Learn how to set up HAProxy on pfSense to allow access from WAN to LAN networks using reverse proxy and NAT rules.
HAProxy is a popular open source software that provides high availability, load balancing, and proxying for TCP and HTTP-based applications. It can be installed on pfSense, a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.
One of the common use cases for HAProxy on pfSense is to act as a reverse proxy for web servers on the LAN network. This allows external clients to access the web servers using a single public IP address and domain name, while also providing SSL termination, caching, and security features.
However, what if you want to access the web servers on the LAN network from another WAN network, such as a VPN or a remote office? How do you expose HAProxy to the outside world and route the traffic from WAN to LAN networks?
In this article, we will show you how to configure HAProxy on pfSense for WAN to LAN access, using reverse proxy and NAT rules. We will also explain some of the challenges and solutions for this scenario, and provide some FAQs and a summary at the end.
Prerequisites
Before we begin, you will need the following:
- A pfSense instance with two network interfaces: one for WAN and one for LAN
- The HAProxy package installed on pfSense
- A web server (or multiple web servers) on the LAN network that you want to access from the WAN network
- A domain name that points to the public IP address of the pfSense WAN interface
- A valid SSL certificate for the domain name (optional, but recommended)
Step 1: Configuring HAProxy on pfSense
The first step is to configure HAProxy on pfSense to listen on both the WAN and LAN interfaces, and to create a backend pool for the web servers on the LAN network.
To do this, follow these steps:
- Log in to the pfSense web interface and go to Services > HAProxy > Backend
- Click on Add to create a new backend pool
- Give the backend pool a name, such as “WebServers”
- Under Server List, click on Add to add a new server
- Give the server a name, such as “WebServer1”
- Enter the IP address and port of the web server on the LAN network, such as “10.0.1.5:80”
- Repeat the steps to add more servers to the backend pool, if needed
- Click on Save to save the backend pool
- Go to Services > HAProxy > Frontend
- Click on Add to create a new frontend
- Give the frontend a name, such as “WebAccess”
- Under Frontend Settings, select the WAN and LAN interfaces as the Listen Addresses
- Enter the port number that you want HAProxy to listen on, such as “443” for HTTPS
- Under SSL Offloading, check the box for Enable SSL Offloading
- Select the SSL certificate that matches the domain name, or upload a new one
- Under ACLs and Actions, click on Add to add a new ACL
- Give the ACL a name, such as “WebDomain”
- Select Host Matches as the Expression
- Enter the domain name that you want to use for accessing the web servers, such as “example.com”
- Under Actions, click on Add to add a new action
- Give the action a name, such as “WebBackend”
- Select Use Backend as the Action
- Select the backend pool that you created earlier, such as “WebServers”
- Click on Save to save the frontend
Step 2: Configuring NAT on pfSense
The next step is to configure outbound NAT on pfSense so that traffic going from the LAN network to the WAN network is not translated. This is necessary because pfSense applies NAT to outbound traffic by default, which would change the source IP address of the LAN clients and break the reverse proxy functionality.
To do this, follow these steps:
- Go to Firewall > NAT > Outbound
- Select Hybrid Outbound NAT rule generation as the Mode
- Click on Save
- Click on Add to add a new NAT rule
- Under Source, enter the LAN network address and mask, such as “10.0.1.0/24”
- Under Destination, enter the WAN network address and mask, such as “192.168.1.0/24”
- Check the box for Do not NAT
- Click on Save to save the NAT rule
Step 3: Testing the Configuration
The final step is to test the configuration and verify that you can access the web servers on the LAN network from the WAN network using the domain name and the port number that you configured on HAProxy.
To do this, follow these steps:
- From a client on the WAN network, open a web browser and enter the domain name and port number, such as “https://example.com:443”
- You should see the web page of the web server on the LAN network
- You can also check the HAProxy statistics page on pfSense to see the traffic and status of the frontend and backend
Frequently Asked Questions (FAQs)
Here are some frequently asked questions and answers related to the topic:
Question: Why do I need to use HAProxy for WAN to LAN access?
Answer: HAProxy provides several benefits for WAN to LAN access, such as:
- Simplifying the firewall rules and port forwarding on pfSense
- Providing SSL termination and encryption for the web traffic
- Balancing the load and improving the performance of the web servers
- Caching and compressing the web content
- Adding security features such as HTTP headers and ACLs
Question: What are the challenges and solutions for WAN to LAN access?
Answer: Some of the challenges and solutions for WAN to LAN access are:
- The web servers on the LAN network may not be aware of the original client IP address, which can affect logging and authentication. To solve this, you can enable the transparent-client-ip feature on HAProxy, which will insert the original client IP address in a custom HTTP header, such as “X-Forwarded-For”. However, this feature only works for traffic coming from the WAN interface, not the LAN interface. Alternatively, you can configure the web servers to read the custom HTTP header and use it as the client IP address.
- The web servers on the LAN network may use absolute URLs that point to the LAN IP address or hostname, which can break the links and images on the web page. To solve this, you can use the rewrite-host feature on HAProxy, which will rewrite the Host header and the Location header to match the domain name that you use for accessing the web servers. Alternatively, you can configure the web servers to use relative URLs or the domain name instead of the LAN IP address or hostname.
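The first challenge above, the web server reading the original client address out of an HTTP header, has a pitfall worth seeing in code: any client can send its own “X-Forwarded-For” header, so a server that blindly reads it will log or authenticate against a spoofed address. The example below is added here and is not part of the original article or of the HAProxy or pfSense projects; it shows the header handling a backend web server should do when it sits behind the HAProxy frontend described above. The proxy address (10.0.1.1, assumed to be the pfSense LAN interface that HAProxy connects from) and the header values are constructed for illustration.

```python
import ipaddress

# Constructed assumption: the pfSense LAN interface address from which HAProxy
# opens connections to the backend web servers. Only this peer is trusted to
# have appended a truthful client address to X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.1.1")}


def _header(headers, name):
    """Case-insensitive lookup of a request header; returns None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the client address a web server should use for logging and auth.

    remote_addr: the TCP peer address of the request (REMOTE_ADDR).
    headers:     dict of request headers.

    Rules:
      * If the TCP peer is not a trusted proxy, the request did not come through
        HAProxy, so X-Forwarded-For is ignored no matter what it says.
      * If the peer is a trusted proxy, walk X-Forwarded-For from right to left
        (HAProxy appends the address it saw) and take the first address that is
        not itself a trusted proxy. Anything a client prepended is ignored.
      * On a missing or malformed header, fall back to the peer address rather
        than guessing.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        return str(peer)

    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return str(peer)

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # A garbled entry means the chain cannot be trusted as a whole.
            return str(peer)
        if addr not in trusted_proxies:
            return str(addr)
    # Every entry was a trusted proxy; nothing better than the peer is known.
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: one through HAProxy, one with a client-supplied
    # header that HAProxy appended to, and one that bypassed the proxy.
    print(client_ip("10.0.1.1", {"X-Forwarded-For": "203.0.113.7"}))
    print(client_ip("10.0.1.1", {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}))
    print(client_ip("192.0.2.9", {"X-Forwarded-For": "1.2.3.4"}))
```

Whichever web server you run, the same rule applies: configure its real-IP or proxy-protocol handling so that the forwarded header is honoured only from the HAProxy address, and keep the firewall rules on pfSense such that the web servers are reachable only from HAProxy, so a client cannot bypass the proxy and present a forged header directly.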