Hassio not responding to requests from reverse proxy in different subnet

I can successfully route both directions via the cli, however home assistant (192.168.2.149) refuses to respond on 8123 if the request comes from my haproxy instance (10.20.192.1). Ping works both ways no problems, I can reach haproxy’s service ports with netcat from home assistant, and my ip_bans.yaml file is empty. Requests directly from the 192.168.2.0/24 network work fine.

I’ve verified with tcpdump that the request is being sent to the home assistant, and I have tried adjusting the “trusted_proxies” to both the specific haproxy address being used and the entire 10.20.192.0/24 network.

17:08:33.853866 IP 10.20.192.1.42678 > 192.168.2.149.8123: Flags [S], seq 2183108041, win 64860, options [mss 1380,sackOK,TS val 41961803 ecr 0,nop,wscale 7], length 0

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.2.0/24
    - 10.20.192.0/24
  ip_ban_enabled: false
  login_attempts_threshold: 5

I gave up and turned on masquerading. Even though when I ssh into the hassio box it has no trouble routing to my 10.20.192 subnet, seems like http can’t handle the proxy being in a different subnet/it blocks it