OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: Mastermind on January 08, 2018, 05:24:52 pm
-
Hello,
During the last few weeks I have set up a new corporate infrastructure with OPNSense as its core networking component.
The OPNSense instance is virtualized on a KVM supervisor.
Now there will be multiple webservers on the private LAN, each in charge of providing resources to run their own by domain defined appliances. To accomplish the appropriate routing, HAproxy is an option but requires an extra step in the configuration for SSL and each domain/appliance. Since I have multiple public IP addresses available I would like to route these (HTTP/HTTPS ports only) to the respective backend servers on the LAN.
Normally, I'd add these extra public WAN addresses as Virtual IP in the OPNSense web GUI. However, the current colocation partner restricts every IP addresses traffic to a single originating MAC address. And since the primary WAN interface can only have one MAC address, I can only bind this to one public IP as the colocation partner will only accept one MAC and IP combination.
So, to still make use of the public addresses available I thought of adding another virtual interface to the machine, with a seperate MAC address to use with a second public IP. So far so good. Unfortunately, both interfaces and IPs are in the same space and will need to use the same gateway address. This is where the curlpit lies, as I can apperantly not use the same gateway destination address for multiple interface nor bind one gateway to multiple interfaces.
So to sum up:
112.112.112.5 - Public IP1, WAN interface with specified MAC
112.112.112.6 - Public IP2, OPT interface with specified MAC
112.112.112.1 - Gateway designated for use by colocation partner for all traffic
How can I proceed with setting this up successfully?
Thoughts and advice much appreciated. Thanks in advance.
-
Mastermind,
If I understand correctly, you have multiple internal web servers each serving a number of sites that are addressed by their URL, and your provider does not allow multiple IP adresses on the same physical nic.
Although it is outside the scope of OPNsense, I would go for another solution.
Considering the fact that you are already virtualizing things anyway, it should not be a problem to add a small linux box to use as a reversed proxy.
Than, you can configure OPNsense to forward ports 80 and 443 to the reversed proxy, and let the proxy send the requested URL's to the proper server.
I am doing something similar where I use 1 public IP for 48 URL's, that are port forwarded to an Ubuntu server running apache, used as a reversed proxy. The Ubuntu box forwards this traffic to 9 different servers.
For me this works flawlessly.
kind regards,
Bert
-
Hey Bert,
Thank you for your response, much appreciated! You got the gist of it. Technically multiple IP's are served over the same physical NIC, but for virtualization purposes they accept only traffic from pre-defined MAC addresses, or the host MAC.
Your solution would work, and its definitely a good way to go about things. However is that not sort of the same approach as installing HAProxy on the OPNSense machine and using that for routing? Maybe Apache is easier, but I have HAProxy running without problems on another place aswell.
My main goal here was to try and avoid the extra configuration needed per domain. Since I have the luxury of mapping a public IP to each of the backend servers.
Kind regards,
Mastermind