Error 522 when trying to access origin server(Kemp load balancer)

Hey, I watched the Network Chuck Youtube video where he sets up a Load Balancer and ties the Cloudflare Domain Name to the Virtual IP address by mapping the Public IP address to the Domain Name, then port forwarding to the Virtual IP address. I set up my Kemp load balancer, created a VIP on the service and Portforwarded to my Kemp VIP, went to the IP access list and whitelisted all the Cloudflare IP addresses in KEMP and created a WAF rule to allow all the IP addresses. This works if I type in my public IP address, but if I try to type in my Domain name (that I created in Cloudflare) I get an Error 522. The A Record matches my Domain name to my Public IP address, my certificates are set up. etc(e.g when I connect to my Real Server via the VIP there is a certifcate lock which states it’s from Cloudflare CA). I sent an email to the Help Centre and was told to add all the IP addresses to the white list, which I did, I even turned off my gateway firewall off momentarily to test and i still get error 522. I know that there is no issue when I type in my public IP address, the only issue is from Cloudflare to my gateway when I type in my domain name.


I turned off Reverse Proxy and I can access the Virtual IP Address by typing in the Domain Name within my local network. However If I type in my Domain Name outside of my network, it doesn’t work. Furthermore, If I ping the domain name outside of my network it states that it cannot find the host? but if I ping within the network it resolves my Public IP Address. I don’t know what else I can do?

Just to confirm, you have managed to set up a configuration where the website can be accessed successfully from the Internet using the public IP address (assigned to the load balancer), but you are seeing connection timeouts (the 522 error) when using the domain name (also from the Internet)? If yes - and any security functionality on the load balancer / web server side is temporarily disabled to eliminate that as a potential cause - that would limit the scope significantly (pointing to a Cloudflare configuration issue).

Correct. However, I changed from the Load Balancer to PFsense with HA Proxy so I can safely content switch between my different servers on different subdomains I created on Cloudflare. If I type in my public IP address it automatically forwards to my PFSENSE Firewall, so i know there is no problem with forwarding. If however, I do the same with my domain name I get a 522 error. Do you think there would be an issue with my DNS setup? I am running a local PIEHOLE as a primary DNS server with an Upstream OPENDNS configuration… I have whitelisted all the Cloudflare IPV4 addresses everywhere I can think of…

UPDATE Changed Upstream Server to Cloudflare on Pi-Hole

Would it be possible to disable / open up the whitelist while troubleshooting? You said that the Cloudflare IP addresses have been added, but it would be nice to fully eliminate any security features as a potential source of the problem. Then it is more clear that some Cloudflare configuration might be the issue.

Regarding DNS, I believe the most interesting part is what your DNS configuration looks like in Cloudflare. I would expect that you have at least an A record for www or @ (preferably both to enable and, pointing to your public IP address with proxying (orange cloud) turned on. Could be interesting to see what happens if you temporarily turn the proxying off (grey cloud) by the way (that returns your public IP to the visitor instead of inserting Cloudflare servers in between).

I don’t think your choice of DNS resolver (Pi-hole with OpenDNS, and later Cloudflare you said) contributes to the problem, but you can of course try to access the IP and domain from, say, your phone with wifi and any VPN features disabled. Then you are truly accessing the IP/domain from the outside world and we can eliminate those parts as a cause as well.

Change configuration

I changed my configuration again, I set up a guacamole app on cloudron (Ubuntu VM), using the Cloudflare plugin. There is a success, as setting up the subdomains I created were automatically populated in the cloudflare DNS A records e.g guac.XXXXX.XXXX
, my. XXXXX.XXXXX etc. Due to the Cloudflare API plugin

I changed the portforwarding settings to point to my cloudron Ubuntu VM (this works as I can resolve cloudron if i type in my public IP address).

Now for a while, it worked in my internal environment, as I could resolve both subdomains and they would point to the respective servers. After a while both failed and I received the Error 522. I removed the proxy on both and I could resolve both domains within my local network, but I can’t resolve outside of my network (using mobile connection). This is the furthest I’ve gotten with respect to using the domains.

Remove Security

Turned off PFSENSE, Turned of network Firewall, Removed Proxy, VMWARE Firewall allows all connections, No security at gateway still cannot connect to domains remotely.

In Summary

I can resolve the Domain name in the internal network when the proxy is turned off. But I cannot resolve it outside of my network.

Would you mind sharing the domain name? I would be happy to take a quick look at the DNS side of this. Since your setup is quite a moving target to say the least, that might however be the last thing I can help you with here.

Is there a way I can direct message? I’m not a big fan of publishing my domain name while the proxy and security is turned off. Furthermore, my setup won’t be changing as this has actually been the one that’s got me as close to my solution as possible. Or I’ll publish once revers-proxy is enabled.

I assumed there would be a way to send direct messages, but I can’t find one. Just a page saying there should be a “message” button when you click on the avatar, which isn’t the case for me :slightly_frowning_face: That’s unfortunate.

Are you a Cloudflare employee?

No, I’m not.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.