Netgate Discussion Forum

    Haproxy (pfsense pkg) in front of haproxy (normal install)

      emot

      Hi,

      In our current setup we have 2 firewall in failover (carp IPs).
      Behind our firewalls we have 2 HAProxy (on linux) that should also be failover.

      For a production site, would you:

      • Configure HAProxy on pfsense, to tcp redirect to the active HAProxy server?
      • Leave the failover to linux, and configure everything (heartbeat, etc) on the HAProxy servers?

      Thanks,
      em

        PiBa

        It's probably more a design decision than a wrong/right kinda thing. I would likely keep pfSense in its primary function, being a firewall, and port forward the traffic to the active haproxy instance behind it. Though if you want to 'ease' a possible failover, then haproxy on pfsense could do some connection retry or perhaps balance traffic over the two nodes to have more capacity/lower latency when both are up and traffic/acls/persistence allows.

          emot

          Yes, this is exactly what I can't decide.

          I wonder if anyone has used pfsense's haproxy in a production environment, with high load, even with a basic haproxy config of two 'tcp' backends.

            JeGr LAYER 8 Moderator

            • Configure HAProxy on pfsense, to tcp redirect to the active HAProxy server?

            Why use such a heavyweight as HAProxy for simple TCP redirection? Why not use the "normal" internal load balancer function for that?

            Besides that, I'd probably go with setting those HAproxies up with HA themselves as you might need that not only from your WAN side, where pfSense is in front of them, but perhaps also need it internally and need a VIP on some LAN'ish side, too. So I'd go with HA on them. But I wouldn't use heartbeat (depending on your distro) but pacemaker/corosync for that.

            Greets

              emot

              Thanks @JeGr, I didn't know about this load-balancer option in pfsense.

              And you are right about the LAN VIP.

              :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.