Multi Public IP on single interface with HA Proxy

Curious · Jul 9, 2017, 9:23 AM

Hi All,

trying to replace ISA with HAProxy and am so far having no luck.

I continuously get the following error when trying to save my shared frontend.

"The following input errors were detected:

is not a valid source IP address or alias."

I've essentially copied my interface setup from ISA to PFsense on an OPT1 interface.

My OPT1 interface is the following.

IP address: 10.xx.xx.2/24
Gateway: 10.xx.xx.1/24

VIP Alias assigned to that interface:
203.xx.xx.56
203.xx.xx.57
203.xx.xx.58
203.xx.xx.59

I've also tried the following VIP config leaving the OPT1 interface settings the same

CARP:
Interface - OPT1
Address - 10.xx.xx.2/24

VIP:
203.xx.xx.56/24 assigned to 10.xx.xx.2 CARP interface
203.xx.xx.57/24 assigned to 10.xx.xx.2 CARP interface
203.xx.xx.58/24 assigned to 10.xx.xx.2 CARP interface
203.xx.xx.59/24 assigned to 10.xx.xx.2 CARP interface

No matter what HAProxy will not save the shared frontend after ticking the box and selecting the parent frontend

marcelloc · Jul 9, 2017, 1:29 PM

Assign 203.xx.xx.56 to opt1 interface and other 203.x addresses as virtual ips on the same interface.

Then configure haproxy on opt1 setting internal web serves as 10.x.x.x

Curious · Jul 9, 2017, 3:01 PM

@marcelloc:

Assign 203.xx.xx.56 to opt1 interface and other 203.x addresses as virtual ips on the same interface.

Then configure haproxy on opt1 setting internal web serves as 10.x.x.x

Don't think I can assign 203.xx.xx.xx to the interface directly as those WAN IPs come in from an upstream DMZ.

This may not be 100% accurate but traffic flow is like this public -> 203.x -> 10.x.x.1 -> 10.x.x.2 -> 203.x

marcelloc · Jul 9, 2017, 3:18 PM

If you don't have the 203 on the box, Configure haproxy without setting config on 203.x. Configure all with you 10.x network.

Do the upstream DMZ has nat configured from 203 to 10?

Curious · Jul 9, 2017, 3:55 PM

@marcelloc:

If you don't have the 203 on the box, Configure haproxy without setting config on 203.x. Configure all with you 10.x network.

So don't make any VIPs at all, just set the interface up with it's IP and the gateway IP?
I did think of this but I didn't know if HAProxy would be okay, I thought the WAN IPs would have to be defined somewhere.

@marcelloc:

Do the upstream DMZ has nat configured from 203 to 10?

~~I imagine it (upstream) has NAT otherwise the public traffic wouldn't make it past the private address space, right?~~ Yes upstream definitely has NAT.
I'll be okay to leave pfSense NAT as automatic because it's only replying to incoming connections and not establishing external connections on its' own.

So config should look like this?

Interface: OPT1
IP Address: 10.1.1.2
Gateway: 10.1.1.1

HAProxy Frontend
Listen on: OPT1 Address

Curious · Jul 9, 2017, 4:29 PM

Argh still can't get this to work.

I'm 100% sure traffic is hitting HAProxy it's just not being passed to the backend.

marcelloc · Jul 9, 2017, 6:16 PM

@Curious:

Argh still can't get this to work.

I'm 100% sure traffic is hitting HAProxy it's just not being passed to the backend.

Make sure you have firewall rules permitting incoming traffic and also check if haproxy see your webserver as online.