3 Zabbix proxies and same Public IP

  • zabbix_user84
    Junior Member
    • Jan 2021
    • 25

    #1

    3 Zabbix proxies and same Public IP

    Hi everybody,
    I hope you can help me.
    I have 3 Zabbix proxies in active mode. They are all behind the same firewall, so they go out on the internet with the same public IP.
    On the Zabbix server when configuring my proxies, what IP should I mention: the local IP or the public IP (which is common)?
    Thanks in advance.
  • Hamardaban
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • May 2019
    • 2713

    #2
    I think that your scheme will not work. The server will not be able to determine which proxy the data is coming from.

    Comment

    • zabbix_user84
      Junior Member
      • Jan 2021
      • 25

      #3
      Originally posted by Hamardaban
      I think that your scheme will not work. The server will not be able to determine which proxy the data is coming from.
      Thank you for the answer, in this case what can I do because I have no choice...
      These proxies are in an MPLS network and all exit through a common public IP.

      Even if I use a different PSK encryption for each proxy to communicate with the Zabbix server?
      Last edited by zabbix_user84; 15-12-2023, 13:04.

      Comment

      • Hamardaban
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • May 2019
        • 2713

        #4
        I think the server will not figure out who exactly the data came from and will stumble even before the TLS establishment level.
        Try it!
        And write about the results!
        PS
        Use a VPN between sites - then the proxies will have their own well-defined addresses.

        Comment

        • solution
          Senior Member
          • Jun 2020
          • 269

          #5
          Why not use custom port + port forward?


          proxy1: ListenPort=10051
          proxy2: ListenPort=10052
          ...etc

          Port Forward:
          ExternalIP:10051 --> Forward to --> iplanproxy1:10051
          ExternalIP:10052 --> Forward to --> iplanproxy2:10052
          etc...

          Agent for proxy1: **In this example we will consider that the external IP of the proxy is 3.23.45.150
          Server=3.23.45.150
          ServerActive=3.23.45.150:10051

          Agent for proxy2: **In this example we will consider that the external IP of the proxy is 3.23.45.150
          Server=3.23.45.150
          ServerActive=3.23.45.150:10052

          ...etc


          Wellington

          Comment


          • Hamardaban
            Hamardaban commented
            It is not about the interaction between proxy and agent, but about the interaction between proxy and Zabbix server.
        • PeterZielony
          Senior Member
          • Nov 2022
          • 146

          #6
          Maybe flip them to passive and get a reverse proxy,
          like nginx/traefik?
          This is the easiest solution in my opinion.

          Or VPN... there is no other way. If you are not bothered about a 3rd party, you could get free and easy tunneling with https://www.zerotier.com/,
          free up to 25 nodes (I have never configured it with a proxy/main server), but I don't see a reason why it wouldn't work.
          Last edited by PeterZielony; 16-12-2023, 09:26.

          Hiring in the UK? Drop a message

          Comment

          • solution
            Senior Member
            • Jun 2020
            • 269

            #7
            It's the same thing.
            The relevance here is the concept.
            For each service that will be accessible externally, you need to open a unique and exclusive port,
            then configure each of them on a different port and do port forwarding.

            Proxy example:
            [Three screenshots (image.png) attached to the original post; images not preserved]

            Or you can use Active Mode or a VPN, as already suggested by PeterZielony and Hamardaban.

            Wellington

            Comment


            • Hamardaban
              Hamardaban commented
              You may not have noticed what was written at first: “Zabbix proxies in active mode”
              And that changes everything written about ports (or did you think I don't know what a socket is?) :-)

            • PeterZielony
              PeterZielony commented
              I suggested passive with a reverse proxy so they can be reached using different DNS names.
          • solution
            Senior Member
            • Jun 2020
            • 269

            #8
            Oops, sorry Hamardaban, I got excited in defending Passive Mode; it wasn't my intention to insult.
            I should also say that English is not my native language and I use Google Translator; many of your tips have already helped me a lot, so I try to help as a form of thanks.

            Back to focus and initial post.
            On the Zabbix server when configuring my proxies, what IP should I mention: the local IP or the public IP (which is common)?
            Local/Internal IP: if Zabbix Server is on the same network or the networks are accessible via VPN
            Public IP: if they are on different networks and different locations without VPN

            As for the question: would 3 proxies in Active Mode and the same outgoing IP for the Zabbix Server be a problem?
            Based on what we know about how Zabbix works, the answer is: No

            Proxies are also Hosts like any other on Zabbix
            And for Hosts in Active Mode, the Source IPs are ignored, validation is by Host Name/Proxy Name, which is why we are able to monitor hundreds of hosts behind the Firewall without any conflict.

            If you choose Passive Mode the validation is: IP/DNS + Port + Host Name

            In the Zabbix GUI under Proxy --> Active you have the Proxy Address field that serves to inform the Source IP (Internal or Public depending on the topology) allowed to send data as Proxy Name to the Zabbix Server.

            Proxy in Active Mode with:
            Blank Proxy Address: Any source if the Host Name is the same as the Proxy Name
            Proxy Address defined: Validation is Proxy Name/Host Name + IP Source

            Proxy address: If specified, then active proxy requests are only accepted from this list of comma-delimited IP addresses, optionally in CIDR notation, or DNS names of active Zabbix proxy.
            This field is only available if an active proxy is selected in the Proxy mode field. Macros are not supported.
            This option is supported since Zabbix 4.0.0.
            Anyway, as I don't use Proxy in Active Mode, I may be wrong in some concept.
            Share your knowledge and experiences and let's learn together.

            Wellington

            Comment

            • Markku
              Senior Member
              Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
              • Sep 2018
              • 1781

              #9
              Originally posted by Hamardaban
              I think the server will not figure out who exactly the data came from and will stumble even before the TLS establishment level.
              Try it!
              And write about the results!
              Yes, let us know how it goes. I see Zabbix proxy protocol messages for active proxy contain the proxy name, so the source IP does not matter: https://www.zabbix.com/documentation...data-request-1

              Also, TLS Client Hello message contains the TLS PSK identity, so the server has a way to identify the incoming TLS connection as well, see for example https://majornetwork.net/2023/10/dec...ith-wireshark/.

              Markku

              Comment

              • Markku
                Senior Member
                Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
                • Sep 2018
                • 1781

                #10
                Originally posted by zabbix_user84
                Hi everybody,
                I have 3 Zabbix proxies in active mode. They are all behind the same firewall, so they go out on the internet with the same public IP.
                On the Zabbix server when configuring my proxies, what IP should I mention: the local IP or the public IP (which is common)?
                You don't have to mention any IP in the proxy configuration on the server side when using active proxies.

                But if you want to limit the connection possibility (when not using TLS), then you must use the IP that the server sees (= the public IP I guess, from your description).

                Markku

                Comment
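
Added example, not part of any post above and not Zabbix source code: a simplified Python model of the checks that posts #8 to #10 describe for an active proxy (match on the proxy name in the request, the TLS PSK identity, then the optional Proxy address allow-list). The proxy names, PSK identities, addresses and the `host` field name are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed server-side proxy table: names, PSK identities and addresses are made up.
PROXIES = {
    "proxy-site-a": {"psk_identity": "psk-site-a", "allowed": ""},
    "proxy-site-b": {"psk_identity": "psk-site-b", "allowed": "203.0.113.10"},
    "proxy-site-c": {"psk_identity": "psk-site-c", "allowed": "203.0.113.0/28, 192.0.2.5"},
}
NAT_IP = "203.0.113.10"  # constructed public IP shared by all three proxies

def source_allowed(allowed, src_ip):
    """Blank 'Proxy address' accepts any source; otherwise match IPs/CIDRs."""
    entries = [e.strip() for e in allowed.split(",") if e.strip()]
    if not entries:
        return True
    addr = ipaddress.ip_address(src_ip)
    for entry in entries:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # DNS names are not resolved in this offline model
    return False

def identify_proxy(src_ip, psk_identity, payload):
    """Return the proxy name a request is accepted as, or None if rejected."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    name = msg.get("host") if isinstance(msg, dict) else None  # assumed name field
    proxy = PROXIES.get(name) if isinstance(name, str) else None
    if proxy is None or psk_identity != proxy["psk_identity"]:
        return None  # unknown proxy name, or PSK identity of a different proxy
    if not source_allowed(proxy["allowed"], src_ip):
        return None
    return name

def request(name):
    """Build a constructed active-proxy request body for the given proxy name."""
    return json.dumps({"request": "proxy data", "host": name})

if __name__ == "__main__":
    for n, p in PROXIES.items():
        print(n, "->", identify_proxy(NAT_IP, p["psk_identity"], request(n)))
```

An allow-list that contains only the shared public IP admits all three proxies, so in this model it is the per-proxy PSK identity that stops one proxy behind the NAT from reporting under another proxy's name.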

                • zabbix_user84
                  Junior Member
                  • Jan 2021
                  • 25

                  #11
                  Hello everyone,
                  Thank you for the time you took to respond to me

                  I confirm that this works when I do not assign IP to my proxies on the servers given that they are in "active" mode.

                  Comment

                  • Edwinas
                    Junior Member
                    • Aug 2024
                    • 5

                    #12
                    I have three Zabbix proxies on the same public IP. It can be tricky. From my experience, managing multiple proxies like that can lead to some exciting challenges, especially with traffic and data flow.

                    Comment

                    • Edwinas
                      Junior Member
                      • Aug 2024
                      • 5

                      #13
                      Originally posted by Edwinas
                      I have three Zabbix proxies on the same public IP. It can be tricky. From my experience, managing multiple proxies like that can lead to some exciting challenges, especially with traffic and data flow.
                      Using a good proxy service helps smooth things out. You might want to check out LightningProxies. They offer some solid options for handling multiple connections without headaches. It’s all about finding the proper setup that fits your needs. Remember that you should monitor everything closely to avoid any issues.

                      Comment

                      • Markku
                        Senior Member
                        Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
                        • Sep 2018
                        • 1781

                        #14
                        Originally posted by Edwinas
                        I have three Zabbix proxies on the same public IP. It can be tricky. From my experience, managing multiple proxies like that can lead to some exciting challenges, especially with traffic and data flow.
                        Please tell us more. What kind of problems did you experience?

                        Markku

                        Comment

                        • Edwinas
                          Junior Member
                          • Aug 2024
                          • 5

                          #15
                          I had a similar issue before, and what helped me test things more clearly was using Static Residential Proxies to simulate different IPs for each proxy. That way, I could avoid confusion caused by the same public IP and get consistent results when troubleshooting connections and proxy behavior.

                          Comment
