OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Julien on October 29, 2017, 09:07:22 pm

Title: Port forwarding VIP
Post by: Julien on October 29, 2017, 09:07:22 pm
Dear All,
We have configured 3 virtual WAN IPs on the Firewall >> Virtual IP.

Now we want to forward port 443 to one of those Virtual IPs.
I can't seem to find a way of doing this.
Can someone please advise how to do so?
I've looked on the forum but can't seem to find a post or a doc about this.
The current configuration is as follows:
WAN1 is our default IP, which is 1.1.1.1
Virtual IPs are 1.1.1.2 / 1.1.1.3 / 1.1.14
WAN 1 is the default WAN for our production.
On WAN1 (1.1.1.1) we have port 443 forwarded to an internal server.
Now we have added 3 WAN IP addresses to the virtual IPs.

On the NAT 1:1 we have created a rule:
Interface WAN
Type BNAT
External Network 1.1.1.2/29
Source Any
Destination Webserver 1 (internal server)

On the Firewall Rules WAN1
we have created the rule below the original rule of port 443.

Thank you
Title: Re: Port forwarding VIP
Post by: BertM on November 06, 2017, 02:51:48 pm
Julien,

I am not sure what you want to accomplish but, reading your story, I guess you have 4 IP addresses on your WAN interface, and you want to forward port 443 from some of these external addresses to different web servers.

If you want to forward port 443 from any of the WAN addresses to anywhere, the first thing to do (to avoid conflicts) is to change the port for OPNsense management to another port. (Go to System ==> Settings ==> Administration and enter a different port in the TCP port field.)

Next, you can enter a NAT port forward rule for every address from where you want to forward port 443.
So, for example:

WAN interface address 1.1.1.1 port 443 to Internal Webserver1 port 443
WAN interface address 1.1.1.2 port 443 to Internal Webserver2 port 443
WAN interface address 1.1.1.3 port 443 to Internal Webserver3 port 443
WAN interface address 1.1.1.4 port 443 to Internal Webserver4 port 443

On the other hand, if you have so many web servers, why not address them by URL to one single external IP address and use a reversed proxy to send things to the proper server? I do something like that for something like 25 websites on 8 servers.
Just a thought.

Kind regards,
Bert

Title: Re: Port forwarding VIP
Post by: Ciprian on November 08, 2017, 02:50:10 pm
On the other hand, if you have so many web servers, why not address them by URL to one single external IP address and use a reversed proxy to send things to the proper server? I do something like that for something like 25 websites on 8 servers.

My thought also, and you already have a reverse proxy at hand, as a plugin in OPNsense:

os-haproxy   1.17   267KiB   Reliable, high performance TCP/HTTP load balancer

Hope it helps.
Cheers!
Title: Re: Port forwarding VIP
Post by: Julien on November 08, 2017, 10:25:53 pm
Thank you guys,
With Fraenki's help, managed to get HAProxy configured and it's operating now.