Netgate Discussion Forum
    HAProxy on pfSense anomaly

    15 Posts 3 Posters 1.9k Views
    • L
      LAVenetz @LAVenetz
      last edited by

      @lavenetz Having troubles with Mail-in-a-Box (MiaB) behind a pfSense v2.6 with HAProxy (see SNI like on top). Which ports do I have to forward to the MiaB-Box except 443, which is tracked by HAProxy (is red like on top)? I forwarded (on NAT) 80, 25, 53, 143, 587, 465, 993, 995, 4190, but no success! The MiaB is showing so many errors. When I transfer the Box back to another previous location where the router is in bridge mode => no errors at all, except Reverse DNS which is obsolete for me.

      NightlySharkN V 3 Replies Last reply Reply Quote 0
      • NightlySharkN
        NightlyShark @LAVenetz
        last edited by NightlyShark

        @lavenetz If the connections between the Apache instances and pfSense are physical, check all cables (even if you seem to have internet on the servers, gremlins be unpredictable like that). If not, check the hypervisor's networking. You never know when an update can cripple only part of your netstack and play the waiting game, i.e. expecting you to know the update has happened and reboot manually.

        1 Reply Last reply Reply Quote 0
        • NightlySharkN
          NightlyShark @LAVenetz
          last edited by NightlyShark

          @lavenetz Also, that is another thread.

          @lavenetz said in HAProxy on pfSense anomaly:

          Having troubles with Mail-in-a-Box (MiaB) behind a pfSense v2.6 with HAProxy (see SNI like on top). Which ports do I have to forward to the MiaB-Box except 443, which is tracked by HAProxy (is red like on top)?

          1 Reply Last reply Reply Quote 0
          • V
            viragomann @LAVenetz
            last edited by

            @lavenetz said in HAProxy on pfSense anomaly:

            Which ports do I have to forward to the MiaB-Box

            I think, this is the wrong place to ask this question.
            Check the documentation of the app for details.

            The MiaB is showing so many errors

            Maybe the contents of the error messages give hints. But without knowing them, we are completely in the dark.

            L 1 Reply Last reply Reply Quote 1
            • L
              LAVenetz @viragomann
              last edited by

              @viragomann et al.: I'm totally unsure at the moment !!! I thought I could simply move the MiaB from a router that is switched to bridge mode, as I already did with like the other six web servers, to move it behind a pfSense with HAProxy and run the "sudo mailinabox" command. "Mistake", said the hedgehog and climbed down from the cactus. Maybe I have to use MiaB with the command "curl -s https://mailinabox.email/setup.sh | sudo bash"? But that would be a fresh start for me and not just a simple transfer from a router in bridge mode to an environment with pfSense and HAProxy. Sorry that would really be another topic in another location (but I felt like the issues described above in this topic got)! Or is there still salvation here?

              NightlySharkN 1 Reply Last reply Reply Quote 0
              • NightlySharkN
                NightlyShark @LAVenetz
                last edited by

                @lavenetz Friend, we most probably don't know. You should ask the Mailinabox people (/ community?), or consult the documentation.

                L 1 Reply Last reply Reply Quote 1
                • L
                  LAVenetz @NightlyShark
                  last edited by

                  @nightlyshark Hello, regarding my problem (= MiaB behind a pfSense with HAProxy) I found something called "NAT hairpinning", posted by Lloyd Smart in 2015:

                  "It’s to do with being behind a NAT. I had the same trouble running MiaB within an LXC container. I had to turn on something called “NAT hairpinning” on the virtual bridge I was using. Try searching for something like that for your pfSense firewall. It’s a bit complicated, but basically the issue is that the traffic generated by the status checks reaches your NAT/firewall, and then doesn’t get routed back to your box like you’d think it would. This is because your firewall is only configured to forward external “incoming” packets to your box, but it sees this traffic as “internal” traffic that’s trying to get to your public IP. Since the firewall is your public IP, it thinks that the traffic has reached its destination, and it just dies there. This only happens when the box tries to talk to itself over the public IP. That’s why all the external stuff is probably working just fine, and also why you can access the box over its internal IP without any issues. What you need is a way for the firewall to know to treat traffic coming from your internal box IP that’s bound for your public IP the same as incoming traffic, and forward it back to your MiaB IP accordingly. That’s what hairpinning does."

                  Is this the solution?

                  NightlySharkN 1 Reply Last reply Reply Quote 0
                  • NightlySharkN
                    NightlyShark @LAVenetz
                    last edited by

                    @lavenetz That would be "NAT reflection" in PfSense.

                    L 1 Reply Last reply Reply Quote 0
                    • L
                      LAVenetz @NightlyShark
                      last edited by

                      @nightlyshark Oh, good to know! I've found it. I can turn it on and off per port. What should I most likely choose?

                      1. Standard
                      2. Activate (NAT + Proxy)
                      3. Activate (NAT only)
                      4. Deactivate
                      NightlySharkN 1 Reply Last reply Reply Quote 0
                      • NightlySharkN
                        NightlyShark @LAVenetz
                        last edited by

                        @lavenetz Only one MiaB, so, Standard, I think.

                        1 Reply Last reply Reply Quote 0
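A way to verify whether the hairpin path discussed in this thread actually works once a reflection mode is set, as an added example (not code from the thread, pfSense or Mail-in-a-Box): run it on the MiaB host, and it connects to the box's own public address on each forwarded port, as the MiaB status checks do. PUBLIC_IP and MY_HOSTNAME are placeholders, the `probe`/`classify`/`hairpin_report` names are my own, and the port list is the one the poster forwarded.

```python
"""NAT reflection (hairpin) check, run ON the server behind pfSense.
Added example, not code from the forum thread, pfSense or Mail-in-a-Box.
It connects to the box's OWN public IP on each forwarded port, as MiaB's
status checks do, and reads the greeting on the plaintext mail ports."""
import socket
from typing import Dict, Iterable, Tuple

PUBLIC_IP = "203.0.113.10"        # placeholder: the pfSense WAN address
MY_HOSTNAME = "box.example.com"   # placeholder: MiaB's primary hostname
# Ports the poster forwarded; 443 is terminated by HAProxy on pfSense itself.
FORWARDED_PORTS = (80, 25, 53, 143, 587, 465, 993, 995, 4190, 443)
# Plaintext services that greet first, and what the box's greeting must contain
# (Postfix names the host; Dovecot IMAP / ManageSieve have fixed banners).
GREETING = {25: "220 {host}", 587: "220 {host}", 143: "* OK", 4190: "IMPLEMENTATION"}

def probe(host: str, port: int, timeout: float = 3.0) -> Tuple[str, str]:
    """TCP connect; on greeting ports also read the server's first bytes.
    Returns (state, banner) with state in open / refused / timeout / error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if port not in GREETING:
                return "open", ""
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:          # connected, but nothing greeted us
                banner = ""
            return "open", banner
    except socket.timeout:
        return "timeout", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError:
        return "error", ""

def classify(port: int, state: str, banner: str, hostname: str) -> str:
    """Say whether the hairpin connection actually reached the mail box."""
    if state != "open":
        # The firewall treated the packet as addressed to itself and kept it.
        return "dropped at firewall (no reflection)"
    if port in GREETING:
        # Only a reflected connection reaches Postfix/Dovecot on the box;
        # anything else was answered on the WAN address itself.
        marker = GREETING[port].format(host=hostname)
        return "reflected" if marker in banner else "answered by something else"
    # On TLS/HTTP/DNS ports pfSense itself may listen (HAProxy on 443, the
    # DNS resolver on 53), so an open socket alone proves nothing.
    return "open (inconclusive without a protocol handshake)"

def hairpin_report(public_ip: str, ports: Iterable[int], hostname: str,
                   prober=probe) -> Dict[int, str]:
    """Map each port to its verdict; `prober` is injectable for offline tests."""
    return {p: classify(p, *prober(public_ip, p), hostname) for p in ports}
```

Any port reported as "dropped at firewall" or "answered by something else" is one on which the box still cannot reach itself through the public address. Note that in the NAT + Proxy mode the reflected connection arrives from the firewall's LAN address rather than the client's, so the box's mail logs and any rate limiting see pfSense as the peer.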
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.