OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: rosu on February 22, 2017, 04:07:13 pm

Title: HAProxy Transparent Mode IPFW
Post by: rosu on February 22, 2017, 04:07:13 pm
Hello

I'm using the HAProxy plugin and I needed to run it inline, in transparent mode. In order to make this work I had to add some IPFW rules and basically apply the modifications mentioned in this post: https://forum.opnsense.org/index.php?topic=2214.0

Of course the downside to this is that every update to OPNsense means that the changes need to be reapplied. I was wondering if anyone knew of a better way to make this work or could clarify the response from the previously mentioned post:

Quote
You probably can add a firewall rule using the interface to do the same thing, the included proxy server contains a link to create reflect rules to put the proxy in transparent mode.

Cheers

Title: Re: HAProxy Transparent Mode IPFW
Post by: franco on February 22, 2017, 04:52:45 pm
Hi rosu,

If you let us know what you modified and what the use case behind it is, we may be able to integrate it as a proper feature. :)


Cheers,
Franco

Title: Re: HAProxy Transparent Mode IPFW
Post by: rosu on February 23, 2017, 05:12:05 am
Hi Franco

What I modified is basically as per the post I mentioned previously:

Create a new file /usr/local/etc/ipfw_custom.rules for the custom IPFW rules:
Code:
add 3000 fwd localhost tcp from ${server_ip} 80 to any in recv vmx1
Modify /usr/local/etc/rc.ipfw to include the custom rules:
Code:
# reload ipfw rules
/sbin/ipfw -f /usr/local/etc/ipfw.rules
if [ -f /usr/local/etc/ipfw_custom.rules ]; then
    /sbin/ipfw -f /usr/local/etc/ipfw_custom.rules
fi

Modify /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d to enable IPFW:
Code:
firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"
Then you can configure a backend in HAProxy via the Option pass-through section to use the client IP address as the source:
source 0.0.0.0 usesrc clientip

Just have to ensure that OPNsense is the default gateway for the servers you are load balancing. I believe there is an option called Transparent ClientIP on the pfSense HAProxy add-in which will configure IPFW rules etc.
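
The thread's open problem is that an update overwrites these edits. The following is an added example, not part of the posts and not OPNsense code: a POSIX shell sketch that detects the drift and idempotently re-inserts the rc.ipfw stanza. The function names and the "apply" argument are hypothetical; the file paths and the stanza are the ones quoted in the post above.

```shell
#!/bin/sh
# Added example: re-check the edits from the post after an OPNsense update.
# Function names are hypothetical; paths and stanza are taken from the post.
CUSTOM_RULES="/usr/local/etc/ipfw_custom.rules"
STOCK_LOAD="/sbin/ipfw -f /usr/local/etc/ipfw.rules"
TPL_LINE='firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"'

# has_hook FILE: succeeds when FILE already references the custom rules file.
has_hook() {
    grep -qF "$CUSTOM_RULES" "$1" 2>/dev/null
}

# template_patched FILE: succeeds when FILE holds the post's firewall_enable line.
template_patched() {
    grep -qxF "$TPL_LINE" "$1" 2>/dev/null
}

# apply_hook FILE: insert the stanza directly after the stock rules load line.
# Returns 0 if present or inserted, 1 on I/O error, 2 if the stock line is
# missing (the file changed upstream and needs a manual look).
apply_hook() {
    file=$1
    [ -f "$file" ] || return 1
    has_hook "$file" && return 0
    grep -qF "$STOCK_LOAD" "$file" || return 2
    tmp=$(mktemp "${TMPDIR:-/tmp}/rcipfw.XXXXXX") || return 1
    awk -v load="$STOCK_LOAD" -v rules="$CUSTOM_RULES" '
        { print }
        index($0, load) && !done {
            print "if [ -f " rules " ]; then"
            print "    /sbin/ipfw -f " rules
            print "fi"
            done = 1
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}

# Only touches the real files when called with "apply".
if [ "${1:-}" = "apply" ]; then
    apply_hook /usr/local/etc/rc.ipfw \
        || echo "rc.ipfw: hook not applied (rc=$?)" >&2
    template_patched /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d \
        || echo "IPFW template: firewall_enable edit is missing" >&2
fi
```

The template edit is only reported, not rewritten, because the stock form of that line is not shown in the thread.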