Surveillance station behind HAProxy

Hi, Everyone.

Hope you guys can help me. I have set up HAProxy in my pfSense. I am using Cloudflare to host my domain and external DNS. I have a Synology NAS behind the HAProxy. I am able to make Synology Drive and Photos work with HAProxy, but I am having trouble making Surveillance Station work. Here is a breakdown of the issues that are happening:

  1. Using the mobile client behind my network, I am not able to log in using camera.mydomain.com:443

  2. Using a mobile client connected over 4G/5G, I am able to authenticate but not able to play live view or any recording

  3. On a Desktop Client using camera.mydomain.com:443 I am able to log in and view the live video and recording

I have attached the stats for my camera:

Please let me know what information you need to help me address this issue so I can provide it.

I have never used HAProxy with Synology, but since it works on desktop my guess is the mobile app is looking for something that HAProxy does not pass over the proxy connection.

Hi, Tom.

Thanks for the reply. Yeah, I guess this is more of a mobile client issue. I have also opened a ticket with Synology and I will update this thread once we get a response from support.

Hi, Everyone.

I have finally fixed the issue. Synology support provided me this KB article: https://kb.synology.com/en-global/Surveillance/tutorial/WebSocket_connection_fail_streaming_issue

Surveillance Station is using WebSocket. I did a bit of googling and found this discussion in the Netgate forum: Websockets configuration in HAProxy | Netgate Forum

This helped me fix my issue. Here is what I have added in frontend configuration:

1 Like

Just to expand on this if anyone like me did not get this first time, make two entries within your Frontend, under the actions (backend)… of course yours will match what you've named your backend.

No settings altered within Synology, all default. Mine is working great with Surveillance Station on an Xpenology VM on Proxmox.

Hope this adds more and helps.

Wanted to thank you guys and reiterate that this works – weird (but that is probably just due to my lack of understanding HAProxy fully)
I will try to attach my screenshots to help with nuances of different systems.
You have to first create custom ACLs
Then create the Backend actions


Old thread @reymond070605 @LTS_Tom @WeeDaz
Hopefully one of you will see this

Thanks for the solution provided! I am now able to connect remotely via my mobile app (DS Cam) – what’s weird is that I still get an error when trying to connect through the desktop client on Windows PC or Mac – should be able to get there by https://mysynology.mydomain.com - my HAProxy is set to forward 443 to 5001 for this web address (like I said - works for the mobile app)
For the desktop client I get the error noted in the attached pic

BTW - if I just go to https://mysynology.mydomain.com in a web browser - I am able to access my DSM (which is port 5001)

I am glad this thread helped you address your DS Cam issue.

In regards to your current issue, are you accessing your camera via your Windows PC or Mac computer while those machines are connected behind pfSense or while connected directly to the internet?

Actually either for both questions! The main use scenario would be direct internet connection (outside of the pfSense environment) and a connection to Surveillance Station (with the app – on EITHER Mac or PC). For some reason the connection with DS Cam is now flawless
And the connection to the Synology DSM (via a browser) works great with HAProxy forwarding the 443 SSL request to port 5001
But the Surveillance Station won’t connect

I have been connecting with a WireGuard VPN and direct IP address connection … OR … via the Synology QuickConnect address
I have users that it is hard to explain to and have them use the VPN on several different devices - so I was trying to make the connection easier with an easier to remember web address

I wonder if it takes forwarding to some different port(s) for Surveillance Station vs DS Cam ??

PS
Just saw these deny rules in my incoming pfsense firewall
Weird ports that SS is apparently trying to access ???

In regards to external access, aside from web browser access and DS Cam, I have not tried connecting the Surveillance Station client from the Internet.

In regards to local access, what I did is I created a VIP pointing to the Surveillance Station server:

Then configure this in the DNS override:

Configure it in the load balancer frontend, backend will be the same:

I then added a firewall rule because my IoT device where my mobile is located and the server are on a separate VLAN and firewall rules completely separate them:

That is how I access it locally. I hope this helps, and apologies for the delayed response; I am located on the other side of the world. :)