Re: [pfSense] HAproxy question
Thanks Chris and Ivo for your responses. I was unaware that our topology for the network was a little unusual, and in fact there is another service outside the firewall listening on the IP I wanted to use. This (unsurprisingly) was making anything trying to use that IP very unreliable.

--cro

On Sat, Dec 12, 2015 at 5:38 AM, Ivo Tonev wrote:
> Run "netstat -anl | grep LISTEN | grep 443" (for tcp) to verify on which
> port/ip haproxy and openvpn are running. OpenVPN doesn't listen on the VIP.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] HAproxy question
On Sat, Dec 12, 2015 at 7:38 AM, Kostas Backas wrote:
> Do you have Snort in your setup? I've seen IPS causing this behavior.

Good suggestion. We don't have it installed however.
Re: [pfSense] HAproxy question
Do you have Snort in your setup? I've seen IPS causing this behavior.

Best regards
Kostas

> On 12 Dec 2015, at 00:13, C. R. Oldham wrote:
>
> Actually I think I characterized this problem the wrong way.
>
> It appears that neither haproxy nor nginx (when used as a proxy) are
> reliable on our pfSense firewall. They will work for a while, then they
> stop passing traffic for a while, then they work a while. Restarting them
> doesn't make them responsive immediately. I am at a loss to explain this.
> I've confirmed there are no other processes listening on port 443 on any IP
> (virtual or physical). If anyone has ideas I'd love to hear them.
>
> --cro
Re: [pfSense] HAproxy question
Run "netstat -anl | grep LISTEN | grep 443" (for tcp) to verify on which port/ip haproxy and openvpn are running. OpenVPN doesn't listen on the VIP.

On 12/12/2015 10:31, "C. R. Oldham" wrote:
> Actually I think I characterized this problem the wrong way.
>
> It appears that neither haproxy nor nginx (when used as a proxy) are
> reliable on our pfSense firewall. They will work for a while, then they
> stop passing traffic for a while, then they work a while. Restarting them
> doesn't make them responsive immediately. I am at a loss to explain this.
> I've confirmed there are no other processes listening on port 443 on any IP
> (virtual or physical). If anyone has ideas I'd love to hear them.
>
> --cro
Re: [pfSense] HAproxy question
On Fri, Dec 11, 2015 at 9:14 AM, C. R. Oldham wrote:
> Greetings,
>
> We've recently replaced both our routers with pfSense. I am using tinc for
> site-to-site VPN and OpenVPN for clients to connect.
>
> Since some of our support engineers often end up onsite with customers, I
> want to enable OpenVPN over TCP port 443--we've noticed that many of our
> customers block outbound UDP, but using the https port works fine.
>
> However, we also have haproxy on our firewall proxying for some web
> applications on port 443, but on a different virtual IP from OpenVPN. If I
> enable OpenVPN on the TCP port, haproxy stops working, even though they are
> listening on different IPs.

One or the other must be bound to *:443 (guessing haproxy since OpenVPN will only bind to a single IP). You can check that with 'sockstat -4' if you want to pursue that further.

It's probably easiest to just run your OpenVPN on some other port on localhost, say port 4443. Then add a port forward on WAN to send 443 on the OpenVPN VIP to 127.0.0.1:4443. Then you can also add port forwards for ports 80, 53, and however many others you want to make available for additional options.
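Ivo's netstat grep and Chris's sockstat check above both come down to one question: is some process bound to the wildcard address on TCP 443, which would shadow every per-VIP listener on that port? The script below is an added example, not code from this thread or from pfSense. It parses `sockstat -4` style output (the sample lines are constructed; the process names, PIDs and 203.0.113.x / 198.51.100.x addresses are assumptions) and reports whether a wildcard bind coexists with address-specific binds on the same port. Connected sockets (foreign address other than `*:*`) are filtered out so only listeners count.

```shell
#!/bin/sh
# Added example: find the process that owns *:PORT when two services are
# supposed to share a port on different VIPs. Input is `sockstat -4` output
# (FreeBSD/pfSense). The sample below is constructed, not captured from the
# poster's firewall; names and addresses are placeholders.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     haproxy    1234  5  tcp4   *:443                 *:*
root     haproxy    1234  7  tcp4   203.0.113.11:443      198.51.100.7:51234
root     openvpn    2345  6  tcp4   203.0.113.10:443      *:*
root     nginx      3456  4  tcp4   203.0.113.11:443      *:*
root     sshd       111   3  tcp4   *:22                  *:*'

# listeners_on PORT
#   Reads sockstat output on stdin and prints "COMMAND LOCAL_ADDRESS" for
#   every TCP *listening* socket on PORT. Fields are positional in sockstat:
#   $2 = COMMAND, $5 = PROTO, $6 = LOCAL ADDRESS, $7 = FOREIGN ADDRESS.
#   A listener has FOREIGN ADDRESS "*:*"; an established connection does not.
listeners_on() {
    awk -v port="$1" '
        NR > 1 && $5 ~ /^tcp/ && $7 == "*:*" {
            n = split($6, a, ":")          # last component is the port
            if (a[n] == port) print $2, $6
        }'
}

# wildcard_conflict PORT
#   Exit 0 (true) if one process listens on *:PORT while another listens on
#   a specific address:PORT. That is exactly the situation in which the
#   wildcard listener wins and the per-VIP listener appears "broken".
wildcard_conflict() {
    listeners_on "$1" | awk '
        $2 ~ /^\*:/  { wild = 1 }
        $2 !~ /^\*:/ { specific = 1 }
        END { exit !(wild && specific) }'
}

# Demonstration on the constructed sample. On a real box use:
#   sockstat -4l | listeners_on 443
#   sockstat -4l | wildcard_conflict 443 && echo "wildcard bind shadows VIP listeners"
echo "Listeners on 443:"
printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners_on 443
if printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_conflict 443; then
    echo "CONFLICT: a *:443 bind coexists with address-specific 443 binds"
else
    echo "no wildcard conflict on 443"
fi
```

If the conflict is on haproxy's side, the fix is to bind haproxy's frontend to the VIP explicitly rather than `*:443`; if OpenVPN is to be moved to localhost as Chris suggests, rerun the check against port 4443 to confirm it shows up as `127.0.0.1:4443` and nothing else claims 443 on the OpenVPN VIP.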
[pfSense] HAproxy question
Greetings,

We've recently replaced both our routers with pfSense. I am using tinc for site-to-site VPN and OpenVPN for clients to connect.

Since some of our support engineers often end up onsite with customers, I want to enable OpenVPN over TCP port 443--we've noticed that many of our customers block outbound UDP, but using the https port works fine.

However, we also have haproxy on our firewall proxying for some web applications on port 443, but on a different virtual IP from OpenVPN. If I enable OpenVPN on the TCP port, haproxy stops working, even though they are listening on different IPs.

I have appropriate firewall rules for both virtual IPs in place.

Can anyone shed some insight on how I can fix this?

Thanks.

--cro