HA Proxy transparent clientip and NAT reflection

swa · Jul 29, 2022, 10:35 AM

We have a situation where we have load balanced application on IIS that requires the realip and terminating SSL on the server (layer 4). Regretfully IIS does not use the proxy protocol for haproxy TCP, so we needed to do transparent clientip. Doing so killed NAT reflection, which the application also needs. The client does not want to use split DNS so we are in a bit of a bind. Relayd looked like it would have done the job, but apparently that is out as of 2.5 and not coming back. Any suggestions?

viragomann · Jul 29, 2022, 11:05 AM

@swa said in HA Proxy transparent clientip and NAT reflection:

The client does not want to use split DNS

Why not? Does the proxy anything, which is needed?

You issue might have nothing to do with NAT reflection at all.

stephenw10 · Jul 29, 2022, 2:24 PM

So you had to use option 3 here?
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver

Yeah, that's going to break NAT reflection in pf if it uses ipfw.

Steve

viragomann · Jul 29, 2022, 2:44 PM

@stephenw10 said in HA Proxy transparent clientip and NAT reflection:

So you had to use option 3 here?

Option 1 does not work with TCP mode, which he is using.
Option 2 need the proxyprotocol on the webserver, which isn't supported as he say.
Option 3 is the one which he has set up and is trying to get work from inside the network.

@swa
I assume, you have a very good reason for using the transparent mode. Basically this should be avoided.

swa · Jul 29, 2022, 4:28 PM

@viragomann Split DNS is my first choice, and I will continue to push that, but just looking for some choices with transparent. The only reason we are using it is to get the realip on IIS .. it's nuts IIS does not support proxyprotocol.

viragomann · Jul 29, 2022, 4:39 PM

@swa
And why don't you use a HTTP mode frontend?

The only solution to get the transparent mode work from inside the network, I can think of, is to do masquerading towards the web server.

swa · Jul 29, 2022, 4:45 PM

@viragomann They wanted to manage the certs on the IIS server. They juggle 30 and have a method already in place there. HTTP mode would require us to put term on the firewall :(. Plus HTTP mode is not a performant as tcp/transparent. We tried an outbound nat rule and that didn't seem to work while the transparent was on, but did work with it off. We'll give it another go as that was my first idea as well. Appreciate the suggestions.

viragomann · Jul 29, 2022, 4:57 PM

@swa
Anyway, the masquerading solution would replace the source IP of internal clients and you would loose this information as well with that.

So there is nothing else you can do on pfSense, when passing internal requests over HAproxy.
This will result in asymmetric routing issues, and I think, it's the client, which does not accept the respond directly from the web server, since he sent the request to the gateway before.
However, it should work if client and server reside in different network segments.