Inbound load balancing using HAProxy



  • Good morning,
    I am a novice user, so please bear with me… What I am trying to do is :

    I have two sites, connected with OpenVPN setup in a Lab Environment. Site A ( WAN Gateway : 10.1.1.230 and LAN A : 10.1.2.0/24 ) and Site B ( WAN Gateway : 10.1.1.233 and LAN B : 10.1.4.0/24 ).
    The OpenVPN has been set up and works fine. Also in the PFSense (Release 2.4.3) I have installed HAproxy (version 1.7.10) on PFSense Site A. I want to do load balance two Windows Web Servers running IIS. One webserver is on Site A and the other is on Site B. On PFSense in Site A, that I have HAProxy installed, I have created frontends and backends. The HAProxy works fine for the servers belonging in Site A, but when it must server the server in Site B, it can't.

    In the stats page the servers are all appear to be OK and are shown with green color. I think that I am missing something with the routing. Also from a virtual PC belonging in Site A, if I open a browser and enter the IP of the server that hosts the website, the website is displayed with no problem. The same if I do it form a virtual PC of Site B towards the website hosted in Site A, I see the website with no problem.

    In firewall rules in both sites I have allowed everything to be allowed, as this is a lab.

    Can you help me figuring out what am I missing?

    Not sure if I have written everything correctly... If you need more info please let me know!



  • Do you use 'transparent-client-ip' on the backend.? If so that could possibly cause issues.?.



  • Yes, I am using Transparent ClientIP.
    I have checked "Use Client-IP to connect to backend servers and form the drop down list I have checked LAN. I disabled this option and it works now with no problem.
    Because I don't know much of load balancing, why was this messing up the configuration?



  • Thank you very much for the help! :) :) :) I was struggling to find why this was happening for a week…



  • Well with that option 'transparent-client-ip' haproxy will try and create the connection to the webserver with a 'spoofed' client ip, for this to work the remote webserver and remote pfSense box must know how to route traffic back to haproxy while actually trying to reply back to that client-ip so firewall reply-to rules would need to be present in the rules.debug of the second site to make sure the reply passes back through haproxy.. Also i'm not sure if the reply capturing ipfw rules work properly on openvpn interfaces.. (ive never tried/checked..)

    Now without that option the client-ip as the webserver sees it is likely a ip in the tunnelnet, and that will make that replies from the webserver will route back easily to haproxy. So it will just work.. But the webserver wont know what client connected.. You could try other options for that like inserting the forward-for header, or using proxy-protocol.. But both might require configuration on the webserver to make it log/check that added header, or accept that protocol at all. It depends on if you need the client-ip there..



  • Thanks very much for explaining this to me! Very much appreciated! :)