
Messages - mastermindpro

Cache/Proxy / Re: HAProxy not being transparent. ???
« on: August 15, 2017, 04:19:38 pm »
Ooohhhhh...Well, at least it was an honest mistake.  Thanks for pointing me to the correct playing field.  Just makes me question my day 1 logic class reflexivity principle. 

HAProxy != HAProxy


I do believe, though, that you could still legitimately call DSR products "proxies", they're just L2 proxies.  I mistakenly assumed that checking the Transparent ClientIP box in pfSense's HAProxy implementation turned it into the L2 magician I'm looking for.

Cache/Proxy / Re: HAProxy not being transparent. ???
« on: August 15, 2017, 03:06:44 pm »
This is an example site that shows how DSR works, in HAProxy even.

I've seen other such documents about other load balancers that work in a DSR (direct server return) mode.  This one is from Barracuda:

Neither seem to require the client to be out-of-subnet or list that as a shortcoming.  Seems like it would be a gigantic omission to leave that out.  Here's a blog post from F5 decrying many disadvantages of DSR, and it doesn't list the in-subnet client as a problem, either:

I'm not trying to argue, but I am trying to understand if all of the above people are simply omitting this truth...or something else?  I do understand that the reply from server to client could be confusing.  Is that due to the source MAC being "different" or due to the source IP being "different"?  I would assume that most OSes reply "from" the IP address of the proxy, since that's what address they accepted the session on.

Cache/Proxy / Re: HAProxy not being transparent. ???
« on: August 15, 2017, 10:14:48 am »
...If the server saw the client's true IP address and it's in the same subnet, the server would not send the return traffic back to the firewall/haproxy.

That's the *entire* point of Transparent ClientIP in HAProxy.  The only way the server would send the return traffic back to the proxy is if it didn't know the client IP, or more correctly, believed the client IP was the IP of the proxy.  That's what I need to avoid, though, hence my attempted use of Transparent ClientIP.

Oh well...on to other potential solutions.

Cache/Proxy / Re: HAProxy + manual outbound NAT reflection problem
« on: August 14, 2017, 04:56:51 pm »
The fix for this was to move the HAProxied hosts to their own subnet and interface on the firewall, independent of the "LAN".  Then, hosts on the LAN can still benefit from the failover HAProxy provides.

Cache/Proxy / HAProxy not being transparent. ???
« on: August 14, 2017, 04:54:16 pm »
I set up an HAProxy environment for a couple of webservers using transparent ClientIP mode, and it works great.  I'm trying to set up a second environment, also as just a TCP proxy, but not to a web server.  I've configured the backend with Transparent ClientIP enabled.  The proxy passes traffic through as I'd expect, but not with the client IP.  The receiving server sees the "source" as being the IP of the proxy.

Now, this second environment is a bit different than the first in that the pfSense box is one-armed (only one network interface).  Hence, the client traffic is coming into HAProxy and being proxied to the servers on the same network interface.  I'm assuming this is the reason for the Transparent ClientIP function not working, but does anyone know a work-around?

Cache/Proxy / HAProxy + manual outbound NAT reflection problem
« on: July 29, 2017, 04:38:40 pm »
I have set up HAProxy to load balance to a couple systems in my LAN from an aliased public IP on my pfSense firewall.  I have HAProxy configured as purely a TCP pass-through, with "Transparent Client-IP" enabled.  Access to the service works just fine when outside my firewall, but I need hosts on the LAN of my firewall to access the service as well.  The web application being served up is ridiculously restricted by license to both a URL and an IP address, so I can't use any kind of split-DNS to solve this problem.  (The name would still match, but the IPs wouldn't.)

I've been running in manual outbound NAT mode for a while, so I configured a new rule at the top of the stack for traffic exiting the LAN interface, sourced from the LAN subnet, and destined for the IPs of the servers in the HAProxy backend.  From what I understand, that *should* work...but it doesn't.  Looking at the HAProxy logs shows that the requests coming from LAN systems still have their private IP addresses as the source address.  As far as I can tell, HAProxy should see the LAN IP address of the firewall in the requests...but this isn't the case.  It's like HAProxy is doing something in advance of any of the outbound NAT rules...before traffic can get to them.

Does anyone have any work-around for this oddball problem?  I know NAT reflection on HAProxied hosts won't work automatically, but I'm hoping there's a way to coerce functionality.
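Both HAProxy threads above ("HAProxy not being transparent" and "HAProxy + manual outbound NAT reflection problem") come down to the same routing question: when the proxy hands the backend a connection whose source is the real client address, does the backend's reply come back through the proxy host, or does it go straight to the client? The following is an added example written for this page; it is not code from the posts, from pfSense or from HAProxy, and every address in it is constructed. It reduces the backend's route lookup to its connected subnet plus a default route and reports whether transparent ClientIP mode can work for a given client, covering the one-armed case, the "move the backends to their own interface" fix, and the case where the backend's gateway is not the proxy host at all.

```python
"""Where does a backend's reply go when HAProxy preserves the client IP?

Added example for the two HAProxy threads above; it is not code from the
posts, pfSense or HAProxy.  Every address below is constructed.

In transparent ClientIP mode the proxy opens the backend connection with the
real client address as source, so the backend's reply is addressed to the
client, not to the proxy.  The reply only reaches HAProxy if the backend's
route to the client goes through the proxy host.  A client on the backend's
own subnet is delivered directly (ARP), so the proxy never sees the reply.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Backend:
    """A proxied server: the subnet its NIC sits on and its default gateway."""
    network: IPv4Network
    gateway: IPv4Address


def reply_next_hop(server: Backend, client_ip: IPv4Address) -> IPv4Address:
    """Route lookup reduced to the two routes a typical server has:
    the connected subnet (deliver on-link) and a default route."""
    if client_ip in server.network:
        return client_ip
    return server.gateway


def reply_traverses_proxy(server: Backend, client_ip: IPv4Address,
                          proxy_ip: IPv4Address) -> bool:
    """True when the backend's reply passes through the proxy host, which
    transparent mode needs so HAProxy can answer the client from its own
    address.  proxy_ip is the proxy host's address on the server's subnet."""
    return reply_next_hop(server, client_ip) == proxy_ip


def check_path(server_subnet: str, server_gateway: str,
               client: str, proxy: str) -> str:
    """String-argument convenience wrapper: 'ok' or 'bypasses proxy'."""
    server = Backend(ip_network(server_subnet), ip_address(server_gateway))
    ok = reply_traverses_proxy(server, ip_address(client), ip_address(proxy))
    return "ok" if ok else "bypasses proxy"


if __name__ == "__main__":
    # Constructed scenarios.  Firewall/HAProxy LAN address is 192.168.10.1.
    scenarios = [
        # 1. Internet client, backend on the LAN, firewall is its gateway.
        ("192.168.10.0/24", "192.168.10.1", "198.51.100.7", "192.168.10.1"),
        # 2. One-armed setup: LAN client and backend share the subnet.
        ("192.168.10.0/24", "192.168.10.1", "192.168.10.50", "192.168.10.1"),
        # 3. Backend moved to its own interface/subnet (the fix from the
        #    NAT-reflection thread); the LAN client now routes via the firewall.
        ("192.168.20.0/24", "192.168.20.1", "192.168.10.50", "192.168.20.1"),
        # 4. Separate subnet, but the backend's gateway is a different router.
        ("192.168.20.0/24", "192.168.20.254", "198.51.100.7", "192.168.20.1"),
    ]
    for subnet, gw, client, proxy in scenarios:
        print(f"backend {subnet} gw {gw} <- client {client}: "
              f"{check_path(subnet, gw, client, proxy)}")
```

Scenario 2 is the one-armed deployment and scenario 3 is the separate-subnet layout; scenario 4 is worth keeping in mind when the backends already have their own subnet, because a backend whose default gateway is some other router breaks transparent mode in exactly the same way as an on-link client does.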

Official pfSense Hardware / Re: SG-4860 network interface optimization
« on: March 28, 2017, 12:04:45 pm »
Good info.  Looks like on this system, the igb0 and igb1 interfaces only have 2 queues each, while the remaining 4 interfaces have 4 queues each.  I read something about that on some non-pfSense site that was doing network benchmarking with some BSD variant installed on this system.  Time to re-assign some interfaces!   ;)

Official pfSense Hardware / Re: SG-4860 network interface optimization
« on: March 28, 2017, 09:39:09 am »
Ah, bummer.  I restored a backup onto the 4860 from an older homebuilt system the moment I got it, so I don't know what the original settings were.  I'm mostly concerned about the interrupt usage, as it is approaching the limit of a single core under moderate network load.  If the interrupts aren't locked to a single core, then I have less to worry about.  Any chance someone could show a screenshot of the factory settings?

Official pfSense Hardware / SG-4860 network interface optimization
« on: March 24, 2017, 11:47:57 am »
I've done some searching on the forum as well as elsewhere, but I haven't been able to find any docs on what the recommended network interface settings are for this platform.  Specifically, I'm considering enabling device polling, as I'm seeing up to 20% interrupt usage under load.  The other settings are relevant as well.  Is there a primer or doc somewhere that lays this out?

Firewalling / Re: Floating rule not applying to selected interfaces
« on: February 28, 2017, 01:42:44 pm »
OK, if the states themselves are compared independently of the interface on which the states reside, that's nice.  It's unclear why it would be that way, though.  What if the two interface-bound rules have different session limits?  Which one wins?

Further, this doesn't explain why the floating rule only seemed to bind to one of the selected interfaces, rather than both.  There simply wasn't any traffic allowed on the second WAN interface assigned to the floating rule.

Firewalling / Floating rule not applying to selected interfaces
« on: February 26, 2017, 08:43:25 pm »
I have a 2 WAN setup that has port forwards on both interfaces to one host on my LAN.  I've previously had rules on each WAN interface to allow traffic into the port forwards, but I wanted to start limiting states per host collectively.  I figured the best way to do that would be to have a floating rule that is assigned to both WAN interfaces that has the appropriate settings, so that's what I implemented.

The floating rule only let traffic in to the first of the two WAN interfaces, however.  Traffic was outright blocked from hitting the port forward on the second WAN.  I had to disable or delete the floating rule and re-create independent rules on each WAN interface for traffic to work correctly.

Why did the floating rule only allow traffic on one of the WAN interfaces instead of the two that were selected?  Seems like a bug to me.  Running pfSense 2.3.3-Release.

Firewalling / Source connection rate logging
« on: February 24, 2017, 02:02:48 pm »
I've searched this forum and elsewhere for an answer to this, but found none.  I have a Pass firewall rule that allows traffic into a port forward.  On the firewall rule, I've defined "Max. src. conn. Rate" and "Max. src. conn. Rates" to be what I want.  The rule appears to work as I expect in testing.  My challenge is that I don't seem to be able to know when the connection rate is exceeded.

The firewall logs show nothing, as I'm only logging explicit blocks/rejects.  My first thought was that this would only get logged if there was a second firewall rule, defined as a Block, that had logging enabled.  I've configured that, but nothing ever seems to hit that; no logging.

A Pass rule with other limits, like connection rate limiting, really kind of has two possible outcomes.  It would be nice to be able to log or otherwise know when the limit is being triggered, without having to know when the traffic is passing the rule.  Is that possible?
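The post above asks how to tell when a Pass rule's per-source connection-rate limit fires. The following is an added example written for this page, not pf or pfSense code: a small simulation of pf's `max-src-conn-rate` behaviour (the "Max. src. conn. Rate" / "Max. src. conn. Rates" pair in the pfSense rule editor) that tracks new connections per source, moves a source into an overload table once it exceeds the limit, and emits the log line the Pass rule itself never writes. The window handling is simplified from pf's implementation, and the connection records at the bottom are constructed.

```python
"""Simulation of pf's per-source connection-rate limit (the "Max. src. conn.
Rate" / "Max. src. conn. Rates" pair in a pfSense rule) that emits a log line
each time a source trips it.

Added example, not pf or pfSense code.  The window handling is simplified
from pf: the counter restarts once `seconds` have elapsed since the window
began.  The connection records at the bottom are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SourceCounter:
    """Per-source node: when the current counting window began, and the count."""
    window_start: float = 0.0
    count: int = 0


class ConnRateLimiter:
    def __init__(self, limit: int, seconds: int) -> None:
        self.limit = limit            # "Max. src. conn. Rate"
        self.seconds = seconds        # "Max. src. conn. Rates"
        self._nodes: dict[str, SourceCounter] = defaultdict(SourceCounter)
        self.overloaded: set[str] = set()   # stand-in for pf's overload table
        self.events: list[str] = []         # the log lines the Pass rule never writes

    def new_connection(self, ts: float, src: str) -> str:
        """Evaluate one new connection from src at time ts (seconds).
        Returns 'pass', 'overload' (limit just exceeded) or 'block'."""
        if src in self.overloaded:
            self.events.append(f"t={ts:.0f} block {src}: in overload table")
            return "block"
        node = self._nodes[src]
        # Start a fresh window on the first connection, or once the previous
        # window has aged out.
        if node.count == 0 or ts - node.window_start >= self.seconds:
            node.window_start, node.count = ts, 0
        node.count += 1
        if node.count > self.limit:
            self.overloaded.add(src)
            self.events.append(
                f"t={ts:.0f} overload {src}: {node.count} new connections "
                f"within {self.seconds}s exceeds limit {self.limit}")
            return "overload"
        return "pass"


def simulate(records, limit: int, seconds: int) -> tuple[list[str], list[str]]:
    """Run (timestamp, source) records through the limiter; return the
    per-connection verdicts and the event log."""
    lim = ConnRateLimiter(limit, seconds)
    verdicts = [lim.new_connection(ts, src) for ts, src in records]
    return verdicts, lim.events


# Constructed records: one chatty source and one well-behaved one.
CONSTRUCTED_RECORDS = [
    (0.0, "203.0.113.9"), (1.0, "203.0.113.9"), (2.0, "203.0.113.9"),
    (3.0, "203.0.113.9"),          # fourth connection within 10 s
    (4.0, "198.51.100.7"),
    (5.0, "203.0.113.9"),          # already in the overload table
    (20.0, "198.51.100.7"),        # new window for this source
]

if __name__ == "__main__":
    verdicts, events = simulate(CONSTRUCTED_RECORDS, limit=3, seconds=10)
    for (ts, src), v in zip(CONSTRUCTED_RECORDS, verdicts):
        print(f"t={ts:>4.0f} {src:<14} {v}")
    print("\n".join(events))
```

With a limit of 3 connections per 10 seconds, the fourth connection from 203.0.113.9 produces the overload event and every later one from that source is blocked, while 198.51.100.7 stays under the limit and gets a fresh window at t=20. On an actual pfSense system the equivalent check is to list the overload table pf maintains for these rule options, `pfctl -t virusprot -T show`, which shows the sources currently being held.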

That's kind of what I figured.  Thanks for the confirmation.

I searched, but found nothing regarding upgrading a 2.2 ADI-build to the 2.3 Alpha.  Anyone know if it's possible using the AMD64 Alpha upgrade image?

Routing and Multi WAN / Re: Apinger stops feeding rrdtool
« on: December 25, 2015, 10:29:31 am »
Well, the TASK is simple...  Ping this IP, from this interface, using this route, and output the return time and loss here.  That's simple enough I can do the majority, if not all, of it in a DOS script.  Hopefully 2.3 has de-complicated whatever apinger did in <2.3 such that the complexity of the process matches the (lack of) complexity of the task.   ;)

Thanks for the pointer to  I'll have to take a look at that.
