Guest VLAN and Haproxy/acme



  • I have a LAN with a mailserver. I have configured haproxy with acme, so my mailserver is accessible from the internet. The ssl offloading is handled by the firewall.

    I have a second LAN for guests which is a separate VLAN on the firewall. I have created a firewall rule and have set up a split DNS for the mail server. I can access the mail server from my guest LAN using the full dns name but as expected I get a certificate error.

    Is there an elegant way to solve this?


  • LAYER 8 Netgate

    1. Make an IP Alias VIP on Localhost using a /32 from an unused subnet. You can use other addresses here for other Localhost VIPs if the need arises.
    2. Port Forward the desired traffic from the outside to that VIP.
    3. Be sure the WAN rules pass the traffic to the VIP, not WAN address. The Auto-rules should be fine.
    4. Tell HAproxy to listen on that VIP on the frontend instead of the WAN address.
    5. Split DNS inside hosts to that VIP instead of the backend server itself.
    6. Look, Ma, no NAT reflection, and HAproxy does all the TLS for hosts inside and out.
    7. 🍹 Have a cocktail.

  • LAYER 8 Netgate

    You could also listen on the WAN and the VIP in the frontend and forgo the port forward, I suppose. The key is getting HAproxy in between all clients and the server whether they are connecting from the inside or outside.
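    For readers who want to see what the GUI steps in the two replies above amount to in HAProxy's own terms, here is an added example configuration that is not part of the thread and not something the pfSense HAProxy package generated. Every value is an assumption chosen for illustration: the Localhost VIP 192.0.2.1/32, the WAN address 203.0.113.10, the mail server at 192.168.10.25 serving webmail over plain HTTP on port 80, the hostname mail.example.com, and the certificate bundle path. The commented-out second `bind` line shows the alternative from the follow-up reply (listen on the WAN address too and skip the port forward).

```haproxy
# Added example, not from the thread or from the pfSense package.
# Assumed values: VIP 192.0.2.1 (IP Alias on Localhost), WAN 203.0.113.10,
# backend mail server 192.168.10.25:80, certificate bundle path below.

frontend mail_https
    mode http
    # Step 4: bind on the Localhost VIP, not on the WAN address.
    # Outside clients reach it through the port forward (steps 2-3),
    # inside clients through split DNS (step 5), so HAProxy terminates TLS
    # for both and the backend certificate never matters.
    bind 192.0.2.1:443 ssl crt /var/etc/haproxy/mail.example.com.pem alpn h2,http/1.1
    # Alternative from the follow-up reply: also listen on the WAN address
    # and drop the port forward.
    # bind 203.0.113.10:443 ssl crt /var/etc/haproxy/mail.example.com.pem alpn h2,http/1.1

    # Pass the client address and scheme to the webmail application,
    # since it only ever sees plain HTTP from HAProxy.
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    # Only route requests for the expected hostname; anything else is refused.
    acl host_mail hdr(host) -i mail.example.com
    use_backend mail_backend if host_mail
    http-request deny if !host_mail

backend mail_backend
    mode http
    option httpchk GET /
    # Backend stays on plain HTTP inside the LAN; TLS is offloaded above.
    server mailsrv 192.168.10.25:80 check
```

    To confirm the setup from the guest VLAN, resolve mail.example.com (it should return the VIP, not the mail server) and run `openssl s_client -connect mail.example.com:443 -servername mail.example.com`; the certificate chain shown should be the ACME-issued one, identical to what an outside client sees.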



  • I was on summer break, hence the late reply. I guess I started with step 7.

    Thanks for your reply! I will give it a try.

