traefik+pfsense: real IPv6 client IPs via HAProxy PROXY-v2 bridge

Replace the pfSense socat IPv6 forwarder (which masked every IPv6 client
as 10.0.20.1) with a standalone HAProxy bridge using send-proxy-v2, so
real IPv6 client IPs reach Traefik/CrowdSec. Traefik now trusts PROXY-v2
only from 10.0.20.1 on the web/websecure entrypoints; real IPv4 clients
(ETP=Local, own source IP) are unaffected. Mail-over-IPv6 routed through
the mail NodePorts (send-proxy-v2) too. Bridge is TCP/h2 only (no QUIC
over IPv6). Persistence on pfSense: rc.d/ipv6proxy + ipv6_proxy.sh
(config.xml shellcmd), keeping the nginx-off-[::] patch.

Also fixes stale networking.md: Traefik was still documented on the
shared .200; it moved to dedicated .203/ETP=Local on 2026-05-30.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-05-30 09:51:23 +00:00
parent 16c9aafafa
commit e9046e5a26
4 changed files with 67 additions and 3 deletions


@ -130,6 +130,9 @@ resource "helm_release" "traefik" {
}
}
}
proxyProtocol = {
trustedIPs = ["10.0.20.1"]
}
}
websecure = {
port = 8443
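Review bot: the `proxyProtocol` block added to the first entrypoint (the `web` one, given the `websecure` block that follows) carries no comment, whereas the identical `trustedIPs = ["10.0.20.1"]` block further down explains why 10.0.20.1 is trusted; a one-line pointer here ("see websecure below: pfSense HAProxy IPv6 bridge") would stop a later reader from treating this as an unexplained trust of the LAN gateway. Since the same literal now appears twice, consider hoisting it into a single `locals` value so the two entrypoints cannot drift apart when the bridge address changes.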
@ -147,6 +150,13 @@ resource "helm_release" "traefik" {
enabled = true
advertisedPort = 443
}
# Accept PROXY-v2 ONLY from the pfSense HAProxy IPv6 bridge (10.0.20.1)
# so IPv6 clients (forwarded [2001:470:6e:43d::2] -> here) get their real
# IP for CrowdSec. Real IPv4 clients arrive with their own source IP
# (ETP=Local, not 10.0.20.1) and are unaffected.
proxyProtocol = {
trustedIPs = ["10.0.20.1"]
}
}
whisper-tcp = {
port = 10300
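Review bot: the `http3` block directly above this change keeps `enabled = true` / `advertisedPort = 443`, so Traefik will still send an Alt-Svc h3 hint to IPv6 clients that arrive through the bridge, yet the commit message states the bridge is TCP/h2 only with no QUIC over IPv6; those clients will attempt a UDP/443 connection that nothing answers and fall back to TCP, which costs a round of connection attempts per client. Either document that fallback as accepted in the comment block, or note where QUIC over IPv6 is blocked so the behaviour is explicit. The comment also asserts that IPv4 clients keep their own source IP because of `ETP=Local`, but `externalTrafficPolicy` is set on the Service, not in this hunk; a reference to where it lives would make the claim checkable from the file.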