> Hi, > > my current traffic flow with "source 0.0.0.0 usesrc clientip" and with > "source publichaproxyip usesrc clientip": > > haproxy receives a SYN from the client and does a normal tcp handshake > which works fine. Additionally haproxy forwards the SYN to the backend > with the client ip as source ip, backend sends SYN/ACK back to haproxy, > haproxy sends this to the client. client is confused because he send one > SYN but receives two SYN/ACK. > > it would be perfect if haproxy would establish a connection with the > node and a second with the backend, any ideas on how to tell haproxy to > not forward packets from the backend but to answer them by himself?
You need to take a decision: do you want a local source IP (your test) OR a remote source IP (which is what you seem to want in the end) You cannot have both. If the former is the case, then disable ip_forwarding in your kernel. For the latter, you won't have the problem you just mentioned. Lukas