Netgate Discussion Forum
    Routing Virtual IP traffic through VPN gateway

    Category: Firewalling. 23 posts, 2 posters, 2.4k views.
    viragomann @wrobelda

      @kultigsptrizigfrisch
      So the hostname gets resolved to a virtual IP assigned to pfSense itself, as I understand you.
      Then again, how should the proxy know that the traffic should be directed to the remote network without stating the target IP?

      wrobelda @viragomann

        @viragomann said in Routing Virtual IP traffic through VPN gateway:

            @kultigsptrizigfrisch
            So the hostname gets resolved to a virtual IP assigned to pfSense itself, as I understand you.
            Then again, how should the proxy know that the traffic should be directed to the remote network without stating the target IP?

        We're going in circles here and both wasting our time. I explained how SNI proxy works above:

        SNIproxy "Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine."

        If that's not enough, then I guess Google "SNI proxy geoblocking".

        It's ironic that you assume I don't pay attention to what you're suggesting, meanwhile you seem to not pay attention yourself.

        viragomann @wrobelda

          @kultigsptrizigfrisch
          So I'm wondering why you don't answer the question of how the proxy should forward the traffic to the desired backend, since you don't tell it the IP address.

          I can imagine how sniproxy is meant to work the way you've set it up. That works for outside requests, where the traffic is routed to the proxy, which then forwards it according to the hostname resolution in the internal DNS (split DNS).

          But if that's not possible for whatever reason in your case, you can just as well state a backend IP in the proxy settings, and I'm wondering why you don't do that.

          Also, again, all of this can be done in HAproxy. HAproxy is also capable of determining the SNI hostname without the TLS certificate and forwarding the traffic to the proper backend IP.

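Added example to illustrate the mechanism both posters are describing (the sniproxy quote about routing "based on the hostname contained in the initial request of the TCP session", and the HAproxy point about determining the SNI hostname without the certificate and forwarding to a backend IP). This is not code from the thread, sniproxy or HAProxy. It parses the server_name extension out of the first TLS record of a connection (the ClientHello) and then looks the hostname up in an explicit hostname-to-backend table, which is what HAProxy does in TCP mode with `req.ssl_sni` and `use_backend` plus `server` lines. Without such a table (or split DNS resolving the name) the proxy has no address to connect to, which is the point viragomann keeps raising. The hostnames and backend addresses are invented for the example; `build_client_hello` constructs test input and is not a real capture.

```python
"""Added example, not code from the Netgate thread, sniproxy or HAProxy.

An SNI proxy never sees a destination IP in the packet. It reads the
server_name extension from the ClientHello and then needs a mapping from
that name to a backend address: an explicit table (HAProxy use_backend +
server lines) or a DNS lookup (split DNS). Names and IPs here are invented.
"""
import struct
from typing import Optional, Tuple

# Hypothetical explicit hostname -> backend table ("stating a backend IP
# in the proxy settings"). Addresses are made up for the demonstration.
BACKENDS = {
    "app.example.com": ("10.0.10.5", 443),
    "files.example.com": ("10.0.10.6", 443),
}


def _u8(buf: bytes, pos: int) -> int:
    if pos + 1 > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos]


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a TLS ClientHello
    record, None if the bytes are not a ClientHello or carry no SNI, and
    ValueError if a length field points past the buffered data (the proxy
    must never read beyond what it actually has)."""
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = Handshake record
        return None
    rec_len = _u16(record, 3)
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len:
        raise ValueError("truncated ClientHello")
    if len(hs) < 4 or hs[0] != 0x01:              # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # client_version + random
    pos += 1 + _u8(body, pos)                     # session_id
    pos += 2 + _u16(body, pos)                    # cipher_suites
    pos += 1 + _u8(body, pos)                     # compression_methods
    if pos == len(body):
        return None                               # no extensions at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end > len(body):
        raise ValueError("truncated ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0:                         # 0 = server_name
            continue
        # ServerNameList: list_len(2), then entries name_type(1) len(2) name
        list_end = 2 + _u16(data, 0)
        lp = 2
        while lp + 3 <= list_end:
            name_type, name_len = _u8(data, lp), _u16(data, lp + 1)
            lp += 3
            name = data[lp:lp + name_len]
            lp += name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii")
    return None


def route(record: bytes) -> Optional[Tuple[str, int]]:
    """Choose the backend for a new TCP connection from its first bytes,
    as `use_backend X if { req.ssl_sni -i app.example.com }` does in
    HAProxy TCP mode. No SNI or an unmapped name yields None: with no
    mapping the proxy has nowhere to send the connection."""
    host = extract_sni(record)
    if host is None:
        return None
    return BACKENDS.get(host.lower())


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record with one SNI entry.
    Constructed test input, not a real capture."""
    name = hostname.encode("ascii")
    server_names = struct.pack("!BH", 0, len(name)) + name
    sni = struct.pack("!H", len(server_names)) + server_names
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, no session id
            + b"\x00\x02\x13\x01"                   # one cipher suite
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for n in ("app.example.com", "nowhere.example.org"):
        print(n, "->", route(build_client_hello(n)))
    print("plain HTTP ->", route(b"GET / HTTP/1.1\r\nHost: app.example.com\r\n\r\n"))
```

The routing decision is made from the first record alone, before any TLS handshake is answered, so the proxy needs no private key; that is the property the sniproxy quote describes. Note what it cannot do: a connection whose ClientHello has no SNI, or whose name is not in the table, gets no backend, and a real deployment would need a `default_backend` or an explicit drop for that case.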
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.