Channel: HAProxy community - Latest topics
HAProxy with multiple NICs, outgoing isn't using the same NIC as incoming

@BlackAdderDK wrote:

Hi

I’m trying to run ADFS and WAP in HAProxy in a simple TCP setup…

ADFS running on 10.0.1.10/24 eth0
WAP running on 10.0.2.10/24 eth1

Default route is set for both nets:

MyHaproxy: #
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
default         10.0.2.1        0.0.0.0         UG    1      0        0 eth1
.
.

Configuration

global
    log /dev/log local0
    log /dev/log local1 notice
    maxconn 6000
    tune.ssl.default-dh-param 2048
    daemon
    chroot /var/lib/haproxy
    uid 99
    gid 99
    ssl-default-server-options force-tlsv12 no-tls-tickets
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options force-tlsv12 no-tls-tickets
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

defaults
    log global
    option tcplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend ADFSFrontend
    bind 10.0.1.10:443 interface eth0
    mode tcp
    default_backend ADFSBackend

frontend WAPFrontend
    bind 10.0.2.10:443 interface eth1
    mode tcp
    default_backend WAPBackend

backend ADFSBackend
    mode tcp
    balance roundrobin
    server 450adfs01 10.0.1.101:443 check
    server 450adfs02 10.0.1.102:443 check

backend WAPBackend
    mode tcp
    balance roundrobin
    server 450wap01 10.0.2.101:443 check
    server 450wap02 10.0.2.102:443 check

Everything works fine if I access ADFS from everywhere, except from the WAPBackend servers - it seems this fails as the incoming traffic is coming from eth0, but the outgoing is presumed to go out eth1…

If I make ifdown eth1, the traffic is fine.

Best regards
Flemming
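
A way to reason about the symptom in the post above, added here as an example and not part of the original post or of HAProxy: a destination-based route lookup over the posted routing table, compared with the interface each request arrived on. The connected /24 routes are assumed from the interface addresses (that part of the table is elided in the post), the external client address is constructed, and the model ignores the `interface` option on the `bind` lines.

```python
import ipaddress

# (prefix, gateway, metric, iface). The two defaults come from the post;
# the connected /24 routes are an assumption implied by 10.0.1.10/24 on eth0
# and 10.0.2.10/24 on eth1.
ROUTES = [
    ("0.0.0.0/0", "10.0.1.1", 0, "eth0"),
    ("0.0.0.0/0", "10.0.2.1", 1, "eth1"),
    ("10.0.1.0/24", None, 0, "eth0"),
    ("10.0.2.0/24", None, 0, "eth1"),
]

def lookup(dst, routes=ROUTES):
    """Destination-based lookup: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw, metric, dev)
               for p, gw, metric, dev in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, gw, _, dev = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return {"prefix": str(net), "gateway": gw, "iface": dev}

def check_flow(client, arrived_on, routes=ROUTES):
    """Compare a request's ingress interface with the reply's egress."""
    reply = lookup(client, routes)
    egress = reply["iface"] if reply else None
    # An asymmetric flow is what a strict reverse-path filter (RFC 3704)
    # or a stateful firewall on either segment would drop.
    return {"client": client, "ingress": arrived_on, "egress": egress,
            "asymmetric": egress != arrived_on}

def without_iface(routes, dev):
    """Routing table after `ifdown <dev>`: its routes disappear."""
    return [r for r in routes if r[3] != dev]

if __name__ == "__main__":
    # WAP backend server reaching the ADFS frontend (arrives on eth0)
    print(check_flow("10.0.2.101", "eth0"))
    # Constructed external client reaching the ADFS frontend
    print(check_flow("203.0.113.7", "eth0"))
    # Same WAP server after eth1 is taken down
    print(check_flow("10.0.2.101", "eth0", without_iface(ROUTES, "eth1")))
```

On the host itself, `ip route get 10.0.2.101 from 10.0.1.10` shows the kernel's actual choice for the reply path.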
