
Load balancer reverse proxy does not allow forwarding SSH port
Closed, Invalid | Public | BUG

Description

On attempting to set a reverse proxy service to TCP port 22:

# set load-balancing reverse-proxy service forgejo port 22

I get the following error message:

# commit

"TCP" port "22" is used by another service
[[load-balancing reverse-proxy]] failed

This behaviour is defined in this part of the code.

# netstat -tulpn | grep :22

Shows that on the IP address specified in the load balancer service, there is no SSH listening.

Seems like either:

  • An issue with the logical check if a port is already used
  • Missing permissions for the check to bind on port 22

Thank you for resolving this issue. This blocks my current project from moving forward.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.5-rolling-202406190020
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav subscribed.

Works fine:

set load-balancing reverse-proxy backend bk01 server srv01 address '192.168.122.16'
set load-balancing reverse-proxy backend bk01 server srv01 port '22'
set load-balancing reverse-proxy service ssh backend 'bk01'
set load-balancing reverse-proxy service ssh mode 'tcp'
set load-balancing reverse-proxy service ssh port '22'
set service ssh disable-host-validation
set service ssh port '2222'

Works fine without issues:

vyos@r4# sudo netstat -tulpn | grep :22
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      4079/sshd: /usr/sbi 
tcp6       0      0 :::22                   :::*                    LISTEN      9119/haproxy        
tcp6       0      0 :::2222                 :::*                    LISTEN      4079/sshd: /usr/sbi 
[edit]
vyos@r4#
vyos@r4# ss | grep :22
tcp   ESTAB 0      0                    192.168.122.14:2222  192.168.122.1:38412
[edit]
vyos@r4#

This is not resolved on my side.

But it is clear now that this seems to be a logic error, because I am listening on specific IPv4 addresses for sshd. The IP I want HAProxy to listen on is a different IP (which sshd doesn't listen on) but VyOS still reports a conflict.
Of course I could change the port of sshd, but this is not my goal, and just works around the issue.

Thanks for your help.
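
The address-specific case from the comment above, as an added example (not VyOS code and not written by anyone in this thread): it parses `netstat -tln` style output and compares a check that looks only at the port number with one that also considers the bound address. The sample listener lines, the address 192.168.122.20 and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in `netstat -tln` layout: sshd bound to one address only.
SAMPLE = """\
tcp        0      0 192.168.122.14:22       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
"""

def parse_listeners(netstat_output):
    """Return [(ip_address, port), ...] for every TCP LISTEN line."""
    listeners = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # headers, UDP sockets, non-listening states
        host, _, port = f[3].rpartition(":")  # IPv6 hosts contain ':' too
        listeners.append((ipaddress.ip_address(host), int(port)))
    return listeners

def port_only_conflicts(listeners, port):
    """Port-number-only comparison: ignores which address is bound."""
    return any(p == port for _, p in listeners)

def bind_conflicts(listeners, address, port, dual_stack=True):
    """True if binding address:port would collide with an existing listener.

    Assumption: dual_stack=True models net.ipv6.bindv6only=0, where a
    listener on [::] also occupies the port for every IPv4 address.
    """
    want = ipaddress.ip_address(address)
    for have, have_port in listeners:
        if have_port != port:
            continue
        if have.version == want.version:
            if have == want or have.is_unspecified or want.is_unspecified:
                return True
        elif dual_stack:
            v6 = have if have.version == 6 else want
            if v6.is_unspecified:
                return True
    return False

if __name__ == "__main__":
    current = parse_listeners(SAMPLE)
    for addr in ("192.168.122.14", "192.168.122.20", "0.0.0.0"):
        print(addr, port_only_conflicts(current, 22), bind_conflicts(current, addr, 22))
```

With the constructed sample, the port-only check flags port 22 for every address, while the address-aware check flags it only for 192.168.122.14 and the wildcard.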

Provide a minimal example of configuration (set commands) to reproduce.