Topic: Forwarding to Subdomains

Steve Mustafa
Forwarding to Subdomains
« on: March 11, 2010, 08:17:09 am »
I tried split DNS to do this, but since we've acquired a new domain name, I also registered a subdomain.  Where I used to port forward as follows: xxx.xxx.xxx.xxx:aaaa -> 192.168.3.10 (local subnet) I was hoping to do the following: surveillance.mydomain.com, however, I wasn't too sure on how to do that.  Another reason I ask is because I will have several other subdomains that need to be forwarded correctly on the internal side of the firewall.

Split DNS didn't work for me and simple port forwarding won't work and I'm pretty certain NAT reflection is not the way to go.

Suggestions?

TIA

Wow, no answers yet? I'm surprised. Is it that much of a stumper or am I missing something that should be pretty obvious?
« Last Edit: March 15, 2010, 02:19:10 am by Steve Mustafa »

Briantist
Re: Forwarding to Subdomains
« Reply #1 on: March 16, 2010, 12:59:03 pm »
It's kind of confusing as to what you're trying to do here. It sounds like you want different subdomains to be port forwarded to different internal IP addresses, or maybe just to different ports. The thing is, a subdomain, like any domain, is just resolved to an IP address. NAT knows nothing about domains, so you need to be able to do NAT based on IP and port alone. This means that each sub-domain has to resolve to a different IP address, or you have to require that each sub-domain be accessed with a different port (which is not transparent to the user).

It might best be handled by having every sub-domain use the same IP, and assuming this is HTTP traffic, let the web server sort it out using host headers.

Split DNS and NAT reflection refer to methods of accessing domains that are accessible from outside with NAT, from behind the NAT, so this further confuses me. Some clarification on what you want to do would be helpful.

Cry Havok
Re: Forwarding to Subdomains
« Reply #2 on: March 16, 2010, 02:12:46 pm »
I assume you're talking about web sites?  Search the forums for posts on HA Proxy, which is what's usually suggested when people ask that question.
If you're planning on PMing me to ask me to look at a thread, or for individual support, don't.

Steve Mustafa
Re: Forwarding to Subdomains
« Reply #3 on: March 17, 2010, 11:09:33 am »
Briantist:

Essentially, I want the following to happen.

Fire up a web browser and navigate to camera.jnrcs.org (or any other subdomain I choose), now, that would resolve to IP address (this works, DNS resolution shows it) and then that request gets translated (upon reaching the firewall) to the local IP address of the server that handles whatever it is I'm trying. So cameras go to the DVR server, mail to the mail server, web to the web server and so on. This in accordance with rules that I specify on the firewall (I assume).

Hence my trial with the split DNS.

Now, I currently have a working setup where I'm using port-forwarding that I want to change to the above described by using sub-domains instead.  Currently, on the local side of the network, each subdomain has its own IP address, but not so externally (they all resolve to the same IP address).

Makes sense?

Thanks for the help

Cry Havok
Re: Forwarding to Subdomains
« Reply #4 on: March 17, 2010, 12:29:01 pm »
Where you can forward a different port that's easy - just forward 25/TCP to the mail server, 80/TCP to the web server etc.  Note that for services other than HTTP there is no way to know what hostname the client used to connect to your server with and there is no way to do what you're after with a single WAN IP for anything other than HTTP.

Where you want to use a single port for multiple web servers, pfSense natively can't do that.  That type of activity has to be managed by an application layer proxy, such as HA Proxy.  Start with this thread.
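Added example, not part of the original thread: a minimal Python sketch of the difference the replies above describe, where a NAT port forward can only key on destination IP and port while an application-layer proxy can route on the HTTP Host header. The WAN address, the web server address and the helper names are constructed for illustration; only 192.168.3.10 and the hostnames come from the posts. Unlisted, missing or duplicated Host values are refused rather than sent to a default backend.

```python
from typing import Optional

# What a NAT port forward can key on: destination IP and port only.
NAT_FORWARDS = {("203.0.113.5", 80): "192.168.3.20"}  # constructed WAN IP and target

# What an application-layer proxy can key on: the HTTP Host header.
HOST_BACKENDS = {
    "camera.jnrcs.org": "192.168.3.10",  # DVR server (address from the first post)
    "www.jnrcs.org": "192.168.3.20",     # web server (constructed address)
}


def nat_target(dst_ip: str, dst_port: int) -> Optional[str]:
    """NAT decision: the hostname the client typed never reaches this layer."""
    return NAT_FORWARDS.get((dst_ip, dst_port))


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the normalised Host header, or None if absent or ambiguous."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [line.split(":", 1)[1].strip()
             for line in head.split("\r\n")[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1:        # missing or duplicated Host: refuse to guess
        return None
    host = hosts[0].lower()
    if host.startswith("["):   # IPv6 literal, never one of the listed names
        return None
    if ":" in host:            # drop an explicit ":port" suffix
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")    # tolerate a fully qualified trailing dot


def proxy_target(raw_request: bytes) -> Optional[str]:
    """Proxy decision: route on Host, and deny names that are not listed."""
    host = parse_host(raw_request)
    return HOST_BACKENDS.get(host) if host else None


def request(host: str) -> bytes:
    """Build a constructed sample HTTP/1.1 request for the given Host value."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: sample\r\n\r\n".encode()
```

Both sample hostnames arrive at the same WAN IP and port, so `nat_target` returns one address for either, while `proxy_target` separates them.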

Steve Mustafa
Re: Forwarding to Subdomains
« Reply #5 on: March 17, 2010, 02:48:45 pm »
Thanks, I'll check it out.

One question though, is my thinking the right way?  I kinda see it as follows:

                        ---------> DVR Server (http://camera.jnrcs.org) [subdomain request]
                        |
Request ---------> pfSense |---------> Web Server (http://www.jnrcs.org) [domain request]
                        |
                        ---------> VOIP PBX (https://pbx.jnrcs.org) [SSL subdomain request]

Or is that not even possible with pfSense?

Cry Havok
Re: Forwarding to Subdomains
« Reply #6 on: March 17, 2010, 03:07:51 pm »
I'll say it again - Application Layer Proxy.

You can't do what you're after with just a firewall.  You can forward 443/TCP (HTTPS) to the SSL subdomain, but for 80/TCP (HTTP) you must use something like HA Proxy.  Go read that other thread ;)

Steve Mustafa
Re: Forwarding to Subdomains
« Reply #7 on: March 18, 2010, 03:10:41 pm »
Will do, thanks :)