Is pfSense right for my needs (n00b)?



  • Hi there, I'm a bit of a routing / dns n00b, so I was hoping I could get some feedback on whether or not pfSense is the right product for my needs…

    Namely, I have a domain name via dyndns, let's call it mydomain.com, and I would like all traffic addressed to specific subdomains to be forwarded to different servers within my NAT... i.e. in-bound traffic to webhost1.mydomain.com would route to 192.168.0.2 and traffic to webhost2.mydomain.com would route to 192.168.0.3, etc.

    I am currently doing something similar to this using pound which works pretty well. However it only works for http/https traffic. So if I want to fire up a 2nd git server, then I can't make it externally accessible (without putting it on a non-standard port) because I can only choose one machine to forward port 22 traffic to.

    I believe a setup like this would require both a DNS server and routing abilities, but I may be mis-using the term "routing."

    The last, somewhat annoying requirement is that this NOT be the default gateway or use DHCP. I.e. incoming traffic would pass through pfSense, but outbound traffic would not; it should still only be going through my router (my gf would kill me if the internet gets "broken" because I'm rebooting or re-configuring my servers).

    My initial thoughts are that pfSense would help me accomplish this. My plan is to remove all the custom port forwarding from my router settings, and instead drop the IP of the pfSense box into my router's DMZ. I would then place the IP address of pfSense as the primary DNS server on my router (with Google's as fallbacks in case the box is down). I would then set up DNS-forwarding overrides for the specific subdomain URLs I care about.

    After that, I believe I should be able to unblock ports on a server-by-server basis (as opposed to the standard port-forwarding options on my router).

    Does this all sound feasible / reasonable? Would a setup like this work with a single NIC, where all the other servers are plugged directly into the router, or would a 2nd NIC be required?


  • LAYER 8 Global Moderator

    Do you own more than 1 public IP?  If not then no - pfSense does not out of the box have a reverse proxy, you would have to set that up.  This is the only way to have it forward anything like webhost1.mydomain.tld to 192.168.0.x while webhost2.mydomain.tld goes to 192.168.0.3

    So unless webhost1 went to a different public IP than webhost2, and both were on the pfSense WAN interface, then pfSense does not solve the problem for you.

    I think you're failing on some basic concepts if you think pfSense can do magic ;)



  • hmm, I didn't think I was asking for magic, but rather name-based routing…

    It was my understanding that with dns overrides, pfsense could accept packets from the outside and re-direct them to the appropriate servers within the NAT. Am I mistaken about that?
    It is also my understanding that I can unblock ports on a server-by-server basis.

    Keep in mind that I don't need to do any port magic here, so I don't think I need a reverse proxy (which, I believe, is exactly what pound is). I basically just want a TCP request addressed to githost1.mydomain.com to be routed to the appropriate server within my network (no matter what the port) while the request to githost2.mydomain.com would go to a different server.

    EDIT: Upon some further research, it appears that I might actually be asking for magic after all :(
    Based on what I've read now, it seems that, outside of the http protocol, there is just no way to know what domain a packet was addressed to, which is why all reverse-proxies are protocol-specific.

    I have seen some indication that this might be doable with a load balancer or possibly something like fproxy (http://www.ogris.de/fproxy/) but I haven't been able to find any actual examples of this working for non-HTTP traffic, so for now I will assume it's not possible  :'(



  • It appears to be possible for https - searched the forum and found:

    http://forum.pfsense.org/index.php/topic,53701.msg287417.html#msg287417


  • LAYER 8 Global Moderator

    "pfsense could accept packets from the outside and re-direct them to the appropriate servers within the NAT. Am I mistaken about that?"

    No that is a simple port forward – but what it can not do out of the box since there is no native built in reverse proxy is do that based upon a NAME that does not resolve to a specific different IP.

    As I thought I clearly stated, if webhost1.domain.tld resolves to IP1 and webhost2.domain.tld resolves to IP2 then you're fine.

    But what it can not do out of the box is direct webhost1 and webhost2, which both resolve to IP1, to different IPs inside.

    That is only possible with a reverse proxy, which it does not have out of the box - now you can install one. But this is not a native function of pfSense nor any "router".


  • Netgate Administrator

    ^Exactly. You need to install a reverse proxy that can read host headers. I believe several in the package list can do that though I've never tried myself.

    Steve
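The distinction the two moderators are drawing (a port forward sees only an IP and a port; a name-based dispatcher has to read the name out of the protocol, so it is protocol-specific) can be seen by looking at the first bytes a client sends. The following is an added example written for this edit, not pfSense code and not code from anyone in the thread. It parses the Host header of a plaintext HTTP request and the server_name (SNI) extension of a TLS ClientHello, which is what the https-capable proxies referenced above rely on, and shows that an SSH connection opens with a version banner that carries no host name at all, which is why the git-over-port-22 case cannot be dispatched by name. The name-to-IP table reuses the OP's webhost1/webhost2 and 192.168.0.2/.3; the HTTP request, SSH banner and TLS ClientHello are constructed inline, not captured from a real network.

```python
import struct

# Mapping the OP wants: public name -> internal server (taken from the first post).
ROUTES = {
    "webhost1.mydomain.com": "192.168.0.2",
    "webhost2.mydomain.com": "192.168.0.3",
}

# Constructed sample client openings (not real captures).
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: webhost1.mydomain.com\r\nUser-Agent: x\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"   # SSH client speaks first, with no host name


def http_host(data: bytes):
    """Return the host named in an HTTP/1.x request's Host header (port stripped), or None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None                          # header block not complete yet
    for line in head.split(b"\r\n")[1:]:     # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            value = value.strip().decode("ascii", "replace")
            host, _, port = value.rpartition(":")
            return host if (host and port.isdigit()) else value
    return None


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI entry (test input only)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)                   # ext type 0 = server_name
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (b"\x03\x03" + b"\x00" * 32       # client_version, random
            + b"\x00"                         # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                     # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body          # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(data: bytes):
    """Return the server_name from a TLS ClientHello's SNI extension, or None.

    Every read is bounds-checked (via slicing, struct.error or IndexError) so a truncated or
    malformed record from the WAN yields None instead of crashing the dispatcher."""
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:
            return None                      # record shorter than its own length field
        i = 34                               # skip client_version(2) + random(32)
        i += 1 + p[i]                        # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]   # cipher_suites
        i += 1 + p[i]                        # compression_methods
        ext_total = struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        end = i + ext_total
        if end > len(p):
            return None
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            i += 4
            edata = p[i:i + elen]
            i += elen
            if etype == 0 and len(edata) >= 5:
                list_len = struct.unpack("!H", edata[:2])[0]
                j = 2
                while j + 3 <= min(2 + list_len, len(edata)):
                    ntype = edata[j]
                    nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
                    j += 3
                    if ntype == 0:
                        return edata[j:j + nlen].decode("ascii")
                    j += nlen
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def destination_name(first_bytes: bytes):
    """Classify a connection by its first client bytes and extract the requested name if any."""
    if first_bytes.startswith(b"SSH-"):
        return ("ssh", None)                 # banner identifies the protocol, never the target host
    if first_bytes[:1] == b"\x16":
        return ("tls", tls_sni(first_bytes))
    host = http_host(first_bytes)
    return ("http", host) if host else ("unknown", None)


def pick_backend(first_bytes: bytes):
    """Internal server for this connection, or None when no name could be read (plain port forward territory)."""
    _, name = destination_name(first_bytes)
    return ROUTES.get(name) if name else None


if __name__ == "__main__":
    for sample in (HTTP_REQUEST, build_client_hello("webhost2.mydomain.com"), SSH_BANNER):
        print(destination_name(sample), "->", pick_backend(sample))
```

The SSH branch is the whole point of the thread: the client's first bytes are a protocol banner, and nothing before the server replies says which host the client wanted, so a name-based proxy cannot exist for it and the only options are separate public IPs or separate ports per server, as the later posts describe.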



  • You're talking about HTTP/S rewrite/redirection… DNS is only a small piece of that equation.

    Listen to the others.... They are pointing you in the correct direction. Now it's your turn to dig and learn. :)



  • @ghackett:

    Namely, I have a domain name via dyndns, let's call it mydomain.com, and I would like all traffic addressed to specific subdomains to be forwarded to different servers within my NAT… i.e. in-bound traffic to webhost1.mydomain.com would route to 192.168.0.2 and traffic to webhost2.mydomain.com would route to 192.168.0.3, etc.

    As I recall, the paid version of dyndns allows you to do redirection as well.

    What you can then do is to add a redirect Webhop for the individual sub-domains with individual ports.

    eg.
    webhost1.mydomain.com will redirect to <your wan ip>:22
    webhost2.mydomain.com will redirect to <your wan ip>:23

    And you'll use pfSense to port forward <your wan ip>:22 to the internal server that hosts webhost1.mydomain.com
    And port forward <your wan ip>:23 to the internal server that hosts webhost2.mydomain.com

