I'm not sure about your iptables rules.. using pf/ipfw on FreeBSD myself...
But to me it looks like those last 4 [SYN] packets should have shown in
a packet capture on your webserver, unless they are re-routed elsewhere.
You could try a different IP in the source option:
source 0.0.0.0 usesrc clientip
Could you also remove all special packet re-routing/divert rules from
the haproxy box? And check again if the webserver then does receive a
SYN from the 'client-IP' and sends back a SYN-ACK to the HAProxy server?
It still won't work then because the HAProxy process won't actually
receive the SYN-ACK but it should show up on the lan-interface of that
Then the remaining issue is how to write the proper redirect rule for
the 'return traffic' coming from the webserver and point it to the
As for the iptables, probably some other guys can help better. But hope
this helps in the 'debugging' a bit :).
Also I found it useful to start haproxy with the -d -V parameters to
show on-screen what happens (told me it couldn't bind to a nonlocal IP at