HAProxy with multiple NICs, outgoing isn't using the same NIC as incoming

Hi

I’m trying to run ADFS and WAP in HAProxy in a simple TCP setup…

ADFS running on 10.0.1.10/24 eth0
WAP running on 10.0.2.10/24 eth1

Default route is set for both nets:

MyHaproxy: #
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.1.1 0.0.0.0 UG 0 0 0 eth0
default 10.0.2.1 0.0.0.0 UG 1 0 0 eth1
.
.

Configuration

global
log /dev/log local0
log /dev/log local1 notice
maxconn 6000
tune.ssl.default-dh-param 2048
daemon
chroot /var/lib/haproxy
uid 99
gid 99
ssl-default-server-options force-tlsv12 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options force-tlsv12 no-tls-tickets
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

defaults
log global
option tcplog
option dontlognull
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms

frontend ADFSFrontend
bind 10.0.1.10:443 interface eth0
mode tcp
default_backend ADFSBackend

frontend WAPFrontend
bind 10.0.2.10:443 interface eth1
mode tcp
default_backend WAPBackend

backend ADFSBackend
mode tcp
balance roundrobin
server 450adfs01 10.0.1.101:443 check
server 450adfs02 10.0.1.102:443 check

backend WAPBackend
mode tcp
balance roundrobin
server 450wap01 10.0.2.101:443 check
server 450wap02 10.0.2.102:443 check

Everything works fine if I access ADFS from anywhere, except from the WAPBackend servers - it seems this fails as the incoming traffic is coming in on eth0, but the outgoing traffic is presumed to go out eth1…

If I run ifdown eth1, the traffic is fine.

Best regards
Flemming

I’m not sure what fails - is it the TCP connection from the client to the frontend haproxy socket?

In that case, remove the “interface ethX” configuration from the bind lines. It restricts the listening socket to traffic from that particular ethernet interface and is probably not what you want.

Traffic to the WAPBackend servers (which are in the 10.0.2.0/24 subnet) will always go out of eth1, as eth1 is in that subnet. This is expected behavior.

Hi Lukas

The situation is as follows

If I receive a request on eth0 (in this case 10.0.1.10/24), I do want my response to go out on eth0… even if the source address originates from the network eth1 is located on (10.0.2.0/24).

The reason for this is that the ADFS login page will not work unless the above is true.

I have solved this by making the following:

ADFS interface

echo "1 adfs" >> /etc/iproute2/rt_tables
/sbin/ip route add 10.0.1.0/24 dev eth0 table adfs
/sbin/ip route add default via 10.0.1.1 dev eth0 table adfs
/sbin/ip rule add from 10.0.1.10/32 table adfs
/sbin/ip rule add to 10.0.1.10/32 table adfs

WAP interface

echo "2 wap" >> /etc/iproute2/rt_tables
/sbin/ip route add 10.0.2.0/24 dev eth1 table wap
/sbin/ip route add default via 10.0.2.1 dev eth1 table wap
/sbin/ip rule add from 10.0.2.10/32 table wap
/sbin/ip rule add to 10.0.2.10/32 table wap

But as I often want to treat the different networks on the HAProxy host as "isolated" networks (due to the issues mentioned before), I had imagined this functionality was built into the system.

Best regards
Flemming
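As an added example (not code from this thread or from HAProxy), the two per-interface command blocks above can be folded into one reusable policy-routing function. It generalises Flemming's steps: the rt_tables entry is only written once, routes use `ip route replace` so the script can be re-run, duplicate `ip rule` entries are avoided, and a verification step asks the kernel which NIC a reply from the bind address will actually leave on. The interface names, addresses and gateways are taken from the thread; `DRY_RUN`, `RT_TABLES`, `APPLY_EXAMPLE` and the function names are assumptions of this example. It assumes a Linux host with iproute2.

```shell
#!/bin/sh
# Added example, not code from the thread: a reusable version of the
# per-interface policy routing set up by hand above. Linux iproute2 only.
# DRY_RUN=1 prints the commands instead of executing them (no root needed);
# RT_TABLES and APPLY_EXAMPLE are assumed knobs of this example.

DRY_RUN=${DRY_RUN:-0}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# register_table ID NAME: add a named routing table once; a plain
# `echo >> rt_tables` appends a duplicate line on every re-run.
register_table() {
    if grep -qs "^$1[[:space:]][[:space:]]*$2\$" "$RT_TABLES"; then
        return 0
    fi
    if [ "$DRY_RUN" = "1" ]; then
        printf 'echo "%s %s" >> %s\n' "$1" "$2" "$RT_TABLES"
    else
        printf '%s %s\n' "$1" "$2" >> "$RT_TABLES"
    fi
}

# policy_route NAME ID IFACE SUBNET LOCAL_ADDR GATEWAY
# Packets sourced from LOCAL_ADDR (and packets to it) consult table NAME,
# whose default route points at IFACE's own gateway, so the main table's
# default route can never pull replies onto the other NIC.
policy_route() {
    name=$1; table_id=$2; iface=$3; subnet=$4; addr=$5; gw=$6
    register_table "$table_id" "$name"
    # `replace` is idempotent, unlike `add`, which fails on a second run
    run ip route replace "$subnet" dev "$iface" table "$name"
    run ip route replace default via "$gw" dev "$iface" table "$name"
    for sel in from to; do
        # delete first: `ip rule add` happily installs duplicate rules
        run ip rule del "$sel" "$addr/32" table "$name" 2>/dev/null || true
        run ip rule add "$sel" "$addr/32" table "$name"
    done
}

# verify_egress DST SRC IFACE: ask the kernel which device a reply from the
# local address SRC to DST will leave on, and succeed only if it is IFACE.
verify_egress() {
    ip route get "$1" from "$2" | grep -q "dev $3 "
}

if [ "${APPLY_EXAMPLE:-0}" = "1" ]; then
    policy_route adfs 1 eth0 10.0.1.0/24 10.0.1.10 10.0.1.1
    policy_route wap  2 eth1 10.0.2.0/24 10.0.2.10 10.0.2.1
    # A reply from the ADFS bind address to a WAP server must leave via eth0
    [ "$DRY_RUN" = "1" ] || verify_egress 10.0.2.101 10.0.1.10 eth0
fi
```

Run it as `DRY_RUN=1 APPLY_EXAMPLE=1 sh policy_route.sh` to review the generated commands first, then as root with `APPLY_EXAMPLE=1` to apply them; `verify_egress` is the check worth keeping in a post-deploy script, since it confirms the routing decision for the exact source address HAProxy binds to rather than relying on the interface coming up.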