Re: [pfSense] HAproxy question

2015-12-13 Thread C. R. Oldham
Thanks Chris and Ivo for your responses.

I was unaware that our topology for the network was a little unusual and in
fact there is another service outside the firewall listening on the IP I
wanted to use.  This (unsurprisingly) was making anything trying to use
that IP very unreliable.


--cro


On Sat, Dec 12, 2015 at 5:38 AM, Ivo Tonev  wrote:

> Run "netstat -anl | grep LISTEN | grep 443" (for tcp) to verify on which
> port/IP haproxy and openvpn are running. OpenVPN doesn't listen on the VIP.
> On 12/12/2015 10:31, "C. R. Oldham"  wrote:
>
> > Actually I think I characterized this problem the wrong way.
> >
> > It appears that neither haproxy nor nginx (when used as a proxy) are
> > reliable on our pfSense firewall.  They will work for a while, then they
> > stop passing traffic for a while, then they work awhile.  Restarting them
> > doesn't make them responsive immediately.  I am at a loss to explain this.
> > I've confirmed there are no other processes listening on port 443 on any IP
> > (virtual or physical).  If anyone has ideas I'd love to hear them.
> >
> > --cro
> >
> >
> > On Fri, Dec 11, 2015 at 8:14 AM, C. R. Oldham  wrote:
> >
> > > Greetings,
> > >
> > > We've recently replaced both our routers with pfSense.  I am using tinc
> > > for site-to-site VPN and OpenVPN for clients to connect.
> > >
> > > Since some of our support engineers often end up onsite with customers, I
> > > want to enable OpenVPN over TCP port 443--we've noticed that many of our
> > > customers block outbound UDP, but using the https port works fine.
> > >
> > > However, we also have haproxy on our firewall proxying for some web
> > > applications on port 443, but on a different virtual IP from OpenVPN.  If I
> > > enable OpenVPN on the TCP port, haproxy stops working, even though they
> > > are listening on different IPs.
> > >
> > > I have appropriate firewall rules for both virtual IPs in place.
> > >
> > > Can anyone shed some insight on how I can fix this?
> > >
> > > Thanks.
> > >
> > > --cro
> > >
> > >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> >


Re: [pfSense] HAproxy question

2015-12-13 Thread C. R. Oldham
On Sat, Dec 12, 2015 at 7:38 AM, Kostas Backas  wrote:

> Do you have Snort in your setup? I've seen IPS causing this behavior.
>
>
Good suggestion.  We don't have it installed however.


Re: [pfSense] HAproxy question

2015-12-12 Thread Kostas Backas
Do you have Snort in your setup? I've seen IPS causing this behavior.

Best regards

Kostas

Sent from my iPhone

> On 12 Dec 2015, at 00:13, C. R. Oldham  wrote:
> 
> Actually I think I characterized this problem the wrong way.
> 
> It appears that neither haproxy nor nginx (when used as a proxy) are
> reliable on our pfSense firewall.  They will work for a while, then they
> stop passing traffic for a while, then they work awhile.  Restarting them
> doesn't make them responsive immediately.  I am at a loss to explain this.
> I've confirmed there are no other processes listening on port 443 on any IP
> (virtual or physical).  If anyone has ideas I'd love to hear them.
> 
> --cro
> 
> 
>> On Fri, Dec 11, 2015 at 8:14 AM, C. R. Oldham  wrote:
>> 
>> Greetings,
>> 
>> We've recently replaced both our routers with pfSense.  I am using tinc
>> for site-to-site VPN and OpenVPN for clients to connect.
>> 
>> Since some of our support engineers often end up onsite with customers, I
>> want to enable OpenVPN over TCP port 443--we've noticed that many of our
>> customers block outbound UDP, but using the https port works fine.
>> 
>> However, we also have haproxy on our firewall proxying for some web
>> applications on port 443, but on a different virtual IP from OpenVPN.  If I
>> enable OpenVPN on the TCP port, haproxy stops working, even though they are
>> listening on different IPs.
>> 
>> I have appropriate firewall rules for both virtual IPs in place.
>> 
>> Can anyone shed some insight on how I can fix this?
>> 
>> Thanks.
>> 
>> --cro

Re: [pfSense] HAproxy question

2015-12-12 Thread Ivo Tonev
Run "netstat -anl | grep LISTEN | grep 443" (for tcp) to verify on which
port/IP haproxy and openvpn are running. OpenVPN doesn't listen on the VIP.
On 12/12/2015 10:31, "C. R. Oldham"  wrote:

> Actually I think I characterized this problem the wrong way.
>
> It appears that neither haproxy nor nginx (when used as a proxy) are
> reliable on our pfSense firewall.  They will work for a while, then they
> stop passing traffic for a while, then they work awhile.  Restarting them
> doesn't make them responsive immediately.  I am at a loss to explain this.
> I've confirmed there are no other processes listening on port 443 on any IP
> (virtual or physical).  If anyone has ideas I'd love to hear them.
>
> --cro
>
>
> On Fri, Dec 11, 2015 at 8:14 AM, C. R. Oldham  wrote:
>
> > Greetings,
> >
> > We've recently replaced both our routers with pfSense.  I am using tinc
> > for site-to-site VPN and OpenVPN for clients to connect.
> >
> > Since some of our support engineers often end up onsite with customers, I
> > want to enable OpenVPN over TCP port 443--we've noticed that many of our
> > customers block outbound UDP, but using the https port works fine.
> >
> > However, we also have haproxy on our firewall proxying for some web
> > applications on port 443, but on a different virtual IP from OpenVPN.  If I
> > enable OpenVPN on the TCP port, haproxy stops working, even though they are
> > listening on different IPs.
> >
> > I have appropriate firewall rules for both virtual IPs in place.
> >
> > Can anyone shed some insight on how I can fix this?
> >
> > Thanks.
> >
> > --cro
> >
> >


Re: [pfSense] HAproxy question

2015-12-12 Thread Chris Buechler
On Fri, Dec 11, 2015 at 9:14 AM, C. R. Oldham  wrote:
> Greetings,
>
> We've recently replaced both our routers with pfSense.  I am using tinc for
> site-to-site VPN and OpenVPN for clients to connect.
>
> Since some of our support engineers often end up onsite with customers, I
> want to enable OpenVPN over TCP port 443--we've noticed that many of our
> customers block outbound UDP, but using the https port works fine.
>
> However, we also have haproxy on our firewall proxying for some web
> applications on port 443, but on a different virtual IP from OpenVPN.  If I
> enable OpenVPN on the TCP port, haproxy stops working, even though they are
> listening on different IPs.
>

One or the other must be bound to *:443 (guessing haproxy since
OpenVPN will only bind to a single IP). You can check that with
'sockstat -4' if you want to pursue that further.

It's probably easiest to just run your OpenVPN on some other port on
localhost, say port 4443. Then add a port forward on WAN to send 443
on the OpenVPN VIP to 127.0.0.1:4443. Then you can also add port
forwards for ports 80, 53, and however many others you want to make
available for additional options.
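Chris's reply above suggests checking with 'sockstat -4' for a daemon bound to *:443, and Ivo's reply in this thread suggests the same check with netstat. The script below is an added example, not code from the thread or from pfSense: it parses sockstat-style listener lines and reports when a wildcard *:443 bind coexists with a per-IP 443 bind, which is exactly the situation in which the wildcard listener takes the connections the per-VIP listener was meant to get. The sockstat output, process names, PIDs and addresses (RFC 5737 documentation ranges) are constructed for the example; on a real firewall you would feed it live output as shown in the final comment.

```sh
#!/bin/sh
# Added example (not from the thread): find a wildcard (*:PORT) listener that
# shadows a per-IP listener on the same port, from `sockstat -4 -l` output.
# The sample below is constructed; the column layout follows FreeBSD sockstat.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     haproxy    1234  5  tcp4   *:443                 *:*
root     openvpn    2345  6  tcp4   203.0.113.11:443      *:*
root     openvpn    2346  7  udp4   203.0.113.10:1194     *:*
root     sshd       999   4  tcp4   192.0.2.1:22          *:*
root     nginx      3456  8  tcp4   203.0.113.10:80       *:*'

# wildcard_listeners PORT: print "COMMAND PID PROTO" for each TCP socket bound
# to *:PORT. Reads sockstat lines on stdin; the header is skipped because its
# PID column is not numeric.
wildcard_listeners() {
    awk -v port="$1" '
        $3 ~ /^[0-9]+$/ && $5 ~ /^tcp/ && $6 == ("*:" port) { print $2, $3, $5 }
    '
}

# listeners_on_port PORT: print "COMMAND PID LOCAL" for every TCP listener on
# PORT, whatever local IP it is bound to.
listeners_on_port() {
    awk -v port="$1" '
        $3 ~ /^[0-9]+$/ && $5 ~ /^tcp/ {
            n = split($6, a, ":"); if (a[n] == port) print $2, $3, $6
        }
    '
}

# port_conflict PORT: succeed (exit 0) when a wildcard bind and at least one
# per-IP bind exist on PORT at the same time; fail (exit 1) otherwise.
port_conflict() {
    port="$1"
    input=$(cat)
    wild=$(printf '%s\n' "$input" | wildcard_listeners "$port" | wc -l | tr -d ' ')
    total=$(printf '%s\n' "$input" | listeners_on_port "$port" | wc -l | tr -d ' ')
    [ "$wild" -gt 0 ] && [ "$total" -gt "$wild" ]
}

# On the firewall itself the real invocation is:  sockstat -4 -l | port_conflict 443
if printf '%s\n' "$SAMPLE_SOCKSTAT" | port_conflict 443; then
    echo "port 443: a wildcard listener shadows a per-IP listener:"
    printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners_on_port 443
fi
```

In the constructed sample the script reports haproxy on *:443 beside openvpn on 203.0.113.11:443, which is the conflict Chris describes. The two ways out are the ones the thread gives: bind haproxy's frontend to the specific VIP address instead of the wildcard, or keep OpenVPN off 443 entirely (for instance on 127.0.0.1:4443 as Chris suggests) and add a WAN port forward from TCP 443 on the OpenVPN VIP to that localhost port. Note that this check only sees sockets on the firewall; the root cause C. R. Oldham eventually found, another device outside the firewall answering on the same IP, would not show up here and needs a look at the network (ARP) rather than at listening sockets.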


[pfSense] HAproxy question

2015-12-11 Thread C. R. Oldham
Greetings,

We've recently replaced both our routers with pfSense.  I am using tinc for
site-to-site VPN and OpenVPN for clients to connect.

Since some of our support engineers often end up onsite with customers, I
want to enable OpenVPN over TCP port 443--we've noticed that many of our
customers block outbound UDP, but using the https port works fine.

However, we also have haproxy on our firewall proxying for some web
applications on port 443, but on a different virtual IP from OpenVPN.  If I
enable OpenVPN on the TCP port, haproxy stops working, even though they are
listening on different IPs.

I have appropriate firewall rules for both virtual IPs in place.

Can anyone shed some insight on how I can fix this?

Thanks.

--cro