Re: FreeBSD with options transparent not working.

2013-07-12 Thread jinge
Hi PiBa-NL,

I just checked my config as you advised, and found that the pf.conf is not correct,
as I use rdr:

rdr on vlan64 proto tcp from any to any -> 127.0.0.1 port 

The dst is changed. So I changed to ipfw, and it seems to get things done:

ipfw add fwd 127.0.0.1, tcp from any to any via vlan64 in

And thank you for your advice!

And there is another question. If I use pf, can it also do this like ipfw?
And how can I configure it?

Regards
Jinge



On 2013-7-12, at 2:47 AM, PiBa-NL piba.nl@gmail.com wrote:


Re: FreeBSD with options transparent not working.

2013-07-11 Thread jinge
Hi, Baptiste!

But I just tested this and it was no use.

Regards
Jinge



On 2013-7-11, at 5:35 PM, Baptiste bed...@gmail.com wrote:

 Hi Jinge,
 
 Could you update your source statement to:
 source 0.0.0.0 usesrc clientip
 
 And let us know if that fixed your issue.
 
 Baptiste
 
 
 On Thu, Jul 11, 2013 at 11:25 AM, jinge altman87...@gmail.com wrote:
 Hi, all!
 
 We use HAProxy for our web system, and there is a rule that if it is not HTTP
 it will go to the backend Direct, which is client-side transparent proxying.
 Here is the configuration. But we found that the Direct backend is not
 working. Can anyone tell me, is there any problem in my configuration? Or
 should there be any tuning on my FreeBSD?
 
 global
   pidfile /var/run/haproxy.pid
   maxconn 20
   maxpipes 5
   daemon
   stats socket /tmp/haproxy.sock
   nbproc 4
   spread-checks 5
   tune.rcvbuf.client 16384
   tune.rcvbuf.server 16384
   tune.sndbuf.client 32768
   tune.sndbuf.server 16384
 
 defaults
   #TCP SECTION
   maxconn 20
   backlog 32768
   timeout connect 5s
   timeout client 60s
   timeout server 60s
   timeout queue 60s
   timeout check 10s
   timeout http-request 15s
   timeout http-keep-alive 1s
   timeout tunnel 3600s
   option tcpka
 
   #HTTP SECTION
   hash-type consistent
   option accept-invalid-http-request
   option accept-invalid-http-response
   option redispatch
   option http-server-close
   option http-pretend-keepalive
   retries 2
   option httplog
   no option checkcache
 
   #SYSTEM SECTION
   option dontlog-normal
   option dontlognull
   option log-separate-errors
 
 # frontend ##
 frontend tcp-in
   bind :
   mode tcp
   log global
   option tcplog
 
   tcp-request inspect-delay 30s
   tcp-request content accept if HTTP
 
   use_backend NginxCluster if HTTP
   default_backend Direct
 
 backend NginxCluster
   mode http
   option abortonclose
   balance uri whole
   log global
   source 0.0.0.0
   server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
   server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
   server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1
 
 backend Direct
   mode tcp
   log global
   option tcplog
   no option httpclose
   no option http-server-close
   no option accept-invalid-http-response
   no option http-pretend-keepalive
   option transparent
 
 Regards
 Jinge
 

Re: FreeBSD with options transparent not working.

2013-07-11 Thread Baptiste
So the problem might be in the way you compiled HAProxy or you have
configured your OS.
Unfortunately, I can't help on FreeBSD :'(

Baptiste

On Thu, Jul 11, 2013 at 11:55 AM, jinge altman87...@gmail.com wrote:

Re: FreeBSD with options transparent not working.

2013-07-11 Thread PiBa-NL

Hi Jinge,

What version of FreeBSD do you run? What firewall does it use, pf or ipfw?
What does haproxy -vv show? (version/transparent options)

Can you write a little about the network topology and what isn't working 
about it?

For example like this:
ClientMachine = 172.16.1.100/24
Haproxy LAN1 = 172.16.1.1/24
Haproxy LAN2 = 192.168.1.1/24
Server1 = 192.168.1.101/24
Now ClientMachine sends a TCP request to 192.168.1.101. This request is 
routed through the haproxy machine, which functions as a 'router', but 
the request is also intercepted by the machine's firewall (make sure NOT 
to use a standard port-forward rule, as it will change the destination IP) 
and redirected to the haproxy process, which determines it's not HTTP, 
and then sends the traffic on to Server1 using option transparent.
The question then is: does Server1 ever receive a SYN packet (check with 
tcpdump/wireshark)?

Does HAProxy show all backends as 'available' in the stats page?

Does the client machine use the proper IP (so NOT the haproxy IP) for 
connecting to Server1, and is traffic routed through the haproxy machine?


Is this what doesn't currently work?
Or is the trouble with the nginx machines not being able to be 
connected with the original client IP?


There are 3 different HAProxy options called or referred to as 
'transparent', which makes it also a bit difficult to see which option 
you're asking about:

A- option transparent (for sending the connection to the original destination)
B- source 0.0.0.0 usesrc clientip (for sending the client IP to the backend 
servers)

C- bind transparent (for binding to a non-local (CARP?) IP address)

I'm sure C is not what you're asking about, but I'm unclear if your 
current issue is with A or B.


Could you try and make the smallest possible haproxy configuration that 
still contains the problem you currently experience?


Greets PiBa-NL

On 11-7-2013 14:38, Baptiste wrote:
