net/haproxy: unable to configure to listen on IPv6 address

[abraxxa]

When I try to configure a Public Service listening to an IPv6 address the following error is display on save:

Please provide a valid listen address, i.e. 127.0.0.1:8080 or www.example.com:443. Port range as start-end, i.e. 127.0.0.1:1220-1240

I guess this is just a validation error.
I tried both 2a01:....:1:443 as well as [2a01:.....:1]:443

OPNSense verion 18.1_1
os-haproxy plugin version: 2.4
UI URL: https://firewall.hartmaier.priv.at/ui/haproxy/#frontends

[abraxxa]

Looks like this regex doesn't match IPv6 addresses: https://github.com/opnsense/plugins/blob/master/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml#L317

[fraenki]

@abraxxa I can't reproduce this on OPNsense 18.1.6 (anymore). Is this still not working for you in the current release? If yes, then please provide a screenshot of the error message and the values that are not working.

[fraenki]

Closing this issue, because I can't reproduce it. Please report back how to reproduce this issue and provide a screenshot of the error.

[abraxxa]

Sorry for the delay, marking mails as important in the inbox isn't sufficient enough :(
I've checked it with 18.1.8 and it works now, thanks!

[fraenki]

@abraxxa Thanks for the confirmation!

[ssbarnea]

Clearly something is not working even with latest 19.7. I tried to add something like [2a02:8765:d000:123::1]:443 and it refuses to add it, displaying an error message which is useless for those trying to add an IPv6 address: Please provide a valid listen address, i.e. 127.0.0.1:8080 or www.example.com:443. Port range as start-end, i.e. 127.0.0.1:1220-1240.

[mimugmail]

Maybe your syntax is wrong?
https://forum.opnsense.org/index.php?topic=13695.msg64859;topicseen#msg64859

[fraenki]

@ssbarnea Please try this patch:

opnsense-patch -c plugins ec84327a

[ssbarnea]

@fraenki I applied the patch, restarted all services and I did allow me add the address. Still, I think that binding to ipv6 does not work for the haproxy.

I tried running netstat -ln6 and I am unable to see anything on 80 or 443, even if I configured them as public services. I do see port 53 open and I know that unbound is working on ipv6.

[mimugmail]

Can you try sockstat -6

[fraenki]

@ssbarnea I don't have an IPv6 test box, but binding on local IPV6 seems to work.

root@opnsense-test:~ # sockstat -6 | grep haproxy
www      haproxy    99791 4  tcp6   ::1:8088              *:*
www      haproxy    99791 12 tcp6   ::1:8080              *:*

Your HAProxy log may reveal why it is unable to bind to a certain address. Additionally, you may want to check if there are more detailed startup messages when using the RC script to start HAProxy:

root@opnsense-test:~ # service haproxy stop
Waiting for PIDS: 99791.
root@opnsense-test:~ # service haproxy start
Starting haproxy.

[abraxxa]

For me binding haproxy to the Internet IPv6 address assigned via DHCP works as long as the static IPv6 address entered in the haproxy config is available and hasn't changed.

[fraenki]

works as long as the static IPv6 address entered in the haproxy config is available and hasn't changed

True. HAProxy will even refuse to start if the configured listen address is unavailable (i.e. not configured on a local interface).

[ssbarnea]

I can confirm that this patches worked. Sorry that it took so long to reply. I mention that for some reason I had to add an extra rule to the firewall but that is clearly unrelated to the patch.

Thanks for fixing that!

[fraenki]

@ssbarnea Thanks for testing! The patch will be included in the upcoming release 2.19 of os-haproxy.