Cloudflare doesn't seem to be passing traffic to pfSense

Hi all,

I think I have Googled EVERYTHING under the sun both on this community forum, the Help site, and Google in general. I’m using the free version of Cloudflare.

I’ve run the Diagnostic test for my website, but it seems to hang on Running Diagnostic Test…

I can’t seem to figure out what is wrong. I’m using pfSense. I’ve set up HAProxy, but everything in pfSense tells me that when I use a CNAME such as abc.domain.com, it’s not passing that traffic to pfSense. I know that pfSense works, because the HAProxy, Firewall, etc. has not changed.

I’ve used my WAN IP address (aaa.bbb.ccc.ddd), and I see the traffic going to pfSense.

The only thing that changed is my certs. But I don’t know how to look at the logs for Cloudflare.

Can anyone help please??

Did you notice a change @thisisbenwoo after setting the proxy to :orange:?

No… I really can’t understand what I did :frowning:

Stay Safe!


Hi @thisisbenwoo, can you check with your hosting provider and ensure port 443 is open on the origin server?

I’m the hosting provider and 443 IS open. It worked for months, and then suddenly it stopped.

Please stay safe!

b

Here’s the 443 rule on my firewall:


You can see from my firewall that everything is allowed.

Please stay safe!

b

Thank you, I do see the records are set to :orange:

Paging Drs. @matteo & @thedaveCA, I overheard them chatting about pfSense a while back and they may have some insight into the proper setup.

What certificate changes did you make just before it stopped working?

Do leave a few minutes. I need to check a thing, I do believe there is a small error in the firewall rule destination.


The firewall rule looks good to me at first glance, assuming that haproxy is being used to ultimately forward the request. I do this on my pfSense so that I can route by vhost. Assuming that that is what you’re seeing?

@thisisbenwoo What version of pfSense? Any chance you recently upgraded to 2.5.1 and you have multiple WAN connections, a backup LTE or anything like that? If you aren’t on 2.5.1, don’t upgrade at this moment, there’s a bug (which I think is limited to MultiWAN, but there may be more to it, I’m not up to speed on it yet).


I did have to set the destination to “WAN address”, not sure if multiple IPSec tunnels count as multi-WAN.

I would also maybe suggest limiting the source to Cloudflare’s IPs, and then allowing the logging of the requests matching the rule, just to have some data…

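One way to use that logging data, as an added example (my own, not code from anyone in this thread): it reads a range list in the one-CIDR-per-line format Cloudflare publishes at https://www.cloudflare.com/ips-v4 (the ranges and the simplified pfSense-style log lines below are constructed placeholders, not real Cloudflare ranges or captured traffic) and separates port-443 hits that arrived through Cloudflare from ones that reached the WAN address directly, which is what a source restriction to Cloudflare's IPs would block.

```python
import csv
import io
import ipaddress

# Constructed placeholder ranges in Cloudflare's published format; in practice
# load the real list from https://www.cloudflare.com/ips-v4 (and ips-v6).
SAMPLE_CF_RANGES = """\
198.51.100.0/24
203.0.113.0/24
"""

# Constructed, simplified log lines: action,interface,proto,src,dst,dport.
# 192.0.2.10 stands in for the WAN address; none of this is real traffic.
SAMPLE_LOG = """\
pass,wan,tcp,198.51.100.17,192.0.2.10,443
pass,wan,tcp,192.0.2.99,192.0.2.10,443
pass,wan,tcp,203.0.113.5,192.0.2.10,443
block,wan,tcp,192.0.2.50,192.0.2.10,443
pass,wan,tcp,192.0.2.77,192.0.2.10,80
"""


def load_ranges(text):
    """Parse a one-CIDR-per-line list into network objects, skipping blanks."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]


def is_cloudflare(src, nets):
    """True if the source address falls inside any of the given ranges."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)


def audit(log_text, nets, port=443):
    """Split passed WAN hits on `port` into proxied (from a Cloudflare range)
    and direct (anything else). Direct hits are origin-bypass traffic that a
    rule limited to Cloudflare's IPs would have dropped."""
    proxied, direct = [], []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        action, iface, _proto, src, _dst, dport = row
        if action != "pass" or iface != "wan" or int(dport) != port:
            continue
        (proxied if is_cloudflare(src, nets) else direct).append(src)
    return {"proxied": proxied, "direct": direct}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, load_ranges(SAMPLE_CF_RANGES)))
```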

“This firewall” should include all IPs, making troubleshooting maybe easier since you can do it internally.

Logging the rule would be the next step, firewall logs first, then haproxy (ugh).


That’s the word.

Yeah. But a “should” that works here.

The MultiWAN thing in 2.5.1 is something else, but it looks severely broken for all MultiWAN from what I saw on Reddit, basically limiting you to the main WAN for nearly everything.

I do Cloudflare to multiple modems, on separate pfSense WAN ports into haproxy to route within the LAN here. Same idea as this post, whether or not they use MultiWAN.

