
Public to Private IP redirect based on hostname (DST NAT rule?)




2 replies to this topic

#1 John K. Mes

John K. Mes
  • Members
  • 30 posts

Posted 11 May 2020 - 07:08 PM

Howdy!

I was just told by tech support that what I want to do is handled by the Cuda Link Balancer... but that's not a product any more.

And surely people have been doing this kind of thing for years, so it can't be too hard, I just can't find relevant info.

 

Here's the setup:

1 Public IP (SIP1)
2 Private IPs for 2 different hosts
 - webtest1.domain.net : PIP1
 - webtest2.domain.net : PIP2

 

Both hosts use the same wildcard cert for our domain.

Public DNS resolves to the single SIP1.

What I want is, based on name, to redirect to the appropriate internal web server, even though there is only the single public IP.

 

How can I do that with NGFw?

A Dst NAT rule works for one host, but that's it. Our test firewall (firmware v8.0.3) seems to need a 1:1 for public & private IPs... but I only have the 1 public IP.

Help or suggestions greatly appreciated!

~John



#2 Gavin Chappell

Gavin Chappell
  • Moderators
  • 441 posts

Posted 12 May 2020 - 03:15 AM   Best Answer

If I'm understanding your request correctly, this is not possible. The CloudGen Firewall is primarily a L3/L4 product built for making filtering decisions based on IP addresses and ports. While it does have some L7 functionality, this is more limited and mainly only allows an extra layer of allow/block decision based on detected L7 data once it has already made an L3/L4 decision to pass traffic.

It sounds like what you would need is a "reverse proxy" behind your firewall; you would then do a normal 1:1 DNAT rule to send all HTTP/HTTPS traffic to your reverse proxy, and then for the reverse proxy to do what it was designed for and use the higher level data (HTTP Host: headers, HTTPS TLS SNI, whatever it may be) in order to route traffic to the correct backend. This is achievable with open source products like Traefik, Nginx, HAProxy and the like, or if you want an off the shelf appliance with support then I believe the Barracuda Load Balancer ADC operates like this as well.
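Added example (not from this thread, and not a Barracuda configuration): an HAProxy config implementing the design described in the answer above. The CloudGen Firewall keeps the single Dst NAT rule the question already has, pointing SIP1 ports 80 and 443 at the proxy's private IP; the proxy then selects the backend from the HTTP Host header on port 80 and from the TLS SNI on port 443. The hostnames are the ones from the question; the backend addresses 192.0.2.11 and 192.0.2.12 are placeholders standing in for PIP1 and PIP2.

```haproxy
global
    maxconn 2000

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: pick the backend from the HTTP Host header. Any other name is
# refused rather than sent to a default backend, so the proxy cannot be used
# as a relay to other internal hosts.
frontend http_in
    bind *:80
    mode http
    option forwardfor                         # pass the real client IP in X-Forwarded-For
    acl host_web1 req.hdr(host),field(1,:) -i webtest1.domain.net   # field(1,:) drops any :port suffix
    acl host_web2 req.hdr(host),field(1,:) -i webtest2.domain.net
    http-request deny unless host_web1 || host_web2
    use_backend web1_http if host_web1
    use_backend web2_http if host_web2

backend web1_http
    mode http
    server web1 192.0.2.11:80 check           # PIP1 (placeholder address)

backend web2_http
    mode http
    server web2 192.0.2.12:80 check           # PIP2 (placeholder address)

# Port 443: TLS pass-through. Only the cleartext ClientHello is parsed for the
# server name; the encrypted stream is forwarded untouched, so the wildcard
# certificate and its private key stay on the two web servers.
frontend https_in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s              # wait up to 5s for the ClientHello to arrive
    acl is_client_hello req.ssl_hello_type 1
    acl sni_web1 req.ssl_sni -i webtest1.domain.net
    acl sni_web2 req.ssl_sni -i webtest2.domain.net
    tcp-request content reject if !is_client_hello          # not TLS, or no ClientHello within the delay
    tcp-request content reject unless sni_web1 || sni_web2  # SNI missing or not one of ours
    tcp-request content accept
    use_backend web1_https if sni_web1
    use_backend web2_https if sni_web2

backend web1_https
    mode tcp
    server web1 192.0.2.11:443 check

backend web2_https
    mode tcp
    server web2 192.0.2.12:443 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The pass-through on 443 is the least-privilege choice for the proxy (it never holds the private key) but it also means the proxy sees nothing above the SNI; if HTTP-level logging or filtering is wanted instead, bind 443 in `mode http` with `ssl crt` pointing at the wildcard certificate and route on the Host header exactly as the port-80 frontend does. In both cases the web servers should accept 80/443 only from the proxy's address, so the hostname check cannot be bypassed by reaching PIP1 or PIP2 directly.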



#3 Micha Knorpp

Micha Knorpp
  • Members
  • 195 posts

Posted 27 May 2020 - 04:03 AM

Maybe the CGF built-in squid proxy engine in Reverse Proxy mode?

I don't know if it is able to handle more than one private IP, but worth a try.

It works for separating OWA and Exchange ActiveSync URL paths (allowing one, blocking the other), but of course, it's pointing to the same server IP in that case.


regards,
-micha-
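As an added example (not part of this thread, and not taken from the CloudGen Firewall's own proxy settings): a stock Squid build in accelerator mode can send different hostnames to different origin servers, which is the "more than one private IP" case left open in the reply above. Whether the firewall's embedded Squid engine exposes these directives is not established by the thread; the config below assumes an upstream Squid 4.x or later install, uses 192.0.2.11 and 192.0.2.12 as placeholders for PIP1 and PIP2, and the certificate paths are assumptions.

```squid
# Squid 4.x+ in accelerator (reverse proxy) mode: one listener per protocol,
# origin server chosen by the hostname the client asked for.
http_port  80  accel vhost
https_port 443 accel vhost tls-cert=/etc/squid/wildcard.crt tls-key=/etc/squid/wildcard.key

# Origin servers (placeholder addresses for PIP1/PIP2). The same wildcard
# cert is on the origins, so re-encrypt on the way there and verify it
# against the published hostname rather than the bare IP.
cache_peer 192.0.2.11 parent 443 0 no-query originserver tls tls-domain=webtest1.domain.net name=web1
cache_peer 192.0.2.12 parent 443 0 no-query originserver tls tls-domain=webtest2.domain.net name=web2

# Map the requested hostname to an origin.
acl to_web1 dstdomain webtest1.domain.net
acl to_web2 dstdomain webtest2.domain.net

cache_peer_access web1 allow to_web1
cache_peer_access web1 deny  all
cache_peer_access web2 allow to_web2
cache_peer_access web2 deny  all

# Serve only the two names we publish; everything else is refused, so the
# accelerator cannot be used to reach arbitrary internal hosts.
http_access allow to_web1
http_access allow to_web2
http_access deny  all

# Never fetch directly on a client's behalf; every request must go to a peer.
never_direct allow all
```

`squid -k parse` checks the file before a reload. Note that, unlike an SNI pass-through, this design terminates TLS on the proxy, so the wildcard key now lives there as well as on the web servers; that is what makes path-based decisions like the OWA/ActiveSync split possible.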