HAProxy: If I bind to ports 32768-65535, the computer lose access to other servers

JonDoe297 asked:

I need to configure a HAProxy frontend like this:

frontend web-server
    option forwardfor       except

    bind :8080
    bind :32768-65535

    default_backend service

But, that configuration don’t let me connect to other servers, internal or external.

$ wget www.google.com
--2016-12-22 23:21:13--  http://www.google.com/
Resolving www.google.com (www.google.com)..., 2607:f8b0:4006:804::2004
Connecting to www.google.com (www.google.com)||:80... failed: Cannot assign requested address.
Connecting to www.google.com (www.google.com)|2607:f8b0:4006:804::2004|:80... failed: Network is unreachable.

If I comment the line bind :32768_65535 and restart HAProxy, I can connect to other servers again.

I think I’m making HAProxy binds to ports that are necessary to start a connection, and that’s the reason why that configuration is causing this problem.

How can I configure HAProxy to listen in those ports, without that connection problem?


  • HAProxy 1.6
  • Ubuntu 16.04 (it’s a clean installation)

My answer:

So, haproxy is binding every local port from 32768 to 65535 inclusive. This is a problem because, by default, outgoing connections bind a local port within this range:

# sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768    60999

To resolve the issue you will need to select a local port range that is not otherwise going to be used on your system and reconfigure this sysctl to use it. For example:

sudo sysctl -w net.ipv4.ip_local_port_range="24576 32767"

(And make it persistent in /etc/sysctl.conf.)

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.