Possible to Use NAT Rules to Route Incoming Traffic on UDMSE?

I watched a great tutorial on the Lawrence Systems YT channel on routing incoming traffic to services hosted on my server. The guide used NAT rules and aliases to route the traffic. This was all done on pfSense; is there an equivalent method for my Unifi Dream Machine SE?

I think you are talking about port forwarding from the NAT section? This is for the UDM Pro, but I’m sure it is the same for the SE.

I’m aware of this, but while it works, it forwards all traffic on port 443 to a specific IP. I am wanting to route traffic for example.io to one IP and example.io/application to a different IP.

Not possible on a UDM SE if both FQDNs are using the same port. If you have multiple WAN IPs you may be able to do this; not sure, as I do not have a UniFi gateway.

You need HAProxy, which is included in pfSense.

Reverse Proxy is the keyword you are looking for. It doesn’t have to be HAProxy or HAProxy on pfSense. But you need to forward port 80/443 to a reverse proxy (e.g. NGINX, HAProxy, Apache etc) which will then redirect client requests to the appropriate backend servers.

I don’t use a Dream Machine myself, but afaik Ubiquiti routers don’t offer reverse proxy functionality like pfSense does with its HAProxy implementation. So you’ll probably need to forward ports 80 and 443 to a device / server / VM behind your UDM, and then set up a reverse proxy on that device / server / VM.


Neither the headers for IP (network layer) nor the ones for TCP and UDP (transport layer) contain any information about the hostname of the destination. This is always part of an application layer protocol, like HTTP. NAT (e.g. port forwarding) and most firewalls only work on the network and transport layers. Therefore, they cannot make forwarding decisions on any higher-layer protocol information like the hostname. As @bb77 pointed out, you need a reverse proxy for that. These work on the application layer (HTTP in this case), and can thus forward requests to different upstream servers based on the hostname, which is included in the Host header field of HTTP.

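Added example, not part of any post in this thread: a Python sketch contrasting what a port-forward rule can key on (protocol and port) with the decision a reverse proxy makes from the HTTP Host header and request path, including the example.io versus example.io/application split asked about above. The internal addresses, the route table and the sample requests are constructed assumptions.

```python
# Constructed addresses and routes for illustration; none come from the thread.
NAT_RULES = {("tcp", 443): "192.168.1.10"}  # port forward: keyed on protocol + port only

# Reverse-proxy table: host -> [(path prefix, upstream)]; longest prefix wins.
ROUTES = {
    "example.io": [("/application", "192.168.1.20:8080"), ("/", "192.168.1.10:8080")],
}

# Constructed sample requests, as the proxy sees them after TLS termination.
REQ_ROOT = b"GET / HTTP/1.1\r\nHost: example.io\r\n\r\n"
REQ_APP = b"GET /application/login?next=1 HTTP/1.1\r\nHost: EXAMPLE.io:443\r\n\r\n"
REQ_OTHER = b"GET / HTTP/1.1\r\nHost: unknown.test\r\n\r\n"

def nat_forward(proto, dst_port):
    """All a port forward can decide on: no hostname or path is visible here."""
    return NAT_RULES.get((proto, dst_port))

def parse_request(raw):
    """Return (host, path) from a raw HTTP/1.1 request head, or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return None
    hosts = [line.split(":", 1)[1].strip() for line in lines[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1 or not hosts[0]:  # missing or duplicate Host header: reject
        return None
    host = hosts[0].lower().partition(":")[0]  # drop an optional :port suffix
    return host, parts[1].split("?", 1)[0]     # path without the query string

def proxy_route(raw):
    """Pick an upstream from Host + path; unknown hosts get no backend at all."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    host, path = parsed
    for prefix, upstream in sorted(ROUTES.get(host, []), key=lambda r: -len(r[0])):
        base = prefix.rstrip("/")
        # Match on a path-segment boundary so /applicationX is not /application.
        if path == base or path.startswith(base + "/"):
            return upstream
    return None

if __name__ == "__main__":
    print("NAT, tcp/443 ->", nat_forward("tcp", 443))
    for req in (REQ_ROOT, REQ_APP, REQ_OTHER):
        print(req.split(b"\r\n")[0].decode(), "->", proxy_route(req))
```

On port 443 the request line and Host header travel inside the TLS session, so the reverse proxy has to terminate TLS (hold the certificate) before it can make this decision.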