Netgate Discussion Forum

    Unable to connect to backend if Transparent ip is enabled in HAProxy

    Firewalling
    4 Posts 2 Posters 756 Views
    justinxa

      Hi,
      I have HAProxy installed with the frontend serving at 443. I have a backend serving with SSL enabled. When I enable Transparent IP, I am not able to connect to the backend.
      What I really want is to connect to the backend with an HTTPS mode frontend and get the source/client IP from the traffic.

      Regards,
      Justin X.

      PiBa @justinxa

        @justinxa

        • Does the (web)server use the pfSense machine as its default route?
        • Is the client on a different subnet than the (web)server?

        If these criteria are not met, then it will not work due to asynchronous routing and the fact that HAProxy is a full proxy that terminates the client connections.

        justinxa

          @PiBa

          • Does the (web)server use the pfSense machine as its default route? - Yes.
          • Is the client on a different subnet than the (web)server? - No. pfSense has two NICs attached which are on two subnets, i.e. an external subnet and an internal subnet. The webserver is on the internal subnet.

          Are you suggesting I keep pfSense and the webserver on the same subnet?

          Regards,
          Justin X.

          PiBa @justinxa

            @justinxa
            For using transparent client IP I suggest moving the webserver to a different LAN / VLAN / OPT1 network from where the clients are connecting. So traffic to/from it will always pass through pfSense.

            As for your question about pfSense being on the same subnet, 'yes to all'..

            • pfSense and the webserver will be on the same subnet
            • also pfSense and the ISP should be on the same subnet
            • AND also client and pfSense would be on the same subnet...

            pfSense would have 3 NICs, one for each network.. (those could be VLANs, which are effectively treated as additional NICs) But well, that needs a managed switch that can be configured to trunk and tag certain ports with VLAN traffic..

            Or, use a different solution like the X-Forwarded-For header or the proxy protocol. Either of which would also need to be configured / supported by the (web)server.. So the chance of these being possible is low if traffic isn't sent to a regular webserver.. And even then it might need some extra plugin to support the proxy protocol. Personally I think transparent client IP is the 'most compatible' option.. but well, it does require separated client<>server networks....

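The three options PiBa lists, written out as a plain HAProxy configuration so the trade-offs are visible side by side. This is an added example, not the thread's own config or what the pfSense HAProxy package generates; the addresses, backend name and certificate path are constructed placeholders.

```haproxy
# Added example (not from the thread or the pfSense package). HTTPS-mode frontend
# that terminates TLS and re-encrypts to an SSL-enabled backend on the OPT1 subnet.
frontend https_in
    mode http
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/site.pem   # WAN VIP and cert path are placeholders
    default_backend web_transparent      # point at web_xff or web_proxyproto to switch approach

# 1) Transparent client IP: HAProxy opens the backend connection FROM the client's
#    own source address. Works only when the server's default route is pfSense and
#    the clients sit on a different network; otherwise the server answers the client
#    directly, the handshake never completes, and you get the "unable to connect"
#    symptom from the first post.
backend web_transparent
    mode http
    source 0.0.0.0 usesrc clientip
    server web1 10.0.1.10:443 ssl verify none    # 10.0.1.10 = constructed OPT1 address
    # "verify none" is for a lab only; in production use "verify required ca-file <ca>"

# 2) X-Forwarded-For: no routing requirement. The web server must read the header
#    only on connections that really come from HAProxy, or clients can spoof it.
backend web_xff
    mode http
    option forwardfor
    server web1 10.0.1.10:443 ssl verify none

# 3) PROXY protocol: also works for non-HTTP TCP backends, but the server must
#    speak it (nginx: "listen 443 ssl proxy_protocol;" plus set_real_ip_from /
#    real_ip_header proxy_protocol), or it will reject the connection outright.
backend web_proxyproto
    mode http
    server web1 10.0.1.10:443 ssl verify none send-proxy-v2
```

Only the backend named in `default_backend` is used; the other two are left in place so the alternatives can be swapped in by changing one line.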
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.