HAProxy backend connection problem


To start, I am new to HAProxy but I do have a working setup. I am facing an issue where I don't know if it's a specific pfSense issue or something else.

Let's start with what's working.

I have 2 interfaces: LAN and DMZ. My servers sit on the DMZ ([]) with the DMZ address on the firewall of []. My HAProxy is configured so that is listening and making the connections to the backend. I want all my servers sitting in the DMZ to only see DMZ connections being made to the. This works without issue.

What's not working.
I have a remote LAN which contains other servers. This site is reachable over an S2S WireGuard connection. I once again have HAProxy set up where should be reaching out to the server backend to bring up my Zabbix system landing page. I cannot understand why this isn't working. At first I thought this was a routing problem, but I am able to successfully ping/SSH to the server from any of my DMZ servers. So that rules out firewall rules and routing. Next, I SSH to my pfSense and try to ping my remote server. That fails. Weird. Then I tried to SSH from my pfSense to the remote server. That fails. Then I tried to traceroute to the remote server and that fails.

When I ping from my pfSense to the but this time sourcing from my DMZ interface, it works.
ping -S
PING ( from 56 data bytes
64 bytes from icmp_seq=0 ttl=63 time=130.842 ms
64 bytes from icmp_seq=1 ttl=63 time=124.843 ms

So far I'm thinking that HAProxy won't work unless there are directly connected LAN segments on the firewall to send traffic to. Any ideas?

Yes - DNS is set up to point to my pfSense DMZ interface -

Yes - Firewall rules currently have a permit any/any.

No, HAProxy only has layer 4 access to the remote net. Can you telnet from your DMZ to the remote net? In which way is HAProxy running? HTTP/HTTPS, SSL or TCP mode?

Telnet fails:
@GA-FW1]/root: telnet 80

Ping fails:
GA-FW1]/root: ping
PING ( 56 data bytes

Ping Sourcing from DMZ interface successful:
GA-FW1]/root: ping -S
PING ( from 56 data bytes
64 bytes from icmp_seq=0 ttl=63 time=48.618 ms

Telnet and pings from a DMZ server are successful.

HAProxy is running in HTTP/HTTPS (offloading) mode on the frontend.

Fixed it. There was a fundamental misunderstanding between what Tom stated in his video and what's seen in the packet capture and firewall logs.
Although HAProxy is listening on , the firewall will use whichever interface it needs, according to the routing table, in order to reach the backend servers. I thought, incorrectly, that the address pfSense is listening on WILL BE THE ADDRESS it initiates traffic from towards the backend, which is not the case. My firewall was using the WireGuard P2P interface ( link in order to reach the remote server, which of course is fine, but the server has no idea where lives, so it sends the reply out towards its gateway and out to the internet.

Right :wink: yes, you are correct :wink: The firewall will initiate the connection from "SELF" on whatever interface it has closest to. Glad you figured it out :wink:
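The route/source-address behaviour worked out in the thread, as an added example that is not part of the original posts and is not pfSense or HAProxy code. It models the three observations (a DMZ server reaches the remote host, the firewall's own connection does not, and `ping -S <dmz-addr>` from the firewall does) with a longest-prefix-match lookup over constructed routing tables. All addresses, interface names and the `bind` parameter are assumptions for illustration; `bind` stands in for `ping -S` or for an explicitly chosen source such as HAProxy's backend `source` keyword (the thread does not say which fix was applied).

```python
"""Why the firewall's own connections to the remote LAN fail while DMZ hosts
(or `ping -S <dmz-addr>`) succeed.

Every address and interface name here is constructed for this example
(RFC 5737 / RFC 1918 ranges); none of them come from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str              # destination network
    iface: str               # outgoing interface
    gateway: Optional[str]   # next hop, None when directly connected
    src: str                 # address the outgoing interface carries

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel routing table applies."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.network.prefixlen)


def source_address(routes, dst, bind=None):
    """Source address of a connection the host initiates itself.

    Without an explicit bind the kernel uses the address of the interface
    chosen by the route lookup, not the address a daemon listens on.
    `bind` (hypothetical) models `ping -S <addr>` or a forced source."""
    return bind if bind is not None else lookup(routes, dst).src


def reply_returns_via_tunnel(remote_routes, reply_dst, tunnel_next_hop):
    """True if the remote server routes its reply toward the S2S link."""
    return lookup(remote_routes, reply_dst).gateway == tunnel_next_hop


def trace(initiator_routes, remote_routes, remote_ip, tunnel_next_hop, bind=None):
    """Summarise one attempt: egress interface, source address used, and
    whether the remote host's reply can find its way back."""
    out = lookup(initiator_routes, remote_ip)
    src = source_address(initiator_routes, remote_ip, bind)
    return {
        "out_iface": out.iface,
        "src": src,
        "reply_returns": reply_returns_via_tunnel(remote_routes, src, tunnel_next_hop),
    }


# --- constructed topology (assumed values) --------------------------------
REMOTE_SERVER = "10.200.0.50"     # Zabbix host on the remote LAN
TUNNEL_NEXT_HOP = "10.200.0.1"    # remote site's WireGuard router

# Firewall: DMZ (HAProxy listens here), LAN, WireGuard P2P link, remote LAN, WAN
FW_ROUTES = [
    Route("192.0.2.0/24", "dmz0", None, "192.0.2.1"),
    Route("198.51.100.0/24", "lan0", None, "198.51.100.1"),
    Route("10.100.0.0/30", "wg0", None, "10.100.0.1"),          # P2P link
    Route("10.200.0.0/24", "wg0", "10.100.0.2", "10.100.0.1"),  # remote LAN
    Route("0.0.0.0/0", "wan0", "203.0.113.1", "203.0.113.10"),
]

# A server in the DMZ behind the firewall
DMZ_SERVER_ROUTES = [
    Route("192.0.2.0/24", "eth0", None, "192.0.2.20"),
    Route("0.0.0.0/0", "eth0", "192.0.2.1", "192.0.2.20"),
]

# The remote server knows the DMZ network via the tunnel router but has no
# route for the 10.100.0.0/30 P2P link, so that prefix falls to its default.
REMOTE_ROUTES = [
    Route("10.200.0.0/24", "eth0", None, REMOTE_SERVER),
    Route("192.0.2.0/24", "eth0", TUNNEL_NEXT_HOP, REMOTE_SERVER),
    Route("0.0.0.0/0", "eth0", "10.200.0.254", REMOTE_SERVER),
]


if __name__ == "__main__":
    print("DMZ server  :", trace(DMZ_SERVER_ROUTES, REMOTE_ROUTES, REMOTE_SERVER, TUNNEL_NEXT_HOP))
    print("firewall    :", trace(FW_ROUTES, REMOTE_ROUTES, REMOTE_SERVER, TUNNEL_NEXT_HOP))
    print("firewall -S :", trace(FW_ROUTES, REMOTE_ROUTES, REMOTE_SERVER, TUNNEL_NEXT_HOP, bind="192.0.2.1"))
```

The firewall case leaves the tunnel with the P2P address as its source, the remote host has no route for that prefix and answers via its default gateway, and the connection never completes; forcing the DMZ address as source (or originating from a DMZ host) gives the remote host a prefix it can route back through the tunnel. The practical check is the one the thread already used: a packet capture on the remote side showing replies leaving toward the default gateway.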