HAProxy - pfSense or VM?

In a business setting, would you suggest setting up HAProxy on pfSense itself or just doing a port forward to a VM running HAProxy in a DMZ?

All the videos done by Tom - HAProxy on the pfSense

How To Setup ACME, Let’s Encrypt, and HAProxy HTTPS offloading on pfsense - YouTube

How To Create pfsense Let’s Encrypt Wildcard Certificates using HAProxy - YouTube

pfsense HA Proxy Troubleshooting - YouTube

Do the one that is easiest for you to manage.

I’ve seen a lot of the videos, I was just curious if those were geared towards homelabbers and/or internal usage or not.

Thanks, Tom! My train of thought is that I’m wanting HAProxy to be accessible from the Internet. If HAProxy was running on pfSense, then that Internet traffic is hitting the pfSense directly. If an attacker were able to exploit something on HAProxy, they would now be in the router. However, I feel like it would definitely be easier to manage.

Conversely, if HAProxy were on a VM, then pfSense would just be passing the traffic through to the VM. If the HAProxy on the VM was exploited, then the attacker would only have access to the VM (in a DMZ), so access is still pretty limited.

Yes, access would be limited, but statistically most of the attacks occur based on software with known flaws not being up to date, not from unpatched 0 days, which is why my question is about what is easier for you to manage.