
I'm having some problems that I think I should not ordinarily be facing. But after being beaten senseless by this, I'm crying uncle.

I have previously posted something along these lines here: (Clickety)

Now, I'm looking for any answer to my problem.

We have a network as follows:

               __________ DMZ (10.0.0.0/24)  
              |  
WAN -----  PFsense ---------- LAN (192.168.1.0/22)  
              |  
              |_________ Wireless (172.169.50/24)  

WAN has one IP, and since we're a Red Cross society we have no money (in fact we are a charity case), so we cannot afford to get more IPs (they cost a pretty penny here in Jordan).

So access to all services on the inside of the firewall is a must.

Here's the funny part. I'm a developer that had to assume the mantle of admin.

I've tried the previous acls in the link above and even with more acls, all I can ever get is a route to the webserver on the DMZ; even though I'm trying to access the DVR which is on the LAN subnet and the DNS resolves it correctly.

Of course, it gets more complicated as there are other services that need the involvement of ssl (specifically, exchange\owa).

So, I've come to you my friends, shuffling on my knees, face battered and soul withering, reaching out with my hands, asking for an answer that I hope will not destroy the network(s) or my soul.

Basically, I'm trying to get a reverse proxy to work on my network, preferably with minimal change, so that we can use our services from the web side of the firewall. If it can be done with squid (the one on PFsense) then fantastic.

Many thanks for any and all answers.

2 Answers

  1. Put anything that needs public access on the "DMZ" segment. That is standard security.
  2. In PFsense, use "Firewall: NAT: Port Forward" to assign public WAN-IP:port to the resource on the DMZ.

There are 65534 ports to choose from, although some are more standard than others, e.g. port 80 for HTTP.

delimiter69
  • I've already done that with some of the services, with port 80 being forwarded to the webserver itself, but I keep on getting bombarded with questions because people keep on forgetting the port numbers. That's why I wanted to implement a reverse proxy, this way they'd simply use subdomains and that gets routed accordingly. Just to be clear: Instead of http://www.myweb.com:8000, we would use: http://surveillance.myweb.com – Mustafa Ismail Mustafa Jun 21 '10 at 09:14

I can't answer regarding Squid, but this is easily done using Apache and mod_proxy. I'm not familiar with pfsense so I don't know if you can integrate Apache with it, but if you can:

Just set up a site using virtual hosts for each internal site you're hosting. Then within the pfsense firewall redirect requests for your WAN IP on port 80 to whatever IP you've set to listen for the virtual host. For example, here's a sanitized config we're using.

```apache
NameVirtualHost 192.168.3.17:80
NameVirtualHost 192.168.3.17:443
Listen 80
Listen 443

##### Exchange Configuration #####
<VirtualHost 192.168.3.17:80>
        ServerName mail.domain.com:80
        # mod_proxy only forwards to an https:// backend when SSLProxyEngine is on
        SSLProxyEngine On
        # ProxyPass takes the local path as its first argument
        ProxyPass / https://mail.domain.com/
        ProxyPassReverse / https://mail.domain.com/
        # SSLRequireSSL refuses any request that did not arrive over TLS,
        # so on this :80 vhost it blocks plain-HTTP access to OWA
        SSLRequireSSL
</VirtualHost>

##### Wiki Configuration #####
<VirtualHost 192.168.3.17:80>
        ServerName wiki.domain.com:80
        ProxyPass / http://wiki.domain.com/
        ProxyPassReverse / http://wiki.domain.com/
</VirtualHost>
```

Then just add in appropriate entries for the host records so that name resolution works for your reverse proxy entries.

Jeff Miles
  • From my point of view it's not a problem: just set up DNS correctly, add an nginx instance and reverse proxy each host, voila – djdomi Sep 21 '19 at 18:59
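The same subdomain-per-service layout as the Apache config above, written for nginx as the last comment suggests; this is an added example, not code from either answer. Hostnames come from the question and answers; the backend addresses, certificate paths and the owa.myweb.com name are placeholders, and it assumes pfSense port-forwards WAN ports 80 and 443 to the proxy host in the DMZ and allows only that host from the DMZ to the DVR and Exchange on the LAN.

```nginx
# Added example (not from the original answers): nginx in the DMZ mapping
# public subdomains to internal services behind the single WAN address.
events {}

http {
    # Hand the real host and client address to the backends so their logs
    # show the actual client rather than the proxy.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # surveillance.myweb.com -> DVR on the LAN (replaces www.myweb.com:8000)
    server {
        listen 80;
        server_name surveillance.myweb.com;
        location / {
            proxy_pass http://192.168.1.50:8000;   # placeholder DVR address
        }
    }

    # owa.myweb.com -> Exchange/OWA, which only speaks HTTPS
    server {
        listen 443 ssl;
        server_name owa.myweb.com;
        ssl_certificate     /etc/nginx/certs/owa.pem;   # placeholder
        ssl_certificate_key /etc/nginx/certs/owa.key;   # placeholder
        location / {
            proxy_pass https://192.168.1.20/;           # placeholder Exchange address
            # Send the backend's own name in SNI so its certificate matches
            proxy_ssl_server_name on;
            proxy_ssl_name mail.domain.com;
        }
    }

    # Plain-HTTP OWA requests get redirected instead of proxied, so
    # credentials never cross the WAN unencrypted.
    server {
        listen 80;
        server_name owa.myweb.com;
        return 301 https://$host$request_uri;
    }

    # Requests for any other name on the WAN address are dropped.
    server {
        listen 80 default_server;
        return 444;
    }
}
```

Each new service then needs only a DNS record for its subdomain and one more server block, so nobody has to remember port numbers.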