HAProxy (pfSense pkg) in front of HAProxy (normal install)

  • Hi,

    In our current setup we have 2 firewalls in failover (CARP IPs).
    Behind our firewalls we have 2 HAProxy instances (on Linux) that should also be in failover.

    For a production site, would you:

    • Configure HAProxy on pfSense to TCP-redirect to the active HAProxy server?
    • Leave the failover to Linux, and configure everything (heartbeat, etc.) on the HAProxy servers?


  • It's probably more a design decision than a wrong/right kinda thing.. I would likely keep pfSense in its primary function, being a firewall, and port-forward the traffic to the active HAProxy instance behind it. Though if you want to 'ease' a possible failover, then HAProxy on pfSense could do some connection retry, or perhaps balance traffic over the two nodes to have more capacity/lower latency when both are up and traffic/ACLs/persistence allows..

  • Yes, this is exactly what I can't decide.

    I wonder if anyone has used pfSense's HAProxy in a production environment, with high load, even with a basic HAProxy config of two 'tcp' backends.

  • > Configure HAProxy on pfSense to TCP-redirect to the active HAProxy server?

    Why use such a heavyweight as HAProxy for simple TCP redirection? Why not use the "normal" internal load balancer function for that?

    Besides that, I'd probably go with setting those HAProxies up with HA themselves, as you might need that not only from your WAN side, where pfSense is in front of them, but perhaps also internally, and need a VIP on some LAN'ish side, too. So I'd go with HA on them. But I wouldn't use heartbeat (depending on your distro) but pacemaker/corosync for that.
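As an added example (not posted by anyone in this thread), this is what the basic HAProxy-on-pfSense TCP pass-through to two backend HAProxy nodes discussed above looks like, with connection retries and an active/backup pair; all addresses, ports and server names are placeholders:

```haproxy
# Added example, not from any poster: HAProxy on the pfSense side in pure
# TCP mode, handing each connection to whichever Linux HAProxy node is alive.
# Addresses, names and ports are placeholders.
global
    log /dev/log local0
    maxconn 20000

defaults
    mode    tcp
    log     global
    option  tcplog
    option  redispatch          # retry on another node if the chosen one fails to connect
    retries 3                   # connection attempts before giving up / redispatching
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https_passthrough
    bind 203.0.113.10:443       # CARP VIP on the WAN side (placeholder address)
    default_backend be_haproxy_nodes

backend be_haproxy_nodes
    option tcp-check            # plain TCP connect check; no HTTP parsing at this layer
    default-server inter 2s fall 3 rise 2
    server lb1 192.0.2.11:443 check
    server lb2 192.0.2.12:443 check backup   # only receives traffic while lb1 is down
```

Leaving the `backup` keyword off lb2 (and adding `balance roundrobin`, or `balance source` if sessions must stick to one node) uses both nodes while both are up, as the second reply suggests; validate the file with `haproxy -c -f <file>` before loading it.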


  • Thanks @JeGr, I didn't know about this load-balancer option in pfSense.

    And you are right about the LAN VIP.


