Can confirm this issue occurs from 2.7.1 onwards. The GUI works as expected in 2.7.0.

@minimos We created an alias for “WAN IPs” with the three public IPs in it. (And LAN) In essence I think you’re asking whether This Firewall will update to include the shared IP when it moves, and I don’t know the answer to that. Maybe, but I would not assume it does.

@jngo That is a very unusual way to get additional IP addresses based on DHCP. Typically you get a single (primary) DHCP address and all further IPs you get from the ISP are routed to the primary. So you only need to configure one DHCP interface and can easily use all the assigned IPs.

@clonian Check Diagnostics/Routes on secondary? Any chance the ISP router is locking on to the CARP IP? IOW if you remove the shared IP they should both be able to connect out on their own.

@prisonier Yes, VRRP is very very similar to CARP. It behaves the same regarding the virtual MAC. Glad that you got it sorted.

Hi, i have the same issue but putting :@SECLEVEL=0 to ssl-default-bind-ciphers just gives me an error: section 'frontend' : 'crt-list' : parsing [/var/etc/haproxy_test/imap_test-994.crt_list:1]: unknown ssl keyword :@SECLEVEL=0 is there anything i can do? regards

Not from the gui or in any way that officially supported. You can specify the log storage location in the syslog-ng package so use that to store it. You still need to forward logs to it from the normal syslogs though. And mounting a different disk for that requires some custom script.

@viragomann Just a update. They called me back. There recommendation is to have a PPPoE server that passes through the IPs.

@Tony-Soprano It is not very easy to Proxy SMTP and IMAP with Haproxy and will cause adnormal problems. But you would need to enable Proxy in Postfix main.cf. Personally I would not bother. I would use Haproxy for Webmail & ActiveSync on Port 443 then for SMTP 25. 587 and IMAP 993 I would put them under NAT instead. Depending how many Static IPs you have too. I would configure mx1 on Public IP 01 and mx2 on Public IP 02 then configure relay from mx2 to mx1. Make sure you have PTR Records added by your ISP too. Regards

@correajl thank you for the reply. I thought that you found a way to set different advbase values on both nodes. Anyway I found my issues, and it was not the same as yours - as I am not very familiar with netgear switches I missed that storm-control was enabled for multicast. The storm-control became the root cause for the issue.

Hello, can someone help? thanks

@manu77 I just tested with RDP and did not get dropped at your step 3...

@kiokoman said in HAProxy: 503 errors on 2 domains: @oguruma HAproxy 503 Service Unavailable No server is available to handle this request is passed when the http check fail for some reason even if the service is up and running like in this post https://serverfault.com/a/886319 you need to adjust that option in a way that it receve a valid response from the server or disable httpchk Thanks again for the help. I got it working by deleting both the frontends and the backends for the not-working domains and recreating them, making sure to disable health checks from the outset when creating the backends. One thing that is curious is that I re-installed ERPNext on separate, vanilla VM and pointed the backend to that new VM with healthcheck enabled, and it worked fine...

Hi, same problem here after upgrading from 2.6 to 2.7.2, Certificate manager don't fill 'In use' column for some of the certifcates used by HAProxy. Anyone has an explanation or solution? Thanks

@ironwood Ok, I found the solution, or rather, ChatGPT found the solution. Under System > Advanced > Admin Access, there is a setting called WebGUI Login Redirect. This is the description: When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule. The redirect is enabled for port 80 by default and was conflicting with the http to https redirect I had set up in HAproxy a long time ago. I check the box to disable it, saved, enabled my redirect and voila, it works! I'm guessing this was either a new feature in 23.09.1 or it I had it checked before and it "unchecked" itself? Would be interested in finding if that setting exists in earlier versions if anyone hasn't upgraded.