Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HA Proxy transparent clientip and NAT reflection

    Scheduled Pinned Locked Moved General pfSense Questions
    8 Posts 3 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      swa
      last edited by swa

      We have a situation where we have load balanced application on IIS that requires the realip and terminating SSL on the server (layer 4). Regretfully IIS does not use the proxy protocol for haproxy TCP, so we needed to do transparent clientip. Doing so killed NAT reflection, which the application also needs. The client does not want to use split DNS so we are in a bit of a bind. Relayd looked like it would have done the job, but apparently that is out as of 2.5 and not coming back. Any suggestions?

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @swa
        last edited by

        @swa said in HA Proxy transparent clientip and NAT reflection:

        The client does not want to use split DNS

        Why not? Does the proxy anything, which is needed?

        You issue might have nothing to do with NAT reflection at all.

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          So you had to use option 3 here?
          https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver

          Yeah, that's going to break NAT reflection in pf if it uses ipfw.

          Steve

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @stephenw10
            last edited by

            @stephenw10 said in HA Proxy transparent clientip and NAT reflection:

            So you had to use option 3 here?

            Option 1 does not work with TCP mode, which he is using.
            Option 2 need the proxyprotocol on the webserver, which isn't supported as he say.
            Option 3 is the one which he has set up and is trying to get work from inside the network.

            @swa
            I assume, you have a very good reason for using the transparent mode. Basically this should be avoided.

            S 1 Reply Last reply Reply Quote 0
            • S
              swa @viragomann
              last edited by

              @viragomann Split DNS is my first choice, and I will continue to push that, but just looking for some choices with transparent. The only reason we are using it is to get the realip on IIS .. it's nuts IIS does not support proxyprotocol.

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @swa
                last edited by

                @swa
                And why don't you use a HTTP mode frontend?

                The only solution to get the transparent mode work from inside the network, I can think of, is to do masquerading towards the web server.

                S 1 Reply Last reply Reply Quote 0
                • S
                  swa @viragomann
                  last edited by swa

                  @viragomann They wanted to manage the certs on the IIS server. They juggle 30 and have a method already in place there. HTTP mode would require us to put term on the firewall :(. Plus HTTP mode is not a performant as tcp/transparent. We tried an outbound nat rule and that didn't seem to work while the transparent was on, but did work with it off. We'll give it another go as that was my first idea as well. Appreciate the suggestions.

                  V 1 Reply Last reply Reply Quote 0
                  • V
                    viragomann @swa
                    last edited by

                    @swa
                    Anyway, the masquerading solution would replace the source IP of internal clients and you would loose this information as well with that.

                    So there is nothing else you can do on pfSense, when passing internal requests over HAproxy.
                    This will result in asymmetric routing issues, and I think, it's the client, which does not accept the respond directly from the web server, since he sent the request to the gateway before.
                    However, it should work if client and server reside in different network segments.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.