Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - codeshelldev

Pages1
#1
High availability / HAProxy SNI (Lua)
August 25, 2025, 06:25:32 PM
Hello everyone,

So I am trying to setup SNI routing in my OPNsense with haproxy and got everything almost setup but there is still a key issue in my Configuration:
Since I am NOT SSL Offloading and instead passing traffic straight to the Webserver, I cannot make use of any http header (Layer 4) my frontend is set to TCP. No it seems, that SNIs are not consistently received (or I am using the wrong way to access them)...'

Some times I DO get an SNI and sometimes it is just empty I am running a custom Lua Script but for the sake of this Thread only this snippet is important:

Code Select
-- resolve backend for a given host
function resolve_backend(txn)
    local host = txn.sf:req_ssl_sni()
    local host_tcp = txn.f:ssl_fc_sni()

    core.Info("Got SNI of "..host)
    core.Info("Got SNI of "..host_tcp)
end

core.register_action("resolve_backend", {"tcp-req"}, resolve_backend)
HAProxy Config
Code Select
frontend https_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend server1

    # logging options

    # ACTION: resolve_backend_lua
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request content lua.resolve_backend
    # ACTION: sni_hostname_lua
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[var(txn.backend)] 

I noticed there were multiple functions to get the SNI but both seem to result in the same seemingly random output.

Has anyone an idea to why this is happening or if this is just a fundamental flaw in TCP Passthrough...?

Thanks in advance!
#2
General Discussion / Cannot ping Upstream (other devices can)
July 02, 2025, 06:22:12 PM
I have an Issue where my OPNsense host cannot ping any Upstream Server (Router / Gateway, 1.1.1.1, ...).
OPNsense is able to ping other devices in the LAN, devices attached to the firewall are able to ping any hosts even Upstream.
When pinging from the OPNsense console I get the following error: host is down (which is obviously false: 1.1.1.1 and 8.8.8.8 should be up), surprisingly this only happens when pinging IPv4 and not IPv6. My Upstream Router is a Fritzbox which port forwards to OPNsense, for context
Fritzbox is on 192.168.1.1 and OPNsense is on 192.168.1.37.
Due to this issue I am unable to update etc. to the newest version. OPNsense IS able to ping hostnames like google.com, cloudflare.com (even curl'ing). When unplugging the connection to the router from the firewall and instead plugging it into my laptop I AM able to ping my Router (etc.).
The Gateway is listed in the ARP Table snd there is a default route...

So it seems to be an Issue with IPv4, but I am not in a position to do a factory reset.
This is all I got after a few days of trial and error, I am hoping that someone knows a fix for this...
Does anyone have an idea what the root problem might be and how to fix it?
Really appreciate it, thanks in advance!
Pages1