Which v6 interface to bind HAProxy to?

  • Hi,

    I setup pfSense for the first time around a week ago, and I've just finished setting up DHCPv6 on BT Infinity.

    I've got a HAProxy frontend setup handling port 80/443 to various backends. This is currently bound to WAN Address (IPv4). I've tried also binding the frontend to WAN Address (IPv6) but when I apply the configuration HAProxy (correctly) refuses to bind as WAN address is reading as an fe80: address.

    After some reading it appears that BT are using link-local -> link-local for the PPPoE IPv6 link. Which means that the WAN interface will never be assigned a prefixed address. This complicates things for me a little as I don't understand how to get HAProxy exposed without anything public to bind on.

    All my other interfaces are getting IPv6 addresses successfully.

    My question; is it safe for me to bind HAProxy to LAN address (IPv6) then create a rule on my WAN interface to allow any port 80/443 to LAN address. My concern is that the webConfigurator runs on that interface on the same ports. (I've tried doing this with no issue and it all appears to work correct, I'm just concerned about exposing the admin interface remotely accidentally).

    I'm trying to work out how I'm able to access HAProxy externally if both HAProxy and webConfigurator via IPv6 are both bound to the same address on the same interface. More investigation required may be required here.

    Side note: do I need to add an explicit rule to block all inbound traffic on all interfaces, or is there a default rule to block if no matching rules are found?

    IPv4 life was simple, but I'm enjoying learning about IPv6.

  • Banned

    I'm not sure it will work, but I would try to add a virtual IP for HAProxy in this case.

  • I could do that, but my ISP allocates me a dynamic address - is there a way of allocating a /64 prefixed space to a virtual IP block? I can't work it out, nor can I find any documentation on how to do so.

Log in to reply