OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: agrozdanov on March 26, 2021, 02:55:19 am

Title: problem with the load-balancing of HAProxy into OPNsense
Post by: agrozdanov on March 26, 2021, 02:55:19 am
Good evening, Everyone
I hope everybody is safe and in a good mood!
I was looking for a similar issue but couldn't find a match, so I apologize if I am repeating an issue. Also, I have realised that most of the available manuals, even the official OPNsense HAProxy ones, show the old interface, which causes even more trouble with the issue.
I am trying to implement HAProxy as an add-on on an OPNsense firewall.
In my DMZ I have two identical CentOS servers with identical web pages (Apache), with IPs 192.168.100.50 and 192.168.100.100. Access to them from the WAN over :80 is granted with a port-forwarding rule on the firewall.
Here's a link to the screenshots from OPNsense: https://matrixcollegeca0-my.sharepoint.com/:f:/g/personal/agrozdanov_matrixcollege_ca/Enf3i5QhXz1GqTf75f1Jy2EBTGHcRJr_NMqIPaeFhW7Vxw?e=MV8CNg
There, you will also see my port-forwarding and firewall-related rules.
I have assumed I might need a "virtual" IP address for the load balancer itself, 192.168.100.10:443, so I have put it into the Public Services section of HAProxy. I did it thinking about how I would have done it if I had introduced HAProxy on a separate PC, but I might be wrong ...
Also, I noticed that using anything other than 127.0.0.1 in Public Service - Listen Address will not allow the HAProxy service to start (see the top-left corner of the screenshots, and 06.png), even though the "Test syntax" completes without any errors....
If I use 127.0.0.1:443 in Public Service - Listen Address and change the port-forwarding rule accordingly, I see the administrative web interface of the firewall in the web browser, so I am pretty sure there is supposed to be a way to "translate" it to an internal, virtual IP ...
Please, give a hand with this issue.
Thank you, and Best Regards,
Asen


Title: Re: problem with the load-balancing of HAProxy into OPNsense
Post by: lfirewall1243 on March 26, 2021, 11:05:34 am
First you should set up a basic HAProxy config (without Load Balancing) and so on

- Change the WebUI port of your FW
- You don't need a VIP for it
- Create an ALLOW rule on WAN to WAN Address (80/443)
- Set up your HAProxy Frontend, Backend and Real Servers
- At first, add one Real Server to your Backend
- Disable SSL-Offloading if your Apache servers are doing SSL stuff themselves

-> Now you should be able to access your webpage from the outside
If that's running, you can start to configure your load balancing

Note: And delete the NAT port forwarding on WAN - What is this for?
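As an added illustration that is not part of the original thread: roughly what the steps in the reply above correspond to in plain HAProxy configuration, using the two DMZ servers from the first post. The address 203.0.113.10 is a placeholder for the firewall's WAN address, and the names `www_frontend`, `www_backend`, `web1` and `web2` are hypothetical; on OPNsense these settings are entered through the plugin's GUI rather than written by hand.

```haproxy
# Constructed example, not the configuration generated by OPNsense.
# 203.0.113.10 is a placeholder for the firewall's WAN address.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend ("Public Service"): listens on the WAN address, no VIP.
# The WAN firewall rule must allow traffic to this address and port,
# and the firewall's own web GUI must not be using the same port.
frontend www_frontend
    bind 203.0.113.10:80
    default_backend www_backend

# Backend with a single real server first, to confirm the basic path
# works before any load balancing is introduced.
backend www_backend
    balance roundrobin
    option httpchk GET /
    server web1 192.168.100.50:80 check
    # Second real server, enabled only once the single-server setup works:
    # server web2 192.168.100.100:80 check
```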
Title: Re: problem with the load-balancing of HAProxy into OPNsense
Post by: agrozdanov on March 27, 2021, 04:58:35 pm
Thank you very much for the prompt reply, @lfirewall1243.
Let me try it, and I will revert back to you if any additional issues are encountered.
Best,
Asen
Title: Re: problem with the load-balancing of HAProxy into OPNsense
Post by: agrozdanov on April 01, 2021, 04:01:19 pm
Good morning, @lfirewall1243.

I hope all is good with you!

I did everything described, and it didn't work. Then I recreated it in another popular, free firewall, and it was working exactly as you have described it. I have checked the reason, and I have noticed that when I allow the ping on WAN, it is not working with OPNsense. I saw a thread, https://forum.opnsense.org/index.php?topic=3763.0, where @franco was giving an explanation of that issue, and I think this is the reason, because with the other installation, recreating exactly the same situation, fw rules, etc., the ping on WAN is working, and I am able to achieve everything as you have explained.

To be honest, I didn't understand @franco's explanation of how to fix the ping issue, so if you can help with this it would be very much appreciated.

Thank you, and Best Regards,

Asen