ha proxy ssh add backend IP stops ssh connect

nopanic

Hello all,
Im running the latest pfsense with haproxy. It s a natted env. Im having a ssl/http proxy to an ssh server that works for month.
Today it stops, dont know why. Im fiddeling some hours around and could determine the "IP field" in "haproxy-backend" makes problems. Adding the correct internal IP in the IP filed stops the ssh connection and im not able to reconnect. Change the IP to an unused one makes the ssh connect ready. No matter if the backend is disabled. Setting the IP to an unused one works. 5 hours to checking this...
![alt text] (image url)

Can someone help?
Tia
Stefan

nopanic

Hello all,

it has something todo with

Use Client-IP to connect to backend servers.

When I chenge to wan all is working. But as I understand it correct, there should be "opt" set.
But with "opt" its not working.
Can someone help?

Tia
Stefan

viragomann

@nopanic said in ha proxy ssh add backend IP stops ssh connect:

it has something todo with

Use Client-IP to connect to backend servers.

When I chenge to wan all is working. But as I understand it correct, there should be "opt" set.
But with "opt" its not working.
Can someone help?

Disable the transparent mode.
What is the goal of using this?

nopanic

@viragomann I want the client IPs on the ssh server to block unwanted connections

Tia
Stefan

viragomann

@nopanic
You can do this on pfSense or in HAproxy as well.

nopanic

@viragomann okay. How? On the ssh server Im using an IDS for blocking and snort on pfsense. Are there other solutions?
thanks!
Stefan

viragomann

@nopanic
Do you want to simply block / allow certain IPs or do you need to inspect the traffic?
For inspection you can use snort or suricata, but I'm don't think that these tools can see much in an ssh traffic, since it's encrypted.

nopanic

@viragomann I want to inspect and in case ex. of bruteforcing block the client IP. With snort its running very well and on the the server I use ossec for blocking-

thanks
Stefan

nopanic

@nopanic courious: I disable the transparent mode and see on the server logs the client IP. Should it not be rewritten to the pfsense IP?

viragomann

@nopanic
I would expect to see the pfSense interface IP.
Maybe you forward the traffic to the backend by a NAT rule?

nopanic

@viragomann yes, the there is a forward nat rule

nopanic

@nopanic ahh okay , I disable those rules now I see the pfsense IP. But why I can not use the "opt" interface in transparent mode?

nopanic

@nopanic nat rule disabled, no connction, Trying now the opt interface in transparent.. its running!!

thanks for help!!

nopanic

@nopanic Hello all
I have to come back cause the traffic goes only from LAN to OPT. From WAN site I dont get a connection.
Courious: When I do tcp tranparent entries and wnat back to nat-forwarding I have to reboot the machine, so forwarding work again. I have to delete the entries and reboot. Disabling is not enough.

Can someone help?
Tia
Stefan