Redirect port 443 different internal IP

Hi,

I have a public IP (123.45.67.89), and I have set up a rule in Firewall → NAT:

chain=dstnat action=dst-nat to-addresses=192.168.1.101 to-ports=443 protocol=tcp in-interface=MY_INTERFACE dst-port=443 log=no

When anyone from an external IP goes to my public IP on port 443, the router redirects to 192.168.1.101 where I have an SSL website; it's okay and works fine. Now I would like to know if a second rule is possible.
If someone goes to myssl.domain.com, go to 192.168.1.101
And if someone goes to myssl2.domain.com, go to 192.168.1.102

Is it possible to filter by domain in that rule?

Thanks.

No. The normal pattern for this use case is to set up a reverse proxy with Nginx or similar between the firewall and the various web servers.

Thanks, I thought that the “content” option could do that; if not I will set it up with nginx. Thanks!

Not reliably, since the content will be encrypted, so you need a TLS endpoint to inspect it. While the initial handshake will be unencrypted and you could try to devise some packet marking based on the initial communication, you’ll probably run into trouble with more advanced transfer techniques. Depending on traffic loads a proxy could run on very low cost hardware, so IMO it just wouldn’t justify the hassle of trying to make it work.

The content option will see the hostname thanks to SNI (it’s sent unencrypted), but by the time that happens it’s too late to redirect the connection.
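The reverse proxy suggested above, done the way the SNI remark implies: an nginx "stream" block that reads the server_name from the unencrypted ClientHello and forwards the TCP connection to the matching internal host without terminating TLS. This is an added example, not configuration from this thread; it assumes the dst-nat rule is changed to send port 443 to the nginx host (say 192.168.1.100) instead of 192.168.1.101, and that nginx was built with the stream and ssl_preread modules.

```nginx
# Added example for this thread. Assumes port 443 is now dst-nat'ed to the
# nginx host (e.g. 192.168.1.100) and the two web servers keep their own
# certificates; nginx only looks at the SNI field and passes the bytes through.
stream {
    # ssl_preread exposes the ClientHello server_name as $ssl_preread_server_name.
    # Unknown or absent SNI falls back to the original single-host behaviour.
    map $ssl_preread_server_name $backend {
        myssl.domain.com    192.168.1.101:443;
        myssl2.domain.com   192.168.1.102:443;
        default             192.168.1.101:443;
    }

    # Log which hostname each client asked for and where it was sent,
    # which is the visibility a plain dst-nat rule never gives you.
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" -> $backend';
    access_log /var/log/nginx/stream-443.log sni;

    server {
        listen 443;
        ssl_preread on;        # parse the ClientHello, do not decrypt
        proxy_pass $backend;
    }
}
```

Clients that send no SNI (old software, or a raw IP in the URL) land on the default entry, so check the log for a blank sni= value before tightening the default to a closed port.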

Thanks both :)