What came first - the firewall or the HAProxy?
-
Hi everyone,
I'm a newbie to pfSense and the load-balancing world but hopefully this is an easy one to answer.
I have installed HAProxy package onto my virtual pfSense. When configuring HAProxy to send requests from the frontend to the backend, do I use the NATed address for the frontend or do I use the public IP of the frontend? Or does either work? I'm a little confused as to whether I need to NAT before sending the request/packet to the frontend or do I just need ACLs (and no NAT) and configure HAProxy frontend to listen directly on the public IP.
For example:
- WAN IP 1.1.1.1
- LAN IP 10.0.0.1
- I advertise 2.2.2.2 and 3.3.3.3 out the WAN to upstream carrier internet via FRR and BGP
- 2.2.2.2 and 3.3.3.3 are the public addresses for two internal web servers - call them web2 and web3
- 2.2.2.2 is for example.com and 3.3.3.3 is for fubar.com
- The real IP of web2 is 10.0.0.2 and the real IP of web3 is 10.0.0.3
I want to create a single frontend and use SNI to send the requests to the appropriate backend.
Do I:
- Create a VIP on the internal LAN 10.0.0.254
- Create a 1:1 NAT from "any" to 10.0.0.254
- Create firewall ACL on WAN interface to allow TCP/443 to 10.0.0.254
- Create a frontend listening on 10.0.0.254
- Configure SNI to send example.com to 10.0.0.2 and fubar.com to 10.0.0.3
Or:
- Create firewall ACL on WAN interface to allow TCP/443 from any to 2.2.2.2
- Create firewall ACL on WAN interface to allow TCP/443 from any to 3.3.3.3
- Create a frontend listening on 2.2.2.2 default backend 10.0.0.2
- Create a frontend listening on 3.3.3.3 default backend 10.0.0.3
Or is there another way of achieving the same thing?
Thanks!
-
@kilofoxtrotmike based on what you say and what I understand: that second example. No need to NAT, because the reverse proxy would terminate the incoming connection from the internet and start a new connection to your internal web server.
-
Hi @surinameclubcard, thanks for taking the time to answer! I will definitely try that second example then. FWIW, I am currently using the first example, i.e. NAT then HAProxy, and can confirm that does work.
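For readers landing on this thread: the configuration below is an added example, not something posted by either participant and not what the pfSense HAProxy package generates. It is the raw haproxy.cfg equivalent of the second option in the question (frontend bound directly on the advertised public IPs, no 1:1 NAT, WAN rules only allowing TCP/443 to 2.2.2.2 and 3.3.3.3), but with a single frontend that uses the SNI from the TLS handshake to pick the backend, as the question asked for. The certificate directory, the backend port 80, the timeouts and the TLS minimum version are assumptions; replace them with whatever matches your servers.

```haproxy
# Added example (not from the thread). Assumed: certificates for example.com and
# fubar.com live in /var/etc/haproxy/certs/ and the web servers listen on port 80.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2   # assumption: refuse TLS 1.0/1.1

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor         # web2/web3 see the real client IP in X-Forwarded-For
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # Listen on both advertised public addresses; the firewall just needs
    # "pass TCP/443 from any to 2.2.2.2" and "... to 3.3.3.3" on WAN.
    # With a certificate directory, HAProxy picks the cert matching the SNI.
    bind 2.2.2.2:443,3.3.3.3:443 ssl crt /var/etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https

    # SNI is available after termination via ssl_fc_sni (-i = case-insensitive).
    acl sni_example ssl_fc_sni -i example.com
    acl sni_fubar   ssl_fc_sni -i fubar.com

    # Refuse anything that is not one of the two names (bare IP, other hosts),
    # so unmatched requests are not silently routed to the first web server.
    http-request deny deny_status 421 unless sni_example || sni_fubar

    use_backend web2_example if sni_example
    use_backend web3_fubar   if sni_fubar

backend web2_example
    server web2 10.0.0.2:80 check

backend web3_fubar
    server web3 10.0.0.3:80 check
```

Because HAProxy terminates the connection and opens a fresh one to 10.0.0.2 or 10.0.0.3, the web servers only ever see the firewall's LAN address as the TCP peer; `option forwardfor` is what preserves the client IP in their logs. If you would rather keep the certificates on web2 and web3, the same routing is possible in `mode tcp` with `tcp-request inspect-delay` and `req.ssl_sni`, at the cost of HAProxy no longer being able to add headers or filter on HTTP content.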