Do it even easier: Run acme package on FW1 (I assume it's a CARP cluster with syncing?) and let it create a certificate for both names (fw1.xxx AND fw2.xxx). When it's done, select the cert for the webui. Then login to FW2 and select it, too, as certificates get synchronized automatically (if selected) to the secondary. There choose the same certificate as WebUI cert and be done :) Just check that you configure the acme service on fw1 to restart its own webserver after renewal AND via remote the service on fw2 (see the help for this)! Greets

@interloper Do you have a guide on how you setup your google domain settings for your subdomains? I am trying to figure it out but having a hard time. Here is my open topic on this forum (https://forum.netgate.com/post/830593). Thanks

The benefit is that you don't need to use port forwarding at all and you only need to have one port open. You can have HAproxy listen on the WAN on port 443 and send requests to the appropriate backend server based on the requested URL. You don't have to remember what port the services are running on externally just the FQDN. It isn't necessarily any more secure though. You only have one firewall rule on WAN so you can't apply different rules to each service at the firewall level. Connection limiting, traffic shaping etc. You still can have HAprxy listen on different ports though if you found you needed that. Steve

I moved the galaxy backend to the ssl offload fronted.

Added a custom ACL and used this https://stackoverflow.com/questions/23342036/haproxy-restrict-single-backend-by-ip-range

@jimp could you point me in the right direction how to setup so HAProxy on pfSense handels the certs ( not just getting them )

That was it, thank you for your help!

Probably not in this case.