouble...

Well, if you want to go to the shop window

You would need a lot of port forwarding...
@teamits as the colleague correctly described

I would try to get a modem bridge mode at the ISP and connect directly to the pfSense WAN

-the rest as described,....... HA proxy, Squid reverse proxy, etc (for load balancing and 2 web server)

BTW:
I would not use VLAN for this purpose, ergo yes a separate 4 port NIC configured separately for WEB

+++edit:
@help4bis "Doing the 10.0.0.1 -> 192.168.0.x I expose all my non-webserver stuff and the webserver to the web.... this is the shop window scenario"

no, no here we are not talking about internet 10.0.0.0 and 192.168.0.0 is still just RFC1918
= private address ranges - (this is the stupidity from your provider )

https://tools.ietf.org/html/rfc1918

help4bis · Mar 25, 2021, 7:13 PM

@DaddyGo thanks so much for your patience

Re provider, they provide me with a public IP, that turns into 10.0.0.1 on my side of the fence.... (yea not happy either).

Ok.. ill dig up a nic and go from there.. again thanks so much ... most appreciated.

H

DaddyGo · Mar 26, 2021, 11:10 AM

@help4bis said in How to setup local web hosts behind pfSense with full fqdn.:

provide me with a public IP, that turns into 10.0.0.1 on my side of the fence

Yup,

How serious an public IP is what they turn to 10.0.0.0 for the first step, so that's nonsense.

Then by NAT to 192.168.0.0 it's really frenetic, so you're still in trouble.

It’s like keeping a bird in two cages and you lost the key to the first cage.
The bird will never fly high.

itpp21 · Mar 26, 2021, 12:42 PM

There is nothing magic about this, route port 80 and 443 to your local webserver, in the webserver you configure which host(fqdn) goes to which configuration as all http/https traffic will pass as is. Your ISP modem will have to be in bridge mode though, double NAT doesn't always work and CGNAT does not work at all.