pfSense NAT multiple identical ports from single WAN connection conundrum

Discussion in 'Networking' started by whitey, Sep 28, 2016.

  1. whitey (Moderator)

    Hi all, I ain't gonna lie, this has been bugging me for a good bit and I need to resolve it soon (hopefully NOT by procuring another circuit).

    Here's the 10,000 ft view:

    I have a network behind a pfSense VM/GW that has 3 interfaces on it: WAN, LAN, and OPT (DMZ secondary LAN subnet). Now I of course have a bunch of services (many of them SSL); what I have done in the past is force my servers' nginx/apache/tomcat configs to 'listen' on a non-standard port (81/444 for example) to be able to NAT/map multiple similar services out through pfSense. The issue I would highly desire to resolve is how in the hell, or if it is even possible, to map multiple (say port 443) SSL services through pfSense w/out conflicting w/ other already NAT'ted similar services listening on the same port 443.

    Possible/NOT possible??? I thought by adding a new OPT1 DMZ subnet/VLAN I would be well on my way, but it looks to me like no matter how many interfaces you have, if it requires NATting then they overlap/conflict or are handled by the same NAT/rules methodology w/in pfSense inherently, even if they are on different subnets/private network address space.

    Am I missing something? Please tell me I am being super silly and do NOT need another ISP provider to do this. I understand if I had a small pool of static IPs assigned to me from Comcast on possibly a business service class acct that the story would be different...maybe it's just time to bite the bullet. :-(

    TIA, whitey
     
    #1
  2. aero (Active Member)

    Another possibility is to map a unique external port to the normal port internally.

    1.1.1.1 :4431 to 192.168.1.1 :443
    1.1.1.1 :4432 to 192.168.1.2 :443
    1.1.1.1 :4433 to 192.168.1.3 :443

    Of course that creates a bit of a hassle connecting externally since users would need to know the nonstandard port number. At that point it's probably less desirable than changing the internal listening port.
     
    #2
  3. PigLover (Moderator)

    Isn't this a pretty standard reverse proxy problem? Assuming there is something in the URL to key on (unique hostname, tag, whatever...) then it is pretty easily solved with Nginx or Apache running as a reverse gateway, or HAProxy.

    Since you are running PFSense you should probably take a look at HAProxy. It's well integrated into the PFSense webconfigurator.
     
    #3
  4. EffrafaxOfWug (Radioactive Member)

    First off, I'm assuming you only have the one WAN IP?

    It's possible to host several SSL websites/vhosts behind a single IP/port using SNI, but from the sounds of it you're hosting multiple different services that you all want sitting behind a single IPv4 WAN address on the same port...? Might be doable with a reverse proxy setup but I haven't tried it myself...
     
    #4
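    The SNI-based routing EffrafaxOfWug mentions, as an added example that is not part of the original thread: nginx's stream module with `ssl_preread` can sit on the single forwarded :443, read the server name out of the TLS ClientHello, and hand the raw TCP connection to the matching backend without terminating TLS. That covers the "multiple different services, not just web vhosts" case, because each backend keeps its own certificate and the proxy never needs one. The hostnames, backend addresses and the local 8443 port are assumptions; the build must include `--with-stream` and `--with-stream_ssl_preread_module`.

```nginx
# Added example, not any poster's config. SNI passthrough with the nginx
# stream module; names and addresses below are placeholders.
stream {
    # Pick a backend from the server_name carried in the TLS ClientHello.
    # The connection is relayed as raw TCP: each backend terminates TLS
    # itself with its own certificate, nothing is decrypted here.
    map $ssl_preread_server_name $tls_backend {
        vpn.example.com   192.168.2.10:443;   # SSL VPN on the OPT1/DMZ subnet
        git.example.com   192.168.1.30:443;   # Git server with its own cert
        web.example.com   127.0.0.1:8443;     # plain HTTPS: hand to a local http{} vhost
        default           127.0.0.1:1;        # missing or unknown SNI: closed port, refused
    }

    server {
        listen 443;                 # the port pfSense forwards from the WAN IP
        ssl_preread on;             # read SNI without performing the handshake
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
        proxy_timeout 10m;          # idle timeout for long-lived VPN/git sessions
    }
}
```

    Checks worth running: `nginx -t`, then `openssl s_client -connect <WAN IP>:443 -servername vpn.example.com` should show the VPN backend's certificate while the same command with an unknown name (or `-noservername`) gets refused. Two caveats: SNI is sent in cleartext, so the hostnames you route on are visible on the wire (a client using Encrypted ClientHello hides the name and cannot be routed this way), and backends see the proxy's address as the client; if the backend needs the real source IP, enable `proxy_protocol` on this stream server and `listen ... proxy_protocol` on the backend side. A stream listener on :443 and an http{} `listen 443` on the same address cannot coexist, which is why plain HTTPS is handed to a local 8443 above.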
  5. whitey (Moderator)

    Yeah that sounds UGLY/uglier than the internal change off std port to say 81/444 but thanks for the thoughts/time.
     
    #5
  6. whitey (Moderator)

    Thx bud, will take a look in my free time today. Been ages since I was using Apache for a reverse proxy. On Nginx now so I'll have to investigate these avenues.
     
    #6
  7. whitey (Moderator)

    Yep one/single WAN IP off Comcast's BLAST pkg (105Mbps down/10Mbps up). I have flirted with the idea of going to a business acct to get say 4-5 static IP's to solve this issue, may be the easiest/lazy solution LOL.
     
    #7
  8. T_Minus (Moderator)

    Haven't dealt with this issue; the last time I was in need, SSL was valid IP justification with ARIN :) for more static IPs.

    Another idea... I think you can manage internal and external DNS too, so that when secure.whitey.com is requested from the 'internet' it goes to the WAN IP, but your internal network knows to route secure.whitey.com to the specific local host on port X. So you can have numerous services on different hosts using the same WAN IP that, once they hit your internal network, are routed properly. Not 100% sure of the name or how to do this, but I recall reading on it a couple months ago --- hope it helps ;) I'm no network genius, that's for sure!
     
    #8
  9. PigLover (Moderator)

    Nginx is even better/easier as reverse proxy than Apache.

    I run about 10 Web services behind a single dynamic IP this way. Nginx has some complications running on the PFsense node itself because the PFsense webconfigurator is on Nginx now and it wants to keep rewriting the .conf file, so I set up a VM just to host the Nginx proxy and port forwarded :80 and :443 from my public dynamic IP to this VM. Works great.
     
    #9
  10. PigLover (Moderator)

    I should clarify - this works well for IPv4. If you need it to work with dynamic IPv6 it's still a PITA because there is no 'port forwarding' as you know it in IPv4, and PFsense has a missing feature in specifying firewall rules, so if the IPv6 prefix changes you have to go in and make a small change by hand.
     
    #10
  11. whitey (Moderator)

    Thanks would be good to see what this config looks like if you have it handy and it's not too much of a PITA. Assuming you have multiple vhost configs that nginx handles for each web svc? If that's the case I would need to consolidate some of my 'broke-out' dedicated VM web svcs to that one nginx host.

    Hmmm, decisions decisions...
     
    #11
  12. whitey (Moderator)

    Thanks for the idea @T_Minus, I do do this currently for some internal LAN to WAN DNS trickery w/ a DNS forward zone. May be some legs to this.
     
    #12
  13. whitey (Moderator)

    Well the Comcast business line is a JOKE...15/3 entry level business pkg starting at $109 per month, 150/20 plan for $250 a month...small handful of 3-5 IPs...no thanks.

    Soo depressing, I may just zfs send/recv this VM from my home lab to my buddy's co-lo where I have a static IP and pfSense device (mini slice of everything AKA mini-datacenter w/in his stack)...irritating that something as seemingly simple as this I am fumbling around on.

    Hangs head in shame and goes and sits in corner w/ dunce cap on :-(
     
    #13
  14. PigLover (Moderator)

    I'm traveling this week but I'll post something this weekend. The actual config files are pretty small and simple (thank you Nginx).
     
    #14
  15. Patrick (Administrator, Staff Member)

    @whitey at some point you end up just moving stuff to a data center.

    I was at a startup in Palo Alto earlier this week. They had over 1kW of gear in a small rack in the hallway between the programmers' shared offices.
     
    #15
  16. markarr (Active Member)

    I have done it two ways: the first one was using the squid proxy on pfsense, the second was using the web application firewall on Sophos. They were about the same to set up; you just have to deal with certs at the fw as well as the app servers. You use host names to direct traffic, i.e. web.xxx.xxx goes to server A and mail.xxx.xxx goes to server B. It works well, as I have one IP address and have mail, view, crm, backup all using it and then going to the correct server based on what was typed into the browser; all of them use port 443.
     
    #16
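    The hostname-keyed reverse proxy that PigLover (#3, #9) and markarr (#16) describe, as an added example and not any poster's actual config: pfSense port-forwards WAN :80 and :443 to a single nginx VM, nginx terminates TLS with one certificate per public hostname and proxies to the backend that still listens on its normal :443 internally, so none of the servers need to move off the standard port. Hostnames, certificate paths and backend addresses are placeholders; the file is assumed to live under /etc/nginx/conf.d/ inside the http{} context.

```nginx
# Added example, not the thread's own config. Assumes pfSense forwards
# WAN :80 and :443 to this nginx VM; hostnames, paths and backends are
# placeholders.

# 1. Plain HTTP only redirects to HTTPS; nothing is proxied on :80.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# 2. Default :443 vhost: a request for a hostname we do not serve has its
#    TLS handshake rejected instead of silently landing on the first vhost
#    (ssl_reject_handshake needs nginx 1.19.4 or newer; no cert required).
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# 3. Shared TLS settings for the named vhosts below.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;

# 4. One server{} per public hostname. Each backend keeps its normal :443;
#    only the Host/SNI name differs on the outside.
server {
    listen 443 ssl;
    server_name web.example.com;
    ssl_certificate     /etc/nginx/certs/web.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/web.example.com/privkey.pem;

    location / {
        proxy_pass https://192.168.1.21:443;
        proxy_ssl_server_name on;       # send SNI on the backend hop too
        # proxy_ssl_verify is off by default: the hop to the backend is
        # encrypted but its cert is not checked. Enable it together with
        # proxy_ssl_trusted_certificate if the DMZ is not trusted.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name mail.example.com;
    ssl_certificate     /etc/nginx/certs/mail.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/mail.example.com/privkey.pem;

    location / {
        proxy_pass https://192.168.2.15:443;   # host on the OPT1/DMZ subnet
        proxy_ssl_server_name on;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

    Verify with `nginx -t`, then `openssl s_client -connect <WAN IP>:443 -servername web.example.com` should return the web.example.com certificate, and the same command with a name not listed should fail the handshake. Because the backends now see the proxy as their client, they should trust X-Forwarded-For only from the proxy's address, and the pfSense firewall rules should allow :443 on the LAN/OPT1 backends only from the proxy VM, so a vhost cannot be bypassed by talking to the backend directly. The split-DNS trick T_Minus raised in #8 complements this: internal clients resolve the public names to the proxy VM (or straight to the backend) instead of hairpinning through the WAN IP.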