Dynamic redirect/Port Forward/HA failover routing


Behind my OpenWrt router, I have 2 reverse proxies (HAPROXY). I'd like to set up a basic master/slave failover.

          │OpenWrt    │
            │    │
┌───────────┴┐  ┌┴───────────┐
│HAPROXY01   │  │HAPROXY02   │
││  ││
└───────────┬┘  └┬───────────┘
            │    │

OpenWrt has a Port Forward 443:WAN-IP to 443:HAPROXY-IP. Quite common so far.

I'd like to build a failover for these two reverse proxies.

I was thinking of a simple solution: check when the master reverse proxy is down, then update the port forward destination to the slave node.
Changing the portforward Destination IP in the redirect rule from to

What would be the way to go? Is a reload of the firewall rules enough, or do I have to restart the firewall after each redirect failover?

Is dynamic routing depending on the health status of the destination possible?
If A is down, send to B.

The other solution would be to use VRRP/keepalived on both HAProxy systems and share a virtual IP between both. If the reverse proxies have to distinguish by themselves whether they are master or slave, all the fun with quorum, fencing and split-brain starts.

Therefore, at the moment I want to keep the focus on a solution to update the routing on my OpenWrt device.
On the OpenWrt router it's easy to distinguish which destination is reachable, I could keep static IPs on my destinations, and round-robin would also be easier.

Any ideas how to do that on OpenWrt in an elegant way?

There is a fast way to do that, just add the new rule above the old. That will have immediate effect.
Then you can update the firewall config file as well, so that the change can survive a firewall restart or reboot.

And how would you do that? I'm not sure if the answer is super smart and I do not understand it, or if it just misses 95% of the answer.

If you have the port forwarding rule on line #1, then you insert the rule to port forward to the alternative rule in line #1, pushing the first rule to place #2. Adding rules like this doesn't require any firewall restart; however, you should update the firewall config anyway to anticipate a random firewall reload or router restart.
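
The health-check idea from the question, combined with the advice above to keep the firewall config in sync, as an added example that is not code from any poster in this thread. It assumes the port forward is a named UCI redirect section `https_fwd` and uses placeholder addresses for the two HAProxy nodes; the ping probe only proves the host answers, not that HAProxy is serving.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: the redirect is a named
# UCI section "https_fwd"; both IPs are placeholders for the two HAProxy nodes.
MASTER="${MASTER:-192.168.1.11}"
BACKUP="${BACKUP:-192.168.1.12}"
RULE="${RULE:-firewall.https_fwd}"
FAILS_NEEDED=3   # consecutive failed probes before failing over
fails=0

# Host-level probe only; it does not prove HAProxy itself is serving.
check_alive() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

reload_fw() { /etc/init.d/firewall reload; }

# Sets $target. $1 = current dest_ip. Master wins whenever it answers;
# the backup is chosen only after FAILS_NEEDED misses and only if it
# answers itself; otherwise the current destination is kept.
choose_target() {
    if check_alive "$MASTER"; then
        fails=0
        target="$MASTER"
    else
        fails=$((fails + 1))
        if [ "$fails" -ge "$FAILS_NEEDED" ] && check_alive "$BACKUP"; then
            target="$BACKUP"
        else
            target="$1"
        fi
    fi
}

# Persist and reload only on change. Returns 0 if changed, 1 if not.
apply_target() {
    [ "$(uci -q get "$RULE.dest_ip")" = "$1" ] && return 1
    uci set "$RULE.dest_ip=$1"
    uci commit firewall
    reload_fw
}

main_loop() {
    while :; do
        choose_target "$(uci -q get "$RULE.dest_ip")"
        if apply_target "$target"; then
            logger -t fwd-failover "dest_ip switched to $target"
        fi
        sleep 5
    done
}

if [ "${1:-}" = "run" ]; then main_loop; fi
```

Started with the argument `run`, the script loops forever; without it, it only defines the functions. Because the master is preferred as soon as one probe succeeds, a flapping master will cause repeated reloads.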

Install and configure keepalived on your HAProxy nodes.
And set up your NAT rule on OpenWrt pointing to the virtual IP. No need to reconfigure something on the fly.