HAProxy with multiple NICs, outgoing isn't using the same NIC as incoming


I’m trying to run ADFS and WAP in HAProxy in a simple TCP setup…

ADFS running on eth0
WAP running on eth1

Default route is set for both nets:

MyHaproxy: #
Destination Gateway Genmask Flags Metric Ref Use Iface
default UG 0 0 0 eth0
default UG 1 0 0 eth1


global
log /dev/log local0
log /dev/log local1 notice
maxconn 6000
tune.ssl.default-dh-param 2048
chroot /var/lib/haproxy
uid 99
gid 99
ssl-default-server-options force-tlsv12 no-tls-tickets
ssl-default-bind-options force-tlsv12 no-tls-tickets

defaults
log global
option tcplog
option dontlognull
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms

frontend ADFSFrontend
bind interface eth0
mode tcp
default_backend ADFSBackend

frontend WAPFrontend
bind interface eth1
mode tcp
default_backend WAPBackend

backend ADFSBackend
mode tcp
balance roundrobin
server 450adfs01 check
server 450adfs02 check

backend WAPBackend
mode tcp
balance roundrobin
server 450wap01 check
server 450wap02 check

Everything works fine if I access ADFS from everywhere, except from the WAPBackend servers - it seems this fails as the incoming traffic is coming from eth0, but the outgoing is presumed to go out eth1…

If I run ifdown eth1, the traffic is fine.

Best regards

I’m not sure what fails - is it the TCP connection from the client to the frontend haproxy socket?

In that case, remove the “interface ethX” configuration from the bind lines. It restricts the listening socket to traffic from that particular ethernet interface and is probably not what you want.

Traffic to the WAPBackend servers (which are in the subnet) will always go out of eth1, as eth1 is in that subnet. This is expected behavior.

Hi Lukas

The situation is as follows

If I receive a request on eth0 (in this case), I do want my response to go out on eth0, even if the source address originates from the network eth1 is located on.

The reason for this is that the ADFS login page will not work unless the above is true.

I have solved this by doing the following:

ADFS interface

echo "1 adfs" >> /etc/iproute2/rt_tables
/sbin/ip route add dev eth0 table adfs
/sbin/ip route add default via dev eth0 table adfs
/sbin/ip rule add from table adfs
/sbin/ip rule add to table adfs

WAP interface

echo "2 wap" >> /etc/iproute2/rt_tables
/sbin/ip route add dev eth1 table wap
/sbin/ip route add default via dev eth1 table wap
/sbin/ip rule add from table wap
/sbin/ip rule add to table wap
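The same per-interface policy routing written as a reusable shell function, as an added example that is not from the original thread or from HAProxy. It assumes constructed placeholder addresses (192.0.2.0/24 for the ADFS side, 198.51.100.0/24 for the WAP side) and a DRY_RUN variable that prints the commands instead of executing them; the "from <address>" rule is what makes replies leave through the NIC that accepted the connection.

```shell
#!/bin/sh
# Added example (not the thread's own commands): set up a routing table per NIC
# so that replies sourced from that NIC's address leave through that NIC.
# Addresses used below are constructed placeholders, replace them with your own.
# Usage: setup_policy_route IFACE LOCAL_ADDR SUBNET GATEWAY TABLE_ID TABLE_NAME
# With DRY_RUN=1 the ip/echo commands are printed instead of executed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_policy_route() {
    iface=$1; addr=$2; subnet=$3; gw=$4; tid=$5; tname=$6
    # rt_tables is a "number name" map; register the name only once.
    grep -qs "^$tid[[:space:]]$tname\$" /etc/iproute2/rt_tables ||
        run sh -c "echo '$tid $tname' >> /etc/iproute2/rt_tables"
    # Per-NIC table: the connected subnet plus a default route via that NIC's gateway.
    run ip route add "$subnet" dev "$iface" src "$addr" table "$tname"
    run ip route add default via "$gw" dev "$iface" table "$tname"
    # Key rule: packets sourced from this NIC's address (HAProxy replies from the
    # socket that accepted the connection) are routed with the per-NIC table, so
    # they go back out the same interface regardless of the client's subnet.
    run ip rule add from "$addr" table "$tname"
}

# Ask the kernel which path a reply from LOCAL_ADDR to DST would take
# (requires the rules above to be installed; prints the selected route).
check_reply_path() {
    ip route get "$2" from "$1" iif "$3"
}

if [ "${1:-}" = "apply" ]; then
    # Constructed placeholder topology: ADFS side on eth0, WAP side on eth1.
    setup_policy_route eth0 192.0.2.10    192.0.2.0/24    192.0.2.1    1 adfs
    setup_policy_route eth1 198.51.100.10 198.51.100.0/24 198.51.100.1 2 wap
    # A client on the WAP subnet reaching the ADFS frontend must be answered via eth0.
    check_reply_path 192.0.2.10 198.51.100.50 eth0
fi
```

Run with DRY_RUN=1 first to review the exact commands before applying them as root.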

But as I often want to treat the different networks on the HAProxy as "isolated" networks (due to the issues mentioned before), I had imagined the functionality was built into the system.

Best regards