Netgate Discussion Forum

    Can pfsense detect requests and routing to set hostname

    General pfSense Questions
    • sysbitnet

      Yes, I set.

      When I do this just for testing
      Firewall-NAT-Port-Forward-pm.jpg
      How can I see if I correctly configured and tried to access it, this is working perfectly.

      IP_ProxMox is set localhost IP set inside Firewall / Aliases / IP

      When I disable this Port Forward and now testing to login again like https://pm.domain.com:8006 I get this result

      503 Service Unavailable
      No server is available to handle this request.

      If I have a set like this inside HAProxy

      @sysbitnet said in Can pfsense detect requests and routing to set hostname:

      Inside Services / HAProxy / Backend

      Name: PM_8006
      Mode: active
      Name: pm
      Forward to: Address+Port
      Address: 192.168.100.3
      Port: 8006
      Encrypt(SSL): yes
      SSL checks: yes
      And in the Health check method set: basic

      How I configure on the Frontend part.

      Services / HAProxy / Frontend
      Name: PM_Front
      External address
      Listen address: WAN address (IPv4)
      Port: 8006
      SSL Offloading: yes

      In Access Control lists inside the same
      Name: pm
      Expression: Host matches
      CS: empty
      Note: empty
      Value: pm.domain.com

      In part Actions inside the same

      Action Use Backend the name that I set on PM_8006
      Condition acl names: the same name that I set in Access Control lists pm

      And inside the same Additional certificates select SSL Offloading what I on System / Certificates / Certificates

      The same certificate and added inside proxmox, because is Let's Encrypt wildcard certificate

      And when I try to visit https://pm.domain.com:8006/ the result is like this below message.

      503 Service Unavailable
      No server is available to handle this request.

      • stephenw10 Netgate Administrator

        But do you see states on port 8006 in Diag > States?

        • sysbitnet @stephenw10

          @stephenw10 said in Can pfsense detect requests and routing to set hostname:

          But do you see states on port 8006 in Diag > States?

          If you mean on Diagnostics / States / States, yes, this is what I get as a result.

          Diagnostics-States-States.jpg

          • stephenw10 Netgate Administrator

            Ok. So what is the LAB interface? What are the IPs there?

            I expect to see a port 8006 state on WAN whilst you're testing.

            • sysbitnet @stephenw10

              @stephenw10 said in Can pfsense detect requests and routing to set hostname:

              Ok. So what is the LAB interface? What are the IPs there?

              I expect to see a port 8006 state on WAN whilst you're testing.

              LAB interface is a local private network, 192.168.100.0/24

              • stephenw10 Netgate Administrator

                Ok so I assume 192.168.100.254 is the LAN interface address.

                That state could be the backend on-line check.

                If you are trying to connect to it you should also see states on the WAN.

                • sysbitnet

                  I just tested with mobile internet and have this result
                  Diagnostics-States-States-2.jpg

                  • sysbitnet @stephenw10

                    @stephenw10 said in Can pfsense detect requests and routing to set hostname:

                    Ok so I assume 192.168.100.254 is the LAN interface address.

                    That state could be the backend on-line check.

                    If you are trying to connect to it you should also see states on the WAN.

                    I get this result with a local private network because I use the same IP and for that reason, I get a local IP

                    • stephenw10 Netgate Administrator

                      Ok so you do see a state open on the WAN. Do you also see a new state open on LAB when that happens? That's what you would expect to see if HAProxy is opening the backend.

                      If it isn't then it's probably not trying because it thinks the backend is down.

                      • sysbitnet @stephenw10

                        @stephenw10 said in Can pfsense detect requests and routing to set hostname:

                        Ok so you do see a state open on the WAN. Do you also see a new state open on LAB when that happens? That's what you would expect to see if HAProxy is opening the backend.

                        If it isn't then it's probably not trying because it thinks the backend is down.

                        This is how it configures Backend and Frontend
                        @sysbitnet said in Can pfsense detect requests and routing to set hostname:

                        @stephenw10
                        I agree with you.

                        How can testing what is the problem only leave this service, for example, I used to test proxmox.

                        Inside Services / HAProxy / Backend

                        Name: PM_8006
                        Mode: active
                        Name: pm
                        Forward to: Address+Port
                        Address: 192.168.100.3
                        Port: 8006
                        Encrypt(SSL): yes
                        SSL checks: yes
                        And in the Health check method set: basic

                        How I configure on the Frontend part.

                        Services / HAProxy / Frontend
                        Name: PM_Front
                        External address
                        Listen address: WAN address (IPv4)
                        Port: 8006
                        SSL Offloading: yes

                        In Access Control lists inside the same
                        Name: pm
                        Expression: Host matches
                        CS: empty
                        Note: empty
                        Value: pm.domain.com

                        In part Actions inside the same

                        Action Use Backend the name that I set on PM_8006
                        Condition acl names: the same name that I set in Access Control lists pm

                        And inside the same Additional certificates select SSL Offloading what I on System / Certificates / Certificates

                        The same certificate and added inside proxmox, because is Let's Encrypt wildcard certificate

                        And when I try to visit https://pm.domain.com:8006/ the result is like this below message.

                        503 Service Unavailable
                        No server is available to handle this request.

                        The web interface can be reached via https://youripaddress:8006 or https://pm.domain.com:8006
                        proxmox-login.jpg

                        When I open Stats FS I see Green for this profile
                        Stats-FS.jpg

                        • stephenw10 Netgate Administrator

                          Oh this is simply the Proxmox webgui. That should work. Did you add the Proxmox CA cert to pfSense so it will allow connections?

                          You should change the backend health-check to https. When that shows as available then proxied requests should do also.

                          • sysbitnet @stephenw10

                            @stephenw10 said in Can pfsense detect requests and routing to set hostname:

                            Oh this is simply the Proxmox webgui. That should work. Did you add the Proxmox CA cert to pfSense so it will allow connections?

                            You should change the backend health check to https. When that shows as available then proxied requests should do also.

                            I have a Let's Encrypt wildcard certificate, which I add inside ProxMox

                            Or you mean to add this from ProxMox to pfSense proxmox-cert.jpg

                            When I change on Services / HAProxy / Backend
                            In the Health check method set: from Basic to HTTP when I have status Down

                            For now, only add my Let's Encrypt wildcard certificate on Services / HAProxy / Frontend

                            • stephenw10 Netgate Administrator

                              I'm just speculating that HAProxy cannot open a connection to Proxmox because it refuses the cert. However it should be OK if Proxmox is using a LE cert.

                              Try to open it from pfSense directly. It fails for me here because I'm using the self signed cert in Proxmox:

                              [24.03-RELEASE][root@m270-2.stevew.lan]/root: curl https://172.21.16.250:8006
                              curl: (60) SSL certificate problem: unable to get local issuer certificate
                              More details here: https://curl.se/docs/sslcerts.html
                              
                              curl failed to verify the legitimacy of the server and therefore could not
                              establish a secure connection to it. To learn more about this situation and
                              how to fix it, please visit the web page mentioned above.
                              
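Added example, not part of the thread and not pfSense or HAProxy code: a shell script for the curl check suggested in the post above, run from the firewall's shell. It separates a certificate-verification failure (curl exit 60, as in the output above) from a backend that does not answer, and with an IP argument it uses curl's --resolve so the certificate is verified against the hostname while connecting to the backend address. The host, port and address in the usage comment are the values posted earlier in the thread; the verdict strings are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): staged HTTPS probe of a proxy backend.
# Usage: sh probe.sh HOST PORT [IP]
#   e.g. sh probe.sh pm.domain.com 8006 192.168.100.3
CURL="${CURL:-curl}"    # overridable so the logic can be exercised offline

# Run one request, discard body and messages, return curl's exit status.
# $1 = URL, remaining arguments = extra curl options.
try_curl() {
    url="$1"; shift
    "$CURL" -sS -o /dev/null --connect-timeout 5 --max-time 10 "$@" "$url" 2>/dev/null
}

# Print a one-word verdict for https://HOST:PORT/ (verdict names are this
# example's own). With IP given, connect to IP but verify the certificate
# against HOST.
probe_backend() {
    host="$1"; port="$2"; ip="${3:-}"
    set --
    if [ -n "$ip" ]; then set -- --resolve "$host:$port:$ip"; fi
    rc=0
    try_curl "https://$host:$port/" "$@" || rc=$?
    case "$rc" in
        0)  echo "ok" ;;                    # TCP, verified TLS and an HTTP reply
        60) # Certificate verification failed. Retry with -k (no verification)
            # to learn whether the service itself answers.
            if try_curl "https://$host:$port/" -k "$@"; then
                echo "untrusted-cert"
            else
                echo "untrusted-cert-and-no-reply"
            fi ;;
        6)  echo "dns-failure" ;;
        7)  echo "connect-failed" ;;
        28) echo "timeout" ;;
        35) echo "tls-handshake-failed" ;;
        *)  echo "curl-error-$rc" ;;
    esac
}

if [ "$#" -ge 2 ]; then probe_backend "$@"; fi
```

A verdict of "untrusted-cert" means the service answers and only certificate verification fails; "connect-failed" or "timeout" means the request never reached a listening service.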
                              • sysbitnet

                                I back with this case, when I use like this
                                Firewall-NAT-Port-Forward-pm.jpg

                                Is not matter did I enter Public IP https://xxx.xxx.xxx.xxx:8006 or https://pm.domain.com:8006

                                I get similar results on the ProxMox login screen
                                proxmox-login.jpg

                                In this case, the only SSL that it uses is the SSL that is installed inside ProxMox.

                                When I disable rule inside Firewall / NAT / Port Forward

                                And back inside HAProxy where in Frontend
                                PM_Front rule

                                Just inside SSL Offloading => Certificate use, for example, pfSense certificate and open in the same way first what I get is

                                Your connection is not private
                                Attackers might be trying to steal your information from pm.domain.com (for example, passwords, messages, or credit cards). Learn more
                                NET::ERR_CERT_AUTHORITY_INVALID

                                And when I agree with that and want to continue again like the final point get

                                503 Service Unavailable
                                No server is available to handle this request.

                                And inside Diagnostics / States / States get this like result
                                Diagnostics-States-States-2.jpg

                                • stephenw10 Netgate Administrator

                                  Did you try to open it with curl like I showed above?

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.