HAProxy + manual outbound NAT reflection problem

  • I have set up HAProxy to load balance to a couple of systems in my LAN from an aliased public IP on my pfSense firewall.  I have HAProxy configured as purely a TCP pass-through, with "Transparent Client-IP" enabled.  Access to the service works just fine when outside my firewall, but I need hosts on the LAN of my firewall to access the service as well.  The web application being served up is ridiculously restricted by license to both a URL and an IP address, so I can't use any kind of split-DNS to solve this problem.  (The name would still match, but the IPs wouldn't.)

    I've been running in manual outbound NAT mode for a while, so I configured a new rule at the top of the stack for traffic exiting the LAN interface, sourced from the LAN subnet, and destined for the IPs of the servers in the HAProxy backend.  From what I understand, that should work…but it doesn't.  Looking at the HAProxy logs shows that the requests coming from LAN systems still have their private IP addresses as the source address.  As far as I can tell, HAProxy should see the LAN IP address of the firewall in the requests...but this isn't the case.  It's like HAProxy is doing something in advance of any of the outbound NAT rules...before traffic can get to them.

    Does anyone have a workaround for this oddball problem?  I know NAT reflection on HAProxied hosts won't work automatically, but I'm hoping there's a way to coerce functionality.

  • The fix for this was to move the HAProxied hosts to their own subnet and interface on the firewall, independent of the "LAN".  Then, hosts on the LAN can still benefit from the failover HAProxy provides.
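
The configuration below is an added example, not taken from either post or from the pfSense HAProxy package. It shows what the "TCP pass-through with Transparent Client-IP" setup from the question looks like in plain haproxy.cfg syntax, with the backends placed on the dedicated interface the answer describes. All addresses and names (the 203.0.113.10 public alias, the 10.0.20.0/24 backend subnet, the frontend and server names) are assumed for illustration. The relevant line is `source 0.0.0.0 usesrc clientip`: it makes HAProxy open each backend connection with the original client's address as its source, so the backend logs the real client IP rather than the firewall's, which matches what the question's log observation shows. Because the backend then replies to that client address, the replies have to be routed back through the proxy host; putting the backends behind their own firewall interface guarantees that path.

```haproxy
# Added example (not from the original thread): TCP pass-through with
# transparent client IP. Assumed addresses: 203.0.113.10 is the public alias
# on pfSense; 10.0.20.11 and 10.0.20.12 are the backends on a dedicated
# interface, separate from the LAN the clients live on.
global
    log /dev/log local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend app_in
    bind 203.0.113.10:443
    default_backend app_servers

backend app_servers
    balance roundrobin
    # Transparent client IP: HAProxy connects to the backend using the
    # original client's address as the source (requires the kernel's
    # IP_TRANSPARENT support and a route/policy that returns the backend's
    # replies through this host). The backend sees the client IP, not the
    # firewall's, and its replies must traverse the firewall to reach the
    # client, which is why the backends sit on their own interface here.
    source 0.0.0.0 usesrc clientip
    server web1 10.0.20.11:443 check
    server web2 10.0.20.12:443 check
```

To confirm the behaviour, compare the source address in the HAProxy log line (`option tcplog`) with the peer address the backend itself records for the same connection; with `usesrc clientip` the two match, which is the property that needs the separate backend subnet.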