I have pfSense (2.7) as the router for my network and recently installed HA-proxy (develop) as a proxy.
The main reason to install HA-proxy was to distribute incoming traffic towards my (virtual) servers. The idea is to use SNI to point to a webserver, to access my public services from both the local network and the internet in an easy way (using a split DNS), and to switch between my old and my new config. I am using both IPv4 and IPv6.
And … my intention was to do that for:
- the webserver(s)
- the mailserver(s) [ at the moment only one]
- the sftpservers
For the web-servers that works.
And for the mailserver and the sftp-server, it (almost) does not.
The problem seems to be the SSH-handshake. The packages are:
- arriving at the HA-proxy frontend and
- being forwarded to the HA-proxy backend and
- going towards the vlan gateway of the server-vlan
And despite that … it does not work.
(connecting to the SSH-server does work using the BitVise SSH client from the local network, but that is the exception)
If I try to analyze the problem, it is clear from the logging that the initial handshake between the client (/source) and the mail-server / sftp-server causes the trouble. The connection starts and stops immediately due to a failing handshake.
My setup looks like this / some additional info:
- I did create a couple of VIPs to forward the local traffic to
- on the WAN interface, the relevant ports are passed to ‘This Firewall’ using FW rules
- the HA-proxy frontends listen on both the WAN interface and the VIP (in ssl/https mode, in most cases one FE per port number)
- the HA-proxy backends are specific per port number
- if a backend points to more than one server, only one is active
- in case of SSH it is impossible to determine the destination
That brings me to a second problem … HA-proxy is … a proxy. So without additional measures the original source is gone / replaced by the proxy address, which I absolutely do not like (especially in the case of the sftp-server).
So … that is all. It almost works … but almost == not.
So I hope that someone knows how to solve this ‘handshake issue’, otherwise I have to go back to the classical ‘forward rules’ for sftp and the mail-server.
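Added example, not from the original post: a minimal HAProxy configuration fragment for the split described above, with TLS ports routed on SNI in TCP mode, SSH on its own plain TCP frontend (SSH exchanges no TLS ClientHello and therefore no SNI, so an ssl-mode frontend has nothing to route on and breaks the handshake), and PROXY protocol only toward backends that understand it. Hostnames, addresses and backend names are assumptions.

```haproxy
# Added example (not from the original post); hostnames, addresses and
# backend names are assumed.

# --- TLS ports: route on SNI without terminating TLS (mode tcp) ------------
frontend fe_tls_443
    mode tcp
    bind :::443 v4v6
    option tcplog
    # Hold the connection briefly until the ClientHello has arrived,
    # otherwise req.ssl_sni is empty and every request hits the default.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_web_new if { req.ssl_sni -i www.example.org }
    use_backend be_web_old if { req.ssl_sni -i old.example.org }
    default_backend be_web_new

# --- SSH/SFTP: no TLS, no SNI, so exactly one destination per port ---------
# An ssl-mode frontend would wait for a TLS ClientHello here; the SSH
# identification exchange never sends one, so the session is torn down.
frontend fe_sftp_22
    mode tcp
    bind :::22 v4v6
    option tcplog
    default_backend be_sftp

backend be_web_new
    mode tcp
    server web2 10.0.20.11:443 check

backend be_web_old
    mode tcp
    server web1 10.0.20.10:443 check

backend be_sftp
    mode tcp
    # OpenSSH sshd does not speak the PROXY protocol: send-proxy-v2 must NOT
    # be set here, so sshd will log the proxy address unless the backend is
    # configured for transparent (client-IP) proxying at the pfSense level.
    server sftp1 10.0.20.30:22 check

# --- Mail: backends that understand PROXY protocol keep the real client IP --
# Postfix (postscreen_upstream_proxy_protocol / smtpd_upstream_proxy_protocol
# = haproxy) and Dovecot (haproxy_ports) accept PROXY protocol v2.
backend be_smtps_465
    mode tcp
    server mail1 10.0.20.40:465 check send-proxy-v2
```

The `check` on port 22 produces a failed-connection entry in the sshd log at every health-check interval; drop it or switch to a less noisy check if that clutters the server logs.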