Archive > 19.7 Legacy Series

Setting up HAProxy for basic port forward


Hello all,

I'm a long time (somewhat) advanced computer/network hobbyist.  Until recently, I've always used off the shelf router/firewall/WAP all in ones (most recently Asus.)  With the desire to escalate my hobby to the next level (and the fact I'm no longer trusting the all-in-ones) I'm upgrading my network.  The first stage is the OPNSense router.  This, I have installed on an appliance running a Core i7-7500U.  (I've repurposed the Asus as my WAP with the ultimate goal of changing over to Unifi and having 3 vlans.)

With the old Asus, it was easy to setup both DDNS and port forward.  Since this is a homelab type setup, I have some IoT devices that I want to remote access.  (This time of year, my sprinkler controller.)  I've been using my server as a test bed for configuration (Webmin, port 10000, not going to leave it open when I figure out how to make this work) and using my cell phone on 4g for the WAN access test.  Also using class b network, 172.18.x.x/21  Server is, static.

When I try to access it from my phone, I jet get a timeout on the connection.  What am I missing?  I've read who knows what and searched to the ends of the web, and I'm lost.

I also bought a domain on namecheap (ex. and have DDNS setup and working.  Following are the settings:

A + Dynamic -            Host: *    Value: 67.182.x.x                                        TTL: Automatic
Cname Record -          Host: *    Value:                                     TTL: Automatic
URL Redirect Record - Host: @    Value: Unmasked

I've opened port 10000 in the firewall using the following and verified open using Gibson Research Shields Up
Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: Any
Source port range: Any
Destination: WAN
Destination port range:10000-10000
Redirect target IP: server (using an alias I have working within the lan)
Redirect target port: 10000

Also created a Virtual IP as this is on a dynamic ip WAN:
Mode: IP Alias
Interface: Wan
Everything else is default config.

In HAProxy:  (Unless specified, the other settings are default values.)
Real server:
Name: ServerWebmin
Description: Webmin
Port: 10000
Mode: Active

Backend Pools:
Name: ServerWebmin_Backend
Mode: HTTP
Servers: ServerWebmin

Name: ServerWebmin_Condition
Condition Type: Path Starts With
Path Prefix: /*

Name: ServerWebmin_Rule
Select Condition: ServerWebmin_Condition

Public Service:
Name: ServerWebmin_Public
Listen Address:
Default Backend Pool: ServerWebmin_Backend
Select Rules: ServerWebmin_Rule

Thanks in advance.

RFC4632: Do not use "class" to describe subnets (obsoleted 13 years ago):

That being said:
1) Your haproxy listen IP (public service) is wrong, it should be listening on you external IP
2) Why are you using haproxy to forward ports? If it's a single server, just forward the port directly (under firewall)

Thanks deZillium for the reply.

It's funny you said the term became obsolete about 13 years ago.  That's about when I was in school changing my career path.  Most of what I learned was in the IT dept of my high school working summers (96-98) and just being a general hobbyist since I was 8 (having a father who was a system engineer helped.)  This level of network config is new to me, but I was familiar with the general concepts, not the implementation.

1. The listen address is a virtual IP I created tied to the WAN address (listed in the config I posted.)  From my research since I'm behind a dynamic IP, I couldn't assign the WAN IP address as the listen port as it could change without notice.  Breaking the proxy.

2. It was my understanding I needed to use HAProxy when using an external domain.  My ultimate goal was to be able to enter, as an example, from outside the LAN to be able to make adjustments to the controller while at work.

Thanks again for your input.  I value your expertise and willingness to help.

You only need a port forwarding rule for that, you don't need haproxy (unless the "endpoint" refuses to talk to anything outside of its network **cough** HP switches **cough**).

Get rid of haproxy and any additional IPs you have added. Add a port forwarding rule, interface WAN, source any, destination any, port (the port you want), internal IP (the internal IP for the controller you are trying to connect to). Hint: set up a port alias if you need more than one ports and use that alias in the rule instead of a port.

Sidenote: since IoT devices aren't exactly on the cutting edge of security, make sure that that controller is on its own interface (VLAN) without any access to the rest of your network, because when the day comes that it will be added to a botnet (and the day **will** come eventually), you don't want that threat in your network.

I would personally set up a VPN and access the controller that way, instead of opening access to it to the world, but that's just me. This post is for educational purposes only, don't blame me when the controller eventually gets compromised  ;)


[0] Message Index

Go to full version