HAProxy-Backend blocks routed vlan traffic
we have a weird haproxy-backend problem. HAProxy-backends seems to block routet traffic between two connected vlans, on the configured port.
Following is our setup:
VLAN1: Range: 192.168.40.0/22
VLAN2: Range: 192.168.47.0/24
Client1 want to reach directly, without the haproxy, the mailserver on the ports 993 and 465.
The Haproxy have a frontend and backend on the ports 993 and 465.
My test is a telnet session from Client1 to the mailserver over the ports 993 and 465. Boths tests are running into a timeout.
A telnet test to the port 143 to the mailserver gets an answer. All other listening ports from the mailserver can be reached, without the haproxy ports.
To make a negative test, I created a haprox-backend for port 143 to 192.168.42.3. After applying this change, I can't get a connection to port 143. After deleting the backend, connections are again possible.
Hint: The backend wasn't even in use from an frontend.
The interesting thing is that only the return packets get stuck in the firewall. Package recordings show on the client1 connections to the mail server, on the firewall connections from client1 to the mail server (no reply packages from the mail server to the client1) and on the mail server packages from client1 to the mail server and packages from the mail server to the client1.
#1 Updated by Jim Pingle over 1 year ago
- Project changed from pfSense to pfSense Packages
- Status changed from New to Not a Bug
This is almost certainly a configuration issue, and this site is not for support or diagnostic discussion.
See Reporting Issues with pfSense Software for more information.
If a specific bug is located, an issue can be opened for it at that time with more detail.
#2 Updated by Pi Ba over 1 year ago
Its likely because of transparent-client-ip feature enabled in the backend of haproxy, combined with the 'bug' / missing feature in pf that it doesn't support divert-reply rules (or something similar.) , so the ipfw fwd rule sends ALL reply traffic to localhost>haproxy for this to work at all..
Best workaround is probably to configure a second port or second IP-address on the backend server for exclusive use by haproxy..
@Jimp would you have any option to ask someone/anyone to implement the feature in 'pf' ? I gave it a try adopting a previously existing patch but Ermal didn't like that way.. quite a few years ago he was going to do it a better way which is out of my league of modifying, but i don't think it ever happened..