Messages - mauro

#1
Hi there,

Still working on it, and further help is welcome.

After checking around I thought that assigning IPs as X.X.X.X/32 to peers would cause the issue.

I changed all the confs but it seems nothing has really changed, so I was possibly wrong.

Thanks for helping
#2
Thanks Patrick for your prompt reply.

I think I have the settings correct, since I can connect to the server and ping it with no problem. By all means, I briefly list my configuration below, but unfortunately I don't know where the proper config files are stored.

Server side
Instance setting

Name: wg1
public and private key self generated
Port: 51820
tunnel address: 192.168.2.1/24
Peers: list of peers I allow to connect to this instance


Peer setting (one for all)

name: wg1_peer1
public key: as generated by the client
Allowed IPs: 192.168.2.100/32 (the other peers have different IPs but the same subnet)
endpoint address: blank
Endpoint port: blank
Instance: wg1


Local config file (wg1_peer1):

[Interface]
PrivateKey = XXXXXXXX
Address = 192.168.2.100/32


[Peer]
PublicKey = YYYYYYYY
AllowedIPs = 192.168.2.0/24
Endpoint = example.domain:51820


My doubt now is that this issue is a forwarding problem. I also have an OpenVPN server set up and I can browse the OpenVPN net, but obviously on different IPs. Is there anything I might need to specify on the WireGuard instance?

Regarding firewall rules, there is only one under the wg1 instance, which allows everything from everywhere.

Cheers
#3
Dear all,
I got stuck somewhere with WireGuard and can't get my head around it.

I've installed WireGuard and set up an instance which I can reach and connect to. I can ping the WG server with no problem.

At the moment I can't connect to the other machines connected to the same WG instance. If I try to ping the IPs, all packets are lost. Every PC can instead ping the server, and the reverse.

I followed the official OPNsense tutorial but still have no clue why this is happening.

Does anyone have some leads to follow?

thanks
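Added example (not from the thread, and not OPNsense's or WireGuard's own code): a small Python model of WireGuard cryptokey routing, traced across the hub-and-spoke layout described in the two posts above. The configs are constructed to match the shape of the posted ones (hub 192.168.2.1/24, spokes /32, client AllowedIPs 192.168.2.0/24), the keys are placeholders, and the hub's public key is passed in explicitly because this model does not derive it from PrivateKey. The point it shows: AllowedIPs is both the egress route and the ingress source filter on each side, and a spoke-to-spoke packet additionally needs the hub to forward between its own tunnel peers (IP forwarding plus a firewall pass rule), which is modelled here as a single flag.

```python
"""Model WireGuard cryptokey routing for a hub-and-spoke setup and trace a
packet from one spoke to another. Added example; configs are constructed and
the keys are placeholders, not real WireGuard keys."""
import ipaddress


def parse_wg_conf(text):
    """Parse a wg-quick style file into {"interface": {...}, "peers": [{...}, ...]}.
    Lines are split on the first '=' only, so base64 keys ending in '=' survive."""
    conf = {"interface": {}, "peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            if line.strip("[]").strip().lower() == "interface":
                current = conf["interface"]
            else:
                current = {}
                conf["peers"].append(current)
            continue
        key, _, value = line.partition("=")
        if current is not None:
            current[key.strip().lower()] = value.strip()
    return conf


class WgNode:
    """One WireGuard interface: tunnel address, placeholder public key, peers' AllowedIPs."""

    def __init__(self, name, public_key, text):
        conf = parse_wg_conf(text)
        self.name = name
        self.public_key = public_key  # assumption: supplied, since wg derives it from PrivateKey
        self.address = ipaddress.ip_interface(conf["interface"]["address"])
        self.peers = []
        for p in conf["peers"]:
            nets = [ipaddress.ip_network(n.strip()) for n in p.get("allowedips", "").split(",") if n.strip()]
            self.peers.append((p["publickey"], nets))

    def route(self, dst):
        """Egress: peer whose AllowedIPs has the longest prefix covering dst, else None."""
        best = None
        for key, nets in self.peers:
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (key, net)
        return best[0] if best else None

    def accepts(self, key, src):
        """Ingress: a decrypted packet from peer `key` is kept only if src is in that peer's AllowedIPs."""
        return any(src in net for k, nets in self.peers if k == key for net in nets)


def trace_spoke_to_spoke(a, b, hub, hub_forwards):
    """Walk one packet from spoke a to node b via the hub; returns (delivered, reason)."""
    src, dst = a.address.ip, b.address.ip
    if a.route(dst) != hub.public_key:
        return False, f"{a.name}: no AllowedIPs entry sends {dst} into the tunnel"
    if not hub.accepts(a.public_key, src):
        return False, f"{hub.name}: drops it, source {src} is outside {a.name}'s AllowedIPs"
    if dst == hub.address.ip:
        return True, "delivered to the hub itself"
    # Between two spokes the hub must route between its own tunnel peers:
    # IP forwarding enabled and a firewall rule passing wg-to-wg traffic.
    if not hub_forwards:
        return False, f"{hub.name}: IP forwarding off or firewall blocks wg-to-wg traffic"
    if hub.route(dst) != b.public_key:
        return False, f"{hub.name}: no AllowedIPs entry sends {dst} to {b.name}"
    if not b.accepts(hub.public_key, src):
        return False, f"{b.name}: drops it, source {src} is outside the hub peer's AllowedIPs"
    return True, f"{a.name} -> {hub.name} -> {b.name}"


HUB_KEY, A_KEY, B_KEY = "HUB_PUBKEY=", "PEER1_PUBKEY=", "PEER2_PUBKEY="  # placeholders

HUB = WgNode("wg1", HUB_KEY, f"""
[Interface]
PrivateKey = hub-private-placeholder
Address = 192.168.2.1/24
ListenPort = 51820

[Peer]
PublicKey = {A_KEY}
AllowedIPs = 192.168.2.100/32

[Peer]
PublicKey = {B_KEY}
AllowedIPs = 192.168.2.101/32
""")


def spoke(name, key, address, allowed):
    """Constructed client config shaped like the one posted in the thread."""
    return WgNode(name, key, f"""
[Interface]
PrivateKey = spoke-private-placeholder
Address = {address}

[Peer]
PublicKey = {HUB_KEY}
AllowedIPs = {allowed}
Endpoint = example.domain:51820
""")


PEER1 = spoke("wg1_peer1", A_KEY, "192.168.2.100/32", "192.168.2.0/24")
PEER2 = spoke("wg1_peer2", B_KEY, "192.168.2.101/32", "192.168.2.0/24")
# Same spokes with AllowedIPs narrowed to the hub address only.
PEER1_HUB_ONLY = spoke("wg1_peer1", A_KEY, "192.168.2.100/32", "192.168.2.1/32")
PEER2_HUB_ONLY = spoke("wg1_peer2", B_KEY, "192.168.2.101/32", "192.168.2.1/32")

if __name__ == "__main__":
    print(trace_spoke_to_spoke(PEER1, PEER2, HUB, hub_forwards=True))
    print(trace_spoke_to_spoke(PEER1, PEER2, HUB, hub_forwards=False))
    print(trace_spoke_to_spoke(PEER1_HUB_ONLY, PEER2, HUB, hub_forwards=True))
    print(trace_spoke_to_spoke(PEER1, PEER2_HUB_ONLY, HUB, hub_forwards=True))
```

With the posted shape (hub /24, spokes /32, client AllowedIPs covering the whole /24) the cryptokey routing side is consistent in both directions, and the remaining variable is whether the hub forwards between its peers; narrowing a client's AllowedIPs to the hub's /32 instead stops spoke-to-spoke traffic on the client itself, once on egress and once as a dropped inbound source.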
#4
Tutorials and FAQs / Re: FTP Proxy Howto
June 13, 2023, 11:54:28 PM
Dear all,

I would say I followed this tutorial but I'm still not able to connect to the local FTP server.

I only need to set up access to a local FTP from the LAN to start and then from the WAN once everything works

These are my steps, not far from this tutorial:
- create an alias for the FTP proxy server: 127.49.49.1
- FTP Proxy: loopback FTP proxy server, 127.49.49.1:8822 to the local FTP server IP:21
- LAN address NAT to the FTP proxy server (TCP, LAN address, dport 21 redirect to 127.49.49.1:8822)

If I check the log on the FTP server there is no logged connection from 127.49.49.1, and also no packets passed through the FTP iptables rules.

The FTP proxy is up and running (green light in the dashboard and allocated web page) but seems not to be forwarding the info. Has anybody faced a similar issue?

Thanks in advance
#5
General Discussion / PPPOE and WAN configuration
June 01, 2023, 11:18:49 AM
Dear all,
I have OPNsense connected via Ethernet cable to the modem.

At the moment OPNsense manages the PPPoE connection.

My questions are:
1) do I have to assign a network to the interface used between the modem and the FW?
2) which interface should be set as WAN, the network to the modem or the actual PPPoE interface?

At the moment I've set the modem-FW network as WAN with the related firewall rules, but literally all incoming connections are coming in via the PPPoE interface.

Thanks for your advice
#6
Quote from: TheHellSite on May 19, 2023, 09:20:51 AM
This is the solution.
Quote
4. However, in your scenario you didn't configure your apache real server correctly since you left the port blank and didn't tell haproxy if the real server expects SSL or not.

Hi @TheHellSite,

It took me the long way to figure out that my issue was the map file.
At the moment I haven't understood what the cause is, but so far I have created several conditions and rules that work fine. The map file will be the next step, but for the moment, after so much effort, I need to get away from HAProxy a little.

Thanks for your tutorial
#7
Thanks again for your time.

As I said, I'm new to reverse proxies and I'm trying to learn. Your tutorial is for a Plex server and I'm working on a webserver, so at some point I need to take some decisions/assumptions based on my understanding, and they can be wrong, but that is the learning curve.

Going over your remarks:
Quote
1. Your apache is listening on port 80 (no ssl) and 443 (probably with ssl).
Correct, 443 with SSL.

Quote
2. My tutorial assumes that the user wants all connections to be upgraded from port 80 to 443, what you also configured by using the HTTP_frontend on port 80 with the HTTPtoHTTPS_rule.
This is also what Apache does for my application: redirect any call on port 80 to port 443 and use encrypted communication, so so far your setup fits the requirements.

Quote
3. The HTTPS_frontend has SSL offloading enabled, so it decrypts any connection and then forwards it to the real server based on the real server connection configuration.
Reading your tutorial #9 about the SSL connection with the back end, I thought your setup should work because you use an SSL connection to the Plex server.
The webserver listens on port 443 with SSL.
This is the tricky part for me, and even from your notes I can't follow if and how I should change my reported setup.
Could you please be more specific?

Quote
4. However, in your scenario you didn't configure your apache real server correctly since you left the port blank and didn't tell haproxy if the real server expects SSL or not.
I set up the webserver as you did for the SSL_backend: both listening on ports 80,443 and both using SSL on port 443. If the webserver backend should be different, can you please guide me on how to adjust it?

Bottom line, I read the tutorial several times. This is the CLOSEST tutorial to my needs (you set up a Plex server and I a webserver) I have found, but not exactly what I need. In this difference comes the potential confusion. If I knew what to do I wouldn't need a tutorial. I also found other blogs online and always arrived at a dead end with error 503. I mentioned it in a previous post under this thread already.
#8
Quote from: TheHellSite on May 17, 2023, 12:05:48 AM
@mauro
HAProxy config export and a basic network diagram. That is what you will have to provide now, not just error codes.
Roger, @TheHellSite

NETWORK topology (simplified)

LAN (IP address) <--> | FW, lo_IP (127.x.x.x) | <--> DMZ (server_ip)

IP_Address is my FW LAN address, in the OPNsense sense
lo_IP is the equivalent of your 127.4.4.3 but customized
server_IP is the static IP of the webserver in the DMZ network

To keep the webapp available from the outside world I have the SNI frontend based on the LAN address, ports 80,443. I'm doing it this way because I already tried following your tutorial using the WAN address on the SNI frontend, with the same result plus the server unreachable. I created a firewall rule for LAN to accept incoming requests on ports 80,443.

HAProxy setup file:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 warning
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_Frontend (listening on LAN address port 80/443)
frontend 0_SNI_Frontend
    bind lan_ip:80 name lan_ip:80
    bind lan_ip:443 name lan_ip:443
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on lo_ip:80)
frontend 1_HTTP_frontend
    bind lo_ip:80 name lo_ip:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option dontlognull
    option log-separate-errors
    option httplog
    # ACL: NoSSL_condition
    acl acl_6462b25dd3fc08.98092716 ssl_fc

    # ACTION: HTTP2HTTPS_r
    http-request redirect scheme https code 301 if !acl_6462b25dd3fc08.98092716

# Frontend: 2_HTTPS_frontend (Listening on lo_ip:443)
frontend 2_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind lo_ip:443 name lo_ip:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6463bbbf543239.59805119.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    option dontlognull
    option log-separate-errors
    option httplog

    # ACTION: PUBLIC_SUBDOMAINS_r
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/645151c9cb3ae5.07476878.txt)]

# Backend: s1_backend (s1 server backend)
backend s1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server s1_server server_ip

# Backend: SSL_Backend (SNI backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server lo_ip send-proxy-v2 check-send-proxy



# statistics are DISABLED


Thanks a lot
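Added example, not part of the post above and not HAProxy's or the OPNsense plugin's own code: the HTTPS frontend in the config above routes with `use_backend %[req.hdr(host),lower,map_dom(<file>)]`, and a later post in this thread says the map file turned out to be the problem. The Python below reimplements HAProxy's `dom` match (the key must appear in the lowercased Host value bounded by dots or by the string ends, first matching line in file order wins) so the lookup can be checked offline. The map file, backend names and hostnames are constructed for the example. Two cases worth seeing: a Host value that carries a port (`:8443`) does not match because `:` is not a dot boundary, and a key like `example.com` also matches `example.com.attacker.net`, since `dom` is not a suffix match; and a map value naming a backend that is not defined leaves the frontend without a backend, which is the 503 from the thread when no `default_backend` is set.

```python
"""Resolve a Host header the way HAProxy's req.hdr(host),lower,map_dom(<file>)
does and show which inputs end with no backend (a 503). Added example with a
constructed map file; backend names are illustrative."""

# Constructed map file: "<key> <backend>" per line, '#' comments allowed.
MAP_FILE = """
# key                 backend
test.example.com      s1_backend
staging.example.com   s2_backend
example.com           example_backend
"""

# Backends defined in the (constructed) haproxy.cfg; s2_backend is deliberately missing.
BACKENDS = {"s1_backend", "example_backend"}


def parse_map(text):
    """Map entries in file order; map_dom tests them in that order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            entries.append((key, value.strip()))
    return entries


def dom_match(pattern, sample):
    """HAProxy 'dom' match: pattern occurs in sample bounded by dots or string ends."""
    start = 0
    while (idx := sample.find(pattern, start)) != -1:
        end = idx + len(pattern)
        left_ok = idx == 0 or sample[idx - 1] == "."
        right_ok = end == len(sample) or sample[end] == "."
        if left_ok and right_ok:
            return True
        start = idx + 1
    return False


def map_dom(entries, sample, default=None):
    """First entry whose key dom-matches the sample wins, else the default."""
    for key, value in entries:
        if dom_match(key, sample):
            return value
    return default


def choose_backend(host, entries=None, backends=BACKENDS, default_backend=None):
    """Outcome of use_backend %[req.hdr(host),lower,map_dom(...)] for one Host value.
    A missing or undefined name makes HAProxy skip the rule, so the frontend's
    default_backend (none in the posted config) decides; None here means 503."""
    entries = parse_map(MAP_FILE) if entries is None else entries
    name = map_dom(entries, host.lower())
    return name if name in backends else default_backend


if __name__ == "__main__":
    for host in ("test.example.com", "TEST.Example.com", "www.example.com",
                 "test.example.com:8443", "staging.example.com",
                 "example.com.attacker.net", "other.net"):
        print(f"{host:28} -> {choose_backend(host)}")
```

The practical check for the posted setup is to run the real map file's entries and the exact Host values the browser sends through `choose_backend`, and to compare the returned names letter for letter with the `backend` section names in the generated config.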
#9
Hi there.

After the last post and the suggestion to follow the tutorial before asking for advice, I did, and I still end up with the same error when I try to browse the webapp:
Quote
503 Service Unavailable
No server is available to handle this request.

So I assume:
the redirect 80->443 is working fine, because I start the connection on port 80
the certificate is set up well, despite it being the staging one, which gives an error

I'd say the issue lies between the firewall and the backend.

The backend (webserver) accepts both on port 80 and 443, with a running cert for the SSL connection. Can this be an issue?

Considering I tried a few tutorials, including this one, I think the issue is within the firewall.

The webserver is up and running and has no restrictions to the Apache ports

Any suggestion?

thanks a lot in advance
#10
General Discussion / Dynu DDNS issues / bug
May 10, 2023, 12:23:19 AM
Dear all,

I use Dynu for the DDNS service, and when the IP changes I first receive these error messages:
Quote
WARNING:  found neither IPv4 nor IPv6 address
WARNING:  XXXXX.net: unable to determine IP address with strategy use=cmd
Use of uninitialized value $ip in string at /usr/local/sbin/ddclient line 3658.
Use of uninitialized value $_[0] in sprintf at /usr/local/sbin/ddclient line 2179.

Checking the DDNS log I've noticed that after a while the client starts to use the API and eventually updates the IP, but only after several tries.

Let me know if I'm possibly doing something wrong or if I can support with extra info

Cheers
#11
Quote from: TheHellSite on May 08, 2023, 08:54:15 PM

Honestly please just follow my tutorial. I will not provide support for something else here.
If you want to do it your way then just ask in the appropriate forum.
But I will say if you keep on testing your way you will need much more time.

If it is not working with my way you can simply disable the WAN firewall rule and re-enable the NAT portforward.
This way you can also test this.

Hi there, I followed the suggestion and at the end of the process I have these 2 issues which I can't figure out:
1) The certificate is not valid. I also ran the SSL Labs test and received the same answer (rating T), showing the certificate is not trusted.
2) again error 503 Service Unavailable

Checking the HAProxy log, it shows:
Quote
Informational   haproxy   public_IP:9911 [09/May/2023:17:25:07.299] 2_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
which I think I solved by removing the SSL tick in the real server setup. I have the Apache virtual server only listening on port 80.

#1: Is it possible that it is because at the moment I'm using a staging cert?

#2: this is the issue I have been investigating for a few days now without any luck. I'll go over your tutorial, but hints are welcome.

cheers
#12
Hi @TheHellSite,

Before posting here I posted in the general forum, and considering nobody answered I thought it was because there is a more specific tutorial.

Anyway, thanks for your help and your tutorial, which I found very interesting. I'll give it a go ASAP with all features.

Cheers
#13
503 Service Unavailable

Dear all,
At the moment I have my webserver online with port forwarding, and before moving on with HAProxy I'm thinking of testing it by setting it up locally. To also keep the settings simple, and possibly easier, I'm considering a reverse proxy for port 80 only, for test.example.com.
In other terms (IPs as reference):
LAN (192.168.1.0/24, LAN address 192.168.1.1) --> |HAProxy| --> DMZ (192.168.2.0/24, webserver 192.168.2.2)

The only achievement I have reached so far when I try to browse test.example.com is
Quote
503 Service Unavailable
No server is available to handle this request

This is the HAProxy setup:
Quote
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    2
    hard-stop-after             60s
    no strict-limits
    maxconn                     100
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# Frontend: test_http (Test http)
frontend test_http
    bind 192.168.1.1:80 name 192.168.1.1:80
    mode http
    option http-keep-alive
    default_backend example_backend

    # logging options
    # ACL: kanboard_c
    acl acl_6452ce5a700492.11355253 hdr(host) -i test.example.com

    # ACTION: kanboard_r
    use_backend test_backend if acl_6452ce5a700492.11355253

# Backend: test_backend (example pool)
backend example_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server s1_server 192.168.2.1:80 proto h2

# statistics are DISABLED

Any hint?

The next step will be using SSL. The web application has an individual SSL certificate, which I think I can import into OPNsense to set up the HTTPS redirection. This will be the next gig :)

I've flattened HAProxy a few times and reset it, but I always end up with error 503 :(

I checked the firewall LAN -> DMZ and I don't see anything blocking the connection.

Thanks and please let me know if I can provide more information

cheers
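Added example, not from the post above and not a tool shipped with HAProxy or OPNsense: a small static check over a generated haproxy.cfg for the things that produce "503 No server is available" without any packet ever reaching the webserver. It reports `default_backend`/`use_backend` targets that name a backend not defined in the file (the config above declares `backend example_backend` while its rule says `use_backend test_backend`), `server` lines without a port (HAProxy then reuses the port the client connected to, as in the earlier post's `server s1_server server_ip`), `server` lines with `proto h2` and no `ssl` (HAProxy then speaks cleartext HTTP/2 with prior knowledge to that port, which an HTTP/1.1-only listener refuses), and servers without `check` (no health checking, so a dead server is only discovered per request). The config it runs over is constructed to reproduce those patterns; it is not the poster's file.

```python
"""Lint an haproxy.cfg for backend references and server lines that yield a 503
before any request reaches the real server. Added example run over a
constructed config, not the project's own tooling."""
import re

SECTION_KINDS = ("global", "defaults", "frontend", "backend", "listen")


def parse_sections(text):
    """Split a config into (kind, name, [directive words, ...]) in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KINDS:
            sections.append((words[0], words[1] if len(words) > 1 else "", []))
        elif sections:
            sections[-1][2].append(words)
    return sections


def lint(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    sections = parse_sections(text)
    backends = {name for kind, name, _ in sections if kind in ("backend", "listen")}
    findings = []
    for kind, name, directives in sections:
        for words in directives:
            if kind in ("frontend", "listen") and words[0] in ("default_backend", "use_backend"):
                target = words[1]
                # %[...] names are resolved per request from a map; skip them here
                if not target.startswith("%[") and target not in backends:
                    findings.append(f"{kind} {name}: {words[0]} {target} points at a backend that is not defined")
            if kind in ("backend", "listen") and words[0] == "server":
                srv, addr, opts = words[1], words[2], words[3:]
                if not re.search(r":\d+$", addr):
                    findings.append(f"{kind} {name}: server {srv} has no port, HAProxy reuses the port the client connected to")
                if "proto" in opts and opts[opts.index("proto") + 1] == "h2" and "ssl" not in opts:
                    findings.append(f"{kind} {name}: server {srv} forces cleartext HTTP/2 (h2c) to {addr}; an HTTP/1.1-only listener refuses that")
                if "check" not in opts:
                    findings.append(f"{kind} {name}: server {srv} has no health check, a dead server is only noticed per request")
    return findings


# Constructed config reproducing the patterns discussed in the thread.
CONSTRUCTED_CFG = """
global
    daemon

defaults
    mode http
    timeout connect 30s

frontend test_http
    bind 192.168.1.1:80 name 192.168.1.1:80
    default_backend example_backend
    acl is_test hdr(host) -i test.example.com
    use_backend test_backend if is_test          # no backend of that name below

frontend https_in
    bind 127.4.4.3:443 ssl crt /tmp/example.pem
    use_backend %[req.hdr(host),lower,map_dom(/tmp/example.map)]

backend example_backend
    server s1_server 192.168.2.1:80 proto h2     # h2c to a plaintext port

backend s1_backend
    server s1 192.168.2.2                        # no port, no check
"""

CLEAN_CFG = """
frontend fe
    bind :80
    default_backend be
backend be
    server s1 192.168.2.2:80 check
"""

if __name__ == "__main__":
    for finding in lint(CONSTRUCTED_CFG):
        print(finding)
    print("clean config:", lint(CLEAN_CFG))
```

Running it on an exported OPNsense config is a faster first step than flattening the plugin again: the backend-name mismatch and the `proto h2` line each explain a 503 on their own, and neither shows up in the firewall logs because HAProxy never opens a connection to the DMZ in those cases.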
#14
Dear all,
I'm new to the whole reverse proxy scene, and this can be one possible reason for not getting things working.
At the same time I'm trying to follow tutorials and videos without getting anywhere.

I run OPNsense 23.1.6-amd64 on an APU2C4 machine with a PPPoE connection over a modem.

I have a webserver that I need to be online, and at the moment I'm using port forwarding PPPoE:80,443 -> DMZ:80,443. Let's say I'm testing test.example.com (which is available from outside). The Apache config doesn't redirect port 80 -> 443 because I'm trying to keep things simple.

At the moment I'm trying to create a reverse proxy using the LAN address as the frontend IP.
So far I only manage to receive:
503 Service Unavailable
No server is available to handle this request


I tried ports 80 and 81 for the frontend, same result.

I followed the documentation about HAProxy; below are a few lines from the log:


[03/May/2023:17:10:43.527] test test/<NOSRV> -1/-1/-1/-1/0 400 0 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>
[03/May/2023:17:11:13.163] test test/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
[03/May/2023:17:11:13.190] test test/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"


I'm trying to test the reverse proxy locally before moving from port forwarding to the reverse proxy.

I'm more than happy to share more information, but I can't see which is the most relevant.

Any advice?

Thanks
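Added example, not from the post above: a parser for the HAProxy `httplog` lines quoted in it, with a decoder for the four-character termination state that HAProxy documents (first character: what ended the session; second: which phase it was in). The three sample lines are the ones from the post, embedded here with their client address already missing as quoted. The regex accepts an optional leading client address so complete lines parse too; the diagnosis strings are this example's own wording of the HAProxy log documentation. The point it shows: `test/<NOSRV>` with timers `-1/-1/-1/-1/0` and `SC--` means the frontend did hand the request to backend `test` but no server was selected there and no connection to the DMZ was ever attempted, so the place to look is the backend's server lines, not the LAN-to-DMZ firewall; `PR--` with `<BADREQ>` is the proxy rejecting the request during parsing, before any routing.

```python
"""Parse HAProxy httplog lines and decode the termination state flags.
Added example; sample lines are the ones quoted in the post, client address
missing as quoted, and the diagnosis text is this example's own wording."""
import re

LOG_RE = re.compile(
    r"^(?:(?P<client>\S+)\s+)?\[(?P<ts>[^\]]+)\]\s+(?P<frontend>\S+)\s+"
    r"(?P<backend>[^/\s]+)/(?P<server>\S+)\s+"
    r"(?P<timers>-?\d+/-?\d+/-?\d+/-?\d+/-?\d+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"\S+\s+\S+\s+(?P<term>\S{4})\s+(?P<conns>\S+)\s+(?P<queue>\S+)\s+\"(?P<request>[^\"]*)\"?"
)

# First character of the termination state: what caused the session to end.
CAUSE = {
    "C": "client aborted the TCP session",
    "S": "server aborted or refused the TCP connection",
    "P": "proxy aborted (limit reached, deny rule, or blocked response)",
    "L": "handled locally by the proxy (redirect, stats, ...)",
    "R": "resource exhaustion on the proxy",
    "I": "internal error in the proxy",
    "D": "session killed because the server went down",
    "U": "session killed when a backup server came up",
    "K": "session killed by an administrator",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
    "-": "normal termination",
}
# Second character: the phase the session was in when it ended.
STATE = {
    "R": "waiting for a complete, valid REQUEST from the client",
    "Q": "waiting in the QUEUE for a server connection slot",
    "C": "waiting for the CONNECTION to the server to establish",
    "H": "waiting for response HEADERS from the server",
    "D": "in the DATA phase",
    "L": "sending the LAST data to the client",
    "T": "request was TARPITTED",
    "-": "session completed normally",
}


def parse_line(line):
    """Return a dict of the log fields; timers become ints, -1 = phase never reached."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an httplog line: {line!r}")
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    entry["timers"] = [int(t) for t in entry["timers"].split("/")]  # TR/Tw/Tc/Tr/Ta
    return entry


def decode_term(term):
    """Map e.g. 'SC--' to (cause, state) using the HAProxy flag tables above."""
    return CAUSE.get(term[0], f"unknown cause {term[0]!r}"), STATE.get(term[1], f"unknown state {term[1]!r}")


def diagnose(entry):
    """Plain-language reading of one entry, most specific hint last."""
    cause, state = decode_term(entry["term"])
    notes = [f"{cause}; {state}"]
    if entry["server"] == "<NOSRV>":
        notes.append(f"no server was selected in backend {entry['backend']}; no connection to a server was attempted")
    if entry["status"] == 503 and entry["term"].startswith("SC") and entry["timers"][2] == -1:
        notes.append("503 with Tc=-1: check the backend's server lines (address, port, proto) and health state")
    if entry["request"] == "<BADREQ>":
        notes.append("request rejected while parsing, e.g. TLS bytes sent to a plaintext listener or a malformed request line")
    return notes


SAMPLE_LOG = [
    '[03/May/2023:17:10:43.527] test test/<NOSRV> -1/-1/-1/-1/0 400 0 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>',
    '[03/May/2023:17:11:13.163] test test/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
    '[03/May/2023:17:11:13.190] test test/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_line(line)
        print(f"{e['status']} {e['term']} {e['frontend']} -> {e['backend']}/{e['server']} {e['request']!r}")
        for note in diagnose(e):
            print("   ", note)
```

Reading the termination flags before touching firewall rules saves time on every HAProxy thread of this kind: a `CD`, `cD` or `sH` would point at the DMZ path, while `SC--` with `<NOSRV>` and all timers at -1 says HAProxy gave up inside its own backend selection.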
#15
General Discussion / Unbound DNS: Possible bug?!
March 31, 2023, 12:47:43 AM
Dear all,

After messing around for several days with OPNsense, I decided to start with a fresh installation.

I use an APU2C4 and installed OPN 23.1

The machine goes online

What I'm experiencing is that PCs on both the LAN and GUEST networks have problems resolving websites.
I try ping 8.8.8.8, which is fine, and if I try ping ms.com it doesn't work.

I checked Unbound DNS setups and I've seen that:

  • service listens on all interfaces
  • Access list shows the DHCPs of the 2 networks
  • Deny access is disabled

I had the same issue before the fresh installation, but I thought it was due to some mistake somewhere else. If it persists on a new installation then things are more serious.

If needed I can pass more information and screenshots

Cheers