Can pfsense detect requests and routing to set hostname

sysbitnet

Hello,

In the picture, i have one lab test whereas as you can see i have one ProxMox.

Inside have 3 Virtual Machines, one of those three is pfSense, and the other two are independent web servers with different content but need to have the same configuration with ports.

How can easily manage inside Firewall / Aliases / IP

And manage the port inside the Firewall / Aliases / Ports

And how can routing inside Firewall / NAT / Port Forward do like this

My idea is when i am in the browser enter web1.domain.com to get content from VM 1, but when i enter browser web2.domain.com to get content from VM 2

The point is not to set inside URLs like web1.domain.com:CustomPort or web2.domain.com:CustomPort how can get content.

I tried HAProxy to configure it but again can not figure out what is the problem.

In Services / HAProxy / Backend create two profiles.

Web1 and Web2 and configured like this.

For example, this is how it looks Web1
Mode: active
Name: web1
Forward to: Address+Port
Address: 192.168.100.1
Port: 443
Encrypt(SSL): yes checked
SSL checks: empty
And in the Health check method set: none

In Services / HAProxy / Frontend
For example, this is how it looks Web1
External address
Listen address: WAN address (IPv4)
Port: 443
SSL Offloading: yes checked

In Access Control lists inside the same Services / HAProxy / Frontend
Name: web1
Expression: Host matches
CS: empty
Not: empty
Value: web1.domain.com
In part Actions inside the same Services / HAProxy / Frontend

Action use Backend the name that i set on Web1
Condition acl names: the same name that i set in Access Control lists web1

In SSL Offloading inside the same Services / HAProxy / Frontend

In part, the Certificate uses an SSL certificate which i import on System / Certificates / Certificates

And click Save

When i try to visit web1.domain.com is not working if inside Firewall / NAT / Port Forward disable rules which you can see with a screenshot from the main post.

When are the rules able to help me fix my cases, if i create rule who

Interface: WAN
Protocol: TCP/UDP
Source Address: ! WAN address
Source Ports: *****
Dest. Address: ! Local address
Dest. Ports: AllWebPort
NAT IP: Local address
NAT Ports: AllWebPort
To explain Local address is 192.168.100.xx/24

Inside AllWebPort in Firewall / Aliases / Ports i set port 80 and port 443 how can not any time enter, In this case just call Aliases.

But again is not working, any help or idea what can be a problem, what did i do wrong?

Many thanks in advance :)

viragomann

@sysbitnet
First off remove the port forwarding rules. They are pretty useless anyway.

In the backend enable basic health check. Then check on the statsFS pages, if the backend is shown up as online (green).
So you get an idea if HAproxy can see the backend server.

As the backend is configured for port 443 + encryption, it is required to install a SSL certificate on the backend.

Also you can remove one of the port aliases, since both have the same values.

When are the rules able to help me fix my cases, if i create rule who

On the WAN just create a firewall rule to allow port 80 and 443 to "WAN address".
In the HAproxy frontend you should then add port 80 and add a redirection for port 80 to 443.
This can be achieved by this ACL

and this action

stephenw10

Yeah you need to use a reverse proxy for this like haproxy. pfSense cannot see the host data to use for routing.

It can also be done using Reverse Squid which is simpler to configure but a lot less flexible.

sysbitnet

This does not help me, again i get not working.

If inside Firewall / NAT / Port Forward only have one active rule like this

And if i have active HAProxy not get valid final routering.

Like when i visit web1.domain.com to go on VM1 where is the host that site with his SSL.

And when i want to go on web2.domain.com to go on another VM2 where is the host that site with an SSL certificate

stephenw10

What do you expect that port forward to do? Is that for the webservers?

When you use a proxy for the web traffic you should not have a port forward, the traffic is proxied instead of forwarded.

sysbitnet

@stephenw10

Ok, in that can so how does it work?
Can you please explain ?

If Firewall / NAT / Port Forward does not have any active rule, how can HAProxy know what to do?

Because before I decided to write anything and ask for help to solve this lab i tried so many options.

But not successful any time request web1.domain.com to open content from VM1 and when i wont to visit web2.domain.com to see content from VM2

viragomann

@sysbitnet
The HAproxy service is running on pfSense itself and is listening on the interface IPs, you've configured in the frontend.

So why you want to forward the traffic and to where, which is meant to be treated by pfSense itself?

stephenw10

HAProxy runs on the firewall and listens for incoming requests on the WAN dircetly. It looks at the request and depending on how it's configured it opens a connection to one of the backend hosts and sends the request to it.

