How to address multiple servers in DMZ from Internet and LAN
-
I need to implement a scenario with 4 servers in DMZ.
srv1, srv2 and srv3 provide services and are accessible on both port 443 and dedicated ports. All 3 servers have the same domain (srv1/2/3.mydomain.tld).
Instead, srv4.mydomain.tld is an Apache server with multiple domains. One of them is registered with the same domain (apps1.mydomain.tld). Some of these servers must be accessible from the Internet.
With NAT port forwarding I can address those that have a dedicated port, but how do I address those that use the standard port?
I should be able to say srv1.mydomain.tld => its IP address in DMZ. All of them must also be accessible from the LAN, possibly using the name and not the IP address.
In this case I could use DNS Forwarder, but I wouldn't want to create conflicts with the rules in NAT. I'm reading various posts in forums and online, but I'm confused about the correct and best way to go.
Thanks in advance for any advice.
-
@darkcorner That looks like you want haproxy.
-
@Bob-Dig said in How to address multiple servers in DMZ from Internet and LAN:
@darkcorner That looks like you want haproxy.
We are talking about a small office, without much traffic from the Internet.
I knew HAProxy as a load balancer for high-traffic contexts.
-
@darkcorner
HAProxy is also a reverse proxy. And this is what you need if you have
- only a single WAN IP,
- pointed multiple public domains to it on the same ports (80, 443)
- and want to forward the domains to different servers in your LAN.
This can only be done on layer 7, and for this you need HAProxy on pfSense or even any other reverse proxy within your LAN.
Basically pfSense is a router and firewall, which works on layer 3. But the domains / host names are not seen on this layer, so pfSense cannot forward them to different devices.
If you use a different external port for each domain you can forward them also with a simple NAT rule.
-
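The layer-7 routing described in the reply above, written out as a raw haproxy.cfg. This is an added example, not the poster's configuration and not the file the pfSense HAProxy package generates verbatim (the package builds its config from the GUI fields); it assumes a single WAN IP, a DMZ of 10.0.20.0/24 with srv1..srv4 at 10.0.20.11..14, and that each backend already presents its own TLS certificate, so HAProxy only reads the SNI from the ClientHello and passes the TLS session through untouched.

```haproxy
# Constructed example haproxy.cfg (not from the original thread).
# Assumed addresses: srv1..srv4 = 10.0.20.11..10.0.20.14 in the DMZ.

global
    log /var/run/log local0            # pfSense syslog socket; the package field "Remote syslog host"
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    log     global
    mode    tcp                        # pass-through: no TLS termination, routing uses the SNI only
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Internal stats listener; the package's StatsFS tab needs the equivalent port set in Settings
listen stats
    bind 127.0.0.1:2200
    mode http
    stats enable
    stats uri /haproxy?stats

frontend fe_https
    bind :443
    # Hold the connection until the TLS ClientHello has arrived so the SNI can be read
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Hostnames only exist above layer 3; this is the decision a NAT rule cannot make
    use_backend be_srv1 if { req.ssl_sni -i srv1.mydomain.tld }
    use_backend be_srv2 if { req.ssl_sni -i srv2.mydomain.tld }
    use_backend be_srv3 if { req.ssl_sni -i srv3.mydomain.tld }
    use_backend be_srv4 if { req.ssl_sni -i apps1.mydomain.tld }
    # Deliberately no default_backend: a ClientHello with an unlisted or missing SNI
    # is closed rather than handed to srv4's default Apache vhost

backend be_srv1
    server srv1 10.0.20.11:443 check   # plain TCP connect check, sufficient for pass-through
backend be_srv2
    server srv2 10.0.20.12:443 check
backend be_srv3
    server srv3 10.0.20.13:443 check
backend be_srv4
    server srv4 10.0.20.14:443 check   # Apache selects the vhost from the same SNI
```

Only port 443 is bound here, so the dedicated ports on srv1..srv3 keep their ordinary NAT port forwards without conflict. For LAN clients, a DNS host override in the pfSense resolver mapping srv1.mydomain.tld directly to 10.0.20.11 (and likewise for the others) works because each backend presents its own certificate, so no hairpin through the proxy is needed. From outside, `openssl s_client -connect <WAN IP>:443 -servername srv1.mydomain.tld` shows which backend's certificate answered, which separates a routing problem from a DNS one.
-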
@viragomann
I saw it and it seems very interesting.
I have already installed and configured it with a server, but I still can't reach it.
From the LAN yes, but I can't ping from the WAN.
Right now in DMZ there is only one "all open" rule.
-
@viragomann
Even disabling "Block private networks and loopback addresses" and "Block bogon networks" on the WAN tab, I am unable to ping from WAN to a PC in LAN or the server in DMZ.
At this point I can't understand if I can't access the server from the internet due to DNS, HAProxy or my pfSense configuration.
At the moment LAN and WAN have everything open.
This is my configuration in Cloudflare DNS.
There are A records only for the domain and for the servers in the domain, all of them located in the DMZ.
In HAProxy I have configured only one, and access with the domain from the LAN works.
-
@darkcorner
How did you set up HAProxy?
Are the backend states "online"? Check Services > HAProxy > StatsFS.
Does your setup even work without HAProxy?
Just add a port forwarding to WAN for port 443 or whatever you use and point it to one of the backend servers. So this would bypass HAProxy and at least the one which is set as target should work from outside. Also possibly the Cloudflare proxy makes something different. But I'm not familiar with it.
In the HAProxy settings enable the logging by entering the path "/var/run/log".
-
@viragomann
On the Status / Services page, HAProxy is active.
In the StatsFS appears the message: "In the "Settings" configure a internal stats port and enable haproxy for this to be functional. Also make sure the service is running."
I deactivated the proxy from Cloudflare.
I created this NAT rule:
- Interface: WAN
- Protocol: TCP
- Destination: WAN Net
- Destination Ports: HTTPS
- Redirect Target IP: Single Host / Server Address
I entered /var/run/log in "Remote syslog host" and set "Syslog level" to both "Error" and "Debugging", but nothing appears in "Status / Package Logs / haproxy".
-
@darkcorner said in How to address multiple servers in DMZ from Internet and LAN:
In the StatFS appears the message:
In the "Settings" configure a internal stats port and enable haproxy for this to be functional.
So do this first.
I created this NAT rule
Destination: WAN Net
The destination has to be "WAN address", assuming you have only a single one.
-
@viragomann
I'm having more than one DNS issue, not just mine.
At the moment I preferred to do two things: move all my DNS back to the original ISP and install a new pfSense, testing it step by step with every change, because right now the only way to make it work is to have an "all open" rule, but this is not possible.
I put this thread on stand-by and if necessary I will open a new one for DNS. In the meantime, I thank you.