Messages

1

General Discussion / Re: Internet to network only works if Windows DC server is running, how to fix?

« on: November 03, 2024, 04:02:59 am »

Thank you gentlemen, for these responses.  Sorry for the delay.  I may be able to connect the machines soon and try these things out.  In the meantime, I am studying what you wrote and learning to see what I should do.  I'll respond again shortly.

2

General Discussion / Re: Internet to network only works if Windows DC server is running, how to fix?

« on: October 10, 2024, 07:53:48 am »

Ah yes, thank you for the response.  Yes you just reminded me of something.  I don't have the DHCP role on the windows DC, I actually am using opnsense for that and prior to that, I was using the DHCP on my regular wifi router.  Perhaps this is an issue also?  I was intending on moving it to the Windows DC.

I don't necessarily want to do anything weird, I just remember that before I used opnsense and just had that router, if the DC went down, the rest of the machines still had internet access.  I am trying to come up with a way to have that working with opnsense as well, if possible. 

3

General Discussion / Internet to network only works if Windows DC server is running, how to fix?

« on: October 09, 2024, 08:48:40 am »

I have a bit of an unusual problem I've never been able to figure out.  I apologize in advance as I can't post any screenshots since my machines are in storage at the moment.  But this is a problem I was never able to fix, and I'll describe it as best as I can.
Before I had opnsense, I had just a regular wifi router.  I have a bunch of windows machines running on a Windows AD network.  When I got the opnsense machine, I placed it in front of everything.  The problem I have is that the internet to all the machines only works if the Windows domain controller server is connected.  I'd like the internet to work even if the DC is not connected, if that is even possible.  I'd like to do this without needing to move that role to opnsense since like I said it's a whole windows network.

Is there a way to do this?  As far as I remember, in opnsense, I had to put the internal lan name of the domain controller in the section of opnsense for general, system somewhere.  And everything works fine, I was wondering if there is a way for the internet to get passed through even when the DC is not actually connected.  or any other workaround where I can still have the windows DC handling those roles without transferring to opnsense that accomplishes the same thing.

Sorry if the info is not specific enough, this is the best I can remember.

4

23.1 Legacy Series / Why did enabling Upnp break my haproxy setup?

« on: June 26, 2023, 09:18:55 pm »

I had haproxy configured to forward ports 80, 443 to multiple servers based on the hostname.  it was working great.  then, I enabled Upnp, and it completely ruined the haproxy setup.  None of the sites were working in that it would just give cert errors and such.  The listen address are 0.0.0.0:80 etc. 

Once disabling Upnp, it all works again as expected.  I'm just curious what is the explanation.  Thank you.

5

Tutorials and FAQs / Re: Tutorial 2023/05: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: June 26, 2023, 09:09:13 pm »

I'd call it fair. According to the header, the thread has been read 171056 times as of now. 37 pages of assistance.
Thank you.

Totally fair, and above and beyond.  Helped me solve a long standing goal of mine.  I was thinking of starting a similar thread, but maybe not a good idea if i do not even know the basics.

6

Tutorials and FAQs / Re: Tutorial 2023/05: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: June 24, 2023, 10:23:45 pm »

TheHellSite has provided a great, extremely handy tutorial here, so thank you for that.  Very much appreciated.

He does get annoyed when people don't know what they are talking about.  But at the same time, if someone knows all these things they wouldn't be here for help.  So I don't get that.  But it does suck up your time, so either way I get it.

7

Tutorials and FAQs / Re: Tutorial 2023/05: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: June 10, 2023, 03:25:46 am »

I found the issue for my post above.  I had Upnp plugin installed and enabled.  For whatever reason that messed with my setup.  i disabled it and it works again.

8

23.1 Legacy Series / Re: HAproxy port 80+443 to multiple backends not working

« on: June 10, 2023, 03:12:41 am »

Whoa, i believe I found the culprit.  I had installed and enabled Upnp plugin.  I disabled it and now everything works.  I do not understand.

9

23.1 Legacy Series / Re: HAproxy port 80+443 to multiple backends not working

« on: June 09, 2023, 09:56:42 pm »

so you have it set up where anything coming in on 443 gets NAT to 5581, and you have haproxy listen to 5581 ?

but then the internal services are expecting 443....do you change it back to 443 somewhere?  I don't quite understand. 

What I am currently trying is a virtual ip in loopback mode.  I will use this ip for haproxy to listen to on 443 and 80.  I hope this solves my issue.  I don't even understand what the problem is really.  I checked netstat and the only binding there is haproxy for 443 and 80.

10

23.1 Legacy Series / Re: HAproxy port 80+443 to multiple backends not working

« on: June 09, 2023, 06:05:03 pm »

Ah thanks for the response.  So you think it's the listen address as 0.0.0.0 ?  That would make sense as I am having a hard time finding any other reason.  Do you think if I use a Virtual IP interface and listen to that, would that work? 

