Comprehension question: NAT plus Squid3



  • Good Day to all of you,

    I would like to use Squid3 to redirect 3 URLs to internal resources. All of them are port 443 URLs.

    What do I need to do to get that to work with NAT rules? May I have multiple of these NAT rules?

    To describe what I would like to do:

    1. https://webaccess.tld.com
      Internal: 172.16.xx.2
      Port: 443

    2. https://whatever.tld.com
      Internal: 172.16.xx.10
      Port: 443

    So… is there something I have to think about, or is it just dead simple? May I add multiple NAT rules for the same port?

    Thank you in advance, and please excuse me if I may have asked stupid things here.

    Cheers,
    Alexander



  • Hi there,

    Okay - I think that I did not actually point out where my issue is coming from.

    Currently I am just pointing to one externally published webserver.

    -> https://subdomain1.domain.com
    -> NAT - External:443 to Internal 172.16.xx.2:443
    -> Corresponding Firewall Rule for Port 443

    Now I would like to extend this to a few more machines. Some of those have to listen on port 443 too. Adding multiple NAT rules for port 443 does not work - so my initial question is related to the NAT settings, to get the scenario mentioned below to work:

    -> https://subdomain1.domain.com
    -> NAT - External:443 to Internal 172.16.xx.2:443

    plus

    -> https://subdomain2.domain.com
    -> NAT - External:443 to Internal 172.16.xx.22:443

    plus

    -> https://subdomain3.domain.com
    -> NAT - External:443 to Internal 172.16.xx.33:443

    Squid 3 Setup has been made according to the "howto" provided here.

    Thank you in advance for your hints. Any help is very much appreciated.

    Kind regards,
    Alexander



  • hi paulfred,

    Basically I'm just interested in pfSense and testing out a few things myself. Unfortunately it seems that answers here are more on the rare side…

    What I can tell you is that you can only forward port 443 on the WAN side once, because: how should pfSense know which server to use? Besides, I would recommend that you put them into a DMZ zone; I guess you do that anyway.

    So three choices: either you have more than one (static) WAN IP from your internet provider,
    or you forward another port (e.g. 10443) to your second (or third) server's internal port 443,
    or there is only one internal server which can choose via subdomain which site to use.

    If anyone has another idea, it's welcome.


  • Rebel Alliance Global Moderator

    You cannot forward the same port on the same IP to different machines based upon URL - pfSense just sees IP and port. So, as mentioned, you have more than 1 public IP, or you use different ports, or you use a reverse proxy to your IP that understands what to do based upon URL.
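The third option named in the two replies above (one listener on 443 that picks the internal server by hostname) is what a Squid 3 reverse proxy does. The following squid.conf fragment is an added example, not from the thread or the pfSense how-to; it uses the hostnames and the "172.16.xx" addresses exactly as the thread gives them, and the certificate and key paths are placeholders. It assumes the existing port forward for 443 has been removed, so that packets for 443 reach Squid on the firewall itself rather than being NATed past it.

```conf
# Added example (not from the thread): Squid 3 reverse proxy publishing several
# HTTPS sites from one public IP and choosing the backend by the Host header.
# 172.16.xx.* are the thread's own placeholder addresses; cert/key paths and the
# internal CA file are placeholders too.

# Terminate TLS once on the firewall. One certificate has to cover every
# published name (SAN or wildcard), because this listener serves a single cert.
https_port 443 accel vhost defaultsite=webaccess.tld.com cert=/path/to/tld.com-fullchain.pem key=/path/to/tld.com.key

# One origin server per site. 'originserver' marks a reverse-proxy backend,
# 'ssl' re-encrypts towards the internal host on its port 443, and 'sslcafile='
# makes Squid verify the internal server certificate against the internal CA
# (sslflags=DONT_VERIFY_PEER would skip that check; avoid it outside a lab).
cache_peer 172.16.xx.2  parent 443 0 no-query originserver ssl sslcafile=/path/to/internal-ca.pem name=webaccess
cache_peer 172.16.xx.10 parent 443 0 no-query originserver ssl sslcafile=/path/to/internal-ca.pem name=whatever

# Which public hostname belongs to which backend. A third site is one more
# cache_peer line plus one more acl/cache_peer_access/http_access group.
acl site_webaccess dstdomain webaccess.tld.com
acl site_whatever  dstdomain whatever.tld.com

# Bind each hostname to exactly one peer and refuse everything else, so a
# request carrying an unknown Host header is never forwarded to any backend.
cache_peer_access webaccess allow site_webaccess
cache_peer_access webaccess deny all
cache_peer_access whatever  allow site_whatever
cache_peer_access whatever  deny all
never_direct allow all

http_access allow site_webaccess
http_access allow site_whatever
http_access deny all
```

The firewall still needs a single rule permitting TCP 443 to the WAN address (where Squid listens), not a NAT port forward; with the forward left in place the traffic bypasses the proxy.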



  • Hi John,

    please accept my apologies in advance.

    @johnpoz:

    So as mentioned you have more than 1 public IP, or you use different ports or you use a reverse proxy to your IP that understands what to do based upon url.

    To me it seems as if my post subject has either not been read or not been understood. The subject of my post was already “NAT plus Squid3”, so I am fully aware that pfSense can’t serve me any miracles. I already tried to set up Squid 3-dev to do the magic here – but I am either too numb or simply don’t get the complete picture of where I am missing minor details to get this up and running.

    I need guidance on how to set up the reverse proxy to get this flying. Or just an answer that I should go home, or get commercial support – or whatever. But this is frustrating… as pfSense is the only product in many years to serve my requirements. I’ve tried a lot of others – just 30 mins ago again a Zywall USG50, without success.

    All I can do is describe what I need and what I have done to achieve that. I’ve been reading posts here in this forum, I’ve been trying to do the same setup to get my desired setup running… and I am simply failing.

    @paulfred:

    Squid 3 Setup has been made according to the "howto" provided here.

    Kind regards,
    Alexander



  • @paulfred:


    Please reference the how-to. Screenshots of your setup of Squid3, and maybe a log from Squid showing us what is actually happening.


  • Rebel Alliance Global Moderator

    "Squid 3 Setup has been made according to the "howto" provided here."

    What howto are you using? And what are your Squid settings? Can we see them? Your mention of NAT rules threw me and I overlooked the Squid reverse proxy setup that you mention - my bad ;)



  • Can we keep progressing on a resolution to this topic?

    "What are your squid settings?"

    If the system (pfSense/Squid/etc) is not performing the task(s) desired, why bother looking at settings? I do not need to know what I did wrong (although there is value in understanding that), I need to know what to do right.


  • Rebel Alliance Global Moderator

    And who are you? The OP was named paulfred. As to looking at the settings - well, if it's not performing the task the OP wanted, it's prob because he set it up wrong, or it doesn't even do what he thinks it can do. Some clear understanding of what he did, or thinks he did, would be helpful in trying to figure out if it would work or not even.

    He mentions he followed a guide, but never even links to which guide.