OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: rosu on February 22, 2017, 04:07:13 pm
-
Hello
I'm using the HAProxy plugin and I needed to run it inline, in transparent mode. In order to make this work I had to add some IPFW rules and basically apply the modifications mentioned in this post: https://forum.opnsense.org/index.php?topic=2214.0
Of course the downside to this is that every update to OPNsense means that the changes need to be reapplied. I was wondering if anyone knew of a better way to make this work or could clarify the response from the previously mentioned post:
"You probably can add a firewall rule using the interface to do the same thing, the included proxy server contains a link to create reflect rules to put the proxy in transparent mode."
Cheers
-
Hi rosu,
If you let us know what you modified and what the use case behind it is, we may be able to integrate it as a proper feature. :)
Cheers,
Franco
-
Hi Franco
What I modified is basically as per the post I mentioned previously:
Create a new file /usr/local/etc/ipfw_custom.rules for the custom IPFW rules:
    add 3000 fwd localhost tcp from ${server_ip} 80 to any in recv vmx1
Modify /usr/local/etc/rc.ipfw to include the custom rules:
    # reload ipfw rules
    /sbin/ipfw -f /usr/local/etc/ipfw.rules
    if [ -f /usr/local/etc/ipfw_custom.rules ]; then
        /sbin/ipfw -f /usr/local/etc/ipfw_custom.rules
    fi
Modify /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d to enable IPFW:
    firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"
Then you can configure a backend in HAProxy via the Option pass-through section to use the client IP address as the source:
    source 0.0.0.0 usesrc clientip
You just have to ensure that OPNsense is the default gateway for the servers you are load balancing. I believe there is an option called Transparent ClientIP on the pfSense HAProxy add-in which will configure IPFW rules etc.
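-
A drift check for the three manual changes listed in the post above, so they can be verified after each OPNsense update. This is an added example, not part of the original thread or of OPNsense; the function names and the root-prefix argument are assumptions, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example. ROOT is a hypothetical path prefix: "" on the firewall itself,
# or a scratch directory when trying the check offline.

# Prints the names of the missing modifications; returns 0 when all are present.
check_transparent_mods() {
    root="${1:-}"
    custom="$root/usr/local/etc/ipfw_custom.rules"
    rcipfw="$root/usr/local/etc/rc.ipfw"
    tmpl="$root/usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d"
    missing=""
    # 1. The custom rules file exists and still holds a fwd rule.
    grep -Eq '^[[:space:]]*add[[:space:]]+[0-9]+[[:space:]]+fwd[[:space:]]' \
        "$custom" 2>/dev/null || missing="$missing custom_rules"
    # 2. rc.ipfw still loads the custom rules file.
    grep -Fq '/sbin/ipfw -f /usr/local/etc/ipfw_custom.rules' \
        "$rcipfw" 2>/dev/null || missing="$missing rc_ipfw_hook"
    # 3. The template still forces firewall_enable to YES in its else branch.
    grep -F 'firewall_enable=' "$tmpl" 2>/dev/null \
        | grep -Fq '{% else %}YES{% endif %}' || missing="$missing ipfw_always_enabled"
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample tree holding the three files in the state the post describes.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/local/etc" "$t/usr/local/opnsense/service/templates/OPNsense/IPFW"
    echo 'add 3000 fwd localhost tcp from ${server_ip} 80 to any in recv vmx1' \
        > "$t/usr/local/etc/ipfw_custom.rules"
    printf '%s\n' '/sbin/ipfw -f /usr/local/etc/ipfw.rules' \
        'if [ -f /usr/local/etc/ipfw_custom.rules ]; then' \
        '    /sbin/ipfw -f /usr/local/etc/ipfw_custom.rules' 'fi' \
        > "$t/usr/local/etc/rc.ipfw"
    echo 'firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"' \
        > "$t/usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d"
    echo "$t"
}
```

On the firewall, call check_transparent_mods with an empty prefix after an update; each name it prints is a change that has to be reapplied.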