I am trying to access my Open WebUI server on my internal network using just a typed URL. I updated my DNS resolver in pfSense with a host override of openwebui.local. This works well for pinging and SSH. I can even access the web console by typing openwebui.local:3000. My goal is to get rid of typing the port after the domain. I thought setting a NAT rule with NAT reflection would work; however, it doesn’t. I do not want external traffic connecting, so I have it set to just work with my secure VLAN where I am connecting to the server from. I know I can edit the /etc/hosts on local machines and do the Windows equivalent but wanted to see if there was a method to do this in pfSense. Is there a method to direct internal port 80 traffic to port 3000 with either DNS or NAT? I know NAT is primarily designed for traffic hitting the WAN but figured there must be a way to accomplish this. Thanks
Do you have pure NAT enabled?
System > Advanced, Firewall & NAT tab
enable NAT reflection: checked
enable auto outbound: checked
I tried his example. I have a Jellyfin server on 10.0.0.73 on port 8096.
When I type in my browser http://10.0.0.73:8096 it shows the Jellyfin page.
Created a port forward rule,
but when I type in my browser http://10.0.0.73 it does not go to Jellyfin.
NAT reflection is selected with pure NAT. I also tried the other options. I do not see a checkbox for enable auto outbound though.
I found those settings, thanks. It still didn’t work.
I think using a reverse proxy such as HAProxy would be the easiest solution here. If you are wanting to try it with just NAT, maybe try switching these two around (see red boxes).
That way when you go to http://10.0.0.73, your browser is destined for that address at port 80 (http runs on 80) and would be NAT’d to 10.0.0.73:8096. Right now it appears that your NAT won’t happen as http is destined to hit port 80 and your “destination” is on 8096. Sounds backwards but may do the trick.
It did not. I made two rules, one for LAN, one for WAN.
Enabled the LAN rule, tried it, will not show the Jellyfin page.
Disabled the LAN rule, enabled the WAN rule, tried again, same.
If that’s the case, I believe implementing a reverse proxy is going to be the best solution to avoid needing to add the :8096 each time. It’ll also be nicer because you can set up a domain and use hostnames (or subdomains) to point to it. Something like jelly.domain.tld rather than IP:port.
Everything is in my LAN, 10.0.0.0/24. I don’t want to access Jellyfin from the outside.
I read in another post someone wanted to access Proxmox without adding the 8006 port.
It would be http://pve4/ without adding the port, http://pve4:8006/
A reverse proxy can also be hosted internally, even on the same server as the application you want it to serve.
If you don’t want to use a domain name and TLS certificates, and everything is running in a single subnet, I would leave pfSense out of the equation entirely.
In this case, the easiest way to achieve what you want would be to install Apache directly on the Jellyfin host and adapt the config from here: Apache | Jellyfin.
I haven’t tested it, but the following should work if you don’t want to use HTTPS:
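# Needs mod_proxy, mod_proxy_http and mod_proxy_wstunnel enabled
# (on Debian/Ubuntu: a2enmod proxy proxy_http proxy_wstunnel)
<VirtualHost *:80>
    ServerName DOMAIN_NAME
    # Pass the original Host header through to the backend
    ProxyPreserveHost On
    # WebSocket endpoint; must come before the catch-all "/" rule
    ProxyPass "/socket" "ws://SERVER_IP_ADDRESS:8096/socket"
    ProxyPassReverse "/socket" "ws://SERVER_IP_ADDRESS:8096/socket"
    # Everything else goes to Jellyfin over plain HTTP on port 8096
    ProxyPass "/" "http://SERVER_IP_ADDRESS:8096/"
    ProxyPassReverse "/" "http://SERVER_IP_ADDRESS:8096/"
    ErrorLog /var/log/apache2/DOMAIN_NAME-error.log
    CustomLog /var/log/apache2/DOMAIN_NAME-access.log combined
</VirtualHost>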
Just make sure to replace DOMAIN_NAME with the IP address of your Jellyfin server and SERVER_IP_ADDRESS with 127.0.0.1 or localhost.
Thank you, I’ll give it a try.