Re: Tproxy with multiple interfaces

2011-04-12 Thread Randy Wilson
Hi Brian,


> you would then need to set up ipmasq in iptables to make the haproxy server
> properly route the packets out to the internet and masq the source IP as the
> haproxy eth0 IP

Unfortunately this wouldn't work, as packets route into the web servers
through another router, and would route out through the HAproxy box.

I can set up a SNAT rule on the HAProxy box to change the source address,
which handles the outbound traffic from the web servers:

iptables -t nat -A POSTROUTING -s 192.168.3.65 -j SNAT --to xxx.xxx.97.154

They can route out externally through the HAProxy's eth1 using this method,
but it results in the web server being inaccessible externally. The web
server would receive a connection on xxx.xxx.97.154 through the router, and
send its reply through the HAProxy server. There is probably a way to ensure
that packets received on eth0 are routed out through eth0, and likewise for
eth1, by using routing tables on the web servers. The major issue with this
though, is that the web servers will be running Windows, and won't be
capable of this.

The only solution I can see to this is to not use the private interfaces
altogether, and proxy to the web server's eth0 interfaces.

I also can't speak for how the other environment works - it just does. And
flawlessly :)


Thanks,

REW

On Tue, Apr 12, 2011 at 5:02 PM, Brian Carpio wrote:

> Randy,
>
>
>
> I can’t speak to how your other environment works, as it seems suspicious
> that it works the way you describe in fully transparent mode, but I also
> can’t speak to the cttproxy patch as I’ve never used it. When you set the
> default gateway on the webservers to the haproxy eth1 interface you would
> then need to set up ipmasq in iptables to make the haproxy server properly
> route the packets out to the internet and masq the source IP as the haproxy
> eth0 IP.
>
>
>
> If the other environment is truly working then possibly you need to check
> two other settings on the non-working environment. On the haproxy
> environment make sure the below are set to 1… Possibly this will resolve
> your problems, if it does can you let me know because I can’t seem to wrap
> my head around the fact that it would work.
>
>
>
> cat /proc/sys/net/ipv4/conf/all/send_redirects
>
> cat /proc/sys/net/ipv4/conf/eth0/send_redirects
>
> cat /proc/sys/net/ipv4/conf/eth1/send_redirects
>
>
>
>
>
> *Brian Carpio *
>
> *Senior Systems Engineer*
>
>
> *Office: +1.303.962.7242*
>
> *Mobile: +1.720.319.8617*
>
> *Email: bcar...@broadhop.com*
>
>
>
> *From:* Randy Wilson [mailto:randyedwil...@gmail.com]
> *Sent:* Tuesday, April 12, 2011 9:40 AM
> *To:* haproxy@formilux.org
> *Subject:* Re: Tproxy with multiple interfaces
>
>
>
> Hi Brian,
>
> Thanks for the response.
>
> I had previously tried this, but setting the default gateway on the web
> servers to point to the HAProxy server's eth1 results in the web servers
> losing all external connectivity, as the source address is always a private
> address.
>
> root@web:~# ping -c 5 8.8.8.8
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> ^C
> --- 8.8.8.8 ping statistics ---
> 5 packets transmitted, 0 received, 100% packet loss, time 4008ms
>
> root@haproxy:~# tcpdump -n -i eth1 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:33:57.024999 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 1, length 64
> 16:33:58.034080 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 2, length 64
> 16:33:59.034036 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 3, length 64
> 16:34:00.034104 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 4, length 64
> 16:34:01.034266 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 5, length 64
>
> Any other ideas?
>
> I'm currently running a similar setup to load balance a mail cluster that's
> been in place for almost 4 years. The HAProxy servers use an older kernel
> with the cttproxy patch. The mail servers all receive connections from the
> HAProxy boxes on their eth1 interfaces and route back out to them on
> their eth0s - without any iptables rules or routing tables.
>
>
> Thanks,
>
> REW
>
>
> On Tue, Apr 12, 2011 at 4:24 PM, Brian Carpio wrote:
>
> Randy,
>
> The problem is the gateway on the backend webservers needs to be set as a
> VIP (or eth1 interface) on the HAproxy servers on their private interface
> (assuming you have two HAproxy servers and are using heartbeat for
> failover). It looks like from your ro

RE: Tproxy with multiple interfaces

2011-04-12 Thread Brian Carpio
Randy,

I can't speak to how your other environment works, as it seems suspicious that 
it works the way you describe in fully transparent mode, but I also can't speak 
to the cttproxy patch as I've never used it. When you set the default gateway 
on the webservers to the haproxy eth1 interface you would then need to set up 
ipmasq in iptables to make the haproxy server properly route the packets out to 
the internet and masq the source IP as the haproxy eth0 IP.

If the other environment is truly working then possibly you need to check two 
other settings on the non-working environment. On the haproxy environment make 
sure the below are set to 1... Possibly this will resolve your problems, if it 
does can you let me know because I can't seem to wrap my head around the fact 
that it would work.

cat /proc/sys/net/ipv4/conf/all/send_redirects
cat /proc/sys/net/ipv4/conf/eth0/send_redirects
cat /proc/sys/net/ipv4/conf/eth1/send_redirects


Brian Carpio
Senior Systems Engineer
Office: +1.303.962.7242
Mobile: +1.720.319.8617
Email: bcar...@broadhop.com

From: Randy Wilson [mailto:randyedwil...@gmail.com]
Sent: Tuesday, April 12, 2011 9:40 AM
To: haproxy@formilux.org
Subject: Re: Tproxy with multiple interfaces

Hi Brian,

Thanks for the response.

I had previously tried this, but setting the default gateway on the web servers 
to point to the HAProxy server's eth1 results in the web servers losing all 
external connectivity, as the source address is always a private address.

root@web:~# ping -c 5 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4008ms

root@haproxy:~# tcpdump -n -i eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
16:33:57.024999 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 1, length 64
16:33:58.034080 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 2, length 64
16:33:59.034036 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 3, length 64
16:34:00.034104 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 4, length 64
16:34:01.034266 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 5, length 64

Any other ideas?

I'm currently running a similar setup to load balance a mail cluster that's 
been in place for almost 4 years. The HAProxy servers use an older kernel with 
the cttproxy patch. The mail servers all receive connections from the HAProxy 
boxes on their eth1 interfaces and route back out to them on their eth0s - 
without any iptables rules or routing tables.


Thanks,

REW


On Tue, Apr 12, 2011 at 4:24 PM, Brian Carpio wrote:
Randy,
The problem is the gateway on the backend webservers needs to be set as a VIP 
(or eth1 interface) on the HAproxy servers on their private interface (assuming 
you have two HAproxy servers and are using heartbeat for failover). It looks 
like from your routing table that eth0 on the webservers' gateway is pointed to 
the eth0 interface on haproxy; this is why it works perfectly when you configure 
haproxy to use the public IPs on the webservers.

Once you change the default gateway on the backend webservers to use eth1 on 
the haproxy server (or a VIP which lives on eth1 using heartbeat for failover 
between two haproxy servers) then it will work.

Brian Carpio
Senior Systems Engineer
Office: +1.303.962.7242
Mobile: +1.720.319.8617
Email: bcar...@broadhop.com

From: Randy Wilson [mailto:randyedwil...@gmail.com]
Sent: Tuesday, April 12, 2011 8:29 AM
To: haproxy@formilux.org
Subject: Tproxy with multiple interfaces

Hi,

I'm trying to set up an HAProxy instance to transparently load balance a group 
of web servers. The HAProxy server and web servers each have two interfaces; 
eth0 as the public interface and eth1 the private. I'm trying to configure the 
load balancer to accept requests on port 80 on eth0 and transparently proxy the 
connections to the web servers over the private interfaces on eth1. I've 
configured the load balancer in the normal way for tproxy, and have the web 
servers routing out through it.

i.e.

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 dev eth0 lookup 100
ip rule add fwmark 1 dev eth1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

root@haproxy:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

root@web:~#

Re: Tproxy with multiple interfaces

2011-04-12 Thread Randy Wilson
Hi Brian,

Thanks for the response.

I had previously tried this, but setting the default gateway on the web
servers to point to the HAProxy server's eth1 results in the web servers
losing all external connectivity, as the source address is always a private
address.

root@web:~# ping -c 5 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4008ms

root@haproxy:~# tcpdump -n -i eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
16:33:57.024999 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 1, length 64
16:33:58.034080 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 2, length 64
16:33:59.034036 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 3, length 64
16:34:00.034104 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 4, length 64
16:34:01.034266 IP 192.168.3.65 > 8.8.8.8: ICMP echo request, id 6180, seq 5, length 64

Any other ideas?

I'm currently running a similar setup to load balance a mail cluster that's
been in place for almost 4 years. The HAProxy servers use an older kernel
with the cttproxy patch. The mail servers all receive connections from the
HAProxy boxes on their eth1 interfaces and route back out to them on
their eth0s - without any iptables rules or routing tables.


Thanks,

REW



On Tue, Apr 12, 2011 at 4:24 PM, Brian Carpio wrote:

> Randy,
>
> The problem is the gateway on the backend webservers needs to be set as a
> VIP (or eth1 interface) on the HAproxy servers on their private interface
> (assuming you have two HAproxy servers and are using heartbeat for
> failover). It looks like from your routing table that eth0 on the
> webservers’ gateway is pointed to the eth0 interface on haproxy; this is why
> it works perfectly when you configure haproxy to use the public IPs on the
> webservers.
>
>
>
> Once you change the default gateway on the backend webservers to use eth1
> on the haproxy server (or a VIP which lives on eth1 using heartbeat for
> failover between two haproxy servers) then it will work.
>
>
>
> *Brian Carpio *
>
> *Senior Systems Engineer*
>
>
> *Office: +1.303.962.7242*
>
> *Mobile: +1.720.319.8617*
>
> *Email: bcar...@broadhop.com*
>
>
>
> *From:* Randy Wilson [mailto:randyedwil...@gmail.com]
> *Sent:* Tuesday, April 12, 2011 8:29 AM
> *To:* haproxy@formilux.org
> *Subject:* Tproxy with multiple interfaces
>
>
>
> Hi,
>
> I'm trying to set up an HAProxy instance to transparently load balance a
> group of web servers. The HAProxy server and web servers each have two
> interfaces; eth0 as the public interface and eth1 the private. I'm trying to
> configure the load balancer to accept requests on port 80 on eth0 and
> transparently proxy the connections to the web servers over the private
> interfaces on eth1. I've configured the load balancer in the normal way for
> tproxy, and have the web servers routing out through it.
>
> i.e.
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> ip rule add fwmark 1 dev eth0 lookup 100
> ip rule add fwmark 1 dev eth1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> root@haproxy:~# sysctl net.ipv4.ip_forward
> net.ipv4.ip_forward = 1
>
> root@web:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> xxx.xxx.97.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.0.0     0.0.0.0         255.255.252.0   U     0      0        0 eth1
> 0.0.0.0         xxx.xxx.97.155  0.0.0.0         UG    0      0        0 eth0
>
> ...
> server web1 192.168.3.65:80 source 192.168.3.64 usesrc clientip
> ...
>
> When testing this setup, the connection is correctly proxied to the web
> server through eth1 and a response is sent back to the HAProxy server on
> eth0, but it's ignored and the connection hangs.
>
>
> Here's some netstat output during the connection:
>
> HAProxy:
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      1 xxx.xxx.48.1:42424      192.168.3.65:80         SYN_SENT    1386/haproxy
> tcp        0      0 xxx.xxx.97.155:80       xxx.xxx.48.1:42424      ESTABLISHED 1386/haproxy
>
> Web Server:
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp

RE: Tproxy with multiple interfaces

2011-04-12 Thread Brian Carpio
Randy,
The problem is the gateway on the backend webservers needs to be set as a VIP 
(or eth1 interface) on the HAproxy servers on their private interface (assuming 
you have two HAproxy servers and are using heartbeat for failover). It looks 
like from your routing table that eth0 on the webservers' gateway is pointed to 
the eth0 interface on haproxy; this is why it works perfectly when you configure 
haproxy to use the public IPs on the webservers.

Once you change the default gateway on the backend webservers to use eth1 on 
the haproxy server (or a VIP which lives on eth1 using heartbeat for failover 
between two haproxy servers) then it will work.

Brian Carpio
Senior Systems Engineer
Office: +1.303.962.7242
Mobile: +1.720.319.8617
Email: bcar...@broadhop.com

From: Randy Wilson [mailto:randyedwil...@gmail.com]
Sent: Tuesday, April 12, 2011 8:29 AM
To: haproxy@formilux.org
Subject: Tproxy with multiple interfaces

Hi,

I'm trying to set up an HAProxy instance to transparently load balance a group 
of web servers. The HAProxy server and web servers each have two interfaces; 
eth0 as the public interface and eth1 the private. I'm trying to configure the 
load balancer to accept requests on port 80 on eth0 and transparently proxy the 
connections to the web servers over the private interfaces on eth1. I've 
configured the load balancer in the normal way for tproxy, and have the web 
servers routing out through it.

i.e.

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 dev eth0 lookup 100
ip rule add fwmark 1 dev eth1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

root@haproxy:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

root@web:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.97.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.252.0   U     0      0        0 eth1
0.0.0.0         xxx.xxx.97.155  0.0.0.0         UG    0      0        0 eth0

...
server web1 192.168.3.65:80 source 192.168.3.64 usesrc clientip
...

When testing this setup, the connection is correctly proxied to the web server 
through eth1 and a response is sent back to the HAProxy server on eth0, but 
it's ignored and the connection hangs.


Here's some netstat output during the connection:

HAProxy:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 xxx.xxx.48.1:42424      192.168.3.65:80         SYN_SENT    1386/haproxy
tcp        0      0 xxx.xxx.97.155:80       xxx.xxx.48.1:42424      ESTABLISHED 1386/haproxy

Web Server:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.3.65:80         xxx.xxx.48.1:42424      SYN_RECV    -


And the relevant entries from a tcpdump on each interface on each server:

HAProxy/eth0 IP xxx.xxx.48.1.42424 > xxx.xxx.97.155.80: Flags [S], seq 1021535895, win 5840, options [mss 1418,sackOK,TS val 2448718 ecr 0,nop,wscale 7], length 0

HAProxy/eth0 IP xxx.xxx.97.155.80 > xxx.xxx.48.1.42424: Flags [S.], seq 504489330, ack 1158274356, win 5792, options [mss 1460,sackOK,TS val 230477 ecr 1407043,nop,wscale 7], length 0

HAProxy/eth0 IP xxx.xxx.48.1.42424 > xxx.xxx.97.155.80: Flags [.], ack 1, win 46, options [nop,nop,TS val 1407043 ecr 230477], length 0

HAproxy/eth1 IP xxx.xxx.48.1.42424 > 192.168.3.65.80: Flags [S], seq 391399045, win 5840, options [mss 1460,sackOK,TS val 230550 ecr 0,nop,wscale 7], length 0

Web/eth1 IP xxx.xxx.48.1.42424 > 192.168.3.65.80: Flags [S], seq 391399045, win 5840, options [mss 1460,sackOK,TS val 230550 ecr 0,nop,wscale 7], length 0

Web/eth0 IP 192.168.3.65.80 > xxx.xxx.48.1.42424: Flags [S.], seq 4033028970, ack 391399046, win 5792, options [mss 1460,sackOK,TS val 6751967 ecr 230550,nop,wscale 7], length 0

HAproxy/eth0 IP 192.168.3.65.80 > xxx.xxx.48.1.42424: Flags [S.], seq 4033028970, ack 391399046, win 5792, options [mss 1460,sackOK,TS val 6751967 ecr 230550,nop,wscale 7], length 0


NB. In this example I had set the usesrc setting to client so the client's port 
was used for readability, but the same occurs with clientip.

I'm sure this is occurring because the response connection is arriving on a 
different interface to the one HAProxy originated the connection to the web 
server on. Does anyone know of a way around this? Is there an iptables or ip 
rule that can be set to switch the return traffic from eth0 to eth1?

I have tried testing the setup by proxying the connections to the web server's 
pu

Tproxy with multiple interfaces

2011-04-12 Thread Randy Wilson
Hi,

I'm trying to set up an HAProxy instance to transparently load balance a
group of web servers. The HAProxy server and web servers each have two
interfaces; eth0 as the public interface and eth1 the private. I'm trying to
configure the load balancer to accept requests on port 80 on eth0 and
transparently proxy the connections to the web servers over the private
interfaces on eth1. I've configured the load balancer in the normal way for
tproxy, and have the web servers routing out through it.

i.e.

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 dev eth0 lookup 100
ip rule add fwmark 1 dev eth1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

root@haproxy:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

root@web:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.97.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.252.0   U     0      0        0 eth1
0.0.0.0         xxx.xxx.97.155  0.0.0.0         UG    0      0        0 eth0

...
server web1 192.168.3.65:80 source 192.168.3.64 usesrc clientip
...

When testing this setup, the connection is correctly proxied to the web
server through eth1 and a response is sent back to the HAProxy server on
eth0, but it's ignored and the connection hangs.


Here's some netstat output during the connection:

HAProxy:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 xxx.xxx.48.1:42424      192.168.3.65:80         SYN_SENT    1386/haproxy
tcp        0      0 xxx.xxx.97.155:80       xxx.xxx.48.1:42424      ESTABLISHED 1386/haproxy

Web Server:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.3.65:80         xxx.xxx.48.1:42424      SYN_RECV    -


And the relevant entries from a tcpdump on each interface on each server:

HAProxy/eth0 IP xxx.xxx.48.1.42424 > xxx.xxx.97.155.80: Flags [S], seq 1021535895, win 5840, options [mss 1418,sackOK,TS val 2448718 ecr 0,nop,wscale 7], length 0

HAProxy/eth0 IP xxx.xxx.97.155.80 > xxx.xxx.48.1.42424: Flags [S.], seq 504489330, ack 1158274356, win 5792, options [mss 1460,sackOK,TS val 230477 ecr 1407043,nop,wscale 7], length 0

HAProxy/eth0 IP xxx.xxx.48.1.42424 > xxx.xxx.97.155.80: Flags [.], ack 1, win 46, options [nop,nop,TS val 1407043 ecr 230477], length 0

HAproxy/eth1 IP xxx.xxx.48.1.42424 > 192.168.3.65.80: Flags [S], seq 391399045, win 5840, options [mss 1460,sackOK,TS val 230550 ecr 0,nop,wscale 7], length 0

Web/eth1 IP xxx.xxx.48.1.42424 > 192.168.3.65.80: Flags [S], seq 391399045, win 5840, options [mss 1460,sackOK,TS val 230550 ecr 0,nop,wscale 7], length 0

Web/eth0 IP 192.168.3.65.80 > xxx.xxx.48.1.42424: Flags [S.], seq 4033028970, ack 391399046, win 5792, options [mss 1460,sackOK,TS val 6751967 ecr 230550,nop,wscale 7], length 0

HAproxy/eth0 IP 192.168.3.65.80 > xxx.xxx.48.1.42424: Flags [S.], seq 4033028970, ack 391399046, win 5792, options [mss 1460,sackOK,TS val 6751967 ecr 230550,nop,wscale 7], length 0


NB. In this example I had set the usesrc setting to client so the client's
port was used for readability, but the same occurs with clientip.

I'm sure this is occurring because the response connection is arriving on a
different interface to the one HAProxy originated the connection to the web
server on. Does anyone know of a way around this? Is there an iptables or ip
rule that can be set to switch the return traffic from eth0 to eth1?

I have tried testing the setup by proxying the connections to the web
server's public interface on eth0 instead:

...
server web1 xxx.xxx.97.156:80 source xxx.xxx.97.155 usesrc clientip
...

And the transparent proxying works perfectly.

Any thoughts or suggestions appreciated.


Many thanks,

REW
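The per-interface tcpdump excerpts in the post above are exactly what one correlates to confirm the asymmetric path Randy suspects: the SYN to the web server leaves HAProxy on eth1, while the SYN/ACK comes back on eth0. The following is an added example (not code from the thread or from HAProxy) that parses lines in the `Host/iface IP src.port > dst.port: Flags [..]` shape he pasted and reports, per host, every flow whose SYN and SYN/ACK were seen on different interfaces; the embedded sample lines are his, abridged (TCP options dropped), with his xxx redactions kept.

```python
"""Spot asymmetric return paths in per-interface tcpdump captures.

Added example for this thread, not code from the original posts. Input lines
follow the shape pasted in the thread: "Host/iface IP a.b.c.d.port > ...".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<host>[^/\s]+)/(?P<iface>\S+)\s+IP\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Handshake lines from the thread, abridged (TCP options dropped); the xxx
# octets are the original poster's redaction, kept verbatim.
CAPTURE = """\
HAProxy/eth0 IP xxx.xxx.48.1.42424 > xxx.xxx.97.155.80: Flags [S], seq 1021535895, win 5840, length 0
HAProxy/eth0 IP xxx.xxx.97.155.80 > xxx.xxx.48.1.42424: Flags [S.], seq 504489330, ack 1158274356, win 5792, length 0
HAProxy/eth0 IP xxx.xxx.48.1.42424 > xxx.xxx.97.155.80: Flags [.], ack 1, win 46, length 0
HAproxy/eth1 IP xxx.xxx.48.1.42424 > 192.168.3.65.80: Flags [S], seq 391399045, win 5840, length 0
Web/eth1 IP xxx.xxx.48.1.42424 > 192.168.3.65.80: Flags [S], seq 391399045, win 5840, length 0
Web/eth0 IP 192.168.3.65.80 > xxx.xxx.48.1.42424: Flags [S.], seq 4033028970, ack 391399046, win 5792, length 0
HAproxy/eth0 IP 192.168.3.65.80 > xxx.xxx.48.1.42424: Flags [S.], seq 4033028970, ack 391399046, win 5792, length 0
"""

def parse_capture(text):
    """Return (host, iface, flow, direction) for SYN and SYN/ACK lines.

    flow = (client, cport, server, sport) oriented by the handshake: a bare
    SYN is 'forward', a SYN/ACK 'return'; other segments are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["flags"] == "S":
            flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            direction = "forward"
        elif m["flags"] == "S.":
            flow = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            direction = "return"
        else:
            continue
        # The thread spells the host both HAProxy and HAproxy; normalise.
        records.append((m["host"].lower(), m["iface"], flow, direction))
    return records

def find_asymmetric_paths(records):
    """Map (host, flow) -> (syn_iface, synack_iface) where the two differ.

    A host that captured only one half of a handshake is not reported: that
    is a capture gap, not evidence of an asymmetric path."""
    halves = defaultdict(dict)
    for host, iface, flow, direction in records:
        halves[(host, flow)].setdefault(direction, iface)
    return {
        key: (h["forward"], h["return"])
        for key, h in halves.items()
        if "forward" in h and "return" in h and h["forward"] != h["return"]
    }

def report(text=CAPTURE):
    """One line per asymmetric flow, sorted by host so output is stable."""
    lines = []
    for (host, flow), (out_if, back_if) in sorted(
        find_asymmetric_paths(parse_capture(text)).items()
    ):
        client, cport, server, sport = flow
        lines.append(f"{host}: {client}:{cport} -> {server}:{sport} "
                     f"SYN on {out_if}, SYN/ACK on {back_if}")
    return lines
```

Run against the thread's lines it reports the backend flow as asymmetric on both hosts (SYN on eth1, SYN/ACK on eth0) and stays silent on the front-end flow, which completes entirely on HAProxy's eth0.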