[solved] HAProxy & Firewall

[alh]

I was playing around with Fail2Ban and wanted to block IPs that fail to auth with a HAProxy backend server. So I created an external alias and Fail2Ban updates that alias. So far so good. However, when I add a firewall rule to block src=ips in alias nothing happens. I had a look at the log and it seems like running HAProxy on publicip:port completely bypasses the firewall. There is nothing in the firewall logs but HAProxy logs the connection. Is that correct?

So to work around this I would need HAProxy to bind to another IP and make a port forward from the public IP/interface?

[guest18661]

I just tested a rule on external server. I put the source as that server's IP, WAN as my interface and block as the action. It worked fine. I was not able to load a website served by a server behind HAProxy which is running on the opnsense firewall. I deleted the rule and was able to load the website.

I didn't test using fail2ban with an external alias, but I don't think you need to worry about it being an issue with haproxy and it bypassing the firewall. There is probably something else going on with the way the rule is configured or other rules bypassing it, or something going on with the way the alias is updated perhaps.

[alh]

Thanks so much for your input. There were two issues:

• The rule was indeed bypassed by another rule (HAProxy is running on a second IP on WAN), so a rule with DST "WAN address" bypassed it (although I though that this only contains the primary IP of the interface)
• The alias needs really long to be reloaded in the firewall rules. So the alias updates just fine, but then it takes roughly 1-2 minutes until the IP is blocked.

Do you by any chance know on how to trigger this manually, could only find the endpoint "reconfigure" but I'm not sure that is correct.