pfSense and HAproxy config for TP-Link Omada SDN Controller v5


Here’s how to setup pfSense and HAproxy for the Omada SDN Controller by TP-Link. This should work on the most recent version 5 of the SDN as of the date of this post.

Omada Controller Settings

Log into your Omada management page and then navigate to Settings>Controller. Under the section heading “Access Config”, disable Redirect HTTP to HTTPS“.

HAproxy Backend Settings

Log into pfSense and then add the HAproxy backend settings for the Omada server. The default https port number for Omada is 8043. Check the box for “Encrypt(SSL)”. It should look like this:

HAproxy Frontend Settings

Access Control Lists

Setup your frontend for the Omada server with the following ACLs:

Name: omada-acl
Expression: Custom acl
Value: var(txn.txnhost) -m str -i
Name: omada_rwt-acl
Expression: Custom acl
Value: var(txn.txnhost) -m reg -i ^[0-9]){1,5})?$

Your two ACLs should look like this:


Next, add the following frontend Actions for the Omada server:

Action: Custom
customaction: http-request set-var(txn.txnhost) hdr(host)
Action: http-request header set
Condition acl names: omada_rwt-acl
name: host
Action: http-request header set
Condition acl names: omada-acl
name: host
Action: http-response header replace value
Condition acl names: omada_rwt-acl
name: location
find: 8043
replace: %[hdr(location),regsub(8043,443)]
Action: Use Backend
Condition acl names: omada-acl
backend: omada

Your Actions should look like this:

Additional Reference

For additional reference, here’s the code for haxproxy.cfg:

frontend https
        bind *:443 ssl crt /etc/haproxy/certs/
        mode http
        option httplog
        option forwardfor
        http-request set-header X-Forwarded-Proto https
        http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
        http-response set-header Referrer-Policy no-referrer-when-downgrade
        acl omada-acl var(txn.txnhost) -m str -i OMADA.YOURDOMAIN.COM
        acl omada_rwt-acl var(txn.txnhost) -m reg -i ^OMADA\.YOURDOMAIN\.COM(:([0-9]){1,5})?$
        http-request set-var(txn.txnhost) hdr(host)
        http-request set-header host OMADA.YOURDOMAIN.COM:8043 if omada-acl omada_rwt-acl
        http-response replace-value location 8043 %[hdr(location),regsub(8043,443)] if omada_rwt-acl
        use_backend bk_omada if omada_rwt-acl
backend bk_omada
        server OMADA ssl verify none


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.