HAproxy unable to reach backends behind VPNs
-
I installed HAproxy and configured it without any issues.
Frontend is bound to 0.0.0.0 (any) and HTTP servers on the LAN interface are working fine.
The problem is when I set a backend IP address that's behind a VPN, because it's always marked as DOWN even if I'm able to get an HTTP response using "curl http://10.20.30.100:8123".
When the backend host is set to any LAN host, it works just fine.
My scenario:
WAN static IP (ie: 190.1.2.3)
LAN net: 192.168.100.0/24
OpenVPN peer-to-peer net: 10.10.20.1 - 10.10.20.2
Remote VPN net: 10.20.30.0/24
Remote HTTP server: 10.20.30.100
Ping, traceroute, curl working fine from pfSense to 10.20.30.0/24 hosts
Remote VPN hosts able to reach LAN hosts
Just wondering if any of you have an idea of something I should try.
Thanks!
-
@WEBudo said in HAproxy unable to reach backends behind VPNs:
The problem is when I set a backend IP address that's behind a VPN, because it's always marked as DOWN
The backend in HAproxy, I guess?
So take care that it is shown as up. With a basic health check, HAproxy just tries to establish a TCP connection. If you can curl the site from pfSense, this should work as well.
-
Hello @viragomann
Yes, the backend in HAproxy ;)
Backend shows as down on the monitoring interface, but pingable and "curl-able" from pfSense's SSH console.
It only happens with backends that are behind those VPN tunnels.
Bug? (don't think so... I'm sure there's something else I'm missing)
-
@WEBudo
It is necessary that HAproxy detects the backend as online. Otherwise it won't forward traffic to it.
You're talking about an OpenVPN? Not IPSec by any chance?
Which health check have you configured?
-
@viragomann Got it working!
I wasn't able to reboot pfSense before because it's in production. Last night I scheduled a window and voilà... it works now.
Thanks!