11

23.1 Legacy Series / [SOLVED] HAproxy port 80+443 to multiple backends not working

« on: June 08, 2023, 11:23:20 pm »

Hello, I used a modified version of TheHellSite's guide to create a HAproxy setup where ports 80,443 are fowarded to multiple internal servers.  This was working last month, and not working any longer.  I am having a hard time finding where the issue is. 

The goal was:
Get 80+443 forwarded to multiple backends.  Before this, I used NAT port forward to send to just one server.  But now I need more.  The environment I am in has only a single public IP.

This worked initially, but not anymore.  Please see my haproxy export below.

Things I have tested:
If I disable haproxy, and enable the NAT port forward (individually per backend), it works instantly and flawlessly.
If I enable haproxy, external access stops working for any server.  Internally, the sites/servers are accessible since I use an Unbound override.

Even though haproxy is not working all the way, when I check the counters, there are bytes coming in and out.  However, there is something weird as it takes a long time for any stats/counters to appear.  It used to be faster.  Also I looked in the haproxy logs, and there are no logs since the beginning of May, and I don't understand that either.

If I test if ports 80 and 443 are open from external.  I think this is hitting haproxy properly, because I see a byte in the counters when I test the port.  In the opnsense documentation there is a warning about haproxy silent error if the ports are in use.  I don't think that is happening for me, because then haproxy would not receive any data, right?

I also have a WAN rule allowing the ports to the destinations.

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         0.0.0.0 local0
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: SNI_frontend ()
frontend SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp

    # logging options
    option log-separate-errors
    option tcplog
    # ACL: TCP_SSL_condition
    acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
    # ACL: TCP_server1_condition
    acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
    # ACL: TCP_server2_condition
    acl acl_644c5719768e71.87060950 req.ssl_sni -m sub -i domain2.com

    # ACTION: TCP_RequestInspectDelay_rule
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: TCP_RequestContentAccept_rule
    tcp-request content accept if acl_644c56b6785678.47181279
    # ACTION: TCP_SERVER1_rule
    use_backend TCP_SERVER1_backend if acl_644c5700ee7657.09485748
    # ACTION: TCP_SERVER2_rule
    use_backend TCP_SERVER2_backend if acl_644c5719768e71.87060950

# Frontend: HTTP_frontend ()
frontend HTTP_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp

    # logging options
    option tcplog
    # ACL: http_server1_condition
    acl acl_6457247ca14984.71641345 hdr_sub(host) -i domain1.com
    # ACL: http_server2_condition
    acl acl_64572496aeac32.73416688 hdr_sub(host) -i domain2.com

    # ACTION: http_server1_rule
    use_backend TCP_SERVER1_backend if acl_6457247ca14984.71641345
    # ACTION: http_server2_rule
    use_backend TCP_SERVER2_backend if acl_64572496aeac32.73416688

# Backend: TCP_SERVER1_backend ()
backend TCP_SERVER1_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server server1_server 192.168.1.234

# Backend: TCP_SERVER2_backend ()
backend TCP_SERVER2_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server server2_server 192.168.1.217

# Backend (DISABLED): TCP_SERVER3_backend ()



# statistics are DISABLED




12

Tutorials and FAQs / Re: Tutorial 2023/05: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: June 08, 2023, 03:02:11 am »

Let me know if you choose not to investigate since my configuration was a modification of the tutorial here....

The setup you helped with was working well for a while.  Now, it doesn't seem to be working.  As in, the sites are not accessible externally (i use my cell phone).  but they work fine internally, with both ip addresses and hostnames.  I also tried going back to port forwarding instead of using haproxy (for ports 80,443).  As soon as i turn on port forwarding, the sites start working externally. 


So this tells me something has changed or stopped working in my haproxy config.  but what?  I will post my config below:

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         0.0.0.0 local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: SNI_frontend ()
frontend SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp

    # logging options
    option tcplog
    # ACL: TCP_SSL_condition
    acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
    # ACL: TCP_server1_condition
    acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1
    # ACL: TCP_server2_condition
    acl acl_644c5719768e71.87060950 req.ssl_sni -m sub -i domain2

    # ACTION: TCP_RequestInspectDelay_rule
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: TCP_RequestContentAccept_rule
    tcp-request content accept if acl_644c56b6785678.47181279
    # ACTION: TCP_SERVER1_rule
    use_backend TCP_SERVER1_backend if acl_644c5700ee7657.09485748
    # ACTION: TCP_SERVER2_rule
    use_backend TCP_SERVER2_backend if acl_644c5719768e71.87060950

# Frontend: HTTP_frontend ()
frontend HTTP_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp

    # logging options
    option tcplog
    # ACL: http_server1_condition
    acl acl_6457247ca14984.71641345 hdr_sub(host) -i domain1
    # ACL: http_server2_condition
    acl acl_64572496aeac32.73416688 hdr_sub(host) -i domain2

