This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Two external IPs to same internal web server

I currently have one external IP setup pointing to an internal web server.  Everything works fine, but I need two different SSL certificates installed on the server for two domains.
I now have two external IP's (one is assigned as an interface and the other using the "Additional Addresses" feature.  The web server has two NICs with internal IPs assigned to each.
The original website is now listening on internal IP1 port 80.  The new website is listing on internal IP2 port 7080.  How do I set this up in Astaro (v7), so when a user enters www.address1.com (DNS to external IP1) it goes to the original website and when they enter www.address2.com (DNS to external IP2) it goes to the new website.  I can make it work if they use 7080 as the port when accessing the new website, but I'd prefer they not have to use port numbers.  Is this possible?  Thanks!

This thread was automatically locked due to age.

Parents

0 ClausP over 17 years ago

Astaro KN -> http://portal.knowledgebase.net/article.asp?article=239708&p=5956 ...and scroll down to "Scenario 4 - Additional public address and new service port"
Cancel
Vote Up 0 Vote Down

Cancel
0 white94cobra over 17 years ago in reply to ClausP

I did see that KB article but interpreted it to mean that users would need to specify a port when going to the second website. I'd like to redirect port 80 from IP1 to port *** on internal server1 and port 80 from IP2 to port yyy on internal server1. Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 ClausP over 17 years ago in reply to white94cobra

The KB explains everything you have to do.....
Cancel
Vote Up 0 Vote Down

Cancel
0 white94cobra over 17 years ago in reply to ClausP

OK... I tried it as indicated in the KB and it isn't working. For one thing, I now have two PF rules for HTTPS with different destinations (my original HTTPS to internal web server IP1 and now the new one for HTTPS to internal web server IP2) - how is the firewall supposed to know which internal destiation to use unless I specify a source?

I just need it so if the https request originates from external IP1 then it goes to internal IP1 port 80 and if it originates from external IP2 then it goes to internal IP2 port 8081. Essentially this:

External IP1 HTTPS --> Internal IP1 port 443

External IP2 HTTPS --> Internal IP2 port 8081

Here's what I setup based on the KB article:

New Additional Address
Name: healthfuture.org IP
On interface: External (WAN)
Address: 207.xx.***.59
Netmask: /29 (255.255.255.255)
Comment: healthfuture.org IP

New Service Definition
Name: HTTPS_8081
Type of Definition: TCP
Destination port: 8081
Source port: 1:65535
Comment: HTTPS for healthfuture.org

New NAT rule
Name: HTTPS _8081 to healthfuture.org
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTPS_8081
Traffic Destination: healthfuture.org IP (address)
NAT Mode: DNAT (destination)
Destination: Host - Webserver 192.***.***.95
Destination Service: HTTPS

New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTPS
Destination: Webserver 192.***.***.95
Action: Allow
Time Event: Always
Log traffic: off
Comment:
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 17 years ago in reply to white94cobra

External IP1 HTTPS --> Internal IP1 port 443
External IP2 HTTPS --> Internal IP2 port 8081

Try changing your NAT rule:

New NAT rule
Name: HTTPS _8081 to healthfuture.org
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTPS
Traffic Destination: healthfuture.org IP (address)
NAT Mode: DNAT (destination)
Destination: Host - Webserver 192.***.***.95
Destination Service: HTTPS_8081

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 white94cobra over 17 years ago in reply to BarryG

Thanks for the reply... that didn't seem to work either.

Update: I stopped and restarted the DNAT rule and it now seems to be working. THANK YOU!

Update2: Actually, it appears that I clicked the Auto PF rule in the DNAT setup. Unless that is checked, it doesn't work.
Cancel
Vote Up 0 Vote Down

Cancel
0 ClausP over 17 years ago in reply to white94cobra
Update2: Actually, it appears that I clicked the Auto PF rule in the DNAT setup. Unless that is checked, it doesn't work.

The reason for this is that DNAT happens before the packetfiltering and your rule belongs to the service HTTPS and not to HTTPS_8081.
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTPS
Destination: Webserver 192.***.***.95
Action: Allow
Time Event: Always
Log traffic: off
Comment:
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ClausP over 17 years ago in reply to white94cobra
Update2: Actually, it appears that I clicked the Auto PF rule in the DNAT setup. Unless that is checked, it doesn't work.

The reason for this is that DNAT happens before the packetfiltering and your rule belongs to the service HTTPS and not to HTTPS_8081.
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTPS
Destination: Webserver 192.***.***.95
Action: Allow
Time Event: Always
Log traffic: off
Comment:
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data