Redirects to internal IP based on a domain name



  • Hello,

    I am about to ask something you are going to say can't be done the way I want it, but perhaps I will get lucky.

    I would like to have:
    1.example.com as an A record going to static IP 123.123.123.123, which resolves to pfSense, and it reads the domain name and redirects it to computer 192.168.0.1
    2.example.com as an A record going to static IP 123.123.123.123, which resolves to pfSense, and it reads the domain name and redirects it to computer 192.168.0.2
    etc.
    The reason is I want to use ports 80, 457, and RDP on about 10 servers externally, but only one is needed at a time, so if I can have it read the domain and auto-follow a 1:1 NAT based on the sub-domain name, not on the ports, it would solve a lot of issues.
    Yes, I can do this easily with 10 static IPs, but if I can do this it will save us a lot of money.
    Is there a way to set up pfSense to read the domain name and do a redirect based on the rules of that domain?

    PS: if there is another way to do this kind of setup beyond what I asked above, please tell me that also.



  • A reverse proxy will work, at least for HTTP traffic. Will you please search for "reverse proxy".


  • Rebel Alliance Global Moderator

    "reads the domain name and redirects it"

    Yeah you have to use a reverse proxy for that



  • Hello,
    first of all, in this area of networking I have little experience, so sorry in advance.

    This is a sample of what I would like to be able to do.

    I would like to have:
    1.example.com as an A record going to static IP 123.123.123.123, which resolves to pfSense, and it reads the domain name and redirects it to computer 192.168.0.1
    2.example.com as an A record going to static IP 123.123.123.123, which resolves to pfSense, and it reads the domain name and redirects it to computer 192.168.0.2
    and so on

    (If possible I need to allow several domain names, not just one.) The reason is I want to use ports 80, 457, and RDP (RDP is the most used of these) on about 10 servers externally, but only one is needed at a time, so if I can have it read the domain and auto-follow a 1:1 NAT based on the sub-domain name, not on the ports, it would solve a lot of issues.

    My understanding is this can be done via a Reverse DNS. I have installed Squid3 and lightsquid, and lightsquid is showing a history of sites as it should; however, setting up the reverse dns is failing.

    Is there a guide on what I am trying to do, as the squid settings seem to only apply to HTTP(S) and Exchange-related items?

    Similar but never solved:
    http://forum.pfsense.org/index.php/topic,49254.msg260952.html#msg260952



  • @KineticPro:

    the reason is i want to use ports 80, 457, and RDP {RDP is the most used of these}

    Reverse proxies will do the job based on hostnames for the HTTP protocol.

    With TCP connections, you can try different ports to NAT:

    33891 -> 192.168.1.1:3389
    33892 -> 192.168.1.2:3389
    .
    .
    .



  • These servers, due to how and who uses them, cannot have their registry changed for the RDP port, due to how many people use them, who uses them, and how many machines each person is using.

    Port alteration was the first thing we thought of and tried for these servers, but it was shot down after a week of testing. It really needs to be a direct translation, or I will have to buy an additional 20 static IPs just for this port issue.
    Now, if I can have the NAT done for me so that the clients never know about the port change, problem solved (explained below). Is there another reverse proxy I can try that does support everything?

    Ideal and known IMPOSSIBLE:
    external user creates RDP send signal > DNS has a port change in it > pfSense gets alternate external port and translates it to default internal > RDP session created
    (The DNS will not do the port switch, no matter how simple it would make it for us.)



  • However, squid ONLY works on HTTP(S), and RDP is a must, and sadly port alteration is not an option for these machines.

    Now, if I can have the NAT done for me so that the clients never know about the port change, problem solved (explained below). Is there another reverse proxy I can try that does support everything?

    Ideal and known IMPOSSIBLE:
    external user creates RDP send signal > DNS has a port change in it > pfSense gets alternate external port and translates it to default internal > RDP session created
    (The DNS will not do the port switch, no matter how simple it would make it for us.)



  • Alternatively you can use a VPN to facilitate access to the internal network and not expose RDP to the Internet; the latter will most probably result in countless (hopefully unsuccessful, if your passwords are sufficiently strong) break-in attempts…


  • Rebel Alliance Global Moderator

    " RDP is a must and sadly port alteration is not an option for these machines "

    Whoever said anything about port alteration on the machines?  From the client you state what port you want; clearly that is what marcelloc showed in his example:

    33891 -> 192.168.1.1:3389
    33892 -> 192.168.1.2:3389

    The machines at .1 and .2 still listen on 3389, the default rdp port.  Just the client coming from the public net uses a different port so that pfsense knows what private IP to forward to using the 3389 port.



