Messages

Hello,

RC1 is not yet advised on my box. This according to the bug mentionned in the announcment. Will there be a fix (e.g. analogue to the update to 20.7., where first another update had to be done before the update to 20.7 was possible)?

Short answer is no - have to switch to bridged mode :) , thats the one with packet loss.

Hello,

I have a DOCSIS-Cablemodem, which was in bridged mode. Unfortunately, i had lots of packet losses in the last time. So i had to switch to router mode. The opnsense (where all traffic flows on it) is in dmz (i have mail- and webserver from the outside)

Since i changed the way, i get max 100mbps passing via opnsense. Before, it was up to 700 mbps without any problem. I think now, this is a problem of natting opnsense and the modem.

Easy, i disabled natting on the sense, nothing more worked. Of course, as the sense with nat got the ip from the isp-router, without natting all clients behind the sense come now up with their own ip instead of the natted from the wan-port of the sense.

I'm a little bit out of ideas. Does anybody have a "similar" installation? How did you solve this for you?

Thanks!

[Prerequiste: proxy protocol is not enabled in WebGUI for streams!]

so for the interested ones (if somebody could verify, pls) a working config (mucho bricollagio):

Prerequiste: proxy protocol is not enabled in WebGUI for streams!

1) create in streams.conf under /usr/local/opnsense/service/templates/OPNsense/Nginx the following entry:

Code Select Expand

include {{ server['@uuid'] }}_post/*.conf; right before the last } of the last %endfor - reload streams config in WebGUI

2) go to

Code Select Expand

/usr/local/etc/enginx/nginx.conf and copy the uuid of the stream(s) which have been newly created. They begin as include as last line per stream, e.g.

Code Select Expand

    server {
        listen  143;
        listen  [::]:143;

        access_log  /var/log/nginx/stream_1ef25291-7e82-4e66-a677-a4629270ff87.access.log main;
        error_log  /var/log/nginx/stream_1ef25291-7e82-4e66-a677-a4629270ff87.error.log info;


        proxy_ssl off;
        proxy_pass upstream3605708c54c0460ca656e8fbaeadabb9;
#        proxy_protocol off;
  include 1ef25291-7e82-4e66-a677-a4629270ff87_post/*.conf; ---> UUID here!





3) create manually a folder with the uuid copied from 2) under

Code Select Expand

/usr/local/etc/enginx/

4) within the newly created directory from 3)  create a file e.g. proxy_protcol.conf, only content ist

Code Select Expand

proxy_protocol on;

5) within the file streams.conf (the same as from 1)) search this line

Code Select Expand

proxy_protocol {% if server.proxy_protocol == '1' %}on{% else %}off{% endif %}; and comment it.

6) copy this one here right below the commented line from 5)

Code Select Expand

{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %}
           proxy_protocol on;
{% endif %}


apply configuration in WebGUI and reload service. You should be done.

Thx @Fright for you help!

Hi Fright,

Confused? Right, so i was...

Those were the lines i modified (listen-directive) and commented (proxy_protocoll) - but still i got the message. I also thought to have forgotten to uncheck proxy_protocol. Looking at the the code, it seems, the directive is written in each case, if its on in GUI, it will be set to on, if not, then it will be set to off.

It seems, that i have to prepare manually a nginx.conf, having those lines corrected or to set the proxy_protocol=on; each time, i modified it.

Thx.

OK, gave it a try, changed the template and reloaded, added the hook according the rtfm, having proxy_protocol = on; with in, then the following problem occured: The entry is double.

I then removed the proxy_protocol-entries within the streams.conf on the listen-lines. still the same. There must be somewhere else an entry for this. Do you have an idea? proxy_protocol will be written into the streams from other places than streams.conf from template-directory?

Or, is there a parameter to give to nginx to accept the last loaded parameter only?

Thx! Gonna read this!

Roger

does somewhere exist kind of rtfm for this?

Thx,
Ruggerio

not correct, what i wrote. i had an old server inside nginx, which did it wrong. changed it to right, now it works.

would be a cool change, having a checkbox in opnense or a selection under proxy protocol:

1) checkbox: use haproxy protocol
2) selection: instead of clicking the proxy protocol having the chose between standard or haproxy

In case of selecting haproxy, the enries in the services list (listen-part) shouldn't been placed, but still this one here: proxy_protocol on;

this would make perhaps much easier for mailservers. shall i file a CR on github? btw. this is tested with dovecot only. in my protocols i see now the external ips

Thx!
Ruggerio

thx, fright, i changed to this:

Code Select Expand


    server {
        listen  143;
        listen  [::]:143;

        proxy_ssl off;
        proxy_pass upstream3605708c54c0460ca656e8fbaeadabb9;
        proxy_protocol on;

    }


Now, at least it hast the same behaviour as sending directly to Port 143 with data streaming - means, that there is not yet a transformation about the external ip. x-forwarded-for cannot be used in that use-case, right? I read, that imap usually needs ID, which needs a manual implementation for a mail-section. But in fact, the connection now is accepted also on port 10143 for the upstream-server, which was not the case before.

    # servers
    server {
        listen  143 proxy_protocol;
        listen  [::]:143 proxy_protocol;

        access_log  /var/log/nginx/stream_d3e1b124-88e2-4744-9538-cceaf6f84ff1.access.log main;
        error_log  /var/log/nginx/stream_d3e1b124-88e2-4744-9538-cceaf6f84ff1.error.log info;


        proxy_ssl off;
        proxy_pass upstream3605708c54c0460ca656e8fbaeadabb9;
        proxy_protocol on;

    }


so, this should be correct?

Hi,

I tried with and without proxy protocol. in conf-files it's not inserted, if you don't click it in gui. without proxy-protocol, it works, i have the haproxy-config listening to 10143, which then dovecot returns:

Okt 26 10:28:08 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)
Okt 26 10:28:08 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)
Okt 26 10:28:08 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)
Okt 26 10:28:06 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)
Okt 26 10:28:06 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)

...still with the ip of the sense...

thx
ruggerio

i have this already running on haproxy without any problem. In dovecot, you have to enter there 2 special lines for haproxy. of course, this is primarly seen for loadbalancing reasons.

haproxy_trusted_networks = 192.168.0.0/24,192.168.1.0/24
haproxy_timeout = 10s



main goal was having http/s on nginx, as there is a free of charge waf included.

For the reason, not having haproxy and nginx for the same, i try to change to nginx.

Ruggerio

i got nginx at 80% as reverse proxy for dovecot running. 80% because i don't get the external ip of the client transferred to the mailserver.

if i enable proxy protocol, the connection will not be accepted. Does anybody have an idea? Eventually i was searching false, but google did not reply that much on imap on reverse proxy

all i would need is having the external ip in the logs of dovecot.

Thx,
Ruggerio

updated, logging is there.

Roger