NAT for the same ports to different LAN IPs
-
@iulianteodor
Yes, HAproxy is the way you can do this on pfSense.
Another option is to run a proxy directly on one of your backend servers, so that it forwards traffic destined to the other. I run an Apache web server with some websites and run the proxy module on it to forward two other domains to different servers.
The Apache proxy is quite simple to set up and does its job flawlessly.
-
@kiokoman
I tried. I can't get them to go:
One WAN IP to
"mail.domain.com" - LAN IP 192.168.1.3 -> 80 and 443
"www.domain.com" - LAN IP 192.168.1.4 -> 80 and 443
The truth is that I have never used HAProxy and I can't even find a step by step tutorial exactly on this situation.
Something escapes me and I don't know what.
I appreciate any help!
-
@iulianteodor You are looking to do something more complicated than just a port forward so it will require more study.
This is probably a good place to start:
https://www.youtube.com/results?search_query=haproxy+on+pfsense+
-
@iulianteodor said in NAT for the same ports to different LAN IPs:
192.168.1.4
I managed to set it up but I have a problem.
"mail.domain.com" - LAN IP 192.168.1.3 -> 80
"www.domain.com" - LAN IP 192.168.1.4 -> 8080
4 sites in the 192.168.1.4:8080 backend are simple html sites and one is with mysql database.
The four html sites work for me to access, but in the fifth one with mysql I have the message:
"503 Service Unavailable No server is available to handle this request."
Where am I wrong or what should I do?
-
@iulianteodor said in NAT for the same ports to different LAN IPs:
503 Service Unavailable No server is available to handle this request.
I have seen 503 when the backend doesn't pass the health check. You could try changing it to basic or just off.. Does it work then?
-
@johnpoz said in NAT for the same ports to different LAN IPs:
have seen 503 when the backend doesn't pass the health check. You could try changing it to basic or just off.. Does it work then?
By simply NAT on WAN on port 80 to 192.168.1.4 port 8080 works
On the same IP (192.168.1.4:8080) there are 4 more sites (simple html) that go through HAProxy; only one has a mysql database (XAMPP with mysql)
-
@iulianteodor you posted up haproxy - assumed all connections were going through haproxy.
I have seen 503 errors in haproxy when the backend check fails.
-
haproxy shows 503 when it points to a non-existent backend server, aka broken configuration
try with health check -> none anyway
Services / HAProxy / Settings
the last button is SHOW automatically generated configuration.
post that, hide sensitive data
-
# Automaticaly generated, dont edit manually.
# Generated on: 2022-06-03 22:53
global
maxconn 1000
stats socket /tmp/haproxy.socket level admin expose-fd listeners
uid 80
gid 80
nbproc 1
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend frontend80
bind xx.xx.xx.xx:80 name xx.xx.xx.xx:80
mode http
log global
option http-keep-alive
timeout client 30000
acl expressite var(txn.txnhost) -m beg -i www.expresxxxx.com
acl expresmail var(txn.txnhost) -m beg -i mail.expresxxxx.com
acl ramsite var(txn.txnhost) -m beg -i www.ramxxxx.ro
acl nappasite var(txn.txnhost) -m beg -i www.nappaxxxx.ro
acl emisite var(txn.txnhost) -m beg -i www.emimaragro.ro
acl expresrosite var(txn.txnhost) -m beg -i www.expresxxxx.ro
acl rammail var(txn.txnhost) -m beg -i mail.ramxxxx.ro
acl nappamail var(txn.txnhost) -m beg -i mail.nappaxxxx.ro
http-request set-var(txn.txnhost) hdr(host)
use_backend backend-http8080_ipvANY if expressite
use_backend backend-http80_ipvANY if expresmail
use_backend backend-http8080_ipvANY if ramsite
use_backend backend-http8080_ipvANY if nappasite
use_backend backend-http8080_ipvANY if emisite
use_backend backend-http8080_ipvANY if expresrosite
use_backend backend-http80_ipvANY if rammail
use_backend backend-http80_ipvANY if nappamail

backend backend-http8080_ipvANY
mode http
id 100
log global
option log-health-checks
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server website 192.168.1.4:8080 id 101 check inter 1000 weight 250

backend backend-http80_ipvANY
mode http
id 102
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server webmail 192.168.1.3:80 id 103 check inter 1000
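
HAProxy also answers 503 when a request's Host header matches none of a frontend's `use_backend` rules and no `default_backend` is set. The following is an added example, not code from any poster in this thread: it resolves Host headers against a frontend of the shape posted above. The domains are constructed placeholders, and only the single-ACL `-m beg -i` rule form is handled.

```python
import re

# Constructed sample in the shape of the pfSense-generated frontend above;
# the domains are placeholders, not the poster's.
SAMPLE = """\
frontend frontend80
    acl site1 var(txn.txnhost) -m beg -i www.example.com
    acl mail1 var(txn.txnhost) -m beg -i mail.example.com
    acl site2 var(txn.txnhost) -m beg -i www.example.org
    http-request set-var(txn.txnhost) hdr(host)
    use_backend backend-http8080_ipvANY if site1
    use_backend backend-http80_ipvANY if mail1
    use_backend backend-http8080_ipvANY if site2
"""

ACL_RE = re.compile(
    r"^\s*acl\s+(\S+)\s+var\(txn\.txnhost\)\s+-m\s+beg\s+-i\s+(\S+)", re.M)
USE_RE = re.compile(r"^\s*use_backend\s+(\S+)\s+if\s+(\S+)", re.M)
DEFAULT_RE = re.compile(r"^\s*default_backend\s+(\S+)", re.M)

def parse_frontend(text):
    """Return (acl name -> lowercase host prefix, ordered rules, default backend)."""
    acls = {name: prefix.lower() for name, prefix in ACL_RE.findall(text)}
    rules = USE_RE.findall(text)  # [(backend, acl_name), ...] in file order
    default = DEFAULT_RE.search(text)
    return acls, rules, default.group(1) if default else None

def route(host, text=SAMPLE):
    """Backend a request with this Host header reaches, or None (HAProxy sends 503)."""
    acls, rules, default = parse_frontend(text)
    host = host.lower()  # -i makes the match case-insensitive
    for backend, acl in rules:  # the first matching use_backend wins
        prefix = acls.get(acl)
        # -m beg is a prefix match, so anything starting with the pattern matches
        if prefix is not None and host.startswith(prefix):
            return backend
    return default

if __name__ == "__main__":
    for h in ["www.example.com", "WWW.Example.ORG", "example.com", "shop.example.com"]:
        print(f"{h:20} -> {route(h) or '503 (no rule matched, no default_backend)'}")
```

Running each hostname that should be served through `route()` shows which ones fall through to a 503, for instance a bare domain typed without the `www.` prefix.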