Discussion:
[pfSense] Using pfSense to route inbound traffic via Domain Name instead of IP
Joseph Hardeman
2012-07-26 02:24:11 UTC
Hi Everyone,

I have done some searching and I think this is possible, but I thought I would ask to make sure. It's an interesting question that was asked of me.

I wanted to know if pfSense can route inbound traffic based off of Domain Name instead of IP. For instance, let's say I have 4 web sites, all of which have SSL enabled. Normally I would have to use 1 public IP to 1 internal IP to use SSL (I know in Apache you can use SNI for Virtual Domains and it does work), but let's throw an IIS server into the mix. So let's say I have 2 web sites on an Apache server and 2 on an IIS server, and I would normally have something like this set up:

Public IP - Domain Name - Internal IP
1.1.1.2 - www.domain1.com -> 192.168.1.2
1.1.1.3 - www.domain2.com -> 192.168.1.3
1.1.1.4 - www.domain3.com -> 192.168.1.4
1.1.1.5 - www.domain4.com -> 192.168.1.5

This definitely allows me to pass all ports right, but what if I wanted to do something like this:

Public IP - Domain Name - Internal IP
1.1.1.2 - www.domain1.com -> 192.168.1.2
1.1.1.2 - www.domain2.com -> 192.168.1.3
1.1.1.2 - www.domain3.com -> 192.168.1.4
1.1.1.2 - www.domain4.com -> 192.168.1.5

Can pfSense route via the Hostname on inbound traffic? I know you can set up Aliases and such, just never played with it.

Any thoughts or suggestions on how to do this and conserve public IPs to direct the traffic to the proper internal IP/ports would be greatly appreciated.

Joe
Moshe Katz
2012-07-26 03:01:47 UTC
There isn't really any built-in way to do this. What you really want is a
reverse-proxy server (which could or could not be running on the pfSense
box). However, your Reverse Proxy would either have to support SNI or have
a single certificate with all of the domains on it. Your reverse-proxy
would then route by domain name.

I know that there are people who have gotten Pound (
http://www.apsis.ch/pound/) to run on a pfSense box, but there is currently
no package for it and therefore no GUI.

Two parenthetical notes about SNI:

- IIS 8 (release next month or so, RC currently available) does support
SNI.
- Windows XP does not support SNI. (Firefox on XP does, as well as
Chrome > 6 do).

Moshe

--
Moshe Katz
-- ***@ymkatz.net
-- +1(301)867-3732
Seth Mos
2012-07-26 06:53:53 UTC
Post by Moshe Katz
On Wed, Jul 25, 2012 at 10:24 PM, Joseph Hardeman
There isn't really any built-in way to do this. What you really want is
a reverse-proxy server (which could or could not be running on the
pfSense box). However, your Reverse Proxy would either have to support
SNI or have a single certificate with all of the domains on it. Your
reverse-proxy would then route by domain name.
Indeed, you need a full-on proxy server like HAProxy or Varnish, depending on your tastes, to do this.

Not sure which one does the man-in-the-middle for SSL; the proxy will need to terminate the SSL connection and can speak HTTP or HTTPS to the backend.
Post by Moshe Katz
* IIS 8 (release next month or so, RC currently available) does
support SNI.
* Windows XP does not support SNI. (Firefox on XP does, as well as
Chrome > 6 do).
As Moshe makes clear here there is no other feature you can use except
SNI for SSL name based virtual hosting. Otherwise you need one IP per
SSL certificate, proxy or not.

Regards,

Seth
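Neither Moshe's nor Seth's reply carries code, so the following is an added example (not from this thread, and not pfSense, HAProxy or Varnish code) of the mechanism both describe: a proxy listening on one public IP reads the server_name extension from the client's first TLS record and picks a backend by hostname, before any certificate or decryption is involved. The hostnames and backend addresses are the placeholders from Joe's question, the DEFAULT_BACKEND choice is an assumption made here, and the ClientHello bytes are constructed by the block itself rather than captured. It also handles the two cases the replies raise: a client that sends no SNI at all (Moshe's Windows XP note), which can only ever be given one site, and a server_name the proxy does not know, which is refused rather than defaulted because that field is attacker-controlled.

```python
import struct

# Routing table for one public IP: TLS server_name -> backend (host, port).
# Hostnames and addresses are the placeholders from the original question.
BACKENDS = {
    "www.domain1.com": ("192.168.1.2", 443),
    "www.domain2.com": ("192.168.1.3", 443),
    "www.domain3.com": ("192.168.1.4", 443),
    "www.domain4.com": ("192.168.1.5", 443),
}
# A client that sends no SNI (IE on Windows XP, for example) gives the proxy
# nothing to route on, so it can only ever reach this one site. Assumed here.
DEFAULT_BACKEND = ("192.168.1.2", 443)

SNI_EXTENSION = 0x0000          # server_name extension, RFC 6066
HOST_NAME = 0                   # NameType.host_name


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record (lower-cased), None if
    the record is not a ClientHello or carries no SNI, ValueError if truncated."""
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = Handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated TLS record")
    if body[0] != 0x01:                                  # 0x01 = ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                     # client_version + random
        pos += 1 + hello[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                            # compression_methods
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    if pos + 2 > len(hello):
        return None                                      # no extensions block
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hello):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_size]
        pos += ext_size
        if ext_type != SNI_EXTENSION:
            continue
        if len(data) < 2:
            raise ValueError("malformed server_name extension")
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == HOST_NAME:
                try:
                    return name.decode("ascii").lower().rstrip(".")
                except UnicodeDecodeError:
                    raise ValueError("non-ASCII server_name")
    return None


def choose_backend(first_record: bytes):
    """Decide where a new connection goes from its first TLS record.
    Returns (backend, sni); backend is None when the name is unknown."""
    sni = extract_sni(first_record)
    if sni is None:
        return DEFAULT_BACKEND, None
    # Exact match only: the name is attacker-controlled, so never derive an
    # address from it, and refuse unknown names instead of defaulting them.
    return BACKENDS.get(sni), sni


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input built here,
    not captured traffic). server_name=None mimics a client without SNI."""
    body = (b"\x03\x03" + bytes(32)        # client_version, random
            + b"\x00"                      # empty session_id
            + b"\x00\x02\xc0\x2f"          # one cipher suite
            + b"\x01\x00")                 # null compression only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for name in ("www.domain2.com", "WWW.Domain4.COM.", "unknown.example", None):
        print(name, "->", choose_backend(build_client_hello(name)))
```

A real proxy would peek the first record off the accepted socket, call choose_backend, and then either hand the unmodified bytes to the chosen backend (pass-through: Apache and IIS each keep their own certificate, and nothing has to be shared across customers) or terminate TLS itself with a certificate matching that name and speak HTTP or HTTPS to the backend, as Seth describes. Either way the choice is made from the ClientHello, which is why a client that never sends SNI cannot be told apart from the default site.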
Adam Stasiak
2012-07-26 13:47:53 UTC
Not sure if this is helpful to you at all, but I've looked at a possible
workaround for SSL and a lack of public IPs.

Host a virtualized pfSense box with a service provider (I'm using ARP networks).
Get a /29 (or more as needed).
Set up a tunnel between the virtualized box and your local pfSense.
Route traffic from the addresses on the /29 to different local IPs on your
internal network (or NAT to different ports on one local IP).

Full disclosure, I haven't yet gotten this working, have asked a couple
times on forums and this list, and people have seemed to think it's
feasible, but have gotten bored before being able to help me through the
nitty gritty. And I'm not knowledgeable enough about the intricacies of
routing to figure out what the problem is myself. I'm thinking about just
getting a support subscription and seeing if that will get it functioning.
Assuming I'm not chasing a pipe dream, this could be something that would
work for you, and I'd be happy to let you know/write up a how-to for the
wiki/etc. if I am ever successful.

There's obviously an extra cost for this, but it's not too bad, and our
only option for an ISP (short of getting a T1) won't give out more than a
/29 (and I've already used up all the available IPs, so have none left over
for extra SSL sites).
Joseph Hardeman
2012-07-26 20:46:31 UTC
Hey Adam,

I see what you're trying to do, basically use IP space on another provider and tunnel through to your local machines. So this is feasible and should be able to be done; how, though, I would have to play with it myself and see.

I could tell them to simply go the multi-WAN approach or get a larger block of IPs. Or do what Seth and Moshe recommended and set up a proxy. Something to discuss with them.

Thanks for the advice.

Joe

Adam Stasiak
2012-07-26 20:59:14 UTC
Unfortunately the proxy route really wouldn't be an option. SNI support
isn't universal enough for that to work for us, and we can't mix different
client's sites on one certificate for business reasons. If either of those
were an option there would be no problem as we could just have a single
public IP serve all the sites. Multi-wan is unappetizing because of the
added complexity, and having yet another point of failure. Plus we have a
warm-failover site, so a second provider would need to be at each site as
well, whereas the redirection I'm trying to set up could just be pointed to
a different site upon failure. And I really wish that a larger block was
possible, but we've bumped it up the chain and they just are not set up for
it apparently.
Joseph Hardeman
2012-07-26 20:42:53 UTC
Hey Seth and Moshe,

I know that Varnish will be able to do most of it and HAProxy can definitely handle the hostname-to-IP issue, but HAProxy, as far as I know, won't do SSL; you have to have stunnel set up in front of it, and it still requires the IPs set.

I was hoping that it could be done and I may still keep playing when I get time.

Thanks for everything

Joe
