pfSense and HAproxy config for TP-Link Omada SDN Controller v5

Here’s how to set up pfSense and HAproxy as a reverse proxy for the Omada SDN Controller by TP-Link. This should work with version 5 of the SDN Controller, the most recent release as of the date of this post.

Omada Controller Settings

Log into your Omada management page and then navigate to Settings > Controller. Under the section heading “Access Config”, disable “Redirect HTTP to HTTPS”.

HAproxy Backend Settings

Log into pfSense and then add the HAproxy backend settings for the Omada server. The default HTTPS port number for Omada is 8043. Check the box for “Encrypt(SSL)”. It should look like this:

HAproxy Frontend Settings

Access Control Lists

Set up your frontend for the Omada server with the following two ACLs. The first matches the bare hostname exactly; the second is a regular expression that also accepts an optional port suffix, which is needed for the Location header rewrite below.

First ACL:
Name: omada-acl
Expression: Custom acl
Value: var(txn.txnhost) -m str -i omada.yourdomain.com

Second ACL:
Name: omada_rwt-acl
Expression: Custom acl
Value: var(txn.txnhost) -m reg -i ^omada\.yourdomain\.com(:([0-9]){1,5})?$

Your two ACLs should look like this:

Actions

Next, add the following frontend Actions for the Omada server. The first action captures the Host header into the txn.txnhost variable that the ACLs test; the two header-set actions pin the Host header to port 8043 so the backend sees the port it expects; the response action rewrites any 8043 in a redirect Location back to 443 so the browser stays on the proxy.

Action 1:
Action: Custom
customaction: http-request set-var(txn.txnhost) hdr(host)

Action 2:
Action: http-request header set
Condition acl names: omada_rwt-acl
name: host
fmt: omada.yourdomain.com:8043

Action 3:
Action: http-request header set
Condition acl names: omada-acl
name: host
fmt: omada.yourdomain.com:8043

Action 4:
Action: http-response header replace value
Condition acl names: omada_rwt-acl
name: location
find: 8043
replace: %[hdr(location),regsub(8043,443)]

Action 5:
Action: Use Backend
Condition acl names: omada-acl
backend: omada

Your Actions should look like this:

Additional Reference

For additional reference, here’s the resulting section of haproxy.cfg:

frontend https
        bind *:443 ssl crt /etc/haproxy/certs/
        mode http
        option httplog
        option forwardfor
        http-request set-header X-Forwarded-Proto https
        http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
        http-response set-header Referrer-Policy no-referrer-when-downgrade
        
        #OMADA
        acl omada-acl var(txn.txnhost) -m str -i OMADA.YOURDOMAIN.COM
        acl omada_rwt-acl var(txn.txnhost) -m reg -i ^OMADA\.YOURDOMAIN\.COM(:([0-9]){1,5})?$
        http-request set-var(txn.txnhost) hdr(host)
        http-request set-header host OMADA.YOURDOMAIN.COM:8043 if omada-acl omada_rwt-acl
        http-response replace-value location 8043 %[hdr(location),regsub(8043,443)] if omada_rwt-acl
        use_backend bk_omada if omada_rwt-acl
        
backend bk_omada
        server OMADA 192.168.1.2:8043 ssl verify none
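To check what the ACLs and actions above actually do to headers before putting them in front of a controller, here is an added Python model of the frontend logic (example code written for this page, not part of the pfSense or HAproxy configuration). It assumes the page’s placeholder host omada.yourdomain.com, escapes the dots in the regex as the haproxy.cfg listing does, and follows the UI actions, where either ACL triggers the Host rewrite; the header dicts it works on are constructed samples with lower-case header names.

```python
import re

# Constructed to mirror the page's two ACLs; omada.yourdomain.com is the page's placeholder.
HOST = "omada.yourdomain.com"
BACKEND_PORT = 8043          # Omada's default HTTPS port
FRONTEND_PORT = 443          # port the HAproxy frontend listens on
HOST_RE = re.compile(r"^omada\.yourdomain\.com(:([0-9]){1,5})?$", re.IGNORECASE)


def omada_acl(txnhost: str) -> bool:
    """acl omada-acl var(txn.txnhost) -m str -i omada.yourdomain.com
    Case-insensitive exact match: a Host header carrying a port does NOT match."""
    return txnhost.lower() == HOST


def omada_rwt_acl(txnhost: str) -> bool:
    """acl omada_rwt-acl var(txn.txnhost) -m reg -i ^omada\\.yourdomain\\.com(:([0-9]){1,5})?$
    Same host with an optional :port suffix of 1-5 digits; the escaped dots keep
    look-alike names such as omadaXyourdomain.com from matching."""
    return HOST_RE.match(txnhost) is not None


def rewrite_request(headers: dict) -> dict:
    """Request path: set-var(txn.txnhost) hdr(host), then the two
    'http-request header set' actions pin Host to omada.yourdomain.com:8043."""
    out = dict(headers)
    txnhost = out.get("host", "")
    if omada_acl(txnhost) or omada_rwt_acl(txnhost):
        out["host"] = f"{HOST}:{BACKEND_PORT}"
    return out


def rewrite_response(headers: dict, txnhost: str) -> dict:
    """Response path: 'replace-value location 8043 %[hdr(location),regsub(8043,443)]'
    only fires when omada_rwt-acl matched and Location contains 8043. regsub without
    the 'g' flag behaves like sed s/8043/443/: only the first occurrence changes."""
    out = dict(headers)
    loc = out.get("location")
    if loc is not None and omada_rwt_acl(txnhost) and re.search(str(BACKEND_PORT), loc):
        out["location"] = re.sub(str(BACKEND_PORT), str(FRONTEND_PORT), loc, count=1)
    return out


if __name__ == "__main__":
    req = rewrite_request({"host": "omada.yourdomain.com"})
    resp = rewrite_response({"location": f"https://{HOST}:8043/login"}, "omada.yourdomain.com")
    print(req["host"], "->", resp["location"])
```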