  • @johnpoz:

    " RDP is a must and sadly port alteration is not an option for these machines "

    Whoever said anything about port alteration on the machines?  From the client you state what port you want; clearly that is what marcelloc showed in his example:

    33891 -> 192.168.1.1:3389
    33892 -> 192.168.1.2:3389

    The machines at .1 and .2 still listen on 3389, the default rdp port.  Just the client coming from the public net uses a different port so that pfsense knows what private IP to forward to using the 3389 port.

    The issue with this is that externally this would be the URL:

    1.example.com:33891 instead of 1.example.com
    2.example.com:33892 instead of 2.example.com

    Yes, internal ports will be default, but externally they will not be.

    If you can come up with any way to get the ports to work in a forward in the DNS I would love to know, but if done as a forward RDP will not work, and A records will not allow port limitations.

    Let me explain one of the reasons we need it clean: I have several people who will be using these machines who are less than beginners with computers, who will need to be able to access their machines externally, and due to where they will be accessing from they are not allowed to have any file (including a rewritten RDP file with the port info), and if I have those numbers they will write the info down, making the no-file rule a joke, but one the company will not allow me to get past on external data.

    While most of my uses past this issue will be for tech reasons, where the NAT port redirection will work, at present I need to come up with something clean that I know they can do no matter what computer they access from, which is why VPN and vlc were not a choice, as these are not found on most computers by default.

    And sorry for being a pain on this; I am not trying to be, but I have been given several limiting factors that are making this project a nightmare.


  • Rebel Alliance Global Moderator

    Sorry, what you're asking just doesn't work that way.

    Get more than 1 external IP; that way you can have your different URLs point to different boxes inside.

    But your example is wrong - there would be no reason for it to be

    1.example.com:33891
    2.example.com:33892

    it would be
    example.com:33891
    example.com:33892

    You are only pointing to one public IP; there is no reason for different FQDNs to point to the same thing.

    I don't care if your users are retarded monkeys on crack!!  If they can not remember example.com:123 vs example.com:456 then get different monkeys.  Or put example.com:123 on a piece of paper.



  • Options are:

    1. open an HTTPS port to a Windows server
    2. use an SSL VPN like Adito on an internal server
    3. there are HTML5 VNC & RDP proxies about, but they need to go on an internal server

    But pfSense at this time cannot do this, apart from squid etc. for HTTP/S, and NAT or VPN to your RDPs or VNCs.



  • OK, sadly this is what I was expecting, and what I told them when I was given this list of instructions on what can and cannot be done on this project. At least now I can send this in to them to show the problem currently has no solution.
    I thank you all for your time here and will present them with their choices on what they want, and see what the company wants to do.

    Once again, thank you.

    PS: if anyone wants to make a package that will read any incoming domain regardless of ports (even if it checks the URL via another port), I would be interested in beta testing it, but I do understand it does NOT exist at this time.


  • Rebel Alliance Global Moderator

    " show the problem currently has no solution."

    Not actually true - there is a solution: use ports on the end of the URL, :123 etc.  Or another solution would be to get more public IPs, so you could assign different FQDNs and therefore different IPs that you need to get to behind your NAT router.

    Your issue is you're trying to use 1 public IP with multiple boxes behind it all listening on the same port.



  • @KineticPro:

    PS: if anyone wants to make a package that will read any incoming domain regardless of ports (even if it checks the URL via another port), I would be interested in beta testing it, but I do understand it does NOT exist at this time.

    This isn't possible for anything besides HTTP, because most services (like RDP) will just resolve the name and connect to the IP and forget about the name. HTTP does the same thing, but what makes it different is that INSIDE the request it sends the FQDN it was trying to connect to in the first place, inside the headers. That is how a web server or reverse proxy can figure out what to send where. In pure RDP, that header with the FQDN in it simply does not exist.



  • Slightly off topic (as it's not pfSense), but rather a reverse proxy (like I mentioned above): take a look at Guacamole.
    It's a clientless HTML5 VNC & RDP proxy and runs a treat, even behind squid.
    http://guac-dev.org/



  • Sounds great, but from a really fast look it seems there is only Linux support; am I wrong?


  • Rebel Alliance Global Moderator

    Yeah, you have to run it on a Linux OS, but what you access with RDP or VNC could be any OS that supports those.  Windows would be RDP.  Run it on a VM if you don't have any Linux boxes around.



  • There is also ThinVNC & ThinRDP for Windows, which are free but can only be used on each client, whereas the server (cost) can do the proxy.



  • I have Linux and Windows based machines at home, but I'm somewhat curious how to set this up.
    Is it that all connections to 5900 and 3389-3390 are port-forwarded to the Linux machine, and after that Guacamole directs them to the right point based on domain?



  • Guac is a proxy (much like squid).
    You simply point your browser at guac and you are confronted with a logon page. Depending on how you have configured the mappings, depends on what you are confronted with.
    To point your browser at guac from external, you will need to create an A record or use your public IP, and open up either 80 or 443 and point it to the guac server.
    Alternatively, you can use squid and map to guac.

