How to setup local web hosts behind pfSense with full fqdn.
-
Ok be nice... lol I am new here... Saying that I am confused is an understatement.
I am a bit dyslexic and some other damages hence I have some trouble reading the stuff. Pictures are my thing LOL.
What is working so far:
- I can get to the internet from computers that are in-network 10.20.20.x
- On the hyper-v server I have two vEthernet connections, one with IP 192.168.0.10 and the lan one has IP 10.20.20.100. From the hyper-V pc I can connect to 10.20.20.x
So that seems to work.
What is not working is :
- Getting to 10.20.20.x from any other pc on the 192.168.0.x network.
- Getting to 10.20.20.3 or 10.20.20.4 from the internet.
What I like to do is, be able to type in mydomain1.com and get to that website, both from within the 192.168.0.x network and from the internet. I had it working on windows2012 but now upgraded to windows 2019 I figured I'd start fresh using pfsense....
any help will be appreciated
thanks
h -
@help4bis said in How to setup local web hosts behind pfSense with full fqdn.:
Getting to 10.20.20.3 or 10.20.20.4 from the internet.
Hi,
Okay then this is not a local web hosts task...(!?)
(as the title of the topic suggests)
if it's a public web server installation, I don't see the point to put a web server(s) behind pfSense
- it may be a good solution...
(cheap but well executed as follows)
- https://www.ssdnodes.com/pricing/ - Performance VPS Ubuntu 20.0.4 or Debian 10
- CF Pro plan with CF firewall, etc.
- Virtualmin / Cloudmin (Xen) - https://www.webmin.com/index.html
- in case of high load, + HA proxy
in fact the pfSense is not designed in front of web server(s) and I think it is unnecessary, - unless you install it as a transparent mode firewall....
(but it also definitely slows down web traffic)
the complexity of your installation scheme raises the issue of redundancy and availability and requires a lot of setup to work well
BTW:
@help4bis "Ok be nice... lol I am new here... " I hope I was nice
PS:
if you want to run a web server in your home environment, you are out in the shop window...
so a separate interface for the "web" is the mandatory requirement -
The incoming HTTPS request from the Internet needs to be forwarded to 10.20.20.3. So if these are all routers in your picture it would mean:
publicIP:443 -> 10.0.0.1:443 -> 192.168.0.1:443 -> 10.20.20.1:443 -> 10.20.20.3:443
That is a long chain.
Another problem is that one can't direct port 443 to two places for two web servers. So there is no way using NAT port forwarding to connect publicIP:443 to 10.20.20.4:443. You would need some sort of reverse proxy on at least the 10.0.0.1 router that forwards the two sites by domain name to 192.168.0.1:443 for mydomain1.com and 192.168.0.1:444 for mydomain2.com, and forward those ports all the way to 10.20.20.3 and 10.20.20.4.
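As an added illustration of the reverse-proxy approach described above (this is example configuration written for this thread, not something posted by the original authors or shipped with pfSense), here is an HAProxy configuration for the edge box that routes by the TLS Server Name Indication (SNI) in the ClientHello, so a single public port 443 can reach both 10.20.20.3 (mydomain1.com) and 10.20.20.4 (mydomain2.com). The hostnames, backend addresses and timeouts are assumptions taken from the thread's example topology; TLS is passed through untouched, so each web server keeps its own certificate and private key, and any connection whose SNI matches neither name is sent to a backend with no servers and simply closed instead of landing on a default site.

```haproxy
# Added example for this thread (not from the original posts or from pfSense).
# Host-based routing of HTTPS by SNI, with TLS passthrough to two internal
# web servers. Addresses and names are the thread's example values.
global
    log stdout format raw local0
    maxconn 2000

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: send every request to HTTPS so nothing is served in clear text.
frontend http_in
    mode http
    bind :80
    http-request redirect scheme https code 301

# HTTPS: wait (up to 5s) for the TLS ClientHello, read the SNI, and pick a
# backend without terminating TLS here.
frontend https_in
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    acl sni_web1 req.ssl_sni -i mydomain1.com www.mydomain1.com
    acl sni_web2 req.ssl_sni -i mydomain2.com www.mydomain2.com

    use_backend web1 if sni_web1
    use_backend web2 if sni_web2
    # No SNI, bare-IP scans, or unknown names end up here.
    default_backend no_match

backend web1
    mode tcp
    server web1 10.20.20.3:443 check

backend web2
    mode tcp
    server web2 10.20.20.4:443 check

# Deliberately empty: a connection routed here is closed, so unknown hosts
# never reach either internal server.
backend no_match
    mode tcp
```

With this in place only one port forward is needed on the outermost router (publicIP:443 to the HAProxy host), and the two web servers still need separate certificates because the proxy never decrypts the traffic. If the proxy were instead to terminate TLS (`mode http` with `bind :443 ssl crt ...`), the same routing would be done on the HTTP `Host` header and the internal hops could run plain HTTP, but then the certificate and key live on the proxy.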
-
@teamits said in How to setup local web hosts behind pfSense with full fqdn.:
publicIP:443 -> 10.0.0.1:443 -> 192.168.0.1:443 -> 10.20.20.1:443 -> 10.20.20.3:443
Yup, that's what I was trying to point out...
@teamits "Another problem is that one can't direct port 443 to two places for two web servers"
PfSense solves this problem, but it costs all resources...
- squid reverse proxy multiple web servers
- HA proxy
it all exists
BTW:
but I still say it makes no sense to slow down a web server with pfSense -
Wow.. thanks for the replies guys (and yes you are nice LOL).
Ok.. so let's back up the truck a little, as perhaps what I am doing is either not the smartest way or should not be done in the first place... both are possible.
For this to work I should go
10.0.0.1 -> 192.168.0.x
On 192.168.0.x I have a webserver and all my non webserver stuff.
Doing the 10.0.0.1 -> 192.168.0.x I expose all my non-webserver stuff and the webserver to the web.... this is the shop window scenario... and not really desirable...
What I should be doing is get another NIC in the box, so I have two NICs, have one NIC to 192.168.0.x and the other NIC directly to 10.20.20.x
Would that work... or is this a scenario of... dude.... you are on the wrong planet....
See my provider gives me one public IP, that ip goes to 10.0.0.1 (for some reason I cannot change the IP on that modem to go on the 192.168.0.x network.. hence the complexity)
(Now if I go too far off the reservoir let me know...)
Thanks in advance.
H -
@help4bis said in How to setup local web hosts behind pfSense with full fqdn.:
See my provider gives me one public IP, that ip goes to 10.0.0.1
I haven't even noticed this, it's probably a silly provider CGNAT solution, so you're in even bigger trouble...
Well, if you want to go to the shop window
You would need a lot of port forwarding...
@teamits as the colleague correctly described
I would try to get a modem bridge mode at the ISP and connect directly to the pfSense WAN
-the rest as described,....... HA proxy, Squid reverse proxy, etc (for load balancing and 2 web server)
BTW:
I would not use VLAN for this purpose, ergo yes a separate 4 port NIC configured separately for WEB
+++ edit:
@help4bis "Doing the 10.0.0.1 -> 192.168.0.x I expose all my non-webserver stuff and the webserver to the web.... this is the shop window scenario"
no, no here we are not talking about internet 10.0.0.0 and 192.168.0.0 is still just RFC1918
= private address ranges - (this is the stupidity from your provider)
https://tools.ietf.org/html/rfc1918
-
@DaddyGo thanks so much for your patience
Re provider, they provide me with a public IP, that turns into 10.0.0.1 on my side of the fence.... (yea not happy either).
Ok.. ill dig up a nic and go from there.. again thanks so much ... most appreciated.
H
-
@help4bis said in How to setup local web hosts behind pfSense with full fqdn.:
provide me with a public IP, that turns into 10.0.0.1 on my side of the fence
Yup,
How serious a public IP is what they turn to 10.0.0.0 for the first step, so that's nonsense.
Then by NAT to 192.168.0.0 it's really frenetic, so you're still in trouble.
It's like keeping a bird in two cages and you lost the key to the first cage.
The bird will never fly high. -
There is nothing magic about this, route port 80 and 443 to your local webserver, in the webserver you configure which host(fqdn) goes to which configuration as all http/https traffic will pass as is. Your ISP modem will have to be in bridge mode though, double NAT doesn't always work and CGNAT does not work at all.