pfSense NAT multiple identical ports from single WAN connection conundrum


whitey

Moderator
Jun 30, 2014
Hi all, I ain't gonna lie this has been bugging me for a good bit and I need to resolve it soon (hopefully NOT by procuring another circuit).

Here's the 10,000 ft view:

I have a network behind a pfSense VM/GW that has 3 interfaces on it, WAN, LAN, and OPT (DMZ secondary lan subnet). Now I of course have a bunch of services (many of them ssl), what I have done in the past is force servers nginx/apache/tomcat configs to 'listen' on a non-standard port (81/444 for example) to be able to NAT/map multiple similar services out pfSense. Issue I would highly desire to resolve is how in the hell or is it even possible to map multiple say port 443 ssl services through pfSense w/out conflicting w/ other already NAT'ted similar services listening on the same port 443.

Possible/NOT possible??? I thought by adding a new OPT1 dmz subnet/vlan I would be well on my way but it looks to me like no matter how many interfaces you have if it requires natting then they overlap/conflict or are handled by the same NAT/rules methodology w/in pfSense inherently, even if they are on different subnets/private network address space.

Am I missing something, please tell me I am being super silly and do NOT need another ISP provider to do this. I understand if I had a small pool of static IP's assigned to me from Comcast on possibly a business service class acct that the story would be different...maybe it's just time to bite the bullet. :-(

TIA, whitey
 

aero

Active Member
Apr 27, 2016
Another possibility is to map a unique external port to the normal port internally.

1.1.1.1:4431 to 192.168.1.1:443
1.1.1.1:4432 to 192.168.1.2:443
1.1.1.1:4433 to 192.168.1.3:443

Of course that creates a bit of a hassle connecting externally since users would need to know the nonstandard port number. At that point it's probably less desirable than changing the internal listening port.
 

PigLover

Moderator
Jan 26, 2011
Isn't this a pretty standard reverse proxy problem? Assuming there is something in the URL to key on (unique hostname, tag, whatever...) then it's pretty easily solved with Nginx, Apache running as a reverse gateway or HAProxy.

Since you are running PFSense you should probably take a look at HAProxy. It's well integrated into the PFSense webconfigurator.

 

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
First off, I'm assuming you only have the one WAN IP?

It's possible to host several SSL websites/vhosts behind a single IP/port using SNI, but from the sounds of it you're hosting multiple different services that you all want sitting behind a single IPv4 WAN address on the same port...? Might be doable with a reverse proxy setup but I haven't tried it myself...
 

whitey

Moderator
Jun 30, 2014
Another possibility is to map a unique external port to the normal port internally.

1.1.1.1:4431 to 192.168.1.1:443
1.1.1.1:4432 to 192.168.1.2:443
1.1.1.1:4433 to 192.168.1.3:443

Of course that creates a bit of a hassle connecting externally since users would need to know the nonstandard port number. At that point it's probably less desirable than changing the internal listening port.
Yeah that sounds UGLY/uglier than the internal change off std port to say 81/444 but thanks for the thoughts/time.
 

whitey

Moderator
Jun 30, 2014
Isn't this a pretty standard reverse proxy problem? Assuming there is something in the URL to key on (unique hostname, tag, whatever...) then it's pretty easily solved with Nginx, Apache running as a reverse gateway or HAProxy.

Since you are running PFSense you should probably take a look at HAProxy. It's well integrated into the PFSense webconfigurator.

Thx bud, will take a look in my free time today. Been ages since I was using Apache for a reverse proxy. On Nginx now so I'll have to investigate these avenues.
 

whitey

Moderator
Jun 30, 2014
First off, I'm assuming you only have the one WAN IP?

It's possible to host several SSL websites/vhosts behind a single IP/port using SNI, but from the sounds of it you're hosting multiple different services that you all want sitting behind a single IPv4 WAN address on the same port...? Might be doable with a reverse proxy setup but I haven't tried it myself...
Yep one/single WAN IP off Comcast's BLAST pkg (105Mbps down/10Mbps up). I have flirted with the idea of going to a business acct to get say 4-5 static IP's to solve this issue, may be the easiest/lazy solution LOL.
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
Haven't dealt with this issue since last I was in-need SSL was valid IP justification with ARIN :) for more static IPs.

Another idea... I think you can manage internal and external DNS too so that when secure.whitey.com is requested from 'internet' it goes to WAN IP but your internal network knows to route secure.whitey.com to the specific local host on port X. so you can have numerous services on different hosts using the same WAN IP that once they hit your internal network are routed properly. Not 100% sure of the name or how to do this but I recall reading on it a couple months ago --- hope it helps ;) I'm no network genius that's for sure.!
 

PigLover

Moderator
Jan 26, 2011
Thx bud, will take a look in my free time today. Been ages since I was using Apache for a reverse proxy. On Nginx now so I'll have to investigate these avenues.
Nginx is even better/easier as reverse proxy than Apache.

I run about 10 Web services behind a single dynamic ip this way. Nginx has some complications running on the PFsense node itself because PFsense webconfigurator is on Nginx now and it wants to keep rewriting the .conf file, so I set up a VM just to host the Nginx proxy and port forwarded :80 and :443 from my public dynamic ip to this VM. Works great.

 

PigLover

Moderator
Jan 26, 2011
I should clarify - this works well for IPv4. If you need it to work with Dynamic IPv6 it's still a PITA because there is no 'port forwarding' as you know it in IPv4 and PFsense has a missing feature in specifying firewall rules, so if the IPv6 prefix changes you have to go in and make a small change by hand.

 

whitey

Moderator
Jun 30, 2014
Nginx is even better/easier as reverse proxy than Apache.

I run about 10 Web services behind a single dynamic ip this way. Nginx has some complications running on the PFsense node itself because PFsense webconfigurator is on Nginx now and it wants to keep rewriting the .conf file, so I set up a VM just to host the Nginx proxy and port forwarded :80 and :443 from my public dynamic ip to this VM. Works great.

Thanks would be good to see what this config looks like if you have it handy and it's not too much of a PITA. Assuming you have multiple vhost configs that nginx handles for each web svc? If that's the case I would need to consolidate some of my 'broke-out' dedicated VM web svcs to that one nginx host.

Hmmm, decisions decisions...
 

whitey

Moderator
Jun 30, 2014
Haven't dealt with this issue since last I was in-need SSL was valid IP justification with ARIN :) for more static IPs.

Another idea... I think you can manage internal and external DNS too so that when secure.whitey.com is requested from 'internet' it goes to WAN IP but your internal network knows to route secure.whitey.com to the specific local host on port X. so you can have numerous services on different hosts using the same WAN IP that once they hit your internal network are routed properly. Not 100% sure of the name or how to do this but I recall reading on it a couple months ago --- hope it helps ;) I'm no network genius that's for sure.!
Thanks for the idea @T_Minus, I do do this currently for some internal LAN to WAN DNS trickery w/ a DNS forward zone. May be some legs to this.
 

whitey

Moderator
Jun 30, 2014
Well the comcast business line is a JOKE...15/3 entry level business pkg starting at $109 per month, 150/20 plan for $250 a month...small handful of 3-5 IP's...no thanks

Soo depressing, I may just zfs send/recv this VM from my home lab to my buddies co-lo where I have a static IP and pfSense device (mini slice of everything AKA mini-datacenter w/in his stack)...irritating that something as seemingly simple as this I am fumbling arnd on.

Hangs head in shame and goes and sits in corner w/ dunce cap on :-(
 

PigLover

Moderator
Jan 26, 2011
I'm traveling this week but I'll post something this weekend. The actual config files are pretty small and simple (thank you Nginx).

 

Patrick

Administrator
Staff member
Dec 21, 2010
@whitey at some point you end up just moving stuff to a data center.

I was at a startup in Palo Alto earlier this week. They had over 1kW of gear in a small rack in the hallway between the programmers' shared offices.
 

markarr

Active Member
Oct 31, 2013
I have done it two ways, the first one was using squid proxy on pfsense, the second was using the web application firewall on sophos. They were about the same to setup, just have to deal with certs at the fw as well as the app servers. You use host names to direct traffic, i.e. web.xxx.xxx goes to server a and mail.xxx.xxx goes to server b. It works well as I have one IP address and have mail, view, crm, backup all using it and then going to the correct server based on what was typed into the browser, all of them use port 443.
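A configuration sketch of the setup PigLover and markarr describe (one nginx VM receives the pfSense forwards for :80 and :443 and dispatches on the requested hostname, so every backend keeps listening on 443 internally), added here as an example. It is not PigLover's actual config; the hostnames, internal addresses and certificate paths are placeholders.

```nginx
# Added example, not the thread's own config. Placeholders: example.com
# hostnames, 192.168.x.x backends, /etc/nginx/certs/* paths.

# Port 80: only redirect to HTTPS, never proxy cleartext to a backend.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Catch-all on 443 for names you do not publish (IP scans, wrong SNI):
# close the connection instead of serving the first vhost's cert and site.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/fallback.crt;  # placeholder self-signed
    ssl_certificate_key /etc/nginx/certs/fallback.key;
    return 444;
}

# One server block per public name; the proxy holds that name's cert and
# the backend stays on its normal 443 on the LAN or OPT/DMZ subnet.
server {
    listen 443 ssl;
    server_name secure.example.com;
    ssl_certificate     /etc/nginx/certs/secure.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/secure.example.com.key;
    location / {
        proxy_pass https://192.168.1.10:443;
        proxy_ssl_server_name on;                # send SNI to the backend vhost
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name mail.example.com;
    ssl_certificate     /etc/nginx/certs/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/mail.example.com.key;
    location / {
        proxy_pass https://192.168.2.20:443;     # host on the OPT/DMZ subnet
        proxy_ssl_server_name on;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The pfSense firewall rules for the backends can then allow 443 only from the proxy VM's address, since nothing else on the WAN reaches them directly.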