Getting BADREQ 408 only externally

Hi, I’ve been digging through the internet all night trying to figure out this issue.

So basically I installed an HAProxy instance to be used as a reverse proxy.

This is my simple haproxy.conf config:

https://pastebin.com/T3MAwtu1

HAProxy internal IP: 192.168.30.120

HAProxy External IP: 212.x.x.102 NAT’d to internal

Apache server IP: 192.168.30.109

My workstation internal IP: 192.168.30.102

My workstation External IP: 212.199.xx.xxx

Checkpoint Policy & NAT:

Policy rule - https://i.imgur.com/drtYkQ6.png

NAT rule - https://i.imgur.com/jlt2jaL.png

All the packets in the firewall are accepted, none are blocked.

Now, there are 2 scenarios:

  1. Testing in LAN (successful): shlomitest1.prv.co.il pointing to 192.168.30.120.

HAProxy Log: https://pastebin.com/jLvbtXnk

TCPDump Log: https://pastebin.com/0SPSkGhf

  2. Testing from WAN (unsuccessful): shlomitest.prv.co.il pointing to 212.x.x.102.

HAProxy Log: https://pastebin.com/MdSUpyUz

TCPDump Log: https://pastebin.com/ypajJ6nN

This is really all the information I managed to collect.

I’m pretty lost right now as I tried everything I could :X

I’d appreciate any help!

Thank you

HAProxy never receives any actual request. The connection is established but there is no actual HTTP request in there and after 50 seconds it times out (you can see that by the cR disconnection reason and the 408 response).

What are the checkpoint logs saying?

It could theoretically be an MTU issue, but the first request should be quite small, so I really don’t get it.

What happens if on the Checkpoint instead of pointing to haproxy at 192.168.30.102, you point to the Apache server instead (just to check if the issue is also happening when the checkpoint points directly to 192.168.30.109)?
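The cR/408 reading described in the reply above can be automated when triaging many log lines. This is an added example, not part of the original thread: it assumes HAProxy's default `option httplog` line format, and the two sample lines, the frontend/backend/server names and the 203.0.113.7 client address are constructed for illustration.

```python
import re

# Fields of HAProxy's default HTTP log format, after the syslog prefix.
LINE_RE = re.compile(
    r'(?P<client>\S+):(?P<cport>\d+) \[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[-\d/+]+) (?P<status>-1|\d{3}) (?P<bytes>\+?\d+) '
    r'\S+ \S+ (?P<term>\S{4}) \S+ \S+ (?:\{[^}]*\} )*"(?P<request>[^"]*)"'
)

# Constructed sample lines (names and addresses are hypothetical).
WAN_LINE = ('Mar  1 03:12:55 lb haproxy[2214]: 203.0.113.7:51844 '
            '[01/Mar/2018:03:12:05.101] www-http www-http/<NOSRV> '
            '-1/-1/-1/-1/50001 408 212 - - cR-- 1/1/0/0/0 0/0 "<BADREQ>"')
LAN_LINE = ('Mar  1 03:10:11 lb haproxy[2214]: 192.168.30.102:50312 '
            '[01/Mar/2018:03:10:11.020] www-http web/apache1 '
            '0/0/1/3/4 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"')

def triage(line):
    """Classify one HAProxy HTTP log line by its termination state."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # The last timer is the total session time in ms ('+' appears with logasap).
    total_ms = int(m["timers"].split("/")[-1].lstrip("+"))
    state = m["term"][:2]  # first two flags: who ended the session, and in which phase
    no_request = m["request"] == "<BADREQ>" and m["server"] == "<NOSRV>"
    if state == "cR" and m["status"] == "408" and no_request:
        # c = client-side timeout expired, R = still waiting for a complete request
        verdict = "client-timeout-no-request"
    elif state in ("CR", "PR") and no_request:
        # client aborted, or proxy rejected, before a valid request was read
        verdict = "request-aborted-or-invalid"
    elif state == "--":
        verdict = "normal"
    else:
        verdict = "other"
    return {"client": m["client"], "status": int(m["status"]),
            "state": state, "total_ms": total_ms, "verdict": verdict}

if __name__ == "__main__":
    for sample in (LAN_LINE, WAN_LINE):
        print(triage(sample))
```

A `client-timeout-no-request` verdict with `total_ms` close to the configured client timeout matches the situation described above: the TCP connection reached HAProxy but no HTTP request bytes followed.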