Messages - DoomSalamander

#1
Hello,
thanks for this great guide. I am trying to get a connection to a Jellyfin server working and at first glance the proxy works, but for whatever reason it loads extremely slowly or does not load at all (probably due to a timeout). In the firewall logs I can see that the ports are not being blocked and Jellyfin is being accessed on the correct port coming from the interface gateway. Is this correct behaviour or should it come from the proxy server IP?

Here is my full HAProxy config. I have checked it multiple times and I think it is set up correctly. The only difference is that I haven't checked the SSL mark for the real server Jellyfin since I have not set up a certificate on it yet but maybe I have just overlooked something.

The server is on its own VLAN; maybe this causes issues too.

#
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
    bind 127.1.0.1:80 name 127.1.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    maxconn 10

    # logging options
    # ACL: NoSSL_condition
    acl acl_641d7e3e6bda64.61444458 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_641d7e3e6bda64.61444458

# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
    bind 127.1.0.1:443 name 127.1.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/641d813861abd5.14037775.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    option log-separate-errors
    option httplog
    option socket-stats

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/641d81c0801b87.43530099.txt)]

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server 127.1.0.1 send-proxy-v2 check-send-proxy

# Backend: Jellyfin_Backend ()
backend Jellyfin_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Jellyfin_Server 10.0.0.2:8096



# statistics are DISABLED



In the logs I see some errors when trying to access Jellyfin:

2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.814] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69396 -1 0 - - CC-- 2/1/0/0/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Resume?Limit=12&Recursive=true&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&EnableTotalRecordCount=false&MediaTypes=Book HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/1/1/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=2c29078a81f6a6f262bb18c85a177434 HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/2/2/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=7a2175bccb1f1a94152cbd2b2bae8f6d HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/3/3/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=c5b5a7b14778a8f0c4eb996823229f65 HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69380 -1 0 - - CC-- 2/1/4/4/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=0c41907140d802bb58430fed7e2cd79e HTTP/2.0"
2023-03-28T07:32:35 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:32:05.583] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/4/30007 200 245 - - ---- 2/1/5/5/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/System/Endpoint HTTP/2.0"
2023-03-28T07:32:29 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:29.401] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/5/60069 101 392 - - sD-- 2/1/6/6/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/socket?api_key=67299c39e6ab4eb084116da10f7866b9&deviceId=TW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDEyOyBYUS1BUzUyKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEwLjAuNTQ4MS4xOTIgTW9iaWxlIFNhZmFyaS81MzcuMzYgT1BSLzc0LjEuMzkyMi43MTE5OXwxNjc5ODA2ODI4MzI2 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30000/8/30008 200 1154 - - ---- 2/1/7/7/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=3a6e3078ba2b0ad4408f206c9abe65a4 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.811] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/9/30020 200 256 - - ---- 2/1/8/8/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Resume?Limit=12&Recursive=true&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&EnableTotalRecordCount=false&MediaTypes=Audio HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.528] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/2/30005 200 1095 - - ---- 2/1/9/9/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.493] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/2/30013 200 1095 - - ---- 2/1/10/10/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:31:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:29.401] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/4/30007 200 1097 - - ---- 2/1/10/10/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/0/4/8566 101 392 - - CD-- 2/1/0/0/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/socket?api_key=67299c39e6ab4eb084116da10f7866b9&deviceId=TW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDEyOyBYUS1BUzUyKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEwLjAuNTQ4MS4xOTIgTW9iaWxlIFNhZmFyaS81MzcuMzYgT1BSLzc0LjEuMzkyMi43MTE5OXwxNjc5ODA2ODI4MzI2 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8566 -1 0 - - CC-- 2/1/1/1/0 0/0 "POST https://jellyfin.MYDOMAIN.dedyn.io/Sessions/Capabilities/Full HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8566 -1 0 - - CC-- 2/1/2/2/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8558 -1 0 - - CC-- 2/1/3/3/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/DisplayPreferences/usersettings?userId=0d64d22975ba4cd6a57253d0e138c432&client=emby HTTP/2.0"
2023-03-28T07:30:35 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:05.079] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/3/30014 302 121 - - ---- 2/1/0/0/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/ HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:31.309] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/60030 -1 0 - - CC-- 1/1/0/0/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=7a2175bccb1f1a94152cbd2b2bae8f6d HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:30.979] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/60361 -1 0 - - CC-- 1/1/1/1/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:31.309] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/60021/-1/60030 -1 1220 - - CD-- 1/1/2/2/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=2c29078a81f6a6f262bb18c85a177434 HTTP/2.0"
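
Added example, not part of the original post: a small parser for the HAProxy `option httplog` lines shown above that pulls out the TR/Tw/Tc/Tr/Ta timers, the termination state and the retry counter, flags connects that ran into `timeout connect` (30s in the posted config), and drops query strings (such as the `api_key` parameter) before the lines are shared. The sample lines, the address 192.0.2.10 and the host jellyfin.example.test are constructed.

```python
import re

# HAProxy "option httplog" layout; search() skips any syslog prefix before the client address.
LOG_RE = re.compile(
    r'(?P<client>\S+):\d+ \[[^\]]+\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>\+?-?\d+) '
    r'(?P<status>-?\d+) \+?\d+ \S+ \S+ (?P<term>\S{4}) '
    r'\d+/\d+/\d+/\d+/\+?(?P<retries>\d+) \d+/\d+ "(?P<request>[^"]*)"'
)
# First two characters of the termination state: who ended the session, and in which phase.
CAUSE = {"C": "client aborted", "S": "server aborted",
         "c": "client-side timeout", "s": "server-side timeout"}
PHASE = {"R": "while waiting for the request", "Q": "while queued",
         "C": "while waiting for the server connection",
         "H": "while waiting for response headers", "D": "during data transfer"}

def diagnose(line, connect_timeout_ms=30000):
    """Parse one httplog line; return fields plus findings, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {k: int(m[k]) for k in ("TR", "Tw", "Tc", "Tr", "Ta", "status", "retries")}
    rec["term"] = m["term"]
    # Query strings can carry credentials (an api_key parameter), so drop them.
    rec["request"] = re.sub(r'\?\S*', '?<redacted>', m["request"])
    findings = []
    # Tc is the total connect time including retries, so this pattern means
    # at least one connection attempt ran into the connect timeout.
    if rec["Tc"] >= connect_timeout_ms and rec["retries"] > 0:
        findings.append("Tc >= timeout connect with a retry logged: a connect attempt timed out")
    cause, phase = m["term"][0], m["term"][1]
    if cause != "-":
        findings.append(f"{CAUSE.get(cause, cause)} {PHASE.get(phase, phase)}")
    rec["findings"] = findings or ["completed normally"]
    return rec

# Constructed sample lines in the same layout as the log excerpt in the post.
PREFIX = ('2023-03-28T07:32:35 Error haproxy 192.0.2.10:9644 [28/Mar/2023:07:32:05.583] '
          '1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server ')
HOST = "https://jellyfin.example.test"
SAMPLE = [
    PREFIX + f'0/0/30003/4/30007 200 245 - - ---- 2/1/5/5/1 0/0 "GET {HOST}/System/Endpoint HTTP/2.0"',
    PREFIX + f'0/0/-1/-1/8566 -1 0 - - CC-- 2/1/1/1/0 0/0 "POST {HOST}/Sessions/Capabilities/Full HTTP/2.0"',
    PREFIX + f'0/0/0/4/8566 101 392 - - CD-- 2/1/0/0/0 0/0 "GET {HOST}/socket?api_key=EXAMPLE HTTP/2.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = diagnose(line)
        print(rec["Tc"], rec["term"], rec["request"], "->", "; ".join(rec["findings"]))
```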


#2
This seems very similar to my issue. One of my WANs loses connection and routes the traffic like it should to the different WAN but at times doesn't route the traffic through the other WAN again when it is back up. I also don't use sticky connections.
#3
Hello,
I am using multi-WAN with a PPPoE Telekom and a DHCP Unitymedia connection, and recently I have noticed that when the DHCP gateway goes down it doesn't always load-balance or use the specified gateway properly anymore. This happens after some time. Maybe every 24 or so, I am not sure yet. I have set up HTTPS to use the Unitymedia line, and when this issue happens it switches to the Telekom line like it should (checked by looking up the IP online) but doesn't switch back, and the load balancing gateway group rules don't work anymore either. When I log into OPNsense I then see both gateways up and running.

I have to change something in the firewall to fix this, like enabling shared forwarding or editing a rule. I have the disable force gateway option enabled and have set up the gateway groups in the rules to use with monitoring enabled. Which logs would help to get to the root of the problem?
#4
21.1 Legacy Series / Re: Having some UPnP issues.
May 26, 2021, 03:33:13 PM
Quote from: FullyBorked on May 26, 2021, 03:29:29 PM
Quote from: DoomSalamander on May 26, 2021, 03:25:41 PM
Then I wonder why the PS4 is even working because I haven't set up a single port forward rule yet. I only have rules on the network the PS4 is on and very few ports on the outgoing NAT side that are static.

Maybe you haven't played anything yet that requires port forwards?  That would be my only thought.  Not every game requires a port forward.  Usually peer to peer games do, but dedicated server games or single player titles do not.  It's mostly rare at  this point that I hit games that require it.  Warframe for example does require UPnP to function correctly since it's peer to peer.

I think this might be it. He only uses very few games such as COD Warzone and NBA2k20. I think he only uses like 4 games. He hasn't complained yet so I guess. Set it and forget it. Didn't bother doing UPnP since I haven't managed to make it work since then.
#5
21.1 Legacy Series / Re: Having some UPnP issues.
May 26, 2021, 03:25:41 PM
Then I wonder why the PS4 is even working because I haven't set up a single port forward rule yet. I only have rules on the network the PS4 is on and very few ports on the outgoing NAT side that are static.
#6
21.1 Legacy Series / Re: Having some UPnP issues.
May 26, 2021, 03:14:33 PM
Quote from: FullyBorked on May 26, 2021, 03:04:02 PM
Quote from: DoomSalamander on May 26, 2021, 03:00:20 PM
I am not even using UPnP and I have a PS4 working fine so far. I gave the PS4 a static IP and its own network for easy management and allowed a bunch of port ranges and some outbound ports that are static. I also use a multi-WAN setup. Should I even bother using UPnP if I am able to make the console work without it? When I tried to make it work it didn't work.
Sounds like you've manually done what UPnP should do automatically.  It's up to you if you'd rather UPnP do it or you continue manually as you have.


I have set it up for a friend that shares the internet with me and he is only using a few games. Doesn't UPnP also do automatic port forwarding which can be pretty dangerous? I am just wondering which solution is more secure.
#7
21.1 Legacy Series / Re: Having some UPnP issues.
May 26, 2021, 03:00:20 PM
I am not even using UPnP and I have a PS4 working fine so far. I gave the PS4 a static IP and its own network for easy management and allowed a bunch of port ranges and some outbound ports that are static. I also use a multi-WAN setup. Should I even bother using UPnP if I am able to make the console work without it? When I tried to make it work it didn't work.
#8
Quote from: mimugmail on April 26, 2021, 06:01:32 AM
Jason told me it should work now

This is great to hear. This also means load balancing with two Wireguard connections should be possible then too right? Would love to try this out at some point.
#9
I'm very curious about the kernel implementation of Wireguard and I have already tried it out and was able to nearly max out my 1gbit connection on an AM4 200GE. I am really loving the performance of Wireguard so far, and even more the kernel version; however, the only downside I have noticed playing around with Wireguard so far is that you can't use two Wireguard connections on two different WAN interfaces. Currently Wireguard will always use the default gateway no matter what you do. I am wondering if it would be possible to implement dual WAN support with the new kernel version?
#10
20.1 Legacy Series / Re: Wireguard bypass for IPTV
June 10, 2020, 07:05:19 AM
I have since figured out how to do it. Had to manually assign a gateway for Wireguard and then specifically assign a different gateway as a firewall rule.
#11
I have had very strange behavior since I upgraded to 20.1. When I create or delete a rule, sometimes it creates 3 duplicates of the same rule or, even worse, when I delete a rule it deletes a bunch of them. Rules even get removed that are assigned on a different interface! I don't know how this happens. Sometimes it happens nearly every time I create a rule and sometimes it only happens rarely.
#12
20.1 Legacy Series / Re: Wireguard bypass for IPTV
June 02, 2020, 11:26:37 PM
I have found the solution to exclude hosts from using the VPN, and while it does indeed work by simply adding a firewall rule to LAN and changing the gateway, this solution doesn't work with IPTV traffic that uses IGMP. I haven't found a way yet to get the TV working with the VPN running on the OPNsense machine.
#13
20.1 Legacy Series / Wireguard bypass for IPTV
June 01, 2020, 09:29:27 PM
Hello, I managed to integrate Wireguard via Mullvad into my OPNsense machine but I need a way to bypass my IPTV traffic. From what I have read the allowed IPs in Endpoints might be the right option? I use 3 subnets. One for LAN, WLAN and one IPTV. I tried to insert my two subnets to exclude the IPTV net but this only results in no device using the VPN.
#14
The problem hasn't been happening for a few days. I honestly don't know what is going on anymore. I did what you suggested and so far it has been good.
#15
Quote from: marjohn56 on July 15, 2019, 09:38:46 AM
Your ISP needs shooting. Doing a lease of 30 minutes on IPv6 is madness. A 30 minute lease will renew at half the interval so 15 minutes.

My ISP is Telekom Germany btw. Germany is really behind internet-wise... I am also not sure if this 30 minute lease is correct but it seems really crazy to me too. I guess there is nothing that I can really do about it. Maybe gonna call them later about that.