Netgate Discussion Forum
    What came first - the firewall or the HAProxy?

      KiloFoxtrotMike wrote:

      Hi everyone,

      I'm a newbie to pfSense and the load-balancing world but hopefully this is an easy one to answer.

      I have installed the HAProxy package onto my virtual pfSense. When configuring HAProxy to send requests from the frontend to the backend, do I use the NATed address for the frontend or do I use the public IP of the frontend? Or does either work? I'm a little confused as to whether I need to NAT before sending the request/packet to the frontend, or whether I just need ACLs (and no NAT) and configure the HAProxy frontend to listen directly on the public IP.

      For example:

      • WAN IP 1.1.1.1
      • LAN IP 10.0.0.1
      • I advertise 2.2.2.2 and 3.3.3.3 out the WAN to upstream carrier internet via FRR and BGP
      • 2.2.2.2 and 3.3.3.3 are the public addresses for two internal web servers - call them web2 and web3
      • 2.2.2.2 is for example.com and 3.3.3.3 is for fubar.com
      • The real IP of web2 is 10.0.0.2 and the real IP of web3 is 10.0.0.3

      I want to create a single frontend and use SNI to send the requests to the appropriate backend.

      Do I:

      • Create a VIP on the internal LAN 10.0.0.254
      • Create a 1:1 NAT from "any" to 10.0.0.254
      • Create firewall ACL on WAN interface to allow TCP/443 to 10.0.0.254
      • Create a frontend listening on 10.0.0.254
      • Configure SNI to send example.com to 10.0.0.2 and fubar.com to 10.0.0.3

      Or:

      • Create firewall ACL on WAN interface to allow TCP/443 from any to 2.2.2.2
      • Create firewall ACL on WAN interface to allow TCP/443 from any to 3.3.3.3
      • Create a frontend listening on 2.2.2.2 default backend 10.0.0.2
      • Create a frontend listening on 3.3.3.3 default backend 10.0.0.3

      Or is there another way of achieving the same thing?

      Thanks!

      surinameclubcard (replying to KiloFoxtrotMike) wrote:

        @kilofoxtrotmike based on what you say and what I understand: that second example. No need to NAT, because the reverse proxy terminates the incoming connection from the internet and starts a new connection to your internal webserver.

      KiloFoxtrotMike wrote:
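To make the "second example" concrete, here is a hand-written haproxy.cfg that does what the original post asked for (one frontend, SNI-based routing, no NAT) using the addresses from the post. This is an added example, not the configuration generated by the pfSense HAProxy package or anything from the posters; the pfSense package renders its own haproxy.cfg from the GUI, and the WAN firewall rules allowing TCP/443 to 2.2.2.2 and 3.3.3.3 are still required so the packets reach the proxy. It uses TLS passthrough (tcp mode), so HAProxy only reads the SNI name from the ClientHello and never decrypts the traffic; the certificates stay on web2 and web3.

```haproxy
global
    log /dev/log local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # Bind directly on the advertised public addresses; no 1:1 NAT or VIP is involved.
    bind 2.2.2.2:443
    bind 3.3.3.3:443
    # Hold the connection until the TLS ClientHello arrives so the SNI field can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route on the SNI name only; match is case-insensitive.
    use_backend web2 if { req.ssl_sni -i example.com }
    use_backend web3 if { req.ssl_sni -i fubar.com }
    # Deliberately no default_backend: connections with no SNI or an unknown
    # name are closed instead of being forwarded to an arbitrary server.

backend web2
    # Proxy opens a new TCP connection to the real server; client sees 2.2.2.2.
    server web2 10.0.0.2:443 check

backend web3
    server web3 10.0.0.3:443 check
```

Because the connection is re-originated from the firewall, the web servers log the proxy's LAN address as the client unless a proxy protocol or similar mechanism is added; that is the trade-off of the no-NAT design the reply recommends.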

          Hi @surinameclubcard thanks for taking the time to answer! I will definitely try that second example then. FWIW, I am currently using the first example i.e. NAT then HAProxy, and can confirm that does work.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.