HAProxy working internally but not externally

Started by ashton324, June 27, 2025, 05:43:02 PM

Hello all,

Just for some context. We bit the bullet about 2 weeks ago and moved from PFSense to OPNSense (which was a good choice in itself!). We run our servers via Hetzner bare metal, using Proxmox. Everything is working fine apart from HAProxy.

The OPNSense firewall has 3 external IPs attached to it (Hetzner require a separate MAC for each IP, so we have set this up in the Proxmox NIC config); all IPs work fine.

(Example layout, redacted IPs apart from final octet)
Main WAN: 123.123.123.201
Secondary WAN: 123.123.123.117
Third WAN (DMZ): 123.123.123.237

OPNSense version: 25.1.9_2
HAProxy version: 4.6

On the old PF firewall, pretty much all we had to do was configure the backends and the frontend then the firewall rule on the DMZ WAN (237). The frontends were set to listen on 237 on port 443 and a non https on port 80. All worked grand.

However, having moved over to OPNSense, and apart from the GUI difference and wording, with the help of some tutorials I've worked out the OPNSense equivalent to what we had in PFSense.

So now down to the issue at hand.

We have bound our HTTPS and HTTP frontends to the DMZ IP (237) on the relevant ports, and set up rules and conditions for URL checking and HTTPS redirects. We have then added a firewall rule on the 237 network to allow 443 and 80.

Internally this works totally fine; externally, I can see the traffic hit the firewall on the correct IP, but the webpage says it cannot connect. It's almost like the rules are not getting recognised when the client is external. When looking in the HAProxy logs, I can see internal traffic going to the right backend, but external traffic does not show at all.

The external DNS records are set up correctly, and for these particular sites we have no internal records; they look externally at the same records.

Side note: we are not using VIPs, we are using direct interfaces, in which all 3 IPs have their own gateway.

I have confirmed with 'sockstat -4 -l' that the 237 IP is listening on 443 and 80.

On the firewall rule, I have tried the destination as * and as "This firewall", but have the same result for both. I was thinking maybe it's a NAT or port forward issue, but for the life of me, even adding those rules, I cannot get this to work externally.

Any help massively appreciated as I'm at a loss!

This can now be closed. Managed to figure it out: we had a wider issue with port forwarding and NAT across secondary WAN interfaces, which was caused by the global reply-to checkbox being checked. Once unchecked, it all started working.

Thanks
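The listener check from the first post is worth scripting, because it separates the two halves of this thread's diagnosis: if HAProxy is bound to the DMZ address on 443 and 80 but external clients still cannot connect (and never appear in the HAProxy log), the problem is in front of HAProxy, in routing, NAT or reply-to handling on the secondary WAN, exactly where the author found it. The script below is an added example and not from the thread or from OPNsense; it assumes the FreeBSD `sockstat -4 -l` column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN), that the process is named `haproxy`, and it runs against a constructed sample of sockstat output rather than the live command so it can be run anywhere.

```shell
#!/bin/sh
# Constructed sample of 'sockstat -4 -l' output (assumed FreeBSD column layout:
# USER COMMAND PID FD PROTO LOCAL FOREIGN). Replace with: SAMPLE_SOCKSTAT="$(sockstat -4 -l)"
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      haproxy    1234  5  tcp4   123.123.123.237:443   *:*
www      haproxy    1234  6  tcp4   123.123.123.237:80    *:*
root     sshd       800   3  tcp4   *:22                  *:*'

# haproxy_listening SOCKSTAT_OUTPUT IP PORT
# Returns 0 when a process named haproxy has a tcp4 listener on exactly IP:PORT
# or on the wildcard *:PORT (which also answers on IP), 1 otherwise.
haproxy_listening() {
    printf '%s\n' "$1" | awk -v want="$2:$3" -v any="*:$3" '
        $2 == "haproxy" && $5 == "tcp4" && ($6 == want || $6 == any) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# check_dmz_frontends SOCKSTAT_OUTPUT IP
# Checks both frontend ports from the thread (443 and 80) on the DMZ address.
# Returns 0 only if both are bound; prints one line per port.
check_dmz_frontends() {
    rc=0
    for port in 443 80; do
        if haproxy_listening "$1" "$2" "$port"; then
            echo "OK   haproxy listening on $2:$port"
        else
            echo "MISS haproxy not listening on $2:$port (check frontend bind address)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample. When both ports report OK but
# external clients still fail, look at routing/NAT/reply-to on that WAN, not at HAProxy.
check_dmz_frontends "$SAMPLE_SOCKSTAT" 123.123.123.237
```

Run it with `SAMPLE_SOCKSTAT="$(sockstat -4 -l)"` on the firewall itself; a listener that is present here yet unreachable from outside is the signature of the multi-WAN reply-to problem described in the follow-up, since the SYN arrives on the DMZ WAN but the reply leaves via the wrong gateway.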