[REQUEST] HAProxy Transparent Mode IPFW #1883

Closed
NunoHiggs opened this issue Oct 19, 2017 · 8 comments
Labels: feature (Adding new functionality), help wanted (Contributor missing / timeout)
Comments

NunoHiggs commented Oct 19, 2017

This is an extract of a request by user @rosu from this forum thread.

What I modified is basically as per the post I mentioned previously:

Create a new file /usr/local/etc/ipfw_custom.rules for the custom IPFW rules:

Code:

add 3000 fwd localhost tcp from ${server_ip} 80 to any in recv vmx1

Modify /usr/local/etc/rc.ipfw to include the custom rules
Code:

/sbin/ipfw -f /usr/local/etc/ipfw.rules
if [ -f /usr/local/etc/ipfw_custom.rules ]; then
    /sbin/ipfw -f /usr/local/etc/ipfw_custom.rules
fi

Modify /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d to enable IPFW
Code:

firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"

Then you can configure a backend in HAProxy via the Option pass-through section to use the client IP address as the source:
source 0.0.0.0 usesrc clientip

Just have to ensure that OPNsense is the default gateway for the servers you are load balancing. I believe there is an option called Transparent ClientIP on the pfSense HAProxy addin which will configure IPFW rules etc.

Is it possible to incorporate HAProxy Transparent Mode IPFW thru the opnsense webgui?

Thanks!
Nuno

NunoHiggs (Author) commented

Hello? Is it possible?

fraenki (Member) commented Nov 16, 2017

Is it possible to incorporate HAProxy Transparent Mode IPFW thru the opnsense webgui?

Technically speaking it might be possible, but I'm unsure if it's possible to properly integrate it.

That being said, as the current maintainer of the HAProxy plugin I will not be able to work on this for several months. Contributions/patches are welcome, though.

fraenki (Member) commented Nov 16, 2017

@fichtner Please assign to me (and add the "help wanted" label).

@fichtner fichtner added feature Adding new functionality help wanted Contributor missing / timeout labels Nov 16, 2017
AdSchellevis (Member) commented

Can't you just use the nat/forward options already in OPNsense (which uses pf), just like our proxy does?
(the link used to template the squid rules)
https://fw-ip/firewall_nat_edit.php?template=transparent_proxy

If there's anything missing there, we should be able to add it, but when possible we tend to use pf for our firewall and only ipfw for edge cases (like captive portal and traffic shaping).

NunoHiggs (Author) commented

@AdSchellevis was that question for me? I would if I knew how :)

PS: thanks for all of your hard work!

AdSchellevis (Member) commented

@NunoHiggs yes, that question was indeed for you :) I would start using the template rule which you can create using the above link and alter the parameters to match your situation.

NunoHiggs (Author) commented Nov 18, 2017

@AdSchellevis I've been trying with the transparent proxy template like you said, but I cannot get it to work.
Using the template I get a transparent NAT, but it bypasses HAProxy altogether, and I am not getting the client IP on the endpoint that HAProxy connects to, which was the intended result.

fraenki (Member) commented Aug 2, 2018

In many situations there are alternative ways available to get the client IP:

  • Use HAProxy in HTTP(S) mode and enable the X-Forwarded-For header
  • Use HAProxy's PROXY protocol if your application supports it (Dovecot, Postfix)

I'll close this issue now, but if someone wants to work on this we'll reopen it of course.
(@AdSchellevis, since this issue was created in core, would you please close it?)

@fichtner fichtner closed this as completed Aug 3, 2018