You need to have firewall rules to allow that.

You usually need to move the webgui to a different port so that HAProxy is able to use ports 443 and 80 to listen on.

sysbitnet

Ok, I understand what you mean.

Sow what I do and how can function what is shown in the lab case photo.

Inside Firewall / NAT / Port Forward

I removed all I moved to manage inside HAProxy how can allow or not allow addresses or ports.

Inside Firewall / Rules / WAN create one rules with status PASS
Protocol: TCP/UDP
Source Address: Any
Source Ports: Any
Dest. Address: ! Local address
Dest. Ports: Any
And enable Log packets that are handled by this rule

Inside Services / HAProxy / Backend

Name: Back_VM1_443
Mode: active
Name: web1
Forward to: Address+Port
Address: 192.168.100.1
Port: 443
Encrypt(SSL): yes
SSL checks: yes
And in the Health check method set: basic

Name: Back_VM2_443
Mode: active
Name: web2
Forward to: Address+Port
Address: 192.168.100.2
Port: 443
Encrypt(SSL): yes
SSL checks: yes
And in the Health check method set: HTTP

===============

Name: Back_VM1_80
Mode: active
Name: web1
Forward to: Address+Port
Address: 192.168.100.1
Port: 80
And in the Health check method set: basic

Name: Back_VM2_80
Mode: active
Name: web2
Forward to: Address+Port
Address: 192.168.100.2
Port: 80
And in the Health check method set: HTTP

Inside Back_VM2_443 and Back_VM2_80 I set it up on purpose And in the Health check method set: HTTP
How can testing HTTP protocol to check on the servers' health be used for HTTPS servers(requires checking the SSL box for the servers).

How i configure On the Frontend part.

Services / HAProxy / Frontend
Name: Front_Port_443
External address
Listen address: WAN address (IPv4)
Port: 443
SSL Offloading: yes

In Access Control lists inside the same
Name: web1
Expression: Host matches
CS: empty
Not: empty
Value: web1.domain.com

Name: web2
Expression: Host matches
CS: empty
Not: empty
Value: web2.domain.com

In part Actions inside the same

Action Use Backend the name that i set on Back_VM1_443
Condition acl names: the same name that i set in Access Control lists web1

And second Use Backend the name that i set on Back_VM2_443
Condition acl names: the same name that i set in Access Control lists web2

And inside the same Additional certificates select SSL Offloading what i on System / Certificates / Certificates

And create one more rules for port 80

Name: Front_Port_80
External address
Listen address: WAN address (IPv4)
Port: 80
SSL Offloading: no

In Access Control lists inside the same
Name: web1
Expression: Host matches
CS: empty
Not: empty
Value: web1.domain.com

Name: web2
Expression: Host matches
CS: empty
Not: empty
Value: web2.domain.com

In part Actions inside the same

Action Use Backend the name that i set on Back_VM1_80
Condition acl names: the same name that i set in Access Control lists web1

And second Use Backend the name that i set on Back_VM2_80
Condition acl names: the same name that i set in Access Control lists web2

And i need to say i did not set a custom TCP port to access on pfsense inside System / Advanced / Admin Access TCP port "Enter a custom port number for the webConfigurator above to override the default (80 for HTTP, 443 for HTTPS). Changes will take effect immediately after save."

And with this configuration finally, lab it is working, what do you think guys?

stephenw10

I would set the destination on the WAN firewall rule to something that contains only the IPs you expect HAProxy to receive connections on. So maybe an alias with those IPs in it or set it to the WAN subnet if the VIPs are inside that.

sysbitnet

@stephenw10

You man inside Firewall / Rules / WAN where i create one rule with status PASS
Protocol: TCP/UDP
Source Address: ! WAN address
Source Ports: Any
Dest. Address: ! Local address
Dest. Ports: Any
And enable Log packets that are handled by this rule

I plan to test and create an inside Firewall / Aliases / Ports list of only ports that who lab user or service can use.

stephenw10

@sysbitnet said in Can pfsense detect requests and routing to set hostname:

Dest. Address: ! Local address

I mean that is too wide a match. It would match a lot of traffic that shouldn't be allowed. Though I don't know exactly what 'Local' is there. The only traffic you should allow into the WAN should have a destination of the IPs HAProxy is listening on. So at most the WAN address and/or the VIPs on the WAN.

