Netgate Discussion Forum

    Additional IP for cPanel

      mcit

      Can someone help me with this one:

      I am looking to put a new server behind pfsense 2.0.1 for hosting via cPanel. I already have the server installed and working using 1:1 NAT, however, this is unsupported by cPanel and although it works for the most part, it gets complicated when I start to install SSL certificates [which I will need to do]. I have other [non cPanel] servers behind this same pfsense using a combination of forwarding and 1:1 with no problems.

      Can someone tell me if it is possible to assign a public IP to the cPanel server and have it route correctly, without having to sacrifice the NAT that I use for everything else. I know that NAT can be disabled for this scenario, but that will cause problems for my other services. This cPanel is the only server that I want to be directly exposed to the greater internet.

      If it is possible to do this, can someone give me a rundown of how I actually configure it? It is a production system, so I am trying to ensure I understand what I am doing before making any drastic changes to the pfsense box.

      Matthew

        Guest

        Is the webserver hosted on its own dedicated machine? If so, you may be better off setting up a local firewall on the box, and connecting it outside of pfsense.

        Internet gateway > Switch > Pfsense
                                  > Webserver

        Found an interesting thread:
        http://forums.cpanel.net/f145/support-1-1-nat-installation-thus-vmware-vcloud-deployments-197011.html

        From that thread, they suggest modifying some templates/scripts:
        http://forums.cpanel.net/f5/using-cpanel-nat-urgent-39978.html#post671342
        http://forums.cpanel.net/f5/cpanel-behind-nat-dns-zone-template-233952.html#post998332

          mcit

          Thanks for your reply. I have read those forum posts. I am currently using the alterations required for cPanel behind NAT. However, I am dreading when I need to install additional SSL certificates with this method.

          Unfortunately, in my current setup, the gateway is pfsense. So in order to implement the changes as you suggest, I would need to install another gateway router in the path. I had considered this, but I had hoped there was another way.

          Is it the case that I simply cannot combine a second routed subnet alongside NAT in pfsense? I am starting to think this could be the case.

          Matthew

            Guest

            I wish I could help with 1:1 NAT'ing; I only understand the concept of it and can't provide a lot of solid help there.

            However, PFsense has a "jail"; you can create a virtual machine, so to speak. Maybe it's possible that by running the jail you can achieve a pure gateway setup.

              mcit

              I have managed to make this work. For anyone else out there needing this, the solution is below.

              1. Create a new interface in pfsense with a static IP.
              2. Assign a UNIQUE IP from your assigned subnet to your server behind the pfsense box. It is important to get the subnet mask correct for the subnet assigned, and the default gateway is the IP from step 1.
              3. Create a rule in pfsense allowing all traffic on your new interface [you can refine this later after testing].
              4. Create a WAN rule allowing all traffic with the destination set as the IP you have assigned to the new server [you can refine this later after testing].

              You should now be able to route traffic both in and out of the new server via the pfsense box. With the allow all rules you should also be able to still communicate with the rest of the network attached to pfsense. In my setup, I have a /28 block of IPs, I have successfully used the above method for 1 server, whilst all other servers are using either port forwarding or 1:1 NAT, so you can combine this with port forwarding and 1:1 within the same subnet. Just ensure you do not have any port forwarding on 1:1 setup for the IP assigned to the new server.

              Matthew

                Guest

                The way I understand your setup is that you're not using 1:1 for the webserver, merely that since the webserver and virtual interface share a subnet, they're talking to each other. This makes it appear as though your pfsense is a fancy switch.

                If it's still not in production, could you try blocking port 80 or whatever service your server is listening on, and see if it actually stops the traffic? Otherwise you essentially have a huge hole in your firewall.

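
The check suggested in the last post, which is also the testing the solution post defers before refining its allow-all rules, can be run as a small probe from a machine on the Internet side of pfsense. This is an added example, not part of the thread; the function names are illustrative and the loopback listener in the demo is a constructed stand-in for the routed server.

```python
import socket

def probe(host, port, timeout=2.0):
    """Classify a TCP port as seen from where this script runs.

    open     - handshake completed: a pass rule matched and a service answered
    closed   - RST came back: the packet was passed to a host with no
               listener, or a reject rule answered for it
    filtered - nothing came back in time: a block rule dropped the SYN
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and ICMP unreachable
        return "filtered"
    finally:
        sock.close()

def audit(host, allowed, blocked, timeout=2.0):
    """Return (port, state, verdict) rows for the intended rule set."""
    rows = []
    for port in sorted(allowed):
        state = probe(host, port, timeout)
        rows.append((port, state, "ok" if state == "open" else "service unreachable"))
    for port in sorted(blocked):
        state = probe(host, port, timeout)
        verdict = {"open": "HOLE: rule did not block",
                   "closed": "check: passed or rejected, not dropped",
                   "filtered": "ok"}[state]
        rows.append((port, state, verdict))
    return rows

if __name__ == "__main__":
    # Constructed stand-in for the routed server: a loopback listener.
    # Against the real setup, run this from a host on the Internet side and
    # pass the server's public IP and the ports your WAN rules allow/block.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    for row in audit("127.0.0.1", allowed={port}, blocked={port}, timeout=1.0):
        print(row)
    listener.close()
```

Run it once with the temporary block rule in place and once without: if the blocked port reports `open` both times, the WAN rule is not filtering traffic to the routed IP.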