HAProxy - Starting frontend http_listener: cannot bind socket



  • Hi All,

    I am trying to configure HAProxy to Load Balance 2 backend web servers.

    I have updated the web gui to not use port 443 and have disabled the redirect from port 80.

    I am using a dual WAN setup with a live FTTC service (WAN1) and a backup ADSL service (WAN2). ADSL service has a single public IP, FTTC service has 5 public IP addresses - 1 for PFSense and 4 Virtual IP addresses used for various services.

    I successfully managed to test a HAProxy setup on my ADSL line by having HAProxy bind to 'WAN Address' on port 80 and adding a corresponding Firewall rule for traffic from the WAN interface to 'WAN2 net'. Everything worked fine after a bit of tweaking.

    My problem came when I tried to transfer this to the live (WAN1). Initially I tried to have HAProxy listen on the 'WAN2 Address' but soon realised that this was going to bind to the IP address of the interface and NOT any of my Virtual IPs.

    I have tried to get HAProxy to bind to one of my virtual IPs on the WAN1 interface but I just get the message that the frontend http_listener cannot bind socket on port 80.

    I have also tried to get the HAProxy to listen on one of the Virtual IPs to bind to a different port that is definitely not being used for anything but still the same problem.

    I have also tried to create an additional Virtual IP address and also tried adding a CARP IP address but still the same problem.

    I have read in various places that some systems will not allow a program to bind to a nonlocal address unless net.ipv4.ip_forward = 1 is set in sysctl.conf so I don't know if I would need something similar to that?

    I'd be very grateful for any pointers in the right direction and will obviously provide any more info if required.

    Thanks in advance



  • Hi Adam,
    From what you describe it should work fine imo. The virtual ip must be of type carp or ipalias, both are possible, the proxy-arp and other are not possible, but seems like you tried the right way.

    If you run 'ifconfig' on console/ssh, does it show the IPs you're trying to use in haproxy?

    No tuning of sysctl should be needed.

    Regards,
    PiBa-NL
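
An added example (not part of the thread): a small Python probe that reports which errno lies behind a bind failure like the one HAProxy logs, separating an address that is not present on any local interface (what the ifconfig check above looks for) from a port that is already taken. The function name `probe_bind`, the sample address 203.0.113.10 and the availability of Python 3 on the host are assumptions made for this example.

```python
import errno
import socket

# Map the errno returned by bind(2) to the cause it points at.
CAUSES = {
    errno.EADDRNOTAVAIL: "address is not configured on any local interface",
    errno.EADDRINUSE: "another socket already holds this address and port",
    errno.EACCES: "insufficient privilege to bind this port",
}


def probe_bind(address, port):
    """Try to bind a TCP socket; return (ok, errno_name, explanation)."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        sock.bind((address, port))
    except OSError as exc:
        # Translate the numeric errno into its symbolic name, e.g. EADDRNOTAVAIL.
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return False, name, CAUSES.get(exc.errno, exc.strerror)
    finally:
        # Always release the socket so the probe never holds the port itself.
        sock.close()
    return True, None, "bind succeeded"


if __name__ == "__main__":
    # Constructed sample targets: 203.0.113.10 is a documentation address
    # (TEST-NET-3) standing in for a public virtual IP; 127.0.0.1 is always local.
    for addr, port in [("127.0.0.1", 8080), ("203.0.113.10", 8080)]:
        print(addr, port, probe_bind(addr, port))
```

An `EADDRNOTAVAIL` result on a port known to be free means the operating system does not consider the address local, so changing the port will not help.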



  • Hi PiBa,

    Thank you for your response. There is no reference of the virtual IP in ifconfig nor is there any reference of HAProxy but with HAProxy refusing to start I suppose that's to be expected.

    I have done a bit more testing on another pfsense box that I have here and it seems that the problem only comes about if I try to listen on a virtual ip address on an interface that is configured to connect via PPPoE. On my test box, if I configure the WAN interface as a static IP rather than PPPoE, it seems to have no problem listening on virtual IPs. As soon as I change the wan connection to use PPPoE, I get the same error.

    Do I need to consider putting my pfsense box in a routed subnet?

    Thanks again

    Adam



  • Hi Adam,
    I've not dealt with PPPoE much, but tried to replicate your issue though. What I found is that it was possible to start haproxy by adding the word "transparent" in the advanced setting of the 'external address' in the frontend.
    Can you try if that works for your situation? (I'm not really sure what it does.)

    Another workaround might be to make haproxy listen on localhost and use a port forwarding rule to direct traffic from a specific external ip to a specific internal localhost ip 127.0.0.1 / 127.0.0.2 /.3 or separate ports. But that creates a little overhead for the nat table I think, and is harder to maintain.
    Regards,
    PiBa-NL



  • Hi PiBa,

    I have tried with 'transparent' in the external address advanced setting and this does indeed allow the service to start, and when I view the Sockets in PFSense, it shows HAProxy as listening on the right address and port. It still doesn't show in ifconfig though and traffic doesn't seem to be reaching HAProxy (I have added a firewall rule allowing traffic from the wan interface to the VIP and confirmed in the logs that the rule is allowing traffic through).

    In testing, I have discovered that if I convert my WAN connection to a static IP address using the same address as the PPPoE connection uses (which obviously breaks my internet connection), then start HAProxy, then convert my WAN connection back to PPPoE, it does seem to work as expected - as soon as the server is rebooted though or HAProxy restarts, it starts complaining about not being able to bind to the socket again.

    I think I will have to consider using the second method that you mentioned or possibly use a separate modem to handle the PPPoE so I can set PFSense to use a static IP for the WAN connection.

    I'll post back with the results of this.

    Thanks

    Adam



  • Hi PiBa,

    Just to confirm, I was able to get things working using your method of adding a vip of 127.0.0.2 and then using NAT to forward to this. HAProxy had no problem binding to that address. There is not a huge amount of traffic going through the server, my setup is mainly for HA rather than load balancing so I don't think the extra overhead on the NAT table is going to cause any issues for now.

    Thank you so much for your assistance!

    Adam



  • Hi Adam,

    Could try binding the public VIP IPs to a localhost interface?
    https://redmine.pfsense.org/issues/4026#note-1

    Regards,
    PiBa-NL

