SNAT to backend server

I’ve seen many articles related to SNAT and that HAProxy can’t perform SNAT. They were all very old, so I thought I would ask the question again to see if anything has changed.

Here’s my issue:

I have TCP connections that I need to terminate in the DMZ and then proxy those connections up to my internal trusted network. The issue I’m facing is that my endpoint has custom screens that are determined by the client's source address, so I will need to see the client address or at least be able to create some sort of one-to-one mapping.

I have haproxy configured and I was trying to use the SNAT function within the firewalld service, but that only works if I source the connection from the server itself. Whenever I use the haproxy function it's always sending the address of the haproxy server.

Any help would be greatly appreciated.

HAProxy is a layer 7 reverse proxy, so the backend servers will see the source IP as coming from HAProxy.

You can use PROXY PROTOCOL or X-Forwarded-For headers to tell the backend server what the Client IP address should be (but the application will need to support and understand that).

You can also use TPROXY mode (but only for directly connected subnets).
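As an added illustration of the first two options above (this is an example configuration written for this thread, not the poster's config), here is a minimal HAProxy setup that receives the PROXY protocol from an upstream device, forwards it to the backend with send-proxy-v2, and, for an HTTP listener, sets X-Forwarded-For. The section names, ports and the 192.0.2.0/24 and 10.0.0.0/8 ranges are placeholders. The `tcp-request connection expect-proxy` form is used instead of `accept-proxy` on the bind line so that a PROXY header is honoured only when the TCP peer is the trusted upstream proxy; any other source could otherwise assert an arbitrary client address.

```haproxy
# Constructed example; names, ports and address ranges are placeholders.
global
    log stdout format raw local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Raw TCP: PROXY protocol in, PROXY protocol v2 out -------------------
frontend tcp_in
    mode tcp
    bind *:8443
    # Only decode a PROXY header when the connection arrives from the upstream
    # proxy range; refuse everything else outright.
    tcp-request connection expect-proxy layer4 if { src 192.0.2.0/24 }
    tcp-request connection reject unless { src 192.0.2.0/24 }
    # %ci/%cp are the original client address once the header is decoded.
    log-format "%ci:%cp -> %fi:%fp backend=%b"
    default_backend internal_vip

backend internal_vip
    mode tcp
    # send-proxy-v2 prepends the v2 header; health checks send a LOCAL header.
    server app1 10.0.0.10:8443 send-proxy-v2 check

# --- HTTP: client address carried in X-Forwarded-For ---------------------
frontend http_in
    mode http
    bind *:8080
    # Overwrite, rather than append to, any X-Forwarded-For the client sent,
    # so the backend never sees a client-supplied value.
    http-request set-header X-Forwarded-For %[src]
    default_backend http_app

backend http_app
    mode http
    server web1 10.0.0.20:8080 check
```

The backend behind `internal_vip` must itself be configured to expect the PROXY protocol on that listener, and should likewise accept it only from HAProxy's address; the header is just bytes on the wire, so whoever is trusted to send it is trusted to name the client.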

Thanks for the information. Because our haproxy is behind an F5, I created an iRule to insert the proxy protocol (this is not http traffic), and then the haproxy has the receive-proxy statement on the frontend and the send-proxy-v2 to the backend. The backend is another VIP on the internal security zone, and there I parse the client source from the proxy protocol.
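For the last step of that setup, extracting the client source on the internal endpoint, here is an added example of a PROXY protocol parser (written for this thread, not the poster's code or HAProxy's). It decodes both the v1 text header and the v2 binary header that send-proxy-v2 emits, handles the v2 LOCAL command that HAProxy health checks send, and only honours a header when the TCP peer is in a trusted proxy range. The sample headers and the 203.0.113.7 / 10.x addresses are constructed inputs, not captured traffic.

```python
"""PROXY protocol v1/v2 header parser for a backend that sits behind HAProxy."""
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 magic from the spec
V1_MAX_LEN = 107                              # longest legal v1 line incl. CRLF


class ProxyProtocolError(ValueError):
    """Missing or malformed header: the connection should be dropped."""


@dataclass
class ProxyInfo:
    version: int
    family: str               # "TCP4", "TCP6", "LOCAL" or "UNKNOWN"
    src_addr: Optional[str]   # original client address, None if not carried
    src_port: Optional[int]
    dst_addr: Optional[str]
    dst_port: Optional[int]
    header_len: int           # bytes to strip before the application payload


def parse_proxy_header(data: bytes) -> ProxyInfo:
    """Parse the header at the start of `data` (first bytes read from the socket)."""
    if data.startswith(PP2_SIGNATURE):
        return _parse_v2(data)
    if data.startswith(b"PROXY "):
        return _parse_v1(data)
    raise ProxyProtocolError("no PROXY protocol header present")


def _parse_v1(data: bytes) -> ProxyInfo:
    end = data.find(b"\r\n", 0, V1_MAX_LEN + 1)
    if end < 0:
        raise ProxyProtocolError("v1 header has no CRLF within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyProtocolError("non-ASCII byte in v1 header") from exc
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return ProxyInfo(1, "UNKNOWN", None, None, None, None, end + 2)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError("malformed v1 header")
    af = socket.AF_INET if fields[1] == "TCP4" else socket.AF_INET6
    try:
        socket.inet_pton(af, fields[2])      # validate, do not trust blindly
        socket.inet_pton(af, fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except (OSError, ValueError) as exc:
        raise ProxyProtocolError("bad address or port in v1 header") from exc
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyProtocolError("port out of range")
    return ProxyInfo(1, fields[1], fields[2], sport, fields[3], dport, end + 2)


def _parse_v2(data: bytes) -> ProxyInfo:
    if len(data) < 16:
        raise ProxyProtocolError("truncated v2 header")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyProtocolError("unsupported PROXY protocol version")
    total = 16 + addr_len                     # addr_len also covers any TLVs
    if len(data) < total:
        raise ProxyProtocolError("truncated v2 address block")
    cmd = ver_cmd & 0x0F
    if cmd == 0x0:   # LOCAL: sent by the proxy itself (health checks), no client
        return ProxyInfo(2, "LOCAL", None, None, None, None, total)
    if cmd != 0x1:
        raise ProxyProtocolError("unknown v2 command")
    family, proto = fam_proto >> 4, fam_proto & 0x0F
    if family == 0x1 and proto == 0x1 and addr_len >= 12:      # AF_INET / STREAM
        s, d, sp, dp = struct.unpack("!4s4sHH", data[16:28])
        return ProxyInfo(2, "TCP4", socket.inet_ntop(socket.AF_INET, s), sp,
                         socket.inet_ntop(socket.AF_INET, d), dp, total)
    if family == 0x2 and proto == 0x1 and addr_len >= 36:      # AF_INET6 / STREAM
        s, d, sp, dp = struct.unpack("!16s16sHH", data[16:52])
        return ProxyInfo(2, "TCP6", socket.inet_ntop(socket.AF_INET6, s), sp,
                         socket.inet_ntop(socket.AF_INET6, d), dp, total)
    # Other family/protocol: spec says accept the connection, carry no address.
    return ProxyInfo(2, "UNKNOWN", None, None, None, None, total)


def client_address(peer_ip: str, data: bytes,
                   trusted_proxies: Iterable[str]) -> Tuple[str, bytes]:
    """Return (effective client IP, remaining payload).

    The header is honoured only when the TCP peer is one of our proxies;
    anyone else could otherwise assert any source address they like.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        raise ProxyProtocolError(f"PROXY header from untrusted peer {peer_ip}")
    info = parse_proxy_header(data)
    return info.src_addr or peer_ip, data[info.header_len:]


def build_v2_tcp4(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Encode a v2 PROXY/TCP4 header, the form send-proxy-v2 puts on the wire."""
    addrs = socket.inet_pton(socket.AF_INET, src) + socket.inet_pton(socket.AF_INET, dst)
    return (PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, 12)
            + addrs + struct.pack("!HH", sport, dport))


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    v1 = b"PROXY TCP4 203.0.113.7 10.20.30.40 51234 443\r\nhello"
    v2 = build_v2_tcp4("203.0.113.7", 51234, "10.20.30.40", 443) + b"hello"
    for raw in (v1, v2):
        print(client_address("10.1.1.5", raw, ["10.0.0.0/8"]))
```

The parser reads the whole header before touching the payload and rejects anything truncated or malformed rather than guessing, and `client_address` refuses the header from any peer outside the trusted range, which is the check that keeps the "custom screens by client address" logic from being steered by whoever can reach the internal VIP directly.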