OPNsense Forum

English Forums => High availability => Topic started by: user290920 on October 01, 2025, 06:15:12 PM

Title: Using Gateway Group for HAProxy
Post by: user290920 on October 01, 2025, 06:15:12 PM
I've put this in here because it involves using Gateway Groups and CARP.

I have an HA cluster of two (2) OPNsense servers that sits in front of two (2) HAProxy servers. In an effort to keep everything clean, the HAProxy servers are VMs separate and apart from OPNsense. I want to create a VIP where traffic to that VIP is routed by OPNsense to the HAProxy servers, providing they pass their health check (i.e. a simple PING test).

After a bit of research, I've found some information on the web suggesting that I can do this using a Gateway Group + Firewall rules in OPNsense that would route the TCP request to the HAProxy server, providing they pass their PING health check. Has anyone had any success with something like this? And, if not this approach, what would you recommend?

I cannot install/enable HAProxy on the OPNsense firewalls, unfortunately. Received a hard "no" from the team.
Title: Re: Using Gateway Group for HAProxy
Post by: viragomann on October 01, 2025, 07:04:55 PM
Quote from: user290920 on October 01, 2025, 06:15:12 PM
I cannot install/enable HAProxy on the OPNsense firewalls, unfortunately.
This would be my suggestion though. But not proxying layer 7 traffic, but just layer 4.

This means you can set up HAProxy on OPNsense, configure a TCP backend pool with your existing HAProxy servers and a TCP frontend.
So the OPNsense HAProxy would do the health check of your backend HAProxy servers and forward traffic to them.
You can configure the backend as either active/backup or active/active.

So OPNsense does nothing else with the traffic than TCP forwarding.
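
The layer 4 setup described in the reply above, sketched as a plain haproxy.cfg fragment. This is an added example, not part of the original post and not the configuration generated by OPNsense; the addresses, port and section names are constructed placeholders.

```haproxy
# Added illustration: every address, port and name below is a constructed placeholder.
defaults
    mode tcp                  # layer 4 only: no TLS termination, no HTTP inspection
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend ft_tcp_in
    # 192.0.2.10 stands in for the virtual IP shared by the two firewalls
    bind 192.0.2.10:443
    default_backend bk_haproxy_vms

backend bk_haproxy_vms
    # "check" performs a TCP connect health check against each server;
    # a server is marked down after 3 failed checks and up again after 2 good ones
    default-server inter 2s fall 3 rise 2
    server haproxy1 10.0.0.11:443 check
    # "backup" makes this active/backup: haproxy2 only receives traffic
    # once haproxy1 has failed its health check
    server haproxy2 10.0.0.12:443 check backup
```

For active/active instead, remove the `backup` keyword and add `balance roundrobin` to the backend so both servers share connections while healthy.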