 From:  Fred Grayson <fred underscore grayson at yahoo dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NATing to an external IP address
 Date:  Sat, 26 May 2012 11:13:56 -0400
On 5/25/2012 9:03 PM, Adam Stasiak wrote:
> Is it possible to use NAT (or some combination of NAT and other trickery)
> to redirect an address on your WAN interface to another external IP address
> (not on the WAN interface, but at some other site).
> e.g. Site A has Public IP address
> Site B has Public IP
> I would like to redirect any requests that come in to on port 80 to
> go to (also on port 80).
> The goal is to be able to redirect HTTPS requests to a block of IP
> addresses to a single IP address (but on different ports) to avoid needing
> a different public IP address for each SSL encrypted site.
> I already know about wildcard certs and certs with multiple host names on
> them and also SNI, all of these are problematic for one reason or another.
> If there were some way to redirect requests as mentioned above, I could
> colocate a monowall box somewhere where I can get the IPs I need and
> redirect them to the primary webserver, which unfortunately has a pretty
> limited number of IPs available.

This capability could be quite useful and has been asked about on the 
m0n0wall forum:


But AFAIK it is not possible to achieve this with m0n0wall.

Prior to starting with m0n0wall, I was using GNATBox, a payware FreeBSD-based 
firewall product. It had this capability in the quite old version 
I had been using, v 3.4.2, and I made use of it to proxy certain 
connections - the incoming request was forwarded back out the WAN port 
but appeared to originate with my WAN IP address. It's quite possible it 
still works on that product and they do offer a limited freeware version.

Another possibility is pfsense, another freeware FreeBSD firewall forked 
from m0n0wall some time ago. They have a mailing list and forum you could 
make inquiries on. GNATBox, aka GBWare, also has a forum.

I do dislike pointing folks away from m0n0wall, but if your requirement 
is a "must have", then I am afraid the solution lies elsewhere. If it 
turns out I am wrong, I'd love to know how it can be done with m0n0wall.

Let us know what you discover and good luck.
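As an added illustration (not part of the thread, and not m0n0wall or pfSense project code), the behaviour Fred describes from GNATBox, an inbound request forwarded back out the WAN port but appearing to originate from the firewall's WAN IP, is the classic pf combination of an inbound `rdr` with an outbound `nat` on the same interface. The interface name, the addresses (RFC 5737 documentation ranges, standing in for the IPs the original poster elided) and the alternate origin port are all assumptions:

```pf
# Added example, not from the thread. Assumed interface and placeholder
# addresses; adjust to your own environment.
ext_if      = "em0"
wan_ip      = "192.0.2.10"     # extra public IP held by the colocated firewall
origin      = "198.51.100.20"  # the single public IP of the real web server
origin_port = "8443"           # alternate port assigned to this site on the origin

# 1. Inbound on WAN: rewrite the destination wan_ip:443 to origin:origin_port
#    before the packet is routed (it will leave through the same interface).
rdr pass on $ext_if proto tcp from any to $wan_ip port 443 -> $origin port $origin_port

# 2. Outbound on WAN: rewrite the source to the firewall's own WAN address.
#    Without this, the origin would answer the client directly and the reply
#    would never match the firewall's state, so the connection would hang.
nat on $ext_if proto tcp from any to $origin port $origin_port -> $wan_ip

# 3. Permit only the relayed flow to that one origin:port pair, so the box is
#    a forwarder for this service and not a general-purpose relay.
pass out on $ext_if proto tcp from $wan_ip to $origin port $origin_port keep state
```

In pfSense's web interface these two translation rules correspond to a Port Forward entry on WAN plus a manual Outbound NAT rule on WAN for the origin address. Two consequences worth planning for: the origin server sees every forwarded connection as coming from `$wan_ip`, so per-client logging and rate limiting have to be done on the firewall rather than on the web server; and because the site is selected by destination port rather than by SNI, the origin must present the correct certificate for each alternate port it listens on.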