NAT - change rule if internal server is down

Started by PelleH, February 03, 2020, 11:27:26 PM

February 03, 2020, 11:27:26 PM Last Edit: February 03, 2020, 11:29:58 PM by PelleH
Hi,
Is there any function to have OPNsense change a NAT rule if an internal server is down?

For example, if a NAT rule for port 80 points to internal server 192.168.1.10 and that server is down, I want the traffic to go to 192.168.1.11.
I want this function in the firewall to avoid an extra server to solve this.


/Pelle

Use haproxy or nginx and reverse proxying for this. Then you do not need NAT, but terminate your HTTP session on the firewall, which will forward your request to the living system.

In haproxy it's pretty easy. Create a pool with 192.168.1.10 and 192.168.1.11, define one as active and the other as backup. Point your DNS record to your firewall and configure haproxy to listen on it.

Now it forwards your request to the living one, monitors both servers (you can define the keep-alive method) and switches if the active one fails.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
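The active/backup pool described in the reply above, written out as a raw haproxy.cfg. This is an added example, not configuration posted in the thread; on OPNsense the same settings are entered through the haproxy plugin GUI, and the example assumes both web servers answer plain HTTP on port 80.

```haproxy
# Added example (not from the thread): haproxy terminates HTTP on the firewall
# and forwards to whichever of the two internal servers is healthy.
# Assumptions: both servers serve plain HTTP on port 80 and return 200 for "/".

global
    log /dev/log local0
    maxconn 2000

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Clients connect to the firewall itself (DNS points here), not to a NAT-forwarded port.
frontend www_in
    bind *:80
    default_backend www_pool

backend www_pool
    balance roundrobin
    # Active health check: request "/" and require an HTTP 200 reply.
    option httpchk GET /
    http-check expect status 200
    # The servers now see the firewall as the TCP peer, so pass the client
    # address along in X-Forwarded-For for their logs and access rules.
    option forwardfor
    # Primary server; "check" enables the health check, 3 failures mark it down,
    # 2 successes bring it back.
    server web1 192.168.1.10:80 check inter 2s fall 3 rise 2
    # "backup" means web2 only receives traffic while every non-backup server is down.
    server web2 192.168.1.11:80 check inter 2s fall 3 rise 2 backup
```

Once web1 fails three consecutive checks, new connections go to web2; when web1 passes two checks again, traffic moves back automatically.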

Thanks. I was searching for a way to avoid an extra server (with haproxy).
If I should use this, is it possible to cluster this function, to avoid single point of failure?

/Pelle

If you run a 2nd OPNsense as a CARP cluster with the same haproxy config, it will work. That's how I do it.

Just be aware that haproxy is not synced by the built-in HA settings sync. You have to manually replicate your haproxy config.