• Anyone using LUA acl's with HA and PF ?

    2
    0 Votes
    2 Posts
    381 Views
    P

    I'll be happy to pay someone for advice/work on this :)

  • Docker behind pfsense: haproxy, traefik, or ... ?

    7
    0 Votes
    7 Posts
    6k Views
    M

    @johnpoz yeah, I actually created my own post thinking I didn't want to hijack his.

    Please see here (I explain what I'm running):

    https://forum.netgate.com/topic/169703/pfsense-and-traefik-on-truenas-scale

  • Using Haproxy to Redirects Calls to FreePBX

    21
    0 Votes
    21 Posts
    4k Views
    NollipfSenseN

    @netblues said in Using Haproxy to Redirects Calls to FreePBX:

    @nollipfsense Making srtp work properly isn't always straightforward.
    But it's certainly worth investigating.

    Are you hosting anything? Any open ports to the Internet? Why do you need a dmz in a home office scenario?

    Well, my setup has two firewalls: pfSense as edge and Mikrotik as LAN guard. I had tried using FreePBX that way and that was too much limitation. Then, I saw Jimp's video (Netgate hangout) on DMZ: https://www.youtube.com/watch?v=QFk5jX-oeSo
    That convinced me that was the way to go and had started using FreePBX with the same Lenovo but with a Mac Mini running pfSense. I used Twilio for a short while but had problems with inbound calls. Then I had to abandon the project for a year. No, I am not hosting anything internally, so no ports open. I have been using Namecheap for domain hosting for six years now, and I stay with them only because I have a kick ass Cpanel suite.

    Voip.ms responded today saying there should not be a problem using HAproxy and sent links to their document wiki. Of course, support would say that to get me to commit to using their service; so, I am taking it with a grain of salt. Most of the time one isn't dealing with a real knowledgeable support person; so who knows, I am certainly trying. Inbound calls are usually the troublesome part. I am checking this Jimp's firewall best practice for VOIP video (Netgate hangout) as final refresher preparation: https://www.youtube.com/watch?v=C0JgrzxXIBY

  • Haproxy -- File is getting truncated on download -- intermittent

    2
    0 Votes
    2 Posts
    459 Views
    G

    Got more information from the log file.

    Feb 4 14:38:25 fw1 haproxy[14494]: 192.168.0.1:37014 [04/Feb/2022:14:38:22.412] HTTPS_443~ Production_ipvANY/si-erp14 0/0/0/216/2799 200 3455367 - - SD-- 4/4/0/0/0 0/0 "GET https://domain.com/web/assets/334-e80f7c3/web.assets_backend.min.js HTTP/2.0"

    The "SD" in the connection state says:

    S: the TCP session was unexpectedly aborted by the server, or the server explicitly refused it.
    D: the session was in the DATA phase.

    In the backend setting I tried to set "retries" to 3 but it didn't retry on failure.

    Any other thoughts?

  • Gopher:// port 70 and Squid

    1
    0 Votes
    1 Posts
    266 Views
    No one has replied
  • Download local blacklist e2guardian

    1
    0 Votes
    1 Posts
    804 Views
    No one has replied
  • HAproxy can't make any ACL rules work.

    3
    0 Votes
    3 Posts
    586 Views
    NollipfSenseN

    @snide_remarks said in HAproxy can't make any ACL rules work.:

    I see examples of ACL rules online and try to follow them to make something happen, but nothing works.

    Are you using a test pfSense VM on your network? I found it doesn't work that way since you would be binding the device you're on and not the real WAN.

    @snide_remarks said in HAproxy can't make any ACL rules work.:

    Many dropdown options for a novice to wrap his head around to be sure

    I agree...I have been working on mine since last week to make sure I have the concept corrected before moving to production. I'll be opening a post.

  • HAProxy redirection https without certificate

    3
    0 Votes
    3 Posts
    1k Views
    W

    @viragomann Okay, thanks a lot for your reply!

  • Questions about ICP "webcache google user content" and Squid

    3
    0 Votes
    3 Posts
    606 Views
    JonathanLeeJ

    @jonathanlee

    Fellow Netgate community,

    if anyone ever wants to talk about content accelerators or web accelerators just let me know.

    Reply here-->

  • Can HAproxy Backends work with self-signed certs

    22
    0 Votes
    22 Posts
    4k Views
    W

    Put ssl verify none in per server passthrough under advanced in the backend. That way a self-signed cert will be accepted.
    The frontend can still be encrypted with a valid (Let's Encrypt) cert.

  • Squid+SquidGuard allow corporate gmail, block community gmail

    1
    0 Votes
    1 Posts
    359 Views
    No one has replied
  • 0 Votes
    12 Posts
    2k Views
    JonathanLeeJ

    @jonathanlee

    Playing with this setting also seemed to improve the refresh hits for windows updates.

    Squid's updates that are cached are considered a different pc over the standard windows url that provides updates

  • Issues with one port for usage 3128?

    3
    0 Votes
    3 Posts
    582 Views
    JonathanLeeJ

    @jonathanlee

    Have you ever worked with bind or reverse shells? Sometimes they say the port is already in use.

    Similar to this, how can I set up Squid to do a port load balance for HTTP traffic?

    All https works.

  • 0 Votes
    3 Posts
    599 Views
    A

    @ageekhere Ya, I have the iPad manually set to use the proxy. Same as the iPhone. Looking at them both side by side right now, they are the same settings. I don't have my squidguard set up to auto set a proxy as I don't want it to apply to everything, just specific devices that I opt in to. I really only use it on those 2 devices, sometimes my PC but I've found I don't really have a need on the PC as the only ads I see are in my browser and adblock plus + privacy badger do the job fine enough. They're both using the same IP (192.168.1.1) and port (3128), the defaults of squidguard. I guess I could try adding an explicit youtube allow whitelist and see if that changes anything....

    Edit: I don't know why I didn't think to try whitelisting youtube in the first place. I did that and it solved the problem. Not sure why I get different behavior with just that one site on two different devices but whatever, problem solved.

  • pf2ad with samba binary updated

    1
    0 Votes
    1 Posts
    275 Views
    No one has replied
  • Secure Squid HTTPS Proxy

    3
    0 Votes
    3 Posts
    1k Views
    kklouzalK

    Well I posted into redmine..
    https://redmine.pfsense.org/issues/9700
    Over 2 years ago..
    Didn't expect it in the next dev build but yeah..Over 2 years..

  • HAproxy, failed: No buffer space available (errno=55)

    1
    0 Votes
    1 Posts
    270 Views
    No one has replied
  • Squid doesn't proxy https traffic, just http

    2
    0 Votes
    2 Posts
    491 Views
    K

    @krsengr

    Answering my own question to possibly save others some sanity. The system doesn't use a separate port (3129) for the SSL traffic. I saw "SSL Proxy Port" and "Default: 3129" and assumed that's what I should configure on the client...silly me.

    I removed the separate entry for https on my browser and used 3128 for both and everything started working.

  • Help please

    1
    1 Votes
    1 Posts
    606 Views
    No one has replied
  • Squid error with categories

    1
    0 Votes
    1 Posts
    368 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.