pfSense behind Traefik
-
I have a single Docker server running a number of containers that are all running in bridge mode (share host IP, have their own ports).
I use Traefik as a proxy server so each container can have its own URL that maps directly to the specific port it is running on in the Docker server. I also do SSL termination on Traefik.
Traefik sits in front of pfSense and is supposed to be passing along the client IP (X-Forwarded-For and X-Real-IP), and according to whoami it is. The issue is that it seems pfSense is not (or maybe can't) block based on X-Forwarded-For or X-Real-IP. Is this correct? Has anyone set up pfSense behind Traefik or some other proxy server? Is there a different way of doing this?
Here is a picture of what is happening
-
@atxcoder you need a Web Application Firewall (WAF) to do that; pfSense FW rules block at the IP layer. X-Real-IP is application layer. The traffic is allowed because it came from 10.0.10.4.
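The layer distinction made in the reply above, as an added example that is not part of the original thread: an IP-layer rule sees only the TCP peer address, while an application-layer check can read X-Forwarded-For, and should honour it only when the peer is the trusted proxy. The function names and the blocked range are constructed for illustration, and 10.0.10.4 is assumed to be Traefik's address.

```python
import ipaddress

# Assumption: 10.0.10.4 (the source address named in the thread) is Traefik.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.10.4/32")]
# Constructed blocklist using a documentation range (TEST-NET-3).
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def packet_filter_allows(peer_ip):
    """IP-layer view: only the TCP peer address is visible to the rule."""
    return not in_any(ipaddress.ip_address(peer_ip), BLOCKED)


def effective_client_ip(peer_ip, headers):
    """Application-layer view of who the client is.

    X-Forwarded-For is read only when the TCP peer is a trusted proxy,
    because any client can send the header itself. The list is walked
    right to left and the first hop that is not a trusted proxy is
    returned. Returns None when a hop cannot be parsed.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not in_any(peer, TRUSTED_PROXIES):
        return peer  # header is client-controlled here, so ignore it
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer  # no usable hop: the proxy itself is the client


def app_layer_allows(peer_ip, headers):
    client = effective_client_ip(peer_ip, headers)
    if client is None:
        return False  # fail closed on a malformed header from the proxy
    return not in_any(client, BLOCKED)
```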