Author Topic: HAProxy Transparent Mode IPFW  (Read 4868 times)

rosu

HAProxy Transparent Mode IPFW
« on: February 22, 2017, 04:07:13 pm »
Hello

I'm using the HAProxy plugin and I needed to run it inline, in transparent mode. In order to make this work I had to add some IPFW rules and basically apply the modifications mentioned in this post: https://forum.opnsense.org/index.php?topic=2214.0

Of course the downside to this is that every update to OPNsense means that the changes need to be reapplied. I was wondering if anyone knew of a better way to make this work or could clarify the response from the previously mentioned post:

Quote
You probably can add a firewall rule using the interface to do the same thing, the included proxy server contains a link to create reflect rules to put the proxy in transparent mode.

Cheers

franco

Re: HAProxy Transparent Mode IPFW
« Reply #1 on: February 22, 2017, 04:52:45 pm »
Hi rosu,

If you let us know what you modified and what the use case behind it is we may be able to integrate it as a proper feature. :)


Cheers,
Franco

rosu

Re: HAProxy Transparent Mode IPFW
« Reply #2 on: February 23, 2017, 05:12:05 am »
Hi Franco

What I modified is basically as per the post I mentioned previously:

Create a new file /usr/local/etc/ipfw_custom.rules for the custom IPFW rules:
Code:
add 3000 fwd localhost tcp from ${server_ip} 80 to any in recv vmx1
Modify /usr/local/etc/rc.ipfw to include the custom rules:
Code:
# reload ipfw rules
/sbin/ipfw -f /usr/local/etc/ipfw.rules
if [ -f /usr/local/etc/ipfw_custom.rules ]; then
    /sbin/ipfw -f /usr/local/etc/ipfw_custom.rules
fi

Modify /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d to enable IPFW:
Code:
firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"
Then you can configure a backend in HAProxy via the Option pass-through section to use the client IP address as the source:
source 0.0.0.0 usesrc clientip

Just have to ensure that OPNsense is the default gateway for the servers you are load balancing. I believe there is an option called Transparent ClientIP on the pfSense HAProxy addin which will configure IPFW rules etc.
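A check for the maintenance problem raised in the first post (an OPNsense update overwrites the edits), added here as an example and not part of either poster's messages or of OPNsense itself: it reports which of the three manual changes from Reply #2 are missing. The file paths are the ones given in the post; the function names and the `--check` argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Reports which of the three manual
# changes from Reply #2 are missing, e.g. after an OPNsense update.
# Function names and the --check argument are illustrative assumptions.

# 1. rc.ipfw must still load the custom rules file.
hook_present() {
    grep -q 'ipfw_custom\.rules' "$1" 2>/dev/null
}

# 2. The rc.conf.d template must still emit YES in its else branch.
ipfw_forced_on() {
    grep '^firewall_enable=' "$1" 2>/dev/null |
        grep -qF '{% else %}YES{% endif %}'
}

# 3. The custom rules file must exist and hold a non-comment fwd rule.
fwd_rule_present() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -q '[[:space:]]fwd[[:space:]]'
}

# Prints one line per missing change; return status = number missing.
# Arguments override the default paths (taken from the post).
check_transparent_mods() {
    rc_ipfw="${1:-/usr/local/etc/rc.ipfw}"
    template="${2:-/usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d}"
    rules="${3:-/usr/local/etc/ipfw_custom.rules}"
    missing=0
    hook_present "$rc_ipfw" || {
        echo "MISSING: $rc_ipfw does not load ipfw_custom.rules"
        missing=$((missing + 1))
    }
    ipfw_forced_on "$template" || {
        echo "MISSING: $template no longer forces firewall_enable to YES"
        missing=$((missing + 1))
    }
    fwd_rule_present "$rules" || {
        echo "MISSING: no fwd rule found in $rules"
        missing=$((missing + 1))
    }
    [ "$missing" -eq 0 ] && echo "OK: all three changes are in place"
    return "$missing"
}

# Run against the live paths only when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_transparent_mods
fi
```

The script only reads the three files, so it does not confirm that the rule is loaded in the running ruleset.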
