HAProxy Frontend for IPv6

Started by simonszu, August 04, 2019, 10:06:16 AM

Hi,

I have OPNsense in a dual-stack network. Inside this network there are some Docker containers with IPv4 only, and I want to have HAProxy acting as a reverse proxy and as an "IPv6 offloader". I have configured IPv6 on the Docker host and it can reach the internet via IPv6, so my interface configuration in OPNsense seems to be correct.

I have created a firewall rule which allows IPv4 and v6 traffic on port 443 to enter the firewall. I have configured the Docker container as a backend, and a matching frontend which has the v4 and the v6 listen address in the settings.

As a result, the service is reachable via v4, but not via v6. I do not see any v6 connections in the HAProxy log; however, when I enable logging in the appropriate firewall rule, I see the inbound traffic.

What am I missing here?

I have to add: I am using OPNsense on a VM on a Hetzner server. It is configured like this: https://forum.netgate.com/topic/101501/anleitung-f%C3%BCr-hetzner-ipv6-mit-pfsense-als-router-vm-auf-esxi-server

For non-German-speaking users: The WAN interface is set to DHCP, and it gets a link-local address. The LAN interface gets the public address Hetzner assigns me in their Robot tool. This is working in such a way that each VM can access the internet via IPv6, and I can ping the OPNsense VM on its public IPv6, which it has on its LAN address. However, I cannot access the HAProxy.

Is https://github.com/opnsense/plugins/issues/540#issuecomment-527805198 the same bug? Apparently I cannot make HAProxy bind to an IPv6 address. Maybe someone knows a trick for that?

No. I solved it by unchecking "disable reply-to".

Your bug is different. The HAProxy plugin does not follow the IPv6 IP:port notation rule. Just remove the brackets, so to make it listen on v6 port 443, write dead:beef::1:443