• Allowing url traffic from Devops

    1
    0 Votes
    1 Posts
    391 Views
    No one has replied
  • NAT for the same ports to different LAN IPs

    15
    0 Votes
    15 Posts
    2k Views
    iulianteodorI

    @kiokoman

    # Automaticaly generated, dont edit manually. Generated on: 2022-06-03 22:53

    global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

    frontend frontend80
    bind xx.xx.xx.xx:80 name xx.xx.xx.xx:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl expressite var(txn.txnhost) -m beg -i www.expresxxxx.com
    acl expresmail var(txn.txnhost) -m beg -i mail.expresxxxx.com
    acl ramsite var(txn.txnhost) -m beg -i www.ramxxxx.ro
    acl nappasite var(txn.txnhost) -m beg -i www.nappaxxxx.ro
    acl emisite var(txn.txnhost) -m beg -i www.emimaragro.ro
    acl expresrosite var(txn.txnhost) -m beg -i www.expresxxxx.ro
    acl rammail var(txn.txnhost) -m beg -i mail.ramxxxx.ro
    acl nappamail var(txn.txnhost) -m beg -i mail.nappaxxxx.ro
    http-request set-var(txn.txnhost) hdr(host)
    use_backend backend-http8080_ipvANY if expressite
    use_backend backend-http80_ipvANY if expresmail
    use_backend backend-http8080_ipvANY if ramsite
    use_backend backend-http8080_ipvANY if nappasite
    use_backend backend-http8080_ipvANY if emisite
    use_backend backend-http8080_ipvANY if expresrosite
    use_backend backend-http80_ipvANY if rammail
    use_backend backend-http80_ipvANY if nappamail

    backend backend-http8080_ipvANY
    mode http
    id 100
    log global
    option log-health-checks
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server website 192.168.1.4:8080 id 101 check inter 1000 weight 250

    backend backend-http80_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server webmail 192.168.1.3:80 id 103 check inter 1000

  • VMware VMs not finding pfsense IP

    1
    0 Votes
    1 Posts
    439 Views
    No one has replied
  • SIP port forward from WAN to OpenVPN Client

    3
    0 Votes
    3 Posts
    774 Views
    B

    I can register the client to the PBX. The problem is that I have no audio at all.

    Something with the RTP traffic.

    When I connect the PBX and client to openvpn I have no problems. Everything works.

    The problem arises when I try to use the pfSense public IP. I think it is something with the UDP NAT.

  • [Bug?] pfSense empirically causing legacy WordPress sites to fail

    33
    0 Votes
    33 Posts
    4k Views
    johnpozJ

    @c-amie said in [Bug?] pfSense empirically causing legacy WordPress sites to fail:

    We have no control over what the internal code of someone's WordPress site is doing.

    Valid point. One way to fix it would be to put the servers actually on a public IP via a routed network behind pfSense.

  • Outbound NAT: TCP working fine, UDP not at all

    5
    0 Votes
    5 Posts
    1k Views
    R

    Hi,

    To complete the topic: the patch worked for me and solved the issue.

    Thank you

  • Inconsistent Port Forwarding Results

    2
    0 Votes
    2 Posts
    621 Views
    R

    @mistermince Have you opened the ports in the firewall rules as well, or just created the port forwarding rules?

    Can you post screenshots of your rules and port forwards?

  • DNS redirect issue: Reply from unexpected source

    3
    0 Votes
    3 Posts
    2k Views
    S

    FIXED:
    I don't know why, or how to check this issue more deeply:

    Following the documentation, to standardize every config.
    With Redirect target IP 127.0.0.1 as shown on the picture below.
    All the DNS answers came from the LAN address (each VLAN).

    Fixed with: Redirect target IP LAN_XX address

  • Blue Iris Remote access?

