Can't NAT domain to guests
-
Ok I'll apologise for my lack of knowledge as I guess this is frustrating for you seeing posts like this. I've been a few weeks now and the problem is me, I'm (for some reason) having difficulty getting my head around the whole virtualization thing.
So, here's what I want to achieve:
Running either Proxmox or VMWare along with PfSense I want to be able to allow domain requests through to any of the guest VMs that reside on the virtual server (reverse proxy).
Example: domain1.com is forwarded to guest VM 1 (as an example running WordPress or Nextcloud).
Domain2.com is forwarded to guest2vm and so on. So the VM guest has full access to run websites.
If that isn't possible, I can settle on using subdomains instead.
What have I done so far:
I have a Dell R710 and have connected three of the four NICs to a router (I'll change this for a switch tomorrow instead). In turn the router is connected to a Fritzbox 3490. I've forwarded all the ports necessary from the external IP to the internal IP that is set as static for the VMWare. The Fritzbox is served by my internet provider with a static IP. I already have set up domain DNS to point to that IP and set up PTR records with the domain and IP.
In this case I have tried both Proxmox and VMWare to install PfSense in a VM, but to save confusion, I'll only explain what I did in VMWare.
I can already access VMWare from my domain. Through https://mydomain.co.uk/ui
Before installing PfSense I created (in VMWare 6.7) two virtual switches and connected each to a physical NIC. One labelled WAN and the other labelled LAN. In VMWare I also created two port groups and selected the corresponding virtual switches (Lan for lan and Wan for wan). I then created a VM guest and used the ISO image (latest version) from this site of PfSense and followed the install instructions.
At the end, I ended up at the console configuration in PfSense with the LAN port already selected and configured for IP 192.168.1.1 and my WAN configured for 192.168.178.40/24 (which seems to be served from the Fritzbox).
This is as far as I have gotten because I've connected everything through a router rather than a switch, so I can't access the PfSense through the IP because I'm connecting through the router with an IP served to me from the FritzBox (192.168.178.20) and that is the same subnet as the WAN, so I'm guessing once the switch is in place, I can access PfSense through the IP 192.168.1.1.
So, I'm looking for some guidance on how to use either domain access to guest VMs or, if it isn't possible to have a different domain pointing to each guest VM, I'd settle for one domain and point a sub of that domain to each guest VM. I'm trying to avoid access like https://mydomain.co.uk:2669 in favour of https://mydomain.co.uk or http://sub.mydomain.co.uk or even http://mydomain.co.uk/virtual guest
As you can see, I'm just not getting how PfSense works. I've read and read for weeks now, and although I understand the principle of NAT, I just can't seem to work out what to do to actually achieve this with PfSense.
Can anyone point me to a guide that will do the above, or tell me how to achieve this. I really appreciate any help. I'm completely stuck.
-
@halfhidden You're going to run into trouble with multiple routers and double-NAT configurations. Is there a reason you need to keep the Fritzbox if you are going to run pfSense?
If the traffic from the Fritzbox LAN is in the private address range (you said you were getting 192.168.178.40 from Fritz), then you need to tell pfSense WAN to not block those rfc1918 addresses via Interfaces - WAN - Reserved Networks - Block private networks and loopback addresses or it won't allow that forwarded traffic in.
-
Install some other guest OS in a VM connected to the LAN vswitch and you will be able to access the pfSense webgui from there.
Then you can add firewall rule to allow access from the WAN side directly.
Since it looks like you're going to be hosting a bunch of websites you might want to move the pfSense webgui to a port other than 443. Or port forward to localhost:443 from some other port to access it.
To forward traffic by host-header like that you need to use a reverse proxy as you say. So in pfSense that's the HAProxy or Squid packages.
Steve
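As an added illustration of the host-header routing Steve describes (this is not from the thread and not the pfSense HAProxy package's generated config, which builds the equivalent from its GUI), here is a hand-written haproxy.cfg that sends domain1.com to guest VM 1 and domain2.com to guest VM 2. It assumes the VMs sit on the LAN vswitch at 192.168.1.10 and 192.168.1.11 (constructed addresses) and binds to the WAN address from the question.

```haproxy
# Constructed example: host-header based reverse proxy for the setup in the thread.
# Guest VM addresses below are assumptions, not values from the original post.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    option forwardfor        # pass the real client IP to the guest web server
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Listen on the pfSense WAN address from the question, port 80 only.
# If the pfSense webGUI is still on 443, binding 443 here would collide with it;
# move the webGUI to another port first, as suggested above.
frontend public_http
    bind 192.168.178.40:80
    # Route purely on the Host header so each domain reaches its own guest VM.
    acl host_domain1 hdr(host) -i domain1.com www.domain1.com
    acl host_domain2 hdr(host) -i domain2.com www.domain2.com
    # Subdomain variant from the question: sub.mydomain.co.uk -> guest VM 1.
    acl host_sub     hdr(host) -i sub.mydomain.co.uk
    use_backend vm1_wordpress if host_domain1 or host_sub
    use_backend vm2_nextcloud if host_domain2
    # Anything else (unknown Host header, requests by raw IP) never reaches a VM.
    default_backend no_match

backend vm1_wordpress
    # Assumed LAN address of guest VM 1 on the LAN vswitch (192.168.1.0/24).
    server vm1 192.168.1.10:80 check

backend vm2_nextcloud
    # Assumed LAN address of guest VM 2.
    server vm2 192.168.1.11:80 check

backend no_match
    # No servers here: HAProxy itself answers 503 for hosts that match no ACL.
    http-request deny deny_status 503
```

pfSense still needs a WAN firewall rule allowing TCP/80 to that address, and with the Fritzbox in front the RFC1918 block kom mentioned has to be disabled or the forwarded traffic never reaches HAProxy.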
-
@kom I do have two fibre channels. One is a fixed ip and the other is with another provider but it is a dynamic address.
So do you suggest dropping the Fritzbox and connecting PfSense directly to my onc?
-
@stephenw10 that is an excellent suggestion. Of course, the new OS would be on the same subnet.
I'll give that a go.
-
@halfhidden Unless the Fritz does something that pfSense can't and you can't live without it, I don't see the point of running two routers.
-
@kom that's a fair point.