HAProxy not working inside the network, but works perfectly from outside the network

I just installed HAProxy in pfSense following one of Lawrence’s tutorials on YouTube. Everything works fine from outside my network, but inside my network, it’s not working.

I’ve already set a DNS resolver host override so that pfsense.xxxxxx.com returns the local IP 192.168.1.7, for example. Any ideas on how to resolve this issue would be greatly appreciated.

This site can’t be reached

pfsense.xxxxxx.com took too long to respond.

Try:

  • Checking the connection
  • Checking the proxy and the firewall

ERR_CONNECTION_TIMED_OUT

Are you trying to use haproxy to access pfsense itself?

Not only pfSense, Synology, Home Assistant, etc. all work great from outside the network but not inside. I have to connect through their IP addresses.

Internally you don’t route traffic to HAProxy and then back to the firewall. You set the certificate directly on pfSense in System–>Advanced–>Admin Access.

For all other servers and whatnot you would change the DNS to point to HAProxy but not the actual firewall itself. It will be the LAN address.

For internal I create local DNS that points to the firewall’s internal LAN IP which will get redirected to HAProxy. I have IPs configured inside HAProxy to include internal LAN IPs for access.

I changed the Admin webGUI to port 444 so it wouldn’t conflict with HAProxy.

So this way I can make use of ACME certs for my internal servers.

Below is how I configured the “external address” in HAProxy:

Ignore my odd port numbers as my ISP blocks port 443 so this is my workaround.

I wouldn’t have done it that way. What I did was create a VIP and assign that as my front end IP address for internal services. That way I don’t have to mess with changing the port number for pfSense to something else other than 443.

I’m not sure if it will even work if you are trying to reach pfSense through the HAProxy service.

Can you show an example, please…

I added LAN there but still not working …

I hadn’t thought of using Virtual IP for HAProxy. I will have to experiment with it.

Create a VIP

  1. Firewall > Virtual IPs

Make sure to choose an IP that isn’t in any way associated with any current network range.

Apply to HAProxy interface

Set DNS record and CNAMEs

Notice that I have haproxy with the VIP and CNAMEs (aliases) for it. In case I want to change the IP I don’t have to change all my entries. I only need to change one.

Why use a VIP? That’s the part I don’t get. Lawrence’s videos don’t use it.

Because then you don’t have to change the ports for your LAN IP to reach the web interface of pfSense. You’re essentially creating a usable IP for your HAProxy to use internally.

You can do what you want. I’m offering a suggestion and a better way to set this up IMO. For me, I don’t want my web interface for pfSense going through HAProxy whenever I already can assign a wildcard certificate directly in the web UI. Then for my other services I use the same wildcard certificate in HAProxy. The way you are doing it, changing ports and junk, is completely avoidable just by simply setting up a VIP.

There is nothing wrong with the way you are doing it, unless you are running into issues where pfSense doesn’t allow the web UI to be proxied. For most things there are multiple ways to skin a cat, as they say.