NAT for the same ports to different LAN IPs
-
Behind pfsense I have two servers.
One webmail (mail.domain.com) in LAN IP 192.168.1.3 and one website (www.domain.com) in LAN IP 192.168.1.4.
Both operate on ports 80 and 443.
How do I do NAT?
mail.domain.com - LAN IP 192.168.1.3 -> 80 and 443
www.domain.com - LAN IP 192.168.1.4 -> 80 and 443 -
@iulianteodor
you need Haproxy
https://docs.netgate.com/pfsense/en/latest/packages/haproxy.html
https://www.youtube.com/watch?v=KkRHqxbWvAM -
@kiokoman
Won't it affect the rest of my already created and functional NATs? -
@iulianteodor
No, you need to NAT 80 and 443 to pfSense itself; HAProxy will take care of the rest. No other NAT rules will be affected. -
@iulianteodor you will basically set up pfSense to act as an HTTP proxy for your servers.
You can also create a third internal server and designate that to act as the internal HTTP proxy. -
@iulianteodor
Yes, HAproxy is the way you can do this on pfSense.
Another option is to run a proxy directly on one of your backend servers, so that it forwards traffic destined for the other. I run an Apache web server with some websites and run the proxy module on it to forward two other domains to different servers.
The Apache proxy is quite simple to set up and does its job flawlessly. -
@kiokoman
I tried. I can't get them to work:
One WAN IP to
"mail.domain.com" - LAN IP 192.168.1.3 -> 80 and 443
"www.domain.com" - LAN IP 192.168.1.4 -> 80 and 443
The truth is that I have never used HAProxy and I can't even find a step by step tutorial exactly on this situation.
Something escapes me and I don't know what.
I appreciate any help! -
@iulianteodor You are looking to do something more complicated than just a port forward so it will require more study.
This is probably a good place to start:
https://www.youtube.com/results?search_query=haproxy+on+pfsense+
-
@iulianteodor said in NAT for the same ports to different LAN IPs:
192.168.1.4
I managed to set it up but I have a problem.
"mail.domain.com" - LAN IP 192.168.1.3 -> 80
"www.domain.com" - LAN IP 192.168.1.4 -> 8080
Four sites in the 192.168.1.4:8080 backend are simple HTML sites and one has a MySQL database.
I can access the four HTML sites, but on the fifth one, with MySQL, I get the message:
"503 Service Unavailable No server is available to handle this request."
Where am I wrong or what should I do?
-
@iulianteodor said in NAT for the same ports to different LAN IPs:
503 Service Unavailable No server is available to handle this request.
I have seen 503 when the backend doesn't pass the health check. You could try changing it to basic or just off. Does it work then?
-
@johnpoz said in NAT for the same ports to different LAN IPs:
I have seen 503 when the backend doesn't pass the health check. You could try changing it to basic or just off. Does it work then?
Simply NATing WAN port 80 to 192.168.1.4 port 8080 works.
On the same IP (192.168.1.4:8080) there are 4 more sites (simple HTML) that go through HAProxy; only one has a MySQL database (XAMPP with MySQL).
-
@iulianteodor you posted HAProxy config, so I assumed all connections were going through HAProxy.
I have seen 503 errors in HAProxy when the backend check fails.
-
HAProxy shows 503 when it points to a non-existent backend server, aka a broken configuration.
Try with health check -> none anyway.
Services / HAProxy / Settings
The last button is SHOW automatically generated configuration.
Post that, hide sensitive data. -
# Automaticaly generated, dont edit manually.
# Generated on: 2022-06-03 22:53

global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend frontend80
    bind xx.xx.xx.xx:80 name xx.xx.xx.xx:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl expressite var(txn.txnhost) -m beg -i www.expresxxxx.com
    acl expresmail var(txn.txnhost) -m beg -i mail.expresxxxx.com
    acl ramsite var(txn.txnhost) -m beg -i www.ramxxxx.ro
    acl nappasite var(txn.txnhost) -m beg -i www.nappaxxxx.ro
    acl emisite var(txn.txnhost) -m beg -i www.emimaragro.ro
    acl expresrosite var(txn.txnhost) -m beg -i www.expresxxxx.ro
    acl rammail var(txn.txnhost) -m beg -i mail.ramxxxx.ro
    acl nappamail var(txn.txnhost) -m beg -i mail.nappaxxxx.ro
    http-request set-var(txn.txnhost) hdr(host)
    use_backend backend-http8080_ipvANY if expressite
    use_backend backend-http80_ipvANY if expresmail
    use_backend backend-http8080_ipvANY if ramsite
    use_backend backend-http8080_ipvANY if nappasite
    use_backend backend-http8080_ipvANY if emisite
    use_backend backend-http8080_ipvANY if expresrosite
    use_backend backend-http80_ipvANY if rammail
    use_backend backend-http80_ipvANY if nappamail

backend backend-http8080_ipvANY
    mode http
    id 100
    log global
    option log-health-checks
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server website 192.168.1.4:8080 id 101 check inter 1000 weight 250

backend backend-http80_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server webmail 192.168.1.3:80 id 103 check inter 1000
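Added example, not taken from any post in this thread and not the pfSense-generated file above: a hand-written haproxy.cfg for the two-server setup kiokoman describes near the top of the thread (HAProxy on pfSense fronting mail.domain.com on 192.168.1.3 and www.domain.com on 192.168.1.4, both behind one WAN IP), extended to port 443 and with the 503 failure mode from the later posts handled explicitly. Two things about that 503 are worth knowing: HAProxy returns "503 Service Unavailable / No server is available to handle this request" both when every server in the selected backend is DOWN (failed health check) and when no use_backend rule matched and the frontend has no default_backend. The generated config above has no default_backend, so any request whose Host header does not begin with one of the eight listed names (the bare domain without www, or a request by IP) gets exactly that 503, while a failed health check on backend-http8080_ipvANY would take down all five sites that share the single server in it, not one of them. Assumptions in this example: the WAN address is 203.0.113.10 (a documentation address standing in for xx.xx.xx.xx); HAProxy binds the WAN address directly, as the generated config does, so no port forward is needed, only a WAN firewall rule allowing TCP 80 and 443 to that address; www.domain.com listens on 8080 for HTTP and 443 for HTTPS, mail.domain.com on 80 and 443; HAProxy 2.2 or newer (needed for http-request return and http-check send); and each backend keeps its own TLS certificate, so 443 is passed through on SNI rather than terminated on pfSense.

```haproxy
# Added example configuration (not the thread's generated config).
# Assumed addresses: WAN 203.0.113.10; webmail 192.168.1.3; website 192.168.1.4.

global
    maxconn 1000

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: plain HTTP, routed on the Host header.
frontend http_in
    bind 203.0.113.10:80
    mode http
    option http-keep-alive
    # Pass the real client address to the backends' logs.
    option forwardfor
    # Strip any :port suffix and lower-case the host, then require an EXACT
    # match: a "starts with" check (-m beg, as in the generated config) would
    # also accept a Host of www.domain.com.attacker.example.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower
    acl host_mail var(txn.host) -m str mail.domain.com
    acl host_www  var(txn.host) -m str www.domain.com
    use_backend be_mail_http if host_mail
    use_backend be_www_http  if host_www
    # Every other Host (bare domain, IP, anything unknown) gets a deliberate
    # 404 instead of HAProxy's generic "503 No server is available" page.
    default_backend be_unmatched

# Port 443: no TLS termination here. Wait for the ClientHello, read the SNI
# and hand the raw TCP stream to the server that holds the matching cert.
frontend https_in
    bind 203.0.113.10:443
    mode tcp
    tcp-request inspect-delay 5s
    # Accept only once a TLS ClientHello has been seen; anything else is dropped.
    tcp-request content accept if { req.ssl_hello_type 1 }
    tcp-request content reject
    acl sni_mail req.ssl_sni -i mail.domain.com
    acl sni_www  req.ssl_sni -i www.domain.com
    use_backend be_mail_tls if sni_mail
    use_backend be_www_tls  if sni_www
    # No default_backend on purpose: a ClientHello for an unknown name is
    # not forwarded anywhere.

backend be_unmatched
    mode http
    http-request return status 404 content-type "text/plain" string "unknown host"

backend be_mail_http
    mode http
    # Health check: a GET on / and any 2xx/3xx counts as up (webmail commonly
    # answers port 80 with a redirect to HTTPS, which OPTIONS / may not).
    option httpchk
    http-check send meth GET uri /
    http-check expect rstatus ^[23][0-9][0-9]
    server webmail 192.168.1.3:80 check inter 5s fall 3 rise 2

backend be_www_http
    mode http
    option httpchk
    http-check send meth GET uri /
    http-check expect rstatus ^[23][0-9][0-9]
    server website 192.168.1.4:8080 check inter 5s fall 3 rise 2

backend be_mail_tls
    mode tcp
    # check-ssl performs a real TLS handshake for the health check only;
    # client traffic is still passed through untouched.
    server webmail 192.168.1.3:443 check check-ssl verify none inter 5s fall 3 rise 2

backend be_www_tls
    mode tcp
    server website 192.168.1.4:443 check check-ssl verify none inter 5s fall 3 rise 2
```

Validate with `haproxy -c -f <file>` before loading it. On pfSense the file is regenerated from the GUI and must not be edited by hand (its header says so); the equivalent there is a port-80 frontend whose ACLs use an exact host match and which has a Default backend set, plus a second frontend on WAN:443 in TCP mode with SNI-based ACLs. To tell the two 503 causes apart, look at the HAProxy stats page: a backend whose server is red/DOWN is a health-check failure (test with `curl -i http://192.168.1.4:8080/` from pfSense or the LAN and compare against the expect rule); if the server is green, the request did not match any ACL, which `curl -i -H "Host: www.domain.com" http://203.0.113.10/` versus a request with a non-matching Host will show. Finally, once the proxy is in place, restrict 192.168.1.3 and 192.168.1.4 to accept 80/443/8080 only from the pfSense LAN address, otherwise other LAN hosts can still reach the servers while bypassing the proxy.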