Hi!
I'm trying to get haproxy running and I have no static IP addresses from my ISP...
Common guides say just to use a wildcard listening address but that's an unsatisfying solution.
So I was thinking about letting haproxy run on the LAN interface of the router and using NAT to make it reachable from the outside, which works fine for IPv4 but not so fine for IPv6...
I used this equivalent IPv6 fw4 port forward rule:
config redirect
	option name 'My not so working NAT66'
	option src 'wan'
	option dest 'lan'
	option src_dport '443'
	option dest_port '8096'
	option dest_ip 'routers ula lan interface address'
	option target 'DNAT'
	list proto 'tcp'
	option reflection '0'
	option family 'ipv6'
The fw4 packet counter does increase but nothing shows up in the haproxy log.
haproxy is listening on this address.
Does anyone have an idea?
Thanks.
//edit
hmm...
using the GUA address, it works but unfortunately the prefix is dynamic...
Is there an nft equivalent for the iptables suffix matching?
Or do I have to use a script to dynamically pull the address from the interface every time the fw restarts?
//edit2
I couldn't find any info on the suffix matching.
So I ended up creating/modifying an fw script that pulls the GUA from the lan interface and creates the proper rule.
And a simple sed replace in the haproxy init script.
So I ended up running haproxy on the lan interface.
Bound to the corresponding IPv4 and IPv6 ULA addresses on port 443.
Changed uhttpd to listen only on loopback with port 8080.
Setting up the Port Forwards:
One for IPv4 and the IPv6 one using the ULA prefix, both from port 443 to 443.
haproxy serving uhttpd (luci) and the other service on my network that I wanted to have behind haproxy with SSL encryption.
Setting up split dns.
And it works.
Only down side is, all internal traffic has to go through haproxy too.
But I didn't want to set up haproxy on the machine running the other service.
And this way I can add more services, actually kinda neat.
Now, I need to figure out how to make dnsmasq ignore the gua addresses from the odhcpd host file.
I modified the default odhcpd update script to scrap the gua addresses but I'm not sure if this will break other things...
//edit
whoops... It didn't work.
To make it work the source routing must be disabled as described in the wiki:
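The fw script mentioned in edit2 (pull the GUA from the lan interface and build the rule from it) is not shown in the post. The following is an added example, not the poster's script and not part of OpenWrt, of how such a helper can be written so that it never writes a rule pointing at nothing. Names are assumptions: the bridge is br-lan, the redirect is a named section `haproxy6` in /etc/config/firewall, haproxy listens on 8096, and the bind line lives in /etc/haproxy/haproxy.cfg. The `ip -6 addr` output below is constructed sample data; on the router you would pipe in the real `ip -6 addr show dev br-lan`.

```shell
#!/bin/sh
# Added example, not from the original post. Extracts the current GUA from
# the LAN interface and emits the uci/sed commands that point the fw4 redirect
# and the haproxy bind line at it. All names below are assumptions.

# Constructed sample of `ip -6 addr show dev br-lan`. The ULA (fd12::/64) and
# the link-local address are included on purpose so the filter has to skip
# them; note the ULA is also "scope global", so scope alone is not enough.
SAMPLE_IP6_OUTPUT='10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet6 fd12:3456:789a::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 2001:db8:abcd:1::1/64 scope global dynamic noprefixroute
       valid_lft 6989sec preferred_lft 3389sec
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever'

# extract_gua TEXT
# Print the first globally routable address (2000::/3, i.e. first hex digit
# 2 or 3) found in TEXT, without the prefix length. ULA (fc00::/7), link-local
# (fe80::/10) and addresses flagged deprecated are skipped. Returns 1 when no
# GUA is present so the caller can leave the old rule alone instead of
# installing a DNAT to an empty target.
extract_gua() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && $2 ~ /^[23]/ && $0 !~ /deprecated/ {
            sub(/\/.*$/, "", $2); print $2; found = 1; exit 0
        }
        END { if (!found) exit 1 }'
}

# uci_commands_for GUA SECTION INT_PORT
# Emit the uci commands that re-point the named redirect at GUA and reload
# fw4. Emitted as text rather than executed so they can be reviewed off the
# router; pipe the output into `sh` on the device.
uci_commands_for() {
    gua=$1; section=$2; port=$3
    printf '%s\n' \
        "uci set firewall.$section.dest_ip='$gua'" \
        "uci set firewall.$section.dest_port='$port'" \
        "uci commit firewall" \
        "/etc/init.d/firewall reload"
}

# haproxy_bind_sed GUA
# sed expression that rewrites an existing `bind [addr]:443` line to the new
# GUA (the one-line substitution the poster put in the haproxy init script).
# Only the address between the brackets is replaced; ssl/crt options after the
# port are untouched.
haproxy_bind_sed() {
    printf 's/^\\([[:space:]]*bind \\[\\)[0-9A-Fa-f:]*\\(]:443\\)/\\1%s\\2/' "$1"
}

# Stand-alone demo on the constructed sample. On the router replace
# "$SAMPLE_IP6_OUTPUT" with "$(ip -6 addr show dev br-lan)".
if gua=$(extract_gua "$SAMPLE_IP6_OUTPUT"); then
    printf '# current GUA on br-lan: %s\n' "$gua"
    uci_commands_for "$gua" haproxy6 8096
    printf "sed -i '%s' /etc/haproxy/haproxy.cfg\n" "$(haproxy_bind_sed "$gua")"
else
    printf 'no GUA on br-lan yet; leaving the redirect unchanged\n' >&2
fi
```

Run it from a hotplug script (e.g. on an ifup/ifupdate of the lan interface) rather than only at firewall restart, since that is when the delegated prefix actually changes; the exit status of `extract_gua` is what keeps a prefix-less interface from wiping the rule.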