And yes the destination ports should probably be an alias of 443 and 80 only.

sysbitnet

@stephenw10

In the lab case, i have only one public IP but if I understand your suggestion.

I plan to see you for testing on Firewall / Aliases / IP

Name: web1
IP: 192.168.100.1

Name: web2
IP: 192.168.100.2

And create an inside Firewall / Aliases / Ports list of only ports that who lab user or service can use like.

Name: WWW
Ports: 80, 443

And to inside Firewall / Rules / WAN where i create a rule with the status PASS
Protocol: TCP/UDP
Source Address: ! WAN address
Source Ports: Any
Dest. Address: web1
Dest. Ports: WWW
And enable Log packets that are handled by this rule

sysbitnet

I just tried to add like new service wowza and when visited VM3 with http://192.168.100.3:8088 in the local host i saw see login page, but when i try to access wowza with a set domain name like http://wowza.domain.com:8088 i get this result

503 Service Unavailable
No server is available to handle this request.

when i check with the LISTEN port like this

root@dev:~# lsof -i -P -n | grep LISTEN
systemd     1            root   40u  IPv6 8353844      0t0  TCP *:22 (LISTEN)
systemd-r  96 systemd-resolve   14u  IPv4 8354932      0t0  TCP 127.0.0.53:53 (LISTEN)
java      123            root   25u  IPv4 8347558      0t0  TCP *:8088 (LISTEN)
java      287            root    8u  IPv4 8355219      0t0  TCP *:41183 (LISTEN)
java      287            root  164u  IPv4 8353064      0t0  TCP *:8087 (LISTEN)
java      287            root  172u  IPv4 8358134      0t0  TCP *:8083 (LISTEN)
java      287            root  187u  IPv4 8358172      0t0  TCP *:1935 (LISTEN)
java      287            root  191u  IPv4 8358176      0t0  TCP *:8086 (LISTEN)
master    358            root   13u  IPv4 8347603      0t0  TCP 127.0.0.1:25 (LISTEN)
master    358            root   14u  IPv6 8347604      0t0  TCP [::1]:25 (LISTEN)

I created the same as i did earlier for port 80 and port 443 but is not working.

I know i need to add SSL, but as i write this is lab testing, not production.

stephenw10

@sysbitnet said in Can pfsense detect requests and routing to set hostname:

Dest. Address: web1

That destination on the WAN would be the WAN address if you don't have any VIPs on it. web1 is an internal IP that could never be reached by an external host.

sysbitnet

@stephenw10

Do you maybe know what can be a problem why i get

503 Service Unavailable
No server is available to handle this request.

When i try to use another service like Wowza?

Port 80,443 its working perfect, but when i wont to add on the same case other port or services i get the same error

503 Service Unavailable
No server is available to handle this request.

Thank you

stephenw10

I don't know what Wowza is. What exactly have you added? How are you testing it? What do you expect to see?

sysbitnet

@stephenw10

Wowza is a video platform with industry-leading technology that delivers quality live and VOD streaming with integrated CMS, analytics, and more.

But i have the same problem when i try another service, like access on proxmox or any other service who requests another port number but is not port 443 and port 80

Any time i get
503 Service Unavailable
No server is available to handle this request.

stephenw10

Sounds like HAProxy it not configured to use that port so it just returns that 503 error.

sysbitnet

@stephenw10
I agree with you.

How can testing what is the problem only leave this service, for example, i used to test proxmox.

Inside Services / HAProxy / Backend

Name: PM_8006
Mode: active
Name: pm
Forward to: Address+Port
Address: 192.168.100.3
Port: 8006
Encrypt(SSL): yes
SSL checks: yes
And in the Health check method set: basic

How i configure On the Frontend part.

Services / HAProxy / Frontend
Name: PM_Front
External address
Listen address: WAN address (IPv4)
Port: 8006
SSL Offloading: yes

In Access Control lists inside the same
Name: pm
Expression: Host matches
CS: empty
Note: empty
Value: pm.domain.com

In part Actions inside the same

Action Use Backend the name that i set on PM_8006
Condition acl names: the same name that i set in Access Control lists pm

And inside the same Additional certificates select SSL Offloading what i on System / Certificates / Certificates

The same certificate and added inside proxmox, because is letsencrypt wildcard certificate

And when i try to visit https://pm.domain.com:8006/ the result is like this below message.

503 Service Unavailable
No server is available to handle this request.