Routing Virtual IP traffic through VPN gateway
-
@kultigsptrizigfrisch
So the hostname gets resolved to a virtual IP assigned to pfSense itself, as I got you.
Then again, how should the proxy know that the traffic should be directed to the remote network without stating the target IP?
-
@viragomann said in Routing Virtual IP traffic through VPN gateway:
@kultigsptrizigfrisch
So the hostname gets resolved to a virtual IP assigned to pfSense itself, as I got you.
Then again, how should the proxy know that the traffic should be directed to the remote network without stating the target IP?

We're going in circles here and both wasting our time. I explained how SNI proxy works above:
SNIproxy "Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine."
If that's not enough then I guess Google "SNI proxy geoblocking".
It's ironic that you assume I don't pay attention to what you're suggesting, meanwhile you seem to not pay attention yourself.
-
@kultigsptrizigfrisch
So I'm wondering why you don't answer the question of how the proxy should forward the traffic to the desired backend, since you don't tell it the backend's IP address.

I can imagine how the sniproxy is meant to work the way you've set it up. That works for outside requests, where the traffic is routed to the proxy, while it forwards the traffic according to the hostname resolution in the internal DNS (split DNS).
But if that's not possible for whatever reason in your case, you can as well state a backend IP in the proxy settings. And I'm wondering why you don't do that.
Also again, this all can be done in HAProxy. HAProxy is also capable of determining the SNI hostname without providing the TLS certificate and forwarding the traffic to the proper backend IP.