HAProxy Transparent Mode IPFW

Started by rosu, February 22, 2017, 04:07:13 PM

Hello

I'm using the HAProxy plugin and I needed to run it inline, in transparent mode. In order to make this work I had to add some IPFW rules and basically apply the modifications mentioned in this post: https://forum.opnsense.org/index.php?topic=2214.0

Of course the downside to this is that every update to OPNsense means that the changes need to be reapplied. I was wondering if anyone knew of a better way to make this work or could clarify the response from the previously mentioned post:

Quote: You probably can add a firewall rule using the interface to do the same thing, the included proxy server contains a link to create reflect rules to put the proxy in transparent mode.

Cheers

Hi rosu,

If you let us know what you modified and what the use case behind it is, we may be able to integrate it as a proper feature. :)


Cheers,
Franco

Hi Franco

What I modified is basically as per the post I mentioned previously:

Create a new file /usr/local/etc/ipfw_custom.rules for the custom IPFW rules:
add 3000 fwd localhost tcp from ${server_ip} 80 to any in recv vmx1

Modify /usr/local/etc/rc.ipfw to include the custom rules:
# reload ipfw rules
/sbin/ipfw -f /usr/local/etc/ipfw.rules
if [ -f /usr/local/etc/ipfw_custom.rules ]; then
    /sbin/ipfw -f /usr/local/etc/ipfw_custom.rules
fi


Modify /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d to enable IPFW:
firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"

Then you can configure a backend in HAProxy via the Option pass-through section to use the client IP address as the source:
source 0.0.0.0 usesrc clientip

You just have to ensure that OPNsense is the default gateway for the servers you are load balancing. I believe there is an option called Transparent ClientIP on the pfSense HAProxy add-in which will configure IPFW rules etc.
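
Since the thread notes that an OPNsense update can undo these three file edits, the following is an added example (not part of any post above, and not OPNsense code) of a post-update check that reports which edits are missing. The function name and the optional root-directory argument are assumptions made for the example; the file paths and matched strings are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: verify the three manual edits described in the thread are
# still present. check_transparent_mods and its ROOT argument are hypothetical;
# ROOT defaults to empty (the live filesystem) and exists so the check can be
# pointed at a copy of the tree.

check_transparent_mods() {
    root="${1:-}"
    missing=0

    custom="$root/usr/local/etc/ipfw_custom.rules"
    rc_ipfw="$root/usr/local/etc/rc.ipfw"
    tmpl="$root/usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d"

    # 1. Custom rules file exists and holds at least one numbered "fwd" rule.
    if ! grep -Eq '^[[:space:]]*add[[:space:]]+[0-9]+[[:space:]]+fwd[[:space:]]' \
            "$custom" 2>/dev/null; then
        echo "MISSING: no fwd rule in $custom"
        missing=$((missing + 1))
    fi

    # 2. rc.ipfw still loads the custom rules after the generated ones.
    if ! grep -Fq '/sbin/ipfw -f /usr/local/etc/ipfw_custom.rules' \
            "$rc_ipfw" 2>/dev/null; then
        echo "MISSING: $rc_ipfw does not load ipfw_custom.rules"
        missing=$((missing + 1))
    fi

    # 3. Template still yields YES in its else branch, so IPFW stays enabled
    #    even when no shaper or captive portal zone is configured.
    if ! grep -Fq '{% else %}YES{% endif %}' "$tmpl" 2>/dev/null; then
        echo "MISSING: $tmpl no longer forces firewall_enable to YES"
        missing=$((missing + 1))
    fi

    # Exit status is the number of edits that need to be reapplied (0 = intact).
    return "$missing"
}
```

Calling `check_transparent_mods` with no argument on the firewall checks the live files; a non-zero status means traffic from the backend servers may no longer be forwarded back to HAProxy until the listed edits are reapplied.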