Hi Eduard,

I'm not sure about your iptables rules... using pf/ipfw on FreeBSD myself...
But to me it looks like those last 4 [SYN] packets should have shown up in a packet capture on your webserver, unless they are re-routed elsewhere...

You could try a different IP in the source option:
  source usesrc clientip

Could you also remove all special packet re-routing/divert rules from the haproxy box? And check again if the webserver then receives a SYN from the 'client-IP' and sends back a SYN-ACK to the HAProxy server?

It still won't work then, because the HAProxy process won't actually receive the SYN-ACK, but it should show up on the LAN interface of that machine.

Then the remaining issue is how to write the proper redirect rule for the 'return traffic' coming from the webserver and point it to the 'local machine'..

As for the iptables, probably some other guys can help better. But hope this helps in the 'debugging' a bit :). Also I found it useful to start haproxy with the -d -V parameters to show on-screen what happens (told me it couldn't bind to a non-local IP at first tries...).
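For the 'return traffic' rule left open above, here is an added example (not the poster's code, nor from the thread) of the standard Linux TPROXY recipe: the webserver's replies, addressed to the real client IP, are matched to HAProxy's local transparent socket and delivered locally instead of being forwarded out. It assumes the webserver's default gateway is the HAProxy box and that the backend uses `source 0.0.0.0 usesrc clientip`; the fwmark and table numbers are arbitrary choices.

```shell
#!/bin/sh
# Added example: hand return traffic (dst = client IP) to the local HAProxy
# transparent socket. Assumes HAProxy runs on this box with
# `source 0.0.0.0 usesrc clientip` and is the webserver's default gateway.
set -eu

MARK=1      # fwmark for packets that belong to a local (transparent) socket
TABLE=100   # policy-routing table that delivers marked packets locally

# Print the rules rather than running them, so they can be reviewed first.
tproxy_rules() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark $MARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
EOF
}

# Without forwarding, the SYN sent from the spoofed client IP never leaves
# the box and no SYN-ACK will ever show up on the LAN interface.
ip_forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = "1" ]
}

# Apply the rules (needs root). `-m socket` matches packets that belong to an
# existing local socket, including the transparent one HAProxy opened, so the
# webserver's SYN-ACK is marked and routed to lo instead of out the default route.
apply_tproxy_rules() {
    ip_forwarding_enabled || sysctl -w net.ipv4.ip_forward=1
    tproxy_rules | sh -e
}

# usage: sh tproxy.sh        -> print the rules
#        sh tproxy.sh apply  -> apply them
if [ "${1:-}" = "apply" ]; then apply_tproxy_rules; else tproxy_rules; fi
```

Run HAProxy with -d -V as suggested and watch the LAN interface while applying these; the rules are not cleared on restart, so keep a way to flush the mangle table and delete the ip rule when backing them out.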


