Problems connecting to TURN/STUN Server behind HAPROXY on PFSense

Hello Level1Techs community! :smiley:

I'm coming here because I've been having a very hard time trying to get a TURN/STUN server to run behind pfSense with HAProxy for almost 2 weeks now, almost pulling my hair out.

Unfortunately I haven't been able to find any answer to this anywhere else, or anyone that has configured a TURN server using coturn behind HAProxy on pfSense, so I'm hereby very kindly asking for help from the combined brainpower of the Level1Techs Community :pray: :sob:

I will explain my setup so it's better understood, as it's a bit complex.

I have 18 VMs running on Proxmox:

  • pfSense (which all VMs are connected to and run their connections through)
  • Many WordPress and other servers, Nextcloud, Folding@home, Matrix Synapse (which I've been having problems with too, but I will make a separate post for that) and a few other things.

The diagram is as follows:

Internet <-> pfSense (WAN) | HAProxy | Frontend <-> Backend <-> Server (Ubuntu 18.04 with coturn)

As you can see above, I have ports open on WAN for the webservers, Nextcloud, Matrix, TURN etc.

Below you can see that I have a frontend for the TURN server listening on ports 3478 and 5349

Below is the backend that the frontends connect to

Below are the ports the turnserver VM is listening on

Running Ubuntu 18.04, with Coturn

Coturn config:

Listening on the default ports set in the backend of HAProxy, as shown in the image
192.168.2.4 as listening IP
min/max ports default
realm set to my turn.mydomain.com
use-auth-secret
static-auth-secret=AAALKANSLKASJDFLKSJDFLAKSDJOFCOURSETHISISNOTMYSTATICSECRET
external-ip= (the VM's public IP address)

everything else default

Proxmox has no firewall active on the VM.

UFW ports 80, 443, 3478 and 5349 open

Any attempt to connect and send traffic through port 3478 fails, not even gonna mention the SSL port

(The same coturn configuration for port 3478 on a Linode (using the L1Techs affiliate :+1:) is running perfectly fine and connectable on Nextcloud; calls work perfectly well routing through it)

I even tried putting nginx in front of the TURN server: HAProxy backend using 80 / 443, nginx listening on ports 80 / 443 with proxy_pass etc. sending them to 127.0.0.1:3478, and coturn listening on 127.0.0.1 ports 3478 / 5349, but no luck there either…

As visible in the WAN firewall rules screenshot, traffic reaches the firewall, but it's not reaching the server on the other side of HAProxy, so I think my HAProxy Frontend <-> Backend <-> Server pipe is messed up somewhere in between, but I can't pinpoint where.

What am I missing and messing up? :man_facepalming:

All the help or advice will be immensely appreciated :pray:
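One way to see where the request stops, as an added example that is not part of the post: a minimal STUN Binding client (RFC 5389) that can be pointed at the coturn VM's LAN address (192.168.2.4) and at the WAN name, over UDP or TCP, and reports the address the server saw. It assumes a plain coturn listener on 3478; HAProxy forwards TCP only, so the UDP form exercises only the direct path and the `tcp=True` form is the one that traverses the proxy.

```python
"""Minimal STUN Binding check (RFC 5389) for a coturn port. Added example, not
from the post: build a Binding Request, parse the Success Response, probe a host."""

import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid: bytes = b"") -> tuple:
    """Return (message, transaction_id); a Binding Request carries no attributes."""
    txid = txid or os.urandom(12)
    header = struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid
    return header, txid

def parse_binding_response(data: bytes, txid: bytes) -> tuple:
    """Check the reply belongs to our transaction and decode XOR-MAPPED-ADDRESS (IPv4)."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a reply to our transaction")
    if mtype != BINDING_SUCCESS:
        raise ValueError("unexpected STUN message type 0x%04x" % mtype)
    body, off = data[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            # Port and address are XORed with the magic cookie (RFC 5389 section 15.2).
            xport = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            xaddr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", xaddr)), xport
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS in response")

def probe(host: str, port: int = 3478, tcp: bool = False, timeout: float = 3.0) -> tuple:
    """Send one Binding Request over UDP (default) or TCP; return (mapped_ip, mapped_port)."""
    msg, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.sendall(msg)
        return parse_binding_response(s.recv(1024), txid)
```

Running `probe()` against the LAN address from inside and against the WAN name from outside, with and without `tcp=True`, shows at which hop the Binding Request stops getting an answer.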

Did you end up getting this working? I'm trying to get matrix-synapse working behind pfSense HAProxy. I can get the static website to work, but I can't get federation over port 8448 to work.

I think you might have your firewall rules upside down, meaning the first rule should be at the bottom, and the last rule should be on top.

You might have the same problem as @senses; it is hard to know for sure without seeing a post of your firewall rules.

Unfortunately I was not able to get it working after testing and trying for some more time.
Getting TURN to work was not possible; Synapse worked, but no federation either. I will revisit this in the future and give it another shot.