Hello
I'm using the HAProxy plugin and I needed to run it inline, in transparent mode. In order to make this work I had to add some IPFW rules and basically apply the modifications mentioned in this post: https://forum.opnsense.org/index.php?topic=2214.0
Of course the downside to this is that every update to OPNsense means that the changes need to be reapplied. I was wondering if anyone knew of a better way to make this work or could clarify the response from the previously mentioned post:
Quote: You probably can add a firewall rule using the interface to do the same thing, the included proxy server contains a link to create reflect rules to put the proxy in transparent mode.
Cheers
Hi rosu,
If you let us know what you modified and what the use case behind it is we may be able to integrate it as a proper feature. :)
Cheers,
Franco
Hi Franco
What I modified is basically as per the post I mentioned previously:
Create a new file /usr/local/etc/ipfw_custom.rules for the custom IPFW rules:
add 3000 fwd localhost tcp from ${server_ip} 80 to any in recv vmx1
Modify /usr/local/etc/rc.ipfw to include the custom rules:
# reload ipfw rules
/sbin/ipfw -f /usr/local/etc/ipfw.rules
if [ -f /usr/local/etc/ipfw_custom.rules ]; then
    /sbin/ipfw -f /usr/local/etc/ipfw_custom.rules
fi
Modify /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d to enable IPFW:
firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"
Then you can configure a backend in HAProxy via the Option pass-through section to use the client IP address as the source:
source 0.0.0.0 usesrc clientip
Just have to ensure that OPNsense is the default gateway for the servers you are load balancing. I believe there is an option called Transparent ClientIP on the pfSense HAProxy addin which will configure IPFW rules etc.
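
Added example, not part of the thread above and not OPNsense code: a POSIX sh sketch that checks whether an update has reverted the two file changes described in the last post and re-inserts the rc.ipfw include idempotently. The paths are the ones quoted in the post; the function names and the `--apply` switch are hypothetical.

```shell
#!/bin/sh
# Added example. Paths are those quoted in the thread; names are hypothetical.
STOCK_RULES="/usr/local/etc/ipfw.rules"
CUSTOM_RULES="/usr/local/etc/ipfw_custom.rules"

# loads_rules FILE RULES: succeed if FILE has a line "/sbin/ipfw -f RULES".
loads_rules() {
    awk -v r="$2" '$1 == "/sbin/ipfw" && $2 == "-f" && $3 == r && NF == 3 { found = 1 }
                   END { exit !found }' "$1"
}

# Re-insert the conditional include after the stock rules line.
# Returns 0 if present or inserted, 2 if the stock line is gone (the file
# layout changed, so review by hand), 1 on I/O errors.
ensure_custom_include() {
    rc_file="$1"
    loads_rules "$rc_file" "$CUSTOM_RULES" && return 0
    loads_rules "$rc_file" "$STOCK_RULES" || return 2
    tmp="$(mktemp "${rc_file}.XXXXXX")" || return 1
    awk -v stock="$STOCK_RULES" -v custom="$CUSTOM_RULES" '
        { print }
        !done && $1 == "/sbin/ipfw" && $2 == "-f" && $3 == stock && NF == 3 {
            print "if [ -f " custom " ]; then"
            print "    /sbin/ipfw -f " custom
            print "fi"
            done = 1
        }' "$rc_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep a backup, then overwrite in place so the file mode is preserved.
    if cp -p "$rc_file" "${rc_file}.orig" && cat "$tmp" > "$rc_file"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Succeed if the template still carries the always-YES edit from the post.
template_forces_enable() {
    grep -rqF '{% else %}YES{% endif %}' "$1"
}

# Hypothetical entry point: run with --apply after an update.
if [ "${1:-}" = "--apply" ]; then
    ensure_custom_include /usr/local/etc/rc.ipfw ||
        echo "rc.ipfw: include not restored (status $?), review by hand" >&2
    template_forces_enable /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d ||
        echo "IPFW rc.conf.d template no longer forces firewall_enable=YES" >&2
fi
```

The template is only checked, never rewritten, because the thread does not show its stock content.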