Apache 2.2 (virtual hosts) and pfSense 2 with NAT



  • Hi,

    I'm new to pfSense, but because it's very intuitive, it's not that hard to configure it right. But there is one thing I don't get and it drives me crazy.
    I've one Apache-Server serving multiple virtual hosts. Most of them are on other machines, which means I've several rewrite rules to other servers, most of them are tomcats. I'd like to put pfSense in front of this Apache-Server:

    internet          -> router            -> pfSense          -> Apache-Server  -> other Server
    33.xx.xx.xx:81 ->                      -> 192.168.0.5:81 -> 192.168.0.38:80 -> i.e. 192.168.0.40:80

    What I did so far is I created the following NAT rule (see attachment)

    Which also created the corresponding firewall rule. But when I do a port scan (from the outside), the port 81 is closed (81 is just for testing). But when I change the NAT rule and use 192.168.0.40 (instead of 192.168.0.38) as NAT IP, everything works as expected:

    33.xx.xx.xx:81 -> router -> 192.168.0.5:81 -> 192.168.0.40:80

    And I do not know why. I checked 192.168.0.38 for an internal firewall (like ufw), but there's nothing. I can access 192.168.0.38 from other machines through port 80, it works. There is no restriction, but it doesn't work with pfSense in front. The problem is that I need the Apache on 192.168.0.38 to delegate to different servers depending on the URL (virtual hosts). AFAIK this can't be done with pfSense, that's why I need the Apache as a delegator.

    I appreciate any ideas or thoughts what it might be.

    Thanks for your help,

    greetings
    Daniel
    ![Bildschirmfoto 2011-11-21 um 21.01.05.png](/public/imported_attachments/1/Bildschirmfoto 2011-11-21 um 21.01.05.png)



  • There are packages like HA proxy and others that do what you want.
    But is .38 using your pfSense firewall as its default gateway?



  • @podilarius:

    There are packages like HA proxy and others that do what you want.
    But is .38 using your pfSense firewall as its default gateway?

    Hi podilarius,

    you were right. I added pfSense as the default gateway on .38 and it worked as expected  ;D

    I also installed the squid package and will try to configure it as a "delegator".

    Thank you so much for your help,
    Daniel



  • You may also want to look into the varnish package (requires 64-bit host).



  • When you cannot or do not want to change the default gateway, you can use outbound NAT to your server so that it sees everything as coming from your pfSense box, and thus will know where to send replies.
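
The return-path problem discussed in this thread, as an added example that is not part of any post: a small model of where Apache's reply goes in the three setups mentioned (wrong default gateway, pfSense as default gateway, outbound NAT on pfSense). The /24 netmask, the other router's address 192.168.0.1, the external client address and the port numbers are assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed /24 around the thread's addresses
PFSENSE = "192.168.0.5"    # pfSense address from the thread
APACHE = "192.168.0.38"    # Apache server from the thread
ROUTER = "192.168.0.1"     # assumption: the other router's LAN address
CLIENT = "203.0.113.10"    # constructed external client

def next_hop(dst, default_gw):
    """Route lookup on the Apache host: on-link destinations are reached
    directly, everything else is handed to the default gateway."""
    return dst if ipaddress.ip_address(dst) in LAN else default_gw

def trace(server_default_gw, outbound_nat):
    """Follow one connection through the port forward and back.
    Returns (works, hop the reply took)."""
    client = (CLIENT, 40000)
    # pfSense port forward: :81 -> 192.168.0.38:80, state is kept on pfSense.
    # With outbound NAT the source is rewritten to pfSense as well.
    seen_src = (PFSENSE, 50000) if outbound_nat else client
    # Apache answers the source address it saw.
    hop = next_hop(seen_src[0], server_default_gw)
    # Only pfSense holds the state to rewrite 192.168.0.38:80 back to :81.
    # A reply leaving through any other hop keeps the wrong source, the
    # client discards it, and no connection completes.
    return hop == PFSENSE, hop

if __name__ == "__main__":
    cases = [
        ("gateway = other router, no outbound NAT", ROUTER, False),
        ("gateway = pfSense", PFSENSE, False),
        ("gateway = other router, outbound NAT on pfSense", ROUTER, True),
    ]
    for label, gw, onat in cases:
        works, hop = trace(gw, onat)
        print(f"{label:50} reply via {hop:13} -> {'OK' if works else 'FAILS'}")
```

With outbound NAT the Apache access log shows the pfSense address instead of the real client address, which matters for logging and any IP-based access rules on the server.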

