Thank you for your help. It turns out the problem was beyond my control and in the network/routing layer. There were some rules in place preventing address spoofing.
I'm all set now and things are working correctly.

Ed

------------------------------
✉ Eduard Martinescu <emartine...@salsalabs.com> | ✆ (585) 708-9685 | http://www.salsalabs.com/ - ignite action. fuel change.

On Tue, May 7, 2013 at 4:31 PM, PiBa-NL <piba.nl....@gmail.com> wrote:

> Hi Eduard,
>
> I'm not sure about your iptables rules, using pf/ipfw on FreeBSD myself...
> But to me it looks like those last 4 [SYN] packets should have shown in a
> packet capture on your webserver, unless they are re-routed elsewhere.
>
> You could try a different IP in the source option:
> source 0.0.0.0 usesrc clientip
>
> Could you also remove all special packet re-routing/divert rules from the
> haproxy box? And check again if the webserver then does receive a SYN from
> the 'client-IP' and sends back a SYN-ACK to the HAProxy server?
>
> It still won't work then because the HAProxy process won't actually receive
> the SYN-ACK, but it should show up on the LAN interface of that machine.
>
> Then the remaining issue is how to write the proper redirect rule for the
> 'return traffic' coming from the webserver and point it to the 'local
> machine'.
>
> As for the iptables, probably some other guys can help better. But I hope
> this helps in the 'debugging' a bit :).
> Also I found it useful to start haproxy with the -d -V parameters to show
> on-screen what happens (told me it couldn't bind to a nonlocal IP at first
> tries).
>
> Greets
> PiBa-NL
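The quoted reply leaves open the last step: a rule that takes the web server's SYN-ACK, which is addressed to the real client IP rather than to the HAProxy box, and hands it to the local HAProxy process instead of forwarding it. The script below is an added example and is not part of the thread or of either poster's configuration; it shows the usual Linux plumbing for HAProxy's `source 0.0.0.0 usesrc clientip` (TPROXY). The mark `1`, routing table `100`, the addresses `192.0.2.10` / `10.0.0.20` and the interface names are assumptions. By default it only prints the commands; run it as root with `DRY_RUN=0` to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Linux-side plumbing for an HAProxy
# frontend that uses "source 0.0.0.0 usesrc clientip" (TPROXY). Every value
# below (mark 1, table 100, addresses, interface names) is an assumption.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them (root).

MARK="${MARK:-1}"
TABLE="${TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return path for the web server's SYN-ACK. It carries the real client IP as
# destination, so plain routing would forward it towards the Internet and
# HAProxy would never see it. "-m socket" recognises the packet as belonging
# to one of HAProxy's transparent sockets; the mark sends it through a
# routing table whose only entry delivers everything to the local stack.
divert_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Minimal HAProxy section matching the rules above (addresses assumed).
haproxy_snippet() {
    cat <<'EOF'
listen www
    bind 192.0.2.10:80
    mode tcp
    source 0.0.0.0 usesrc clientip
    server web1 10.0.0.20:80 check
EOF
}

# The two captures the reply asks for, as reminders only (they run on two
# different machines): the SYN reaching the web server with the client's
# address, and the SYN-ACK arriving on the HAProxy box's LAN interface.
capture_hints() {
    printf '%s\n' "# on the web server:  tcpdump -ni eth0 'tcp[tcpflags] & tcp-syn != 0 and dst host 10.0.0.20'"
    printf '%s\n' "# on the haproxy box: tcpdump -ni eth1 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack) and src host 10.0.0.20'"
}

divert_rules
echo
haproxy_snippet
echo
capture_hints
```

Two prerequisites are outside the script: HAProxy must be built with TPROXY support (`haproxy -vv | grep -i tproxy`) and run with root or CAP_NET_ADMIN, and the web server's route back to the client networks (normally its default gateway) must point at the HAProxy box, otherwise the SYN-ACK never reaches the DIVERT rule. Anything further out that drops packets whose source address does not belong to the sending network will break the same path, which matches the anti-spoofing rules the original poster eventually found.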