    # ACTION: http_server1_rule
    use_backend TCP_SERVER1_backend if acl_6457247ca14984.71641345
    # ACTION: http_server2_rule
    use_backend TCP_SERVER2_backend if acl_64572496aeac32.73416688

# Backend: TCP_SERVER1_backend ()
backend TCP_SERVER1_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server server1_server 192.168.1.234

# Backend: TCP_SERVER2_backend ()
backend TCP_SERVER2_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server server2_server 192.168.1.217

# Backend (DISABLED): TCP_SERVER3_backend ()



# statistics are DISABLED





13

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 09, 2023, 04:22:28 am »

I hope you don't take any offense from my writing, I don't mean to judge how you do your things.
I just think your current setup is... a bit clumsy.

Nonetheless I am glad that everything is working now how you wanted it to.

No problem at all, I take it as you are trying to give helpful advice.

I'm no networking expert.  If I were a network genius like you I wouldn't be here, would I?  So not sure what you want me to do.  This is the way I've able to wrap my mind around and it works, and I quite like it lol.  I'm sure there are better ways!  Thank you very much.  I've been looking forward to this configuration for a while.

14

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 08, 2023, 04:01:33 am »

I still stand by my opinion that port 80 is not necessary at all. But since you never posted/linked that super duper script that would require port 80 this will forever be a myth to me.

I did link it!
here it is:
https://v4-docs.chevereto.com/guides/docker/#create-https-proxy
That's the page with the installation instructions.  The port 80 is used for the place where i linked or the next command after.  I think it is used where I linked which sets up nginx.

the actual code is on the github:
https://github.com/chevereto/docker

but here's another use case that I like:
lets say i am using nginx for subdomains for domain1.com

but for another domain2.com, I'd like to use traefik as the reverse proxy.  So then, again, I'd need port 80 443 for both servers.  Some reverse proxy software work better with certain apps.

15

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 08, 2023, 12:21:28 am »

Yes, this shows me your haproxy export, but it doesn't tell me wether this is working for you like intended or not.

Also why do you have a "NoSSL_condition" and why did you link it to the serviceX_rules of the HTTP_frontend?
Remove it, this is totally unecessary and I never said that you need this.

Thank you.  I removed the NoSSL condition.

I believe everything is working as far as I can tell.  I will list how I tested.

I tested from a cell connection all the addresses, and everything is going to the right places and the sites load fine and work fine.  So, mostly this confirms that the SNI frontend is working perfectly I think.

Is Http frontend working?  I believe so, hard for me to confirm.  Nothing is really using the http traffic (don't get mad, yes I requested it, hear me out).  So I used it very briefly to set up that website that uses the install script on port 80 initially.  And during the setup, I saw in the Counters area of HAproxy that traffic went through the http frontend.  So that confirms that port 80 is working I think, and the site got successfully set up. 

So i think everything is working, and it is quite a nice setup.  I can add multiple reverse proxies with this setup, all on a single ip, and all the proxies can get ports 80 and 443 going there cleanly.

here is my updated config:

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         0.0.0.0 local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: SNI_frontend ()
frontend SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp

    # logging options
    option tcplog
    # ACL: TCP_SSL_condition
    acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
    # ACL: TCP_server1_condition
    acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
    # ACL: TCP_server2_condition
    acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com

    # ACTION: TCP_RequestInspectDelay_rule
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: TCP_RequestContentAccept_rule
    tcp-request content accept if acl_644c56b6785678.47181279
    # ACTION: TCP_SERVICE1_rule
    use_backend TCP_SERVICE1_backend if acl_644c5700ee7657.09485748
    # ACTION: TCP_SERVICE2_rule
    use_backend TCP_SERVICE2_backend if acl_644c5719768e71.87060950

# Frontend: HTTP_frontend ()
frontend HTTP_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp

    # logging options
    option tcplog
    # ACL: http_server1_condition
    acl acl_6457247ca14984.71641345 hdr_sub(host) -i domain1.com
    # ACL: http_server2_condition
    acl acl_64572496aeac32.73416688 hdr_sub(host) -i domain2.com

    # ACTION: http_server1_rule
    use_backend TCP_SERVICE1_backend if acl_6457247ca14984.71641345
    # ACTION: http_server2_rule
    use_backend TCP_SERVICE2_backend if acl_64572496aeac32.73416688

# Backend: TCP_SERVICE1_backend ()
backend TCP_SERVICE1_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server TCP_SERVICE1_server 192.168.1.234

# Backend: TCP_SERVICE2_backend ()
backend TCP_SERVICE2_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server TCP_SERVICE2_server 192.168.1.231



# statistics are DISABLED