Multiple services forwarded to DMZ servers
-
Still struggling with the migration from ipcop to pfsense. I am rethinking the right approach rather than just replicating ipcop's functionality.
I have a registered domain with no-ip.com (i.e. mydomain.net)
My no-ip account has the following hosts associated:
mydomain.net 98.114.XXX.YYY
ftp.mydomain.net 98.114.XXX.YYY
messenger.mydomain.net 98.114.XXX.YYY
www.mydomain.net 98.114.XXX.YYY
I am looking to implement the following:
reroute traffic to the right DMZ server on the basis of the port number(s):
80, 443 -> 192.168.3.3 (hostname: web.mydomain.net)
8025,143,993 -> 192.168.3.5 (hostname: mail.mydomain.net)
5060, 10000:20000 -> 192.168.3.6 (hostname: phone.mydomain.net)
5022 -> 192.168.3.3 (hostname: web.mydomain.net)
Question.
For clients (SIP phone, Jabber messenger, Thunderbird mail, etc.) to be able to connect to these services from both inside and outside the LAN, should I augment the list of hosts on no-ip for each service and then implement a corresponding Split DNS for the same hosts on pfSense? Or is there another approach?
Thanks
Renato -
reroute traffic to the right DMZ server on the basis of the port number(s):
80, 443 -> 192.168.3.3 (hostname: web.mydomain.net)
8025,143,993 -> 192.168.3.5 (hostname: mail.mydomain.net)
5060, 10000:20000 -> 192.168.3.6 (hostname: phone.mydomain.net)
5022 -> 192.168.3.3 (hostname: web.mydomain.net)
Piece of cake. But you didn't list any destination port translations. As outlined below, that can cause problems.
For clients (SIP phone, Jabber messenger, Thunderbird mail, etc.) to be able to connect to these services from both inside and outside the LAN, should I augment the list of hosts on no-ip for each service and then implement a corresponding Split DNS for the same hosts on pfSense? Or is there another approach?
If they are all configured to connect to an FQDN, I'd just put DNS host overrides to the inside local IP addresses and use split dns. Doesn't look like you need to do anything on the hostnames. Where you run into trouble is when you translate ports, too. Say, if you translated connections to web.mydomain.net:8080 to 192.168.3.3:80. They would need to add the socket when connecting from the outside and not add it on the inside.
If you want the URLs/Bookmarks to be the same inside and out, you can't do that. Or you at least have to translate the ports between LAN and DMZ too.
-
If you want the URLs/Bookmarks to be the same inside and out
An option is to open a second port or create a forward/redirect on the local server to have the same external port number.
This would allow the same bookmark to work for both the external and internal addresses.
-
Derelict
Thanks for the quick reply. Let me make sure I understand.
Let's say I create a new hostname on no-ip, say sip.mydomain.net.
I then create a split DNS entry in pfSense (i.e. DNS Resolver) for sip.mydomain.net pointing to 192.168.3.6.
Next I create:
- a new Firewall Alias IP for sip.mydomain.net (pointing to 192.168.3.6), say Elastix_Server.
- a new Firewall Alias Ports for ports 5060, 10000-20000, say Elastix_Ports
- Lastly, I create a NAT Port Forward rule:
i) Interface: WAN
ii) Protocol: UDP
iii) Source Address: *
iv) Source Port: *
v) Destination Address: WAN address
vi) Destination Ports: Elastix_Ports
vii) NAT IP: Elastix_Server
viii) NAT Ports: Elastix_Ports
Questions:
- Will this work?
- Will I be able to configure the SIP client to point to "Domain" sip.mydomain.net and make sure that the softphone will be able to connect both inside and outside the LAN? Note: The SIP Phones and Softphones will be connecting to 192.168.1.X.
Thanks for the clarification
Renato -
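The rule set laid out in the post above, together with the port-translation caveat from Derelict's earlier reply, modelled in Python as an added example. This is not pfSense code and not from anyone in the thread. Assumptions: 98.114.0.1 is a constructed stand-in for the thread's 98.114.XXX.YYY, the PortForward fields are a simplified picture of a pfSense port-forward entry (protocol, destination range, NAT IP, NAT port) rather than its real rule format, and NAT reflection is left off as on a default pfSense install. The mismatches() check is the one Derelict's "as long as your destination ports and NAT ports are the same" advice amounts to, applied to every forward that points at a host with a split-DNS override.

```python
"""Split DNS plus WAN port forwards: does FQDN:port land on the same DMZ socket
from the LAN and from the Internet?  Added example modelled on the thread, not
pfSense code.  Assumptions: 98.114.0.1 stands in for the thread's 98.114.XXX.YYY,
the rule fields are a simplified pfSense port-forward (proto, dst range, NAT IP,
NAT port), and NAT reflection is off, as it is on a default pfSense install."""
from dataclasses import dataclass

WAN_IP = "98.114.0.1"  # constructed stand-in for 98.114.XXX.YYY

# Public zone at no-ip: every name points at the WAN address.
PUBLIC_DNS = {n: WAN_IP for n in (
    "mydomain.net", "www.mydomain.net", "ftp.mydomain.net",
    "messenger.mydomain.net", "sip.mydomain.net")}

# pfSense DNS Resolver host overrides, seen only by LAN/DMZ clients.
HOST_OVERRIDES = {"www.mydomain.net": "192.168.3.3", "sip.mydomain.net": "192.168.3.6"}


@dataclass(frozen=True)
class PortForward:
    """WAN forward: proto dst_lo..dst_hi -> nat_ip, target ports start at nat_lo."""
    proto: str
    dst_lo: int
    dst_hi: int
    nat_ip: str
    nat_lo: int

    def translate(self, proto, port):
        if proto != self.proto or not self.dst_lo <= port <= self.dst_hi:
            return None
        return (self.nat_ip, self.nat_lo + (port - self.dst_lo))


# The rules from the thread: NAT ports equal destination ports everywhere.
RULES = [
    PortForward("tcp", 80, 80, "192.168.3.3", 80),
    PortForward("tcp", 443, 443, "192.168.3.3", 443),
    PortForward("tcp", 5022, 5022, "192.168.3.3", 5022),
    PortForward("udp", 5060, 5060, "192.168.3.6", 5060),        # Elastix_Ports ->
    PortForward("udp", 10000, 20000, "192.168.3.6", 10000),     # Elastix_Server
]


def resolve(fqdn, inside):
    """Inside clients get the override if one exists; everyone else gets no-ip's answer."""
    if inside and fqdn in HOST_OVERRIDES:
        return HOST_OVERRIDES[fqdn]
    return PUBLIC_DNS.get(fqdn)


def endpoint(fqdn, proto, port, inside, rules=RULES):
    """(ip, port) the connection lands on, or None if nothing accepts it."""
    ip = resolve(fqdn, inside)
    if ip is None:
        return None
    if ip != WAN_IP:
        return (ip, port)          # LAN -> DMZ directly; no NAT on that path
    if inside:
        return None                # LAN client hit the WAN address: no reflection
    for rule in rules:
        hit = rule.translate(proto, port)
        if hit:
            return hit
    return None                    # no forward: WAN default-deny drops it


def mismatches(rules=RULES):
    """Ports where the same FQDN:port reaches a different socket inside vs outside."""
    found = []
    for fqdn, dmz_ip in HOST_OVERRIDES.items():
        for rule in rules:
            if rule.nat_ip != dmz_ip:
                continue
            for port in sorted({rule.dst_lo, rule.dst_hi}):   # check both ends of a range
                inside = endpoint(fqdn, rule.proto, port, True, rules)
                outside = endpoint(fqdn, rule.proto, port, False, rules)
                if inside != outside:
                    found.append((fqdn, rule.proto, port, inside, outside))
    return found


if __name__ == "__main__":
    print("thread rules:", mismatches() or "consistent inside and out")
    # Derelict's counter-example: web.mydomain.net:8080 translated to :80
    translated = RULES + [PortForward("tcp", 8080, 8080, "192.168.3.3", 80)]
    for m in mismatches(translated):
        print("mismatch:", m)
```

With the thread's rules the report is empty, because a LAN client goes straight to 192.168.3.6:5060 and an outside client is forwarded to exactly the same socket. Adding the 8080-to-80 translation makes the report list www.mydomain.net:8080 landing on :8080 inside but :80 outside, which is the bookmark problem Derelict describes.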
As long as your destination ports and NAT ports are the same, you shouldn't have any trouble.
Note: The SIP Phones and Softphones will be connecting to 192.168.1.X.
Are you saying that when they are local, they will be on the 192.168.1.X subnet?
That's fine. As long as when they look up sip.mydomain.net they get 192.168.3.6 and there are firewall rules passing their traffic to that address you should be set.
-
OK, not sure if what I am seeing is a feature or a problem.
I have registered a host sip.mydomain.net 98.114.XXX.YYY on no-ip. I can ping it without any problems from my ipcop setup.
I switched over to pfsense. I then went to DNS Resolver and checked the following:
- Enabled DNS Resolver
- Enabled DNSSEC Support
- Enabled Forwarding Mode
- Enabled Register DHCP lease in the DNS Resolver
- Enabled Register DHCP static mapping in the DNS Resolver
I then created a new entry under Host Overrides:
Host: sip
Domain: mydomain.net
IP: 192.168.3.6
I then went to Diagnostics -> DNS Lookup and entered sip.mydomain.net in the field. The DNS lookup returned 98.114.XXX.YYY!
I repeated the command some 6-7 times. Only once did it return 192.168.3.6; the other times it returned the outside IP.
What is causing this?
Thanks again for the help
Renato
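A small diagnostic for the flapping answer described above, added here as an example and not part of the thread or of pfSense. It sends a raw A query to each DNS server you name and repeats it a few times, so you can see whether the firewall's own resolver hands out the 192.168.3.6 override every time while the upstream forwarder (correctly) returns the public address. Assumptions: 192.168.1.1 is the pfSense LAN address (a guess from the 192.168.1.X clients in the thread) and 203.0.113.53 is a placeholder for whatever forwarder is configured under System > General Setup; replace both on the command line.

```python
"""Ask specific DNS servers for a name's A records and show whether the split-DNS
override is being handed out consistently.  Added diagnostic, not pfSense code.
Assumes: the pfSense DNS Resolver listens on 192.168.1.1 (its LAN address, a guess
from the thread's 192.168.1.X clients) and 203.0.113.53 is a placeholder for
the upstream forwarder configured on the firewall."""
import random
import socket
import struct
import sys


def build_query(name, qid):
    """Minimal DNS query: header with RD set, one question, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def skip_name(msg, off):
    """Advance past a (possibly compressed) owner name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, qid):
    """Return (rcode, [IPv4 strings]) from a raw response; reject a mismatched ID."""
    rid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    if rid != qid:
        raise ValueError("response ID does not match query ID")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs


def query_a(name, server, timeout=2.0):
    """Send one UDP query to `server` on port 53 and parse the reply."""
    qid = random.randrange(1 << 16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_a_records(data, qid)


def check_split_dns(name, servers, repeats=7, lookup=query_a):
    """Query each server `repeats` times; map server -> sorted distinct (rcode, addrs).
    More than one entry for the firewall's own address reproduces the flapping
    answer described in the thread."""
    seen = {}
    for server in servers:
        distinct = set()
        for _ in range(repeats):
            rcode, addrs = lookup(name, server)
            distinct.add((rcode, tuple(sorted(addrs))))
        seen[server] = sorted(distinct)
    return seen


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "sip.mydomain.net"
    servers = sys.argv[2:] or ["192.168.1.1", "203.0.113.53"]   # assumed addresses
    for server, answers in check_split_dns(name, servers).items():
        print(server, "->", answers)
```

Run it from a LAN client as `python3 splitdns_check.py sip.mydomain.net 192.168.1.1 203.0.113.53`. If the firewall's address shows two distinct answers across seven tries, the override is not being applied on every query and the resolver configuration is where to look; if the firewall answers 192.168.3.6 every time but the DNS Lookup page still shows the public address, that page is reporting a result from one of the other servers it queries rather than from the Resolver.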