Use pfSense to redirect HTTP requests from public IP1 to public IP2
-
Dear Users,
I'm a newbie and I would like to understand if the request you can find below makes sense or not.
One of my colleagues asked me to:
- assign a DNS alias, let's say "web.domain.com", to the current pfSense DNS A name;
- configure pfSense to redirect every HTTP request from "web.domain.com" to "web.domain.github.com"
So, pfSense should redirect from an existing public IP to another external public IP. Does it make sense? Can it be done? If yes, how can I do it properly?
In addition, I would like to ask you if it could be a transparent redirection or if I should open ports 80 and 443 on the WAN interface of pfSense.
Sorry for this stupid question, but I'm still at the beginning.
Thank you in advance.
-
Requests from behind pfSense? From clients using pfSense as their DNS server?
Or external requests to the pfSense public IP?
Steve
-
@stephenw10 sorry, I'm in the second case. Requests from external IPs to pfSense.
Thank you
-
Ah, then you need an http redirect which would normally be on a webserver not the firewall/router.
You might be able to do that using HAProxy if you have to. That's not something I've ever tried though.
Steve
-
@mauro-tridici said in Use pfSense to redirect HTTP requests from public IP1 to public IP2:
One of my colleagues asked me to:
assign a DNS alias, let's say "web.domain.com", to the current pfSense DNS A name;
configure pfSense to redirect every HTTP request from "web.domain.com" to "web.domain.github.com"
So, pfSense should redirect from an existing public IP to another external public IP.
pfSense can simply redirect packets based on destination IP / port by NAT port forwarding.
But if you only want to redirect a certain host name you will need haproxy as already mentioned.
Either way you have to masquerade the redirected packets to avoid asymmetric routing issues or allow sloppy states on both, the pfSense which is redirecting and on the destination target.
Masquerading means, pfSense has to replace the origin source address in forwarded packets with its own WAN address.
Does it make sense?
Depends. If it should be a temporary setup, this is a way to take a domain over to another site without interruption.
Can it be done?
Yes, but with some caveats due to the masquerading or sloppy states.
In addition, I would like to ask you if it could be a transparent redirection
Only when allowing sloppy states.
I should open the 80 and 443 port on WAN interface of pfSense.
A rule to pass the traffic is necessary at any rate. But since you can stated to destination IP, it's not really opening a port into your network.
This can also be done in the NAT rule directly by selecting "pass" at firewall rule association.
-
@viragomann thank you for your lesson
I really appreciated it. Your explanation is very useful.
-
If you want to redirect traffic that arrives at the pfSense WAN to some other external webserver at a different location then you don't want to be routing that at all. You need to respond to the request with an http redirect so the client then connects to the new location directly.
HAProxy can do that but it would normally be done on an existing webserver. Installing HAProxy just to send 302 redirects would be a very unusual application. I would only do that if there is no other choice.
Steve
-
@stephenw10
Ah, yeah. That's an option, of course.
@mauro-tridici
However, if you do it on HTTP layer and it's a TLS encrypted page (HTTPS), consider that you need to install the TLS certificate on the local pfSense.
-
@stephenw10 thank you for your help :)
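
The HAProxy approach discussed in the thread (answer with a 302 instead of forwarding packets, and hold a certificate locally for HTTPS), written out as a raw configuration. This is an added example, not part of any post above and not output of the pfSense HAProxy package, which is configured through the GUI. The frontend name and the certificate path are placeholders; the host names are the ones used in the question.

```haproxy
# Added example: answer requests for web.domain.com with an HTTP redirect.
# No backend is defined, so HAProxy never forwards traffic; the client
# reconnects to the new site itself and no NAT or masquerading is involved.

defaults
    mode http
    timeout client       10s
    timeout http-request 5s

frontend web_redirect            # hypothetical name
    bind :80
    # The TLS handshake happens before any HTTP response can be sent, so
    # HTTPS clients only see the redirect if this listener presents a
    # certificate valid for web.domain.com. Placeholder path.
    bind :443 ssl crt /path/to/web.domain.com.pem

    # Exact match on the Host header, with or without an explicit port.
    acl host_web hdr(host) -i web.domain.com web.domain.com:80 web.domain.com:443

    # Other host names that resolve to the WAN address get nothing useful.
    http-request deny unless host_web

    # Fixed target: the Location header is never built from client input,
    # only the original path and query string are appended to the prefix.
    http-request redirect prefix https://web.domain.github.com code 302
```

The WAN still needs pass rules for TCP 80 and 443 to the firewall's own address, since the connections now terminate on pfSense itself.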