    47
    1 Votes
    47 Posts
    11k Views
    E

    @jarhead Ok, all good then. Thanks again for your help. 👍

  • PMP-NAT on Carp interface

    2
    0 Votes
    2 Posts
    822 Views
    I

    @dsmith10 Has anyone ever found the solution to this? I'm running into the same issue. Tailscale can't port translate automatically because we have a CARP IP for our LAN's gateway.

  • Assigning public IP on instance

    2
    0 Votes
    2 Posts
    609 Views
    No one has replied
  • Multiple WAN interfaces - NAT problem

    13
    0 Votes
    13 Posts
    1k Views
    M

    @viragomann Great tip, that's how it works for me. Thank you very much for the effort!!!

  • UPNP With Multiple Public IP addresses

    1
    0 Votes
    1 Posts
    865 Views
    No one has replied
  • NAT "same port" rule exception not working

    7
    0 Votes
    7 Posts
    1k Views
    gbooneG

    It appears that "alias-on-given-port" is checked and the invert match of the same alias is ignored, so it interprets the alias as being used twice and throws the error.

    I ended up with a setup using pfBlocker that does work while using invert match on an alias, but it works within the constraint above.

    ListA - US
    ListB - blocked geo
    Technically, outside of these two would be the rest of "all".

    Setup:

    ListA on port 80 -> machineA port 80
    ListA on port 443 -> machineA port 443
    !ListB on port 80 -> machineB port 80
    !ListB on port 443 -> machineB port 443

    @johnpoz The documentation might need to include a note that pfSense does not interpret the invert match of an alias to be unique from the alias.

    The invert match on ListB above is ALL, like you suggested, but without ListB.

    Thanks again!

  • NAT-PMP Failures

    3
    0 Votes
    3 Posts
    2k Views
    Bob.DigB

    @antiquity2489 I can't but UPnP never was a strength of *Sense. So you better make a port forward yourself.

  • Miniupnp full cone double NAT incorrectly adding rules

    24
    1 Votes
    24 Posts
    4k Views
    M

    It has been broken for many years now, so another couple of years doesn't sound too terrible in that perspective. Still, it sucks :(

  • SMTP port forwarding from internal server

    22
    0 Votes
    22 Posts
    4k Views
    L

    @stephenw10 @viragomann
    Through VPN it worked fine. Spent 40 mins and issue solved.

    Just to update. Thank you guys for help anyway

  • Moved from UI EdgeRouter to PFSense, NAT Reflection still not working?

    2
    0 Votes
    2 Posts
    679 Views
    NorligN

    So this is embarrassing...

    I have a mail server that I recently changed the password on my mail account for; this mail service runs on my home server.

    I got a scheduled PowerShell script that goes through the logs of this mail service and automatically blocks incoming connections from IP addresses that try to brute-force login or use my mail server as a forwarder. (A fail2ban script I made in PowerShell.)

    Apparently, since I changed the password to my account, my gateway IP (192.168.10.1) was blocked by this script, probably because I had not changed it on my phone.

    So it was not NAT reflection that was broken, it was my Windows firewall...

    Will change the PowerShell script now, to not block my gateway IP :)

    Also going back to the Ubiquiti router, as I was able to get IPsec to work there, while I find it very advanced for pfSense.

  • Outbound Nat only 1/2 working

    6
    0 Votes
    6 Posts
    787 Views
    V

    @chstechsolutions said in Outbound Nat only 1/2 working:

    I can run curl api.ipify.org and I get IP address 2 but when I send an email from the server all the headers say it is coming from IP Address 2.

    Isn't this what you want and what the outbound NAT rule is meant to do?

  • Devices with unconfigured default gateway

    2
    0 Votes
    2 Posts
    647 Views
    bingo600B

    @wolf3000
    They are probably using proxy ARP.
    That was discouraged a long time ago, for security reasons.

    Why would you want that feature ?

    If using DHCP the PLC should also accept the def-gw info handed out.
    If using Static IP, it's just one more entry to key in.

    The whole point of using a firewall is to be "in control", and not rely on some (possibly even hostile) device forwarding your packets based on unanswered ARP requests.

    /Bingo

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.