Problem with Pfsense nat forward :(

TheMac

I have two local servers (proxmox)that I would like to be able to access from outside my local network. To do this and created two subdomains (nextcloud.mydomain.com gitlab.mydomain.com) I add it as fqdm to the respective servers and create the corresponding rules in NAT / Port Forward.

My problems is that I can only access from outside my network with the subdomain that is first in the Nat rules.

Why does this happen? I have to do some additional configuration in pfsense so that it can access the two servers regardless of which one is placed first in the NAT rules.

viragomann

@themac
The first match wins.
Both of your rules match to the same traffic. These parameters are responsible for matching:

• interface
• protocol
• source address
• source port
• destination address
• destination port

pfSense cannot look into the host headers by default.
You can install and configure the HAproxy packet to manage your forwardings.
As well you can forward the whole HTTPS traffic to one server and run a proxy module on its web server. But in this case, when this server goes down you lose connection to the other as well.

TheMac

@viragomann said in Problem with Pfsense nat forward :(:

@themac
The first match wins.
Both of your rules match to the same traffic. These parameters are responsible for matching:

• interface
• protocol
• source address
• source port
• destination address
• destination port

pfSense cannot look into the host headers by default.
You can install and configure the HAproxy packet to manage your forwardings.
As well you can forward the whole HTTPS traffic to one server and run a proxy module on its web server. But in this case, when this server goes down you lose connection to the other as well.

The machines are mounted in proxmox, both machines have been assigned a physical network card with different destination IPs. You can observe the captures.

Having different destination IPs, this shouldn't happen or maybe it does? In any case, how could I solve this?

KOM

@themac His last three sentences give you two different options. Maybe try one of those? Or you could get another IP address from your ISP, map it to a pfSense VIP and then forward from that. Or host both of your websites on the one server.

viragomann

@themac said in Problem with Pfsense nat forward :(:

Having different destination IPs, this shouldn't happen or maybe it does?

The destination IP is "WAN address" in both rules, so they are not different.

In any case, how could I solve this?

Get a second public IP and assign it to the WAN as virtual IP.
Or set up a reverse proxy, as already mentioned, but this would be a bit more difficult.

Okay, @KOM was faster.

TheMac

@viragomann
My ISP is not going to give me a second IP or joke. I had to report them to get me out of the cgnat. If a fiber using cgnat incredible but true.

Using the two sites in the same server is not possible, they do not get on very well with each other :).

I would have to use the third reverse proxy option, but I am not sure how to do this. Network ing is not my strength. :(
Some video documentation where you can inform me of this.

viragomann

@themac
You can find some turorials in the web. E.g. https://docs.deeztek.com/books/pfsense/page/pfsense-haproxy-softether-vpn
There are also some videos available on YT. Do a search.
I did my first view steps with HAproxy for now, so I can't tell you much.

Since the proxy has to respond to HTTPS request, you will also have to install the certs on pfSense or the ACME packet if you use Let's Encrypt.

There is a proxy section in this forum to ask specific questions: https://forum.netgate.com/category/52/cache-proxy