Netgate Discussion Forum

ha proxy ssh add backend IP stops ssh connect

Cache/Proxy
14 Posts 2 Posters 2.0k Views
  • nopanic (last edited by Feb 20, 2023, 12:17 AM)

    Hello all,
    I'm running the latest pfSense with HAProxy. It's a NATed environment. I have an SSL/HTTP proxy to an SSH server that has worked for months.
    Today it stopped, I don't know why. I fiddled around for some hours and could determine that the "IP field" in "haproxy-backend" is causing problems. Adding the correct internal IP in the IP field stops the SSH connection and I'm not able to reconnect. Changing the IP to an unused one makes SSH connect again. No matter if the backend is disabled. Setting the IP to an unused one works. 5 hours spent checking this...
    [image: screenshot]

    Can someone help?
    Tia
    Stefan

    • nopanic (last edited by Feb 21, 2023, 12:14 PM)

      Hello all,

      It has something to do with

      Use Client-IP to connect to backend servers.

      [image: screenshot]

      When I change to WAN all is working. But if I understand it correctly, "opt" should be set.
      But with "opt" it's not working.
      Can someone help?

      Tia
      Stefan

      • viragomann @nopanic (last edited by viragomann Feb 21, 2023, 1:13 PM)

        @nopanic said in ha proxy ssh add backend IP stops ssh connect:

        It has something to do with

        Use Client-IP to connect to backend servers.

        When I change to WAN all is working. But if I understand it correctly, "opt" should be set.
        But with "opt" it's not working.
        Can someone help?

        Disable the transparent mode.
        What is the goal of using this?

        • nopanic @viragomann (last edited by Feb 21, 2023, 5:49 PM)

          @viragomann I want the client IPs on the SSH server to block unwanted connections.

          Tia
          Stefan

          • viragomann @nopanic (last edited by Feb 22, 2023, 11:12 AM)

            @nopanic
            You can do this on pfSense or in HAProxy as well.

            • nopanic @viragomann (last edited by Feb 22, 2023, 11:38 AM)

              @viragomann Okay. How? On the SSH server I'm using an IDS for blocking, and Snort on pfSense. Are there other solutions?
              Thanks!
              Stefan

              • viragomann @nopanic (last edited by Feb 22, 2023, 12:57 PM)

                @nopanic
                Do you want to simply block / allow certain IPs or do you need to inspect the traffic?
                For inspection you can use Snort or Suricata, but I don't think that these tools can see much in SSH traffic, since it's encrypted.

                • nopanic @viragomann (last edited by Feb 22, 2023, 1:02 PM)

                  @viragomann I want to inspect and, in case of e.g. brute-forcing, block the client IP. With Snort it's running very well, and on the server I use OSSEC for blocking.

                  Thanks
                  Stefan

                  • nopanic @nopanic (last edited by Feb 22, 2023, 1:52 PM)

                    @nopanic Curious: I disabled the transparent mode and see the client IP in the server logs. Should it not be rewritten to the pfSense IP?

                    • viragomann @nopanic (last edited by Feb 22, 2023, 1:56 PM)

                      @nopanic
                      I would expect to see the pfSense interface IP.
                      Maybe you forward the traffic to the backend by a NAT rule?

                      • nopanic @viragomann (last edited by Feb 22, 2023, 1:58 PM)

                        @viragomann Yes, there is a forward NAT rule.

                        • nopanic @nopanic (last edited by Feb 22, 2023, 2:01 PM)

                          @nopanic Ahh okay, I disabled those rules and now I see the pfSense IP. But why can I not use the "opt" interface in transparent mode?

                          • nopanic @nopanic (last edited by Feb 22, 2023, 2:17 PM)

                            @nopanic NAT rule disabled, no connection. Trying now the opt interface in transparent... it's running!!

                            Thanks for the help!!

                            • nopanic @nopanic (last edited by Mar 7, 2023, 2:00 PM)
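For anyone wanting to see the working state reached above (TCP-mode SSH proxy, transparent client IP, no competing NAT port forward) as a plain haproxy.cfg, here is an added example; it is not from the thread or the pfSense HAProxy package. The addresses, ports and names are placeholders, and the mapping of the GUI option "Use Client-IP to connect to backend servers" to `source ... usesrc clientip` is my reading of HAProxy's own directive, not something the thread states.

```haproxy
# Added example (not the thread's or the pfSense package's own config).
# Placeholders: 192.0.2.10 = pfSense WAN address, 10.0.0.5 = SSH server.

global
    log /dev/log local0

defaults
    log     global
    mode    tcp              # SSH is opaque TCP: no HTTP parsing possible
    option  tcplog
    timeout connect 5s
    timeout client  1h       # interactive SSH sessions are long-lived
    timeout server  1h

frontend ssh_in
    # The port clients connect to. There must be NO NAT port forward for
    # this port: pf would forward the packets to the server before HAProxy
    # (a userspace process) ever sees them, which is why the server logs
    # showed the client IP even with transparent mode off.
    bind 192.0.2.10:2222
    default_backend ssh_srv

backend ssh_srv
    # Transparent mode: open the server-side connection with the client's
    # original source address instead of the pfSense interface IP, so sshd
    # and the host-based blocker (OSSEC in the thread) act on the real client.
    # The server's return traffic must route back through pfSense, otherwise
    # the reply goes straight to the client and the TCP handshake never
    # completes.
    source 0.0.0.0 usesrc clientip
    # No "check" here on purpose: a plain TCP health check shows up in sshd
    # logs as a connection that sent no identification string, which is
    # noise for a log-based blocker.
    server ssh1 10.0.0.5:22
```

Without transparent mode, drop the `source` line and the server sees the pfSense interface IP, as the thread observed; in that case any per-client blocking has to happen on pfSense rather than on the SSH host.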

                              @nopanic Hello all,
                              I have to come back because the traffic only goes from LAN to OPT. From the WAN side I don't get a connection.
                              Curious: when I create TCP transparent entries and want to go back to NAT forwarding, I have to reboot the machine so forwarding works again. I have to delete the entries and reboot. Disabling is not enough.

                              Can someone help?
                              Tia
                              Stefan

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.