Netgate SG-1000 microFirewall

Author Topic: NAT issues to HAProxy (not running on PfSense)


Offline dineshmistry

NAT issues to HAProxy (not running on PfSense)
« on: November 23, 2017, 08:59:13 am »
I am having problems when I use NAT to send port 25 traffic to a HAProxy server on my internal network. It works correctly from within the LAN and there are no firewall rules on the host itself.

If I NAT directly to one of the SMTP servers it works just fine, but I would like to send traffic to the HAProxy so it can load balance across and provide HA.

Configuration that works

Internet -> pFsense (NAT direct to SMTP)

Configuration that does not work

Internet -> pFsense (NAT to HAProxy internal server) -> 2x SMTP servers

Can anyone think why sending to the proxy would not work while going direct would?

Thanks in advance,
Dinesh

Offline PiBa

Re: NAT issues to HAProxy (not running on PfSense)
« Reply #1 on: November 23, 2017, 09:47:49 am »
Imo that 'should' work as it is..
You are testing from 'the internet' right? If testing the wan-ip from the lan-network you could be running into reflection issues..

Other than that, check with
Code:
tcpdump -ni <nic> "port 25"
what connections are made, like Syn [ S ] packets without a Syn-Ack [ S. ] reply, and check where packets stop flowing..

Offline wussupi83

Re: NAT issues to HAProxy (not running on PfSense)
« Reply #2 on: November 24, 2017, 01:16:09 am »
How did you set-up your NAT?
« Last Edit: November 24, 2017, 01:23:10 am by wussupi83 »

Offline dineshmistry

Re: NAT issues to HAProxy (not running on PfSense)
« Reply #3 on: November 25, 2017, 06:52:27 pm »
Attached is how I have my NAT configured

Offline dineshmistry

Re: NAT issues to HAProxy (not running on PfSense)
« Reply #4 on: November 25, 2017, 06:57:27 pm »
I am actually testing from the outside world to the WAN IP on port 25

telnet <WAN IP> 25 from a system on the internet

Offline wussupi83

Re: NAT issues to HAProxy (not running on PfSense)
« Reply #5 on: November 28, 2017, 02:01:32 am »
> I am actually testing from the outside world to the WAN IP on port 25
>
> telnet <WAN IP> 25 from a system on the internet


Can you telnet on another port from the outside world? Port 25 is often blocked OUTBOUND by ISPs in order to prevent spam emails from being sent out by virus/malware-infected computers. It could be that the "outside" internet connection you are testing from has port 25 OUTBOUND blocked by its ISP.

You did say it worked in the previous configuration and the problem only occurred when you added the proxy.

1.) Any chance it was working using port 465 or 587 (instead of 25) before?

2.) If it was definitely using port 25, I would run a packet capture on both the WAN and proxy server interface to see if the port 25 traffic is 1.) hitting your firewall and 2.) passing through your firewall. Please share the results.
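Following the capture advice in replies #1 and #5 (tcpdump on the WAN and on the proxy-facing interface, looking for SYNs without a SYN-ACK), here is an added example that is not from the thread: it parses `tcpdump -n` output from both interfaces and reports, per outside client, where its port-25 SYN stopped. The captures, addresses and function names are constructed for this example and assume a plain port forward that keeps the client's source address.

```python
import re
from collections import Counter

# One-line `tcpdump -n` format for IPv4 TCP, e.g. "10:01:02.000001 IP 203.0.113.10.51234 > 198.51.100.5.25: Flags [S], ..."
LINE_RE = re.compile(r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
                     r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def classify_flows(capture, port="25"):
    # Flows are keyed on the client's source IP:port, which survives the port forward
    # even though NAT rewrites the destination between the WAN and inside captures.
    syns, answered = Counter(), set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if f["flags"] == "S" and f["dport"] == port:
            syns[(f["src"], f["sport"])] += 1        # bare SYN from client
        elif f["flags"] == "S." and f["sport"] == port:
            answered.add((f["dst"], f["dport"]))     # SYN-ACK back to client
    return syns, answered

def locate_drop(wan_capture, inside_capture):
    # Compare WAN-side and proxy-side captures and say where each client's SYN stops.
    wan_syns, wan_ack = classify_flows(wan_capture)
    in_syns, in_ack = classify_flows(inside_capture)
    verdict = {}
    for client in wan_syns:
        if client in wan_ack:
            verdict[client] = "ok"
        elif client not in in_syns:
            verdict[client] = "SYN never reached inside interface (NAT/firewall rule)"
        elif client not in in_ack:
            verdict[client] = "SYN forwarded, proxy host sent no SYN-ACK"
        else:
            verdict[client] = "proxy answered, SYN-ACK never came back out WAN"
    return verdict

# Constructed sample captures with placeholder addresses: 203.0.113.10 is the outside
# tester, 198.51.100.5 the pfSense WAN IP, 192.0.2.20 the HAProxy host.
WAN_CAPTURE = """\
10:01:02.000001 IP 203.0.113.10.51234 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0
10:01:02.000420 IP 198.51.100.5.25 > 203.0.113.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
10:01:05.000001 IP 203.0.113.10.51235 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0
10:01:09.000001 IP 203.0.113.10.51236 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0
"""
INSIDE_CAPTURE = """\
10:01:02.000100 IP 203.0.113.10.51234 > 192.0.2.20.25: Flags [S], seq 1, win 64240, length 0
10:01:02.000300 IP 192.0.2.20.25 > 203.0.113.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
10:01:05.000100 IP 203.0.113.10.51235 > 192.0.2.20.25: Flags [S], seq 1, win 64240, length 0
"""
```

Run `locate_drop(WAN_CAPTURE, INSIDE_CAPTURE)` on real captures from both interfaces to see whether the SYN is blocked at the firewall, reaches the proxy host unanswered, or is answered on a path that never returns through the WAN.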