Re: Does the transparent option not work in FreeBSD?
2013/7/12 jinge altman87...@gmail.com:

> Hi PiBa-NL,
>
> I just followed your advice and found that my pf configuration is not correct:
>
>     rdr on vlan64 proto tcp from any to any -> 127.0.0.1 port
>
> I changed to ipfw and fwd, and then it works correctly:
>
>     ipfw add fwd 127.0.0.1, tcp from any to any via vlan64 in
>
> You told me I can use pf's divert-to, but after a test I found it doesn't work. Here is the configuration:
>
>     pass in quick on vlan64 inet proto tcp from any to any divert-to 127.0.0.1 port
>
> So can you tell me the right configuration?

You can try to explicitly set the original port:

    pass in quick on vlan64 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port

Also check that ipdivert is loaded.

Joris

> Thank you.
>
> Regards
> Jinge
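Joris's two checks (is ipdivert loaded, and does the rule only catch the intended port rather than everything any-to-any) as an added example that is not code from the thread: a small Python preflight script that parses the text `kldstat` and `ipfw list` print on FreeBSD. The output formats, the expectation that fwd rules are written `from any to any ... in via|recv <ifc>`, the sample listings, the port-80 rule and the 127.0.0.1:3128 listener are my assumptions and constructions, not something any participant posted.

```python
"""Added preflight check (not part of the mailing-list thread): parse the
text that `kldstat` and `ipfw list` print on FreeBSD and report whether the
ipdivert module is loaded and which inbound ipfw fwd rules would hand TCP
traffic to a local proxy. The command output formats are assumptions based
on what those tools print; the samples below are constructed."""
import re
import subprocess
import sys

# Constructed sample in `kldstat` format (not taken from any host in the thread).
SAMPLE_KLDSTAT = """\
Id Refs Address                Size Name
 1   14 0xffffffff80200000  1d6b0f0 kernel
 2    1 0xffffffff81e00000     5c08 ipdivert.ko
"""

# Constructed sample in `ipfw list` format. Rule 90 mirrors the shape of the
# fwd rule posted in the thread (no destination port, so it catches every
# inbound TCP flow on em1); rule 91 is a hypothetical rule limited to port 80
# that forwards to a hypothetical listener on 127.0.0.1:3128.
SAMPLE_IPFW = """\
00090 fwd 127.0.0.1 tcp from any to any in recv em1
00091 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv vlan64
00100 allow ip from any to any
65535 deny ip from any to any
"""


def ipdivert_loaded(kldstat_output):
    """True if the module column of any `kldstat` line is ipdivert.ko."""
    for line in kldstat_output.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if fields and fields[-1] == "ipdivert.ko":
            return True
    return False


# Inbound tcp fwd rules written as "from any to any [port] in via|recv <ifc>".
# ipfw may print the port bare or behind "dst-port"; both forms are accepted.
FWD_RULE = re.compile(
    r"^(?P<num>\d+)\s+fwd\s+(?P<target>\S+)\s+tcp\s+from\s+any\s+to\s+any"
    r"(?:\s+(?:dst-port\s+)?(?P<dport>[\d,-]+))?"
    r"\s+in\s+(?:via|recv)\s+(?P<ifc>\S+)"
)


def inbound_fwd_rules(ipfw_output):
    """Return (rule number, fwd target, dst port or None, interface) tuples."""
    rules = []
    for line in ipfw_output.splitlines():
        m = FWD_RULE.match(line.strip())
        if m:
            rules.append((int(m["num"]), m["target"], m["dport"], m["ifc"]))
    return rules


def preflight(kldstat_output, ipfw_output, iface):
    """Summarise the two listings for one ingress interface.

    catch_all_fwd lists fwd rules with no destination port: those send every
    inbound TCP connection on the interface to the proxy, which both replies
    in the thread advise against."""
    fwd = [r for r in inbound_fwd_rules(ipfw_output) if r[3] == iface]
    return {
        "ipdivert": ipdivert_loaded(kldstat_output),
        "fwd_rules": fwd,
        "catch_all_fwd": [r for r in fwd if r[2] is None],
    }


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "em1"
    if sys.platform.startswith("freebsd"):
        report = preflight(_run(["kldstat"]), _run(["ipfw", "list"]), iface)
    else:  # elsewhere, demonstrate on the constructed samples
        report = preflight(SAMPLE_KLDSTAT, SAMPLE_IPFW, iface)
    print("ipdivert loaded:", report["ipdivert"])
    for num, target, dport, ifc in report["fwd_rules"]:
        scope = f"dst-port {dport}" if dport else "ALL inbound tcp"
        print(f"rule {num}: {scope} on {ifc} -> {target}")
    if report["catch_all_fwd"]:
        print("warning: fwd rule(s) without a destination port:",
              [r[0] for r in report["catch_all_fwd"]])
```

Run it on the FreeBSD box with the ingress interface as the argument (for example `python3 preflight.py vlan64`); anywhere else it runs against the constructed samples, where rule 90 is flagged as a catch-all and rule 91 is reported as scoped to port 80.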
Re: Does the transparent option not work in FreeBSD?
Hi Jinge,

Nice that you have it working with ipfw.

I have no hands-on experience with FreeBSD 9 and those divert-to rules. Reading their explanation led me to expect it should be able to work, and resolve the issue of needing 2 firewalls (pf and ipfw) simultaneously.

As Joris also writes, you should probably not redirect all traffic that flows from any-to-any, but only what was originally already going to the proper destination port, so any-to-any. So possibly something like this:

    pass in quick on vlan64 inet proto tcp from any to any port divert-to 127.0.0.1 port

If this can actually work, I currently do not know.. My only FreeBSD 9 pf knowledge is from reading its manual. So I can't help with that.

If you do manage to get the divert-to working, please do share it with us.

Greets
PiBa-NL
Re: Does the transparent option not work in FreeBSD?
Hi PiBa-NL,

I just followed your advice and found that my pf configuration is not correct:

    rdr on vlan64 proto tcp from any to any -> 127.0.0.1 port

I changed to ipfw and fwd, and then it works correctly:

    ipfw add fwd 127.0.0.1, tcp from any to any via vlan64 in

You told me I can use pf's divert-to, but after a test I found it doesn't work. Here is the configuration:

    pass in quick on vlan64 inet proto tcp from any to any divert-to 127.0.0.1 port

So can you tell me the right configuration?

Thank you.

Regards
Jinge

On 2013-7-11, at 12:07 PM, jinge altman87...@gmail.com wrote:

> Hi PiBa-NL,
>
> Thanks for your reply! And I will follow your advice!
>
> Regards
> Jinge
Re: Does the transparent option not work in FreeBSD?
Hi Jinge,

I'm not exactly sure how this is supposed to work.. I did manage to get transparent proxy for the server side working.. (the server is presented with a connection from the original client IP.) This works with haproxy 1.5dev19 on FreeBSD 8.3 with the help of some ipfw fwd rules.. Your config also seems to be working (used some parts thereof to test..)

It did require the following ipfw rule for me..:

    ipfw add 90 fwd localhost tcp from any to any in recv em1

Actually on pfSense it also needs -x haproxy as it is a bit customized.. And because I run 'ipfw' combined with 'pf' I also needed to configure pf with floating 'pass on match' rules to allow the 'strange traffic'.. that pf cannot handle..

If you however have FreeBSD 9 you might want to look into the divert-to rules that pf can make. Might make stuff simpler if it turns out to work..

Please report back your required settings (config if it changes) when you manage to get it working.

Greetings
PiBa-NL

On 9-7-2013 12:55, jinge wrote:

> Hi, all!
>
> We use haproxy and FreeBSD for our cache system. And we want to use the transparent option (http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-option%20transparent) for some compatibility things. But we found it doesn't work. Here is the configuration, which worked in Ubuntu:
>
>     frontend tcp-in
>         bind :
>         mode tcp
>         log global
>         option tcplog
>         # distinguish HTTP and non-HTTP
>         tcp-request inspect-delay 30s
>         tcp-request content accept if HTTP
>         default_backend Direct
>
>     backend Direct
>         mode tcp
>         log global
>         option tcplog
>         no option httpclose
>         no option http-server-close
>         no option accept-invalid-http-response
>         option transparent
>
> Can anyone tell me whether FreeBSD cannot support transparent here, or whether my configuration is not correct? And how to make transparent work right.
>
> Thanks!
>
> Regards
> Jinge