What came first - the firewall or the HAProxy?



  • Hi everyone,

    I'm a newbie to pfSense and the load-balancing world but hopefully this is an easy one to answer.

    I have installed HAProxy package onto my virtual pfSense. When configuring HAProxy to send requests from the frontend to the backend, do I use the NATed address for the frontend or do I use the public IP of the frontend? Or does either work? I'm a little confused as to whether I need to NAT before sending the request/packet to the frontend or do I just need ACLs (and no NAT) and configure HAProxy frontend to listen directly on the public IP.

    For example:

    • WAN IP 1.1.1.1
    • LAN IP 10.0.0.1
    • I advertise 2.2.2.2 and 3.3.3.3 out the WAN to upstream carrier internet via FRR and BGP
    • 2.2.2.2 and 3.3.3.3 are the public addresses for two internal web servers - call them web2 and web3
    • 2.2.2.2 is for example.com and 3.3.3.3 is for fubar.com
    • The real IP of web2 is 10.0.0.2 and the real IP of web3 is 10.0.0.3

    I want to create a single frontend and use SNI to send the requests to the appropriate backend.

    Do I:

    • Create a VIP on the internal LAN 10.0.0.254
    • Create a 1:1 NAT from "any" to 10.0.0.254
    • Create firewall ACL on WAN interface to allow TCP/443 to 10.0.0.254
    • Create a frontend listening on 10.0.0.254
    • Configure SNI to send example.com to 10.0.0.2 and fubar.com to 10.0.0.3

    Or:

    • Create firewall ACL on WAN interface to allow TCP/443 from any to 2.2.2.2
    • Create firewall ACL on WAN interface to allow TCP/443 from any to 3.3.3.3
    • Create a frontend listening on 2.2.2.2 default backend 10.0.0.2
    • Create a frontend listening on 3.3.3.3 default backend 10.0.0.3

    Or is there another way of achieving the same thing?

    Thanks!



  • @kilofoxtrotmike based on what you say and what I understand: that second example. No need to NAT, because the reverse proxy would terminate the incoming connection from the internet and start a new connection to your internal webserver.
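  As an added illustration of the second option recommended above (this is example configuration, not from the thread, the pfSense package GUI, or the HAProxy project): one HAProxy frontend bound directly on the two public addresses, choosing a backend by SNI. It assumes the constructed addresses and hostnames from the question (2.2.2.2/3.3.3.3 public, 10.0.0.2/10.0.0.3 real) and uses TLS passthrough in TCP mode, so HAProxy only inspects the ClientHello and the certificates stay on web2 and web3. The WAN firewall rules still have to pass TCP/443 to 2.2.2.2 and 3.3.3.3; no 1:1 NAT entry is needed because HAProxy accepts the connection itself and opens a new one to the LAN server.

```haproxy
# Added example, not from the original thread.
# Single frontend on both public IPs; backend chosen by SNI (TLS passthrough).
global
    log /dev/log local0
    maxconn 2000

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # Listen on the advertised public addresses directly; no NAT in front.
    bind 2.2.2.2:443
    bind 3.3.3.3:443
    # Buffer up to 5s of client data so the full ClientHello can be read
    # before a routing decision is made.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route on the SNI hostname the client sent.
    use_backend be_web2 if { req_ssl_sni -i example.com }
    use_backend be_web3 if { req_ssl_sni -i fubar.com }
    # No default_backend: a connection with no matching SNI is closed
    # instead of being handed to an arbitrary server.

backend be_web2
    server web2 10.0.0.2:443 check

backend be_web3
    server web3 10.0.0.3:443 check
```

  One consequence of this layout: because HAProxy opens the backend connection itself, web2 and web3 see pfSense's LAN address (10.0.0.1 in the question) as the client IP in their logs unless you add transparent proxying or terminate TLS on HAProxy and pass the real address in a header.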



  • Hi @surinameclubcard thanks for taking the time to answer! I will definitely try that second example then. FWIW, I am currently using the first example i.e. NAT then HAProxy, and can confirm that does work.