OK, so I took a step back and implemented this using PF rules alone; i.e. rather than accepting/allowing the traffic through the CARP IP to HAProxy, I set up rules to NAT traffic that comes into the CARP IP so that it is forwarded back out on the CARP IP (as HAProxy was doing), and port-forwarded the port that HAProxy was bound to, connecting it directly to RabbitMQ.
As a result of this, I am able to force a failover of the CARP IP to the secondary HAProxy node (without HAProxy running, with the same pf rules loaded) by taking down the interface of the primary, and because pfsync passes the states across to the backup node, my connection to RMQ is maintained, with only a ~1 second pause while the CARP IP moves; otherwise neither end notices, i.e. the connection is not closed/dropped etc. I am also able to move it back again by bringing the primary node's interface back up and then taking the secondary interface down (as I do not have CARP configured to automatically preempt).
I realise I have gone totally off-topic and out of scope for HAProxy here, but I am just wondering what the advantage of using HAProxy in tcp mode is, and/or what the point of synchronised stick tables is, if it is unable to maintain an existing connection during/after a failover.
Is HAProxy just the wrong tool for the job for what I am trying to do? I ask this since PF supports tables of IP addresses, and I am able to add round-robin rules to NAT/proxy traffic to those IPs, along with source/destination stickiness etc., and I am able to dynamically add/remove IPs from the group, which seems to offer identical functionality to HAProxy, making it redundant.
I don't mean for this post to come across as mean or belligerent etc., as reading it back it does sound that way; I'm just seriously trying to understand what the differences are between the functionality that CARP/pf/pfsync offers and what HAProxy offers.
Is it just that HAProxy offers additional/advanced functionality which PF does not, such as checking of servers (which I am thinking I can implement as a shell script using nc -z and dynamically altering the PF rules), or other functionality which I am not using, such as SSL encryption/decryption to reduce the load on backend web servers, the stats interface, etc.?
The reason I ask is because I was given 2 standalone HAProxy machines (using CARP, without pf etc.) and tasked with finding a way to make them properly redundant and able to maintain existing connections in the case of a failover (which is why I was excited to find and implement the stick table replication functionality etc.), and now it seems that I have been able to make the 2 machines proxy and fail over seamlessly without using HAProxy at all, and I'll probably have to explain how/why.
Thanks, and sorry for rambling a bit.
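The setup described in this post (a pf table of backends behind a CARP address, round-robin rdr with sticky source, outbound NAT back to the CARP IP so pfsync-replicated states survive a failover, and the `nc -z` health-check script that edits the table) as one worked script. This is an added example, not the poster's own rules or anything from the HAProxy or OpenBSD projects; the interface names (`em0`, `em1`), the CARP address, the backend addresses and the use of OpenBSD `rdr-to`/`nat-to` syntax are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a pf table of RabbitMQ backends
# selected round-robin behind a CARP address, plus a health-check loop that
# keeps that table in step with which backends answer on the AMQP port.
# All interface names, addresses and ports below are assumed placeholders;
# the ruleset uses OpenBSD pf syntax (rdr-to / nat-to).
set -eu

EXT_IF="${EXT_IF:-em0}"               # assumption: interface the CARP address lives on
PFSYNC_IF="${PFSYNC_IF:-em1}"         # assumption: dedicated pfsync link between the two nodes
CARP_IP="${CARP_IP:-192.0.2.10}"      # assumption: shared CARP address (TEST-NET-1 range)
SVC_PORT="${SVC_PORT:-5672}"          # assumption: AMQP port that HAProxy used to bind
TABLE="${TABLE:-rmq_up}"              # pf table holding the backends that passed the probe
BACKENDS="${BACKENDS:-198.51.100.11 198.51.100.12 198.51.100.13}"  # assumed RMQ nodes
PFCTL="${PFCTL:-pfctl}"               # set to 'echo' for a dry run
PROBE="${PROBE:-probe_tcp}"           # probe function; overridable for testing

# Print the ruleset. Inbound connections to the CARP address are redirected
# round-robin to a live backend (sticky per client source), and the outbound
# leg is source-NATed to the CARP address so replies return to whichever node
# currently owns the VIP. pfsync carries the resulting states to the peer, so
# the connection survives the VIP moving, exactly as described in the post.
pf_rules() {
    cat <<EOF
table <$TABLE> persist
pass quick on $PFSYNC_IF proto pfsync
pass quick on $EXT_IF proto carp
match in on $EXT_IF proto tcp to $CARP_IP port $SVC_PORT rdr-to <$TABLE> round-robin sticky-address
match out on $EXT_IF proto tcp to <$TABLE> port $SVC_PORT nat-to $CARP_IP
pass in on $EXT_IF proto tcp to <$TABLE> port $SVC_PORT
pass out on $EXT_IF proto tcp to <$TABLE> port $SVC_PORT
EOF
}

# Default probe: succeed if a TCP connect to $1:$2 completes within 2 seconds.
probe_tcp() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# Print the space-separated subset of BACKENDS whose probe succeeds.
live_backends() {
    live=""
    for h in $BACKENDS; do
        if "$PROBE" "$h" "$SVC_PORT"; then
            live="$live $h"
        fi
    done
    printf '%s\n' "${live# }"
}

# Replace the table contents with the backends that are up right now.
# -T replace swaps the whole table in one operation, so new connections never
# see a half-updated table; existing states to a backend that just dropped
# out are left to expire on their own rather than being killed here.
sync_table() {
    up=$(live_backends)
    if [ -n "$up" ]; then
        # shellcheck disable=SC2086  # word-splitting $up into addresses is intended
        "$PFCTL" -t "$TABLE" -T replace $up
    else
        "$PFCTL" -t "$TABLE" -T flush
    fi
}

# Usage: 'sh rmq-pf.sh rules' prints the ruleset to splice into pf.conf;
# 'sh rmq-pf.sh run' loops the health check every INTERVAL seconds.
case "${1:-}" in
    rules) pf_rules ;;
    run)   while :; do sync_table; sleep "${INTERVAL:-5}"; done ;;
esac
```

Run the same script on both CARP nodes: the table contents are local to each box, but the states pfsync replicates already carry the chosen backend, so a connection redirected by the primary keeps going on the backup regardless of what the backup's health check currently thinks. The probe only tests that the port accepts a TCP connection, which is the gap the post is pointing at: it cannot tell that AMQP is actually answering behind that port, whereas an HAProxy-style check can speak the protocol.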