I am trying to redirect traffic coming to an address on my WAN subnet at
one site to an address on the WAN subnet of another pfSense box at a
different site.
I have a limited number of IPs available at the primary site, but need
several more to host HTTPS sites. The goal is to be able to redirect HTTPS
requests to a block of IP addresses (on the WAN subnet of one pfSense box)
to a single IP address at the main site (but on different ports), to avoid
needing a different public IP address for each SSL-encrypted site.
I already know about wildcard certs and certs with multiple host names on
them, and also SNI; all of these are problematic for one reason or another.
Someone indicated on this list that that was possible with pfSense. And I
have gotten it to work sporadically.
I've created a rule to forward TCP connections on port 8001 of the WAN
address to port 80 at IP 0.0.0.25 (the target IP).
I have tried turning NAT reflection on and off for that rule; nothing seems
to go through.
I have created firewall rules on the WAN interface (0.0.1.70) allowing all
TCP traffic with 0.0.0.25 as the source or destination.
I also created a rule allowing traffic with 8001 as the destination.
I have control over the firewalls at both sites (both are pfSense 2.0.1)
and both do have advanced outbound NAT on for whatever that is worth.
Any clues why this is not working for me?
Below is the packet capture at site 1 (0.0.1.70).
The packets seem to be received fine from the source (0.0.2.21) and then
sent to site 2 (0.0.0.25).
But I never see anything in the packet capture at site 2. (or in the
firewall block logs either)
10:30:03.004834 00:01:5c:22:9f:81 > 00:30:18:a9:bb:eb, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 47, id 20405, offset 0, flags [DF],
proto TCP (6), length 60)
0.0.2.21.34582 > 0.0.1.70.8002: Flags [S], cksum 0x2358 (correct), seq
652246939, win 5552, options [mss 1388,sackOK,TS val 4534318 ecr
0,nop,wscale 3], length 0
10:30:03.005028 00:30:18:a9:bb:eb > 00:01:5c:22:9f:81, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 46, id 20405, offset 0, flags [none],
proto TCP (6), length 60)
0.0.2.21.34582 > 0.0.0.25.80: Flags [S], cksum 0xbbba (correct), seq
652246939, win 5552, options [mss 1388,sackOK,TS val 4534318 ecr
0,nop,wscale 3], length 0
10:30:05.987018 00:01:5c:22:9f:81 > 00:30:18:a9:bb:eb, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 47, id 20406, offset 0, flags [DF],
proto TCP (6), length 60)
0.0.2.21.34582 > 0.0.1.70.8002: Flags [S], cksum 0x2056 (correct), seq
652246939, win 5552, options [mss 1388,sackOK,TS val 4535088 ecr
0,nop,wscale 3], length 0
10:30:05.987084 00:30:18:a9:bb:eb > 00:01:5c:22:9f:81, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 46, id 20406, offset 0, flags [none],
proto TCP (6), length 60)
0.0.2.21.34582 > 0.0.0.25.80: Flags [S], cksum 0xb8b8 (correct), seq
652246939, win 5552, options [mss 1388,sackOK,TS val 4535088 ecr
0,nop,wscale 3], length 0
I do very sporadically get some packets captured on the other end. It's
happened once among dozens of tries. I could understand if it just plain
didn't work, but the fact that it works sometimes is very confusing.
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
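A capture like the one above shows both copies of each forwarded SYN: the packet as it arrived on the WAN interface and the same packet (same IP id) after the port forward rewrote its destination. The thing worth checking in such a pair is whether the firewall also rewrote the source: in the capture, the SYN leaves for 0.0.0.25:80 still carrying the client's own address 0.0.2.21, so whatever 0.0.0.25 replies goes back to 0.0.2.21 directly rather than through this box. The script below is an added diagnostic, not code from the poster or from pfSense: it re-joins the mail-wrapped tcpdump records, pairs them by IP id, and flags a forward whose target lies outside the firewall's own subnets while the client source is left untouched. The site-1 WAN subnet 0.0.1.0/24 and the second, source-rewritten capture are constructed placeholders for illustration; the first capture is the one quoted in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed subnet(s) directly attached to the site-1 firewall (placeholder;
# the post only gives the WAN address 0.0.1.70).
SITE1_WAN_NETS = ["0.0.1.0/24"]

# The first two SYN pairs from the post, exactly as the mail client wrapped them.
SAMPLE_CAPTURE = """\
10:30:03.004834 00:01:5c:22:9f:81 > 00:30:18:a9:bb:eb, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 47, id 20405, offset 0, flags [DF],
proto TCP (6), length 60)
0.0.2.21.34582 > 0.0.1.70.8002: Flags [S], cksum 0x2358 (correct), seq
652246939, win 5552, options [mss 1388,sackOK,TS val 4534318 ecr
0,nop,wscale 3], length 0
10:30:03.005028 00:30:18:a9:bb:eb > 00:01:5c:22:9f:81, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 46, id 20405, offset 0, flags [none],
proto TCP (6), length 60)
0.0.2.21.34582 > 0.0.0.25.80: Flags [S], cksum 0xbbba (correct), seq
652246939, win 5552, options [mss 1388,sackOK,TS val 4534318 ecr
0,nop,wscale 3], length 0
10:30:05.987018 00:01:5c:22:9f:81 > 00:30:18:a9:bb:eb, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 47, id 20406, offset 0, flags [DF],
proto TCP (6), length 60)
0.0.2.21.34582 > 0.0.1.70.8002: Flags [S], cksum 0x2056 (correct), seq
652246939, win 5552, options [mss 1388,sackOK,TS val 4535088 ecr
0,nop,wscale 3], length 0
10:30:05.987084 00:30:18:a9:bb:eb > 00:01:5c:22:9f:81, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 46, id 20406, offset 0, flags [none],
proto TCP (6), length 60)
0.0.2.21.34582 > 0.0.0.25.80: Flags [S], cksum 0xb8b8 (correct), seq
652246939, win 5552, options [mss 1388,sackOK,TS val 4535088 ecr
0,nop,wscale 3], length 0
"""

# Constructed counter-example (not from the post): the same forward, but the
# outgoing copy carries the firewall's own WAN address as source, so the
# target's reply has to come back through this box.
SAMPLE_WITH_SNAT = """\
10:30:03.004834 00:01:5c:22:9f:81 > 00:30:18:a9:bb:eb, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 20405, offset 0, flags [DF], proto TCP (6), length 60) 0.0.2.21.34582 > 0.0.1.70.8002: Flags [S], cksum 0x2358 (correct), seq 652246939, win 5552, options [mss 1388,sackOK,TS val 4534318 ecr 0,nop,wscale 3], length 0
10:30:03.005028 00:30:18:a9:bb:eb > 00:01:5c:22:9f:81, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 46, id 20405, offset 0, flags [none], proto TCP (6), length 60) 0.0.1.70.51000 > 0.0.0.25.80: Flags [S], cksum 0x0000 (correct), seq 652246939, win 5552, options [mss 1388,sackOK,TS val 4534318 ecr 0,nop,wscale 3], length 0
"""

# One tcpdump "-e -v" TCP record on a single line: grab the IP id (shared by the
# pre- and post-translation copies of a packet) and the 5-tuple after the header.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) .*?\bid (?P<id>\d+),.*?proto TCP \(6\).*?\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def join_wrapped(text):
    """Re-join records that a mail client wrapped; a record starts at a timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"^\d\d:\d\d:\d\d\.\d+ ", line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def analyze(capture_text, local_nets):
    """Pair each packet's two copies by IP id and report what the firewall rewrote."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    by_id = defaultdict(list)
    for rec in join_wrapped(capture_text):
        m = PKT_RE.match(rec)
        if m:
            by_id[int(m["id"])].append(m.groupdict())
    findings = []
    for pid, pkts in sorted(by_id.items()):
        if len(pkts) < 2:
            continue  # only one copy seen: nothing to compare
        before, after = pkts[0], pkts[1]
        dnat = (before["dst"], before["dport"]) != (after["dst"], after["dport"])
        snat = (before["src"], before["sport"]) != (after["src"], after["sport"])
        target_local = any(ipaddress.ip_address(after["dst"]) in n for n in nets)
        findings.append({
            "id": pid,
            "client": f'{before["src"]}:{before["sport"]}',
            "hit": f'{before["dst"]}:{before["dport"]}',
            "forwarded_to": f'{after["dst"]}:{after["dport"]}',
            "dnat": dnat,
            "snat": snat,
            # Target is off-box and the client source survived: the target's
            # reply is routed straight to the client, bypassing this firewall.
            "asymmetric_return": dnat and not snat and not target_local,
        })
    return findings


def report(findings):
    """Render findings as one line per packet pair."""
    out = []
    for f in findings:
        verdict = ("reply will bypass this firewall" if f["asymmetric_return"] else "ok")
        out.append(f'id {f["id"]}: {f["client"]} -> {f["hit"]} forwarded to '
                   f'{f["forwarded_to"]} (dnat={f["dnat"]}, snat={f["snat"]}): {verdict}')
    return out


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_CAPTURE, SITE1_WAN_NETS)):
        print(line)
    for line in report(analyze(SAMPLE_WITH_SNAT, SITE1_WAN_NETS)):
        print(line)
```

Run against the quoted capture it reports both SYN pairs as destination-rewritten with the client source preserved and the target off the local subnets; against the constructed second capture the source has been rewritten too and no warning is raised. Feeding it a capture taken with `tcpdump -e -v` on the WAN interface of any pfSense box gives the same pre/post pairing, provided the records are one per line or wrapped the way a mail client wraps them.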