FW rule not working with Single host or network

Started by Webxorcist, September 18, 2017, 03:02:09 PM

Hi,

I am fairly new to OPNsense, perhaps I missed other settings.

With HAProxy I made a Frontend that listens to a certain domain. I also made a Back-end with, at the moment, one web server in it. The idea is to add more web servers when needed.

Then I made a firewall rule in the External_Network. The rule simply says to accept port 80 traffic from any external source going to port 80 on any internal source.

Now when I punch in the domain in my web browser it shows me the website on the internal web server.

Now I want to tighten the rule, so I change it from any external source to an internal single host or network and I enter the IP address of the web server.

Somehow, the rule doesn't work any more now.

I am not sure what extra information to include in this post. What am I missing here?

If you use HAProxy, the connection from the external ends on the OPNsense box, not the web server. You have to allow traffic to port 80 on the IP that you configured in the HAProxy frontend.

That is what I explained. But if the destination is ANY it works and when the destination is the web server IP it stops working.

Because the destination is not the webserver, but the OPNsense box.

Maybe this picture helps:
https://en.wikipedia.org/wiki/Reverse_proxy

Hmm Ok

In the rule I make, I am allowing traffic on port 80 on the external interface. That is the same one in the frontend.

Why is it working when the rule is allowing ANY destination on the internal network and it stops working when I change it to a single host on the destination network? Working as is, showing the webpage on the web server.


Basically, when destination is ANY the dynamic logs show the source IP (OPNsense Internal address) and the web servers (also internal) address and the action was allow.

When the destination is the web hosts IP the dynamic log shows the source IP (my workstation with the browser) and the external OPNsense IP and the action was block.

So add another rule to allow the connection it blocks now.

Ok thanks. Now it works.

I was thinking incorrectly. I thought you would open it for only a specific internal host.
So now I opened the port on the external address of the OPNsense box.

So basically it now sends port 80 traffic to all servers in the HAProxy's Backend list?
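An added illustration of the point made in the replies above (this is example code written for this page, not configuration from the thread or from OPNsense): a small first-match rule evaluator, with constructed addresses, shows which destination the WAN rule actually sees once HAProxy terminates the client's connection on the firewall itself.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    iface: str     # interface the rule is attached to
    dst_net: str   # destination in CIDR notation; "0.0.0.0/0" means "any"
    dport: int
    action: str    # "pass" or "block"


@dataclass(frozen=True)
class Conn:
    iface: str
    src: str
    dst: str
    dport: int


def first_match(rules, conn, default="block"):
    """First matching rule on the interface decides; otherwise default deny."""
    dst = ipaddress.ip_address(conn.dst)
    for r in rules:
        if (r.iface == conn.iface and r.dport == conn.dport
                and dst in ipaddress.ip_network(r.dst_net)):
            return r.action
    return default


# Constructed (documentation-range) addresses, not taken from the thread.
CLIENT = "203.0.113.10"   # workstation running the browser
WAN_IP = "198.51.100.5"   # OPNsense external address = HAProxy frontend bind
WEB = "192.168.1.20"      # backend web server on the LAN


def inbound_connection():
    # What the WAN interface sees: the client talks to the proxy, never to WEB.
    return Conn("wan", CLIENT, WAN_IP, 80)


def decide(rules):
    return first_match(rules, inbound_connection())


ANY_DST = [Rule("wan", "0.0.0.0/0", 80, "pass")]      # original, working rule
WEB_ONLY = [Rule("wan", WEB + "/32", 80, "pass")]     # "tightened" rule that fails
WAN_ONLY = [Rule("wan", WAN_IP + "/32", 80, "pass")]  # rule that actually fits
```

Because HAProxy opens its own connection to the backend, the rule scoped to the web server's IP never matches the inbound hop; limiting the destination to the firewall's own WAN address keeps the rule tight without breaking the proxy.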