[HAProxy] Unable To Transparently Proxy TCP Application Data

Started by bitgh0st, March 17, 2021, 04:11:22 AM

I've recently migrated from pfSense to OPNsense and thus far I've absolutely loved the changes made and have been really enjoying my time with it. Thus far I've been able to translate everything I used to have over to OPNsense, with the exception of one very important thing...

I have multiple instances of an application which does not support the PROXY protocol nor does it support any HTTP headers. The only way to proxy traffic to said application without losing the original source IP (important) is to do so transparently. I use HAProxy as a means to direct clients to the appropriate server in addition to the usual load-balancing.

In pfSense, I would simply toggle the "Use Client-IP to connect to backend servers" option and it'd load an IPFW rule, a sloppy state pf rule, and it'd add "source ipv4@ usesrc clientip" to the relevant backend block's portion of the HAProxy config file and everything would work as expected. No added fuss.

With OPNsense, however, there is no such option and I haven't been able to find a usable solution to this problem. I can forward & proxy the traffic normally just fine, but that results in a loss of the client IP. The application requires this information to function properly, so that's not an option.

I've done some digging and I've found a possible workaround, which boils down to manually doing what the HAProxy plugin does in pfSense, and several threads asking if we'd ever see a similar feature added into OPNsense core or even just the plugin (e.g. https://forum.opnsense.org/index.php?topic=2214 & https://github.com/opnsense/core/issues/1883). There seems to be some pushback on this though, and I get the impression that this isn't really the "OPNsense way" of handling it. So I'm left asking, what would be the preferable way to handle it?

I have tried to use the transparent proxy rules built into OPNsense, but that fails to address my needs. It creates a transparent NAT, but once proxied, the application still logs the connection as though it came directly from the gateway instead of from an actual client.

It's totally possible I'm just missing something obvious with all this, so any help/input would be greatly appreciated. I really want to migrate to OPNsense, but sadly this has been a major blocker for me.
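For readers following this thread, here is what the pfSense-style setup described above looks like in a plain HAProxy configuration. This is an added illustration, not configuration from the original post or from the OPNsense plugin; the listener port, backend address and interface name are constructed placeholders, and it assumes an HAProxy build with transparent-proxy support on FreeBSD (IP_BINDANY), which is what `usesrc clientip` relies on.

```haproxy
# Added example (not from the thread): TCP proxying that preserves the
# client's source IP toward the backend, without PROXY protocol or HTTP headers.

frontend app_in
    mode tcp
    bind 0.0.0.0:25565                # constructed: port the clients connect to
    default_backend app_servers

backend app_servers
    mode tcp
    # Open the backend connection with the client's own IP as source address.
    # This is the line the pfSense plugin writes for "Use Client-IP to connect
    # to backend servers"; it requires transparent-proxy support in the kernel
    # and in the HAProxy build (check `haproxy -vv` for TPROXY / IP_BINDANY).
    source 0.0.0.0 usesrc clientip
    server app1 10.0.0.10:25565 check  # constructed backend address
```

The configuration line alone is not enough, which is why the pfSense plugin also loads the firewall rules mentioned above. Because the backend now sees the real client IP, its replies are addressed to that client rather than to the proxy, so the backend's default route must lead back through the firewall, and the firewall must hand those return packets to HAProxy's socket instead of forwarding them. That is the job of the ipfw `fwd 127.0.0.1` rule matched on traffic arriving from the backend port on the internal interface, and the pf rule with `keep state (sloppy)` exists because pf only sees one direction of the proxied flow and would otherwise drop the replies as out-of-state. A quick check that the chain is working is a connection from an outside client followed by a look at the backend's own logs or `sockstat`/`netstat` output: the peer address should be the client's IP, not the firewall's.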

I also have this problem, and I'm hoping for a solution as well.

Count me in too!!

I have been breaking my head over this one for a few days now, without good result. I also found that adding Proxy Protocol versions 1 or 2 on the back-end and 'source 0.0.0.0 usesrc clientip' on the Option pass-through field of the back-end should do it, but no cigar so far.

Has anybody solved this? I am breaking my head over this currently. Thanks

Many additional options have been added to the plugin in the time since the original post.
I suggest having a look at them. I wonder if you need the "option forwarded".

I usually do this via plain port forwarding.

As a matter of fact, how should this even work with HAProxy in a dual-stack scenario? Incoming traffic can be IPv4 or IPv6 and is passed to the internal server by either IPv6 or IPv4 (you can only configure one). It is technically impossible to pass an incoming IPv6 to an IPv4 server on the network stack (it is possible via application means, like HTTP headers).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A