Outbound / SNAT for backend servers

We’ve got a bunch of F5 servers we’re looking at replacing with haproxy. In addition to load balancing and application delivery, these can provide much-needed SNAT, which we use as a gateway for backend servers that need to get outbound internet access.

It looks like haproxy doesn’t provide this as it terminates all connections / uses its own ip stack. I am curious as to what others are doing that need this.

First thing that comes to mind is putting a firewall in front of the haproxies and using the fw as the gateway for everything. Or perhaps some iptables rules on the haproxies themselves.

Just wondering what best practice / most efficient setup would be in this scenario. Thanks.

You can use the Linux routing/natting, but it’s certainly not best practice to do that on the same box that haproxy runs. I’d suggest to use a different VM or box for that.

Thank you for the response. We are going to use baremetal active/active (through BGP) for the haproxies. I guess the concern is throwing a VM up for a NAT gateway in front would be a bottleneck.

So, if natting on haproxy isn’t ideal, I guess I’d need, say, a hardware firewall pair for HA and faster line speeds, unless you or anyone has any other suggestions.

You can NAT on the underlying OS that haproxy runs on, I just don’t think that’s a good design, just like I don’t think it’s a good design to have an F5 do the same.

I don’t think you necessarily need hardware firewalls. You can just as easily NAT on a different box.
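A minimal nftables setup for the separate Linux NAT box the replies recommend, as an added example that is not from the thread or from HAProxy itself. It assumes the backends default-route through this box, and uses constructed values: backend subnet 10.20.0.0/24, egress interface eth0 and SNAT address 203.0.113.10 (documentation range); only the backend subnet is translated and only connections the backends originate are forwarded, so the gateway does not become an open router. HA for the gateway pair (e.g. keepalived/VRRP) is out of scope here.

```shell
#!/bin/sh
# Added example (not from the thread): nftables SNAT ruleset for a dedicated
# Linux NAT gateway in front of the backend servers, separate from the HAProxy
# hosts. Constructed/assumed values: backend subnet 10.20.0.0/24, egress
# interface eth0, public SNAT address 203.0.113.10.
set -eu

# Print the nftables ruleset for a backend subnet, egress interface and SNAT
# address. The forward chain defaults to drop: only new connections from the
# backend subnet leaving via the egress interface, plus their replies, pass.
nat_ruleset() {
  backend_cidr=$1; egress_if=$2; snat_ip=$3
  cat <<EOF
flush ruleset
table ip natgw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr ${backend_cidr} oifname "${egress_if}" ct state new accept
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip saddr ${backend_cidr} oifname "${egress_if}" snat to ${snat_ip}
  }
}
EOF
}

# Enable IPv4 forwarding and load the ruleset in one atomic transaction
# (the leading "flush ruleset" replaces whatever was loaded before).
# Run as root on the NAT gateway, not on the HAProxy hosts.
apply_nat() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  nat_ruleset "$@" | nft -f -
}

# Example invocation, left commented so sourcing the file only defines functions:
# apply_nat 10.20.0.0/24 eth0 203.0.113.10
```

After loading, `nft list table ip natgw` shows the active rules and `conntrack -L` (if installed) lets you confirm that backend flows are being translated to the SNAT address.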