Forwarding to Subdomains

  • I tried split DNS to do this, but since we've acquired a new domain name, I also registered a subdomain.  Where I used to port forward as follows: -> (local subnet) I was hoping to do the following:, however, I wasn't too sure on how to do that.  Another reason I ask is because I will have several other subdomains that need to be forwarded correctly on the internal side of the firewall.

    Split DNS didn't work for me and simple port forwarding won't work and I'm pretty certain NAT reflection is not the way to go.



    Wow, no answers yet? I'm surprised. Is it that much of a stumper or am I missing something that should be pretty obvious?

  • It's kind of confusing as to what you're trying to do here. It sounds like you want different subdomains to be port forwarded to different internal IP addresses, or maybe just to different ports. The thing is, subdomains, like any domain, are just resolved to an IP address. NAT knows nothing about domains, so you need to be able to do NAT based on IP and port alone. This means that each sub-domain has to resolve to a different IP address, or you have to require that each sub-domain be accessed with a different port (which is not transparent to the user).

    It might best be handled by having every sub-domain use the same IP, and assuming this is HTTP traffic, let the web server sort it out using host headers.

    Split DNS and NAT reflection refer to methods of accessing domains that are accessible from outside with NAT, from behind the NAT, so this further confuses me. Some clarification on what you want to do would be helpful.

  • I assume you're talking about web sites?  Search the forums for posts on HA Proxy, which is what's usually suggested when people ask that question.

  • Briantist:

    Essentially, I want the following to happen.

    Fire up a web browser and navigate to (or any other subdomain I choose); now, that would resolve to ip address (this works, dns resolution shows it) and then that request gets translated (upon reaching the firewall) to the local IP address of the server that handles whatever it is I'm trying. So cameras go to the DVR server, mail to the mail server, web to the web server and so on. This is in accordance with rules that I specify on the firewall (I assume).

    Hence my trial with the split dns.

    Now, I currently have a working setup where I'm using port-forwarding that I want to change to the above described by using sub-domains instead.  Currently, on the local side of the network, each subdomain has its own IP address, but not so externally (they all resolve to the same IP address).

    Makes sense?

    Thanks for the help

  • Where you can forward a different port that's easy - just forward 25/TCP to the mail server, 80/TCP to the web server etc.  Note that for services other than HTTP there is no way to know what hostname the client used to connect to your server with and there is no way to do what you're after with a single WAN IP for anything other than HTTP.

    Where you want to use a single port for multiple web servers, pfSense natively can't do that.  That type of activity has to be managed by an application layer proxy, such as HA Proxy.  Start with this thread.
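The application layer proxy setup this reply points to, as an added example that is not part of the thread and not a configuration posted by anyone in it: one HAProxy instance receives everything pfSense forwards from the single WAN address on 80/TCP and picks the internal server from the HTTP Host header. The hostnames, the RFC 1918 addresses and the backend names are placeholders assumed for illustration, not the poster's. The 443/TCP frontend goes a step beyond the thread: it uses the TLS SNI name (the HTTPS counterpart of the Host header) to route encrypted traffic without terminating it, which is why it runs in tcp mode. That still only helps for HTTP and TLS; protocols such as plain SMTP carry no hostname, which is the limitation the reply describes.

```haproxy
# Added example (not from the thread). All names and addresses are placeholders.
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# pfSense forwards WAN:80 to this host; HAProxy chooses the backend by Host header.
frontend http_in
    bind *:80
    # Case-insensitive match on the hostname the browser actually sent.
    acl host_cameras hdr(host) -i cameras.example.com
    acl host_www     hdr(host) -i www.example.com
    use_backend be_dvr if host_cameras
    use_backend be_web if host_www
    # A request for a hostname we do not serve gets an explicit refusal,
    # never a guess at some internal server.
    default_backend be_reject

backend be_dvr
    server dvr1 192.168.1.10:80 check

backend be_web
    server web1 192.168.1.20:80 check

backend be_reject
    http-request deny

# pfSense forwards WAN:443 here; the TLS ClientHello is inspected for its SNI
# name and the connection is passed through unmodified to the matching server.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    # Hold the connection briefly so the ClientHello can be read before routing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Anything that is not a TLS ClientHello is dropped.
    tcp-request content reject
    use_backend be_pbx if { req.ssl_sni -i pbx.example.com }
    # No default_backend: an unknown SNI name is simply closed.

backend be_pbx
    mode tcp
    server pbx1 192.168.1.30:443 check
```

With this in place the pfSense rules stay simple (WAN:80 and WAN:443 each forward to the HAProxy host) and every new subdomain is one acl/use_backend pair rather than a new NAT rule; the deny and reject defaults make sure a hostname nobody configured cannot reach an internal server by accident.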

  • Thanks, I'll check it out.

    One question though, is my thinking the right way?  I kinda see it as follows:

                                   --------> DVR Server ( [subdomain request]
    Request  --------> PFSense |--------> Web Server ( [domain request]
                                   --------> VOIP PBX   ( [SSL subdomain request]

    Or is that not even possible with pfsense?

  • I'll say it again - Application Layer Proxy.

    You can't do what you're after with just a firewall.  You can forward 443/TCP (HTTPS) to the SSL subdomain, but for 80/TCP (HTTP) you must use something like HA Proxy.  Go read that other thread ;)

  • Will do, thanks :)
