HAProxy frontend listening address



  • Hello,

    Some tutorials about HAProxy recommend using VIPs as the frontend listening address.
    What is the advantage/difference of using the custom address (VIP) vs the WAN address?

    And what does the firewall WAN rule look like (destination)?
    Is it "This Firewall (self)", the WAN address or the single host (VIP address), depending on the listening address?

    Thanks
    fluxx



  • Hi Fluxx,

    It kind of depends on how professional your setup is.
    You will usually have a VIP when you, e.g., have two firewalls in a redundant setup.
    If one fails the other one takes over, and both will normally have different IP addresses.

    For this reason a Virtual IP is used as a listening address.
    If one firewall fails, the other firewall will start listening on the VIP address, causing all traffic to be routed through that firewall.

    If you have a single firewall setup, I'd forget about it.
    The WAN rule will need to be arranged depending on where you want it to listen on.
    If you're using a VIP, you'll want to be using the VIP to listen on.
    If not, I'd advise using WAN, since This Firewall is in fact comparable to any IP the firewall serves (I believe even 127.0.0.1).