Netgate Discussion Forum
    Problem with Pfsense nat forward :(

    Firewalling
    7 Posts 3 Posters 962 Views
    • TheMac
      last edited by TheMac

      I have two local servers (Proxmox) that I would like to be able to access from outside my local network. To do this I created two subdomains (nextcloud.mydomain.com, gitlab.mydomain.com), added them as FQDNs to the respective servers and created the corresponding rules in NAT / Port Forward.

      My problem is that I can only access from outside my network with the subdomain that is first in the NAT rules.

      Why does this happen? Do I have to do some additional configuration in pfSense so that I can access the two servers regardless of which one is placed first in the NAT rules?

      [attached screenshots: cap1.png, cap2.png, cap3.png]

      • viragomann @TheMac
        last edited by viragomann

        @themac
        The first match wins.
        Both of your rules match the same traffic. These parameters are responsible for matching:

        • interface
        • protocol
        • source address
        • source port
        • destination address
        • destination port

        pfSense cannot look into the host headers by default.
        You can install and configure the HAProxy package to manage your forwardings.
        As well you can forward the whole HTTPS traffic to one server and run a proxy module on its web server. But in this case, when this server goes down you lose connection to the other as well.

        T 1 Reply Last reply Reply Quote 0
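        The first-match rule described in the reply above, as an added simulation (not pfSense code and not from anyone in this thread): it evaluates port-forward rules on the six-tuple listed (interface, protocol, source address and port, destination address and port) and ignores the TLS SNI / host header entirely, so two forwards that both read "WAN address" on port 443 collapse onto whichever is listed first. The same matcher then shows why a second public IP assigned as a pfSense virtual IP makes the tuples distinct. All IPs, LAN addresses and the assumption that both rules use port 443 are constructed sample values, not from the poster's screenshots.

```python
"""First-match evaluation of pfSense-style NAT port-forward rules.

Added example (not pfSense code): simulates the matching tuple the reply
lists (interface, protocol, source address/port, destination address/port)
to show why two forwards that both target "WAN address":443 collapse onto
the first rule, and why a second public IP (pfSense virtual IP) fixes it.
All addresses and hostnames below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_ADDRESS = "203.0.113.10"    # constructed: the single public IP on WAN
VIP_ADDRESS = "203.0.113.11"    # constructed: a second public IP added as a pfSense VIP
NEXTCLOUD_LAN = "192.168.1.10"  # constructed LAN address of the Nextcloud VM
GITLAB_LAN = "192.168.1.20"     # constructed LAN address of the GitLab VM


@dataclass(frozen=True)
class Rule:
    name: str
    interface: str
    protocol: str
    src: str         # "any" or a CIDR
    src_port: str    # "any" or a port number as text
    dst: str         # "WAN address", a VIP, or a CIDR
    dst_port: int
    redirect_to: str


@dataclass(frozen=True)
class Packet:
    interface: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    sni: str = ""    # carried in the TLS ClientHello; a NAT rule never reads it


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "WAN address":
        return ip == WAN_ADDRESS
    return ip_address(ip) in ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """Return the first rule whose 6-tuple matches the packet; SNI is ignored."""
    for r in rules:
        if (r.interface == pkt.interface and r.protocol == pkt.protocol
                and _addr_matches(r.src, pkt.src_ip)
                and _port_matches(r.src_port, pkt.src_port)
                and _addr_matches(r.dst, pkt.dst_ip)
                and r.dst_port == pkt.dst_port):
            return r
    return None


def rules_as_posted():
    # Both forwards use destination "WAN address" and port 443: identical tuples.
    return [
        Rule("nextcloud", "WAN", "tcp", "any", "any", "WAN address", 443, NEXTCLOUD_LAN),
        Rule("gitlab", "WAN", "tcp", "any", "any", "WAN address", 443, GITLAB_LAN),
    ]


def rules_with_vip():
    # The second forward now matches on the VIP, so the two tuples differ.
    return [
        Rule("nextcloud", "WAN", "tcp", "any", "any", "WAN address", 443, NEXTCLOUD_LAN),
        Rule("gitlab", "WAN", "tcp", "any", "any", VIP_ADDRESS, 443, GITLAB_LAN),
    ]


# DNS as seen by an outside client: one public IP for both names, or one each.
DNS_SINGLE_IP = {"nextcloud.mydomain.com": WAN_ADDRESS, "gitlab.mydomain.com": WAN_ADDRESS}
DNS_WITH_VIP = {"nextcloud.mydomain.com": WAN_ADDRESS, "gitlab.mydomain.com": VIP_ADDRESS}


def simulate(rules, dns) -> dict:
    """Map each hostname to the internal server its HTTPS connection lands on."""
    landed = {}
    for host, public_ip in dns.items():
        pkt = Packet("WAN", "tcp", "198.51.100.7", 51515, public_ip, 443, sni=host)
        hit = first_match(rules, pkt)
        landed[host] = hit.redirect_to if hit else None
    return landed


if __name__ == "__main__":
    print("as posted:", simulate(rules_as_posted(), DNS_SINGLE_IP))
    print("with VIP :", simulate(rules_with_vip(), DNS_SINGLE_IP | DNS_WITH_VIP))
```

        With the rules as posted, both hostnames land on the Nextcloud VM; with the VIP, each hostname reaches its own server. The `sni` field is kept on the packet only to make the point visible: the matcher never consults it, which is exactly why a Layer 3/4 port forward cannot distinguish the two sites and a reverse proxy (which does read SNI or the Host header) is the alternative when a second IP is not available.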
        • TheMac @viragomann
          last edited by TheMac

          @viragomann said in Problem with Pfsense nat forward :(:

          @themac
          The first match wins.
          Both of your rules match the same traffic. These parameters are responsible for matching:

          • interface
          • protocol
          • source address
          • source port
          • destination address
          • destination port

          pfSense cannot look into the host headers by default.
          You can install and configure the HAProxy package to manage your forwardings.
          As well you can forward the whole HTTPS traffic to one server and run a proxy module on its web server. But in this case, when this server goes down you lose connection to the other as well.

          The machines are mounted in Proxmox; both machines have been assigned a physical network card with different destination IPs. You can observe this in the captures.

          Having different destination IPs, this shouldn't happen or maybe it does? In any case, how could I solve this?

          • KOM @TheMac

            @themac His last three sentences give you two different options. Maybe try one of those? Or you could get another IP address from your ISP, map it to a pfSense VIP and then forward from that. Or host both of your websites on the one server.

            • viragomann @TheMac

              @themac said in Problem with Pfsense nat forward :(:

              Having different destination IPs, this shouldn't happen or maybe it does?

              The destination IP is "WAN address" in both rules, so they are not different.

              In any case, how could I solve this?

              Get a second public IP and assign it to the WAN as virtual IP.
              Or set up a reverse proxy, as already mentioned, but this would be a bit more difficult.

              Okay, @KOM was faster. 😃

              • TheMac @viragomann
                last edited by TheMac

                @viragomann
                My ISP is not going to give me a second IP, no way. I had to report them to get me out of the CGNAT. A fiber connection using CGNAT, incredible but true.

                Using the two sites in the same server is not possible, they do not get on very well with each other :).

                I would have to use the third option, the reverse proxy, but I am not sure how to do this. Networking is not my strength. :(
                Is there some video documentation where I can read up on this?

              • viragomann

                  @themac
                  You can find some tutorials on the web. E.g. https://docs.deeztek.com/books/pfsense/page/pfsense-haproxy-softether-vpn
                  There are also some videos available on YT. Do a search.
                  I have only done my first few steps with HAProxy so far, so I can't tell you much.

                  Since the proxy has to respond to HTTPS requests, you will also have to install the certs on pfSense, or the ACME package if you use Let's Encrypt.

                  There is a proxy section in this forum to ask specific questions: https://forum.netgate.com/category/52/cache-proxy

                  1 Reply Last reply Reply Quote 0
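                  The reverse-proxy setup the thread recommends, as an added illustration that is not from the thread, the linked tutorial or the pfSense HAProxy package itself: a hand-written haproxy.cfg equivalent to what the package's GUI would generate. It runs in TCP mode and selects the backend from the TLS SNI in the ClientHello, so the two port forwards are replaced by one HAProxy frontend bound to the WAN address on 443 (plus a WAN firewall pass rule for that port). The WAN and LAN addresses are constructed sample values.

```haproxy
# Added example: SNI-based routing for two HTTPS sites behind one public IP.
# Addresses are constructed; pfSense users would enter the equivalent
# settings in the HAProxy package GUI rather than edit this file directly.
global
    log /dev/log local0

defaults
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend https_in
    bind 203.0.113.10:443          # WAN address (constructed)
    mode tcp
    # Hold the connection briefly so the ClientHello (and its SNI) can be read
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend nextcloud if { req.ssl_sni -i nextcloud.mydomain.com }
    use_backend gitlab    if { req.ssl_sni -i gitlab.mydomain.com }
    # No default_backend: a connection whose SNI matches neither name is closed
    # instead of being silently handed to one of the sites.

backend nextcloud
    mode tcp
    server nc 192.168.1.10:443 check   # Nextcloud VM (constructed LAN address)

backend gitlab
    mode tcp
    server gl 192.168.1.20:443 check   # GitLab VM (constructed LAN address)
```

                  In this pass-through form TLS is not terminated on pfSense, so the certificates stay on the two servers and the proxy sees only the SNI, not the HTTP request. The note above about installing certs on pfSense (or the ACME package) applies to the other form, HTTP mode with TLS termination, where HAProxy holds the certificates and routes on the Host header; that form lets the proxy inspect and log HTTP but makes pfSense the place where certificate renewal has to work. Either way, HAProxy on pfSense is now a single point through which both sites are reached, the same trade-off viragomann flagged for the proxy-on-one-server variant, so it is worth monitoring the `check` results rather than discovering an outage from the outside.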
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.