Netgate Discussion Forum

    PFSense + Nginx Reverse Proxy : can't see real visitors IP

    • notarobot

      Hello everyone,

      I have a problem that I think may come from a misconfiguration of pfSense.
      I host my services on my network through an Nginx reverse proxy and everything is working fine. pfSense NAT sends all requests on ports 443 and 80 to the reverse proxy; all is good.
      The only problem is the IP I see in my logs is always the pfSense address and not the real one from visitors.

      Can someone help me understand what's wrong here?

      • kiokoman

        haproxy ?
        backend / advanced settings / Transparent ClientIP

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • notarobot

          I'm using Nginx and for now I want to continue using it, but thanks for your input!

          • kiokoman

            ah I hadn't read well

            if you are only natting then there is nothing on pfSense side to do
            the real ip is already sent to your nginx proxy

            maybe you need to configure something on nginx to forward the real ip

            https://www.digitalocean.com/community/questions/nginx-reverse-proxy-ip-forwarding
            https://www.digitalocean.com/community/questions/how-do-i-forward-client-ip-instead-of-proxy-ip-in-nginx-reverse-proxy
            https://rtcamp.com/tutorials/nginx/forwarding-visitors-real-ip/

            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            • notarobot

              The address that arrives at Nginx in the first place is the one of the router, so it's wrong.

              Nginx is then correctly configured to transmit this to the various web apps.

              • notarobot

                It's ok, I just had to deactivate two of my NAT outbound rules and it's working now!

                • R0GGER @notarobot

                  @notarobot
                  I have the same issue... Do you have a bit more details about what you've changed in pfsense? And where?

                  • stephenw10 Netgate Administrator

                    This would only happen if the internal interface has a gateway defined on it. Normally that should never be the case but sometimes both interfaces will be DHCP, in AWS for example.

                    Outbound NAT in its default automatic mode will NAT to the interface IP traffic leaving any interface that has a gateway. If that is the case either switch to hybrid mode and add a do-not-NAT rule to prevent it or switch to manual mode and remove the rules on that interface.

                    Steve

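The `X-Forwarded-For` advice and the outbound NAT explanation above, combined in an added example (not code from the thread, nginx or pfSense): how an application behind the reverse proxy should choose the client address from the header while trusting only the proxy, and why no header setting helps as long as the firewall source-NATs inbound traffic. All addresses and the names `TRUSTED_PROXIES`, `is_trusted` and `client_ip` are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed addresses for illustration (not taken from the thread).
NGINX_PROXY = "192.168.1.10"   # assumed address of the nginx reverse proxy
FIREWALL_LAN = "192.168.1.1"   # assumed pfSense LAN address
TRUSTED_PROXIES = [ipaddress.ip_network(NGINX_PROXY + "/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Pick the address a backend should log for one request."""
    # Headers from a peer that is not our proxy are client-controlled: ignore.
    if not is_trusted(peer_addr, trusted):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = peer_addr
    # nginx's $proxy_add_x_forwarded_for appends its own $remote_addr on the
    # right, so walk right to left and stop at the first untrusted hop.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we validated
        candidate = hop
        if not is_trusted(hop, trusted):
            break
    return candidate


def demo():
    return {
        # Normal case: nginx saw the visitor and appended its address.
        "normal": client_ip(NGINX_PROXY, "203.0.113.7"),
        # Visitor sent its own X-Forwarded-For; only the rightmost hop counts.
        "client_supplied": client_ip(NGINX_PROXY, "10.9.9.9, 203.0.113.7"),
        # Request that did not come through the proxy: header is ignored.
        "direct": client_ip("198.51.100.9", "203.0.113.7"),
        # Thread's symptom: firewall source-NATs, so nginx only ever sees it.
        "source_natted": client_ip(NGINX_PROXY, FIREWALL_LAN),
    }


if __name__ == "__main__":
    for case, addr in demo().items():
        print(f"{case:16} -> {addr}")
```

In the `source_natted` case the header is handled correctly and still carries the firewall's address, so the change has to be made in the outbound NAT rules rather than in nginx.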
                    • R0GGER @stephenw10

                      @stephenw10

                      Thanks for your answer...
                      I am already using "Hybrid Outbound NAT rule generation", but how do I create a "do-not-NAT rule" and what settings should I choose?

                      • stephenw10 Netgate Administrator

                        Like any rule; match the traffic you need, traffic to not NAT here, then set the 'do not NAT' option.
                        https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#disabling-outbound-nat

                        Here you probably don't want to NAT anything leaving the LAN so your rule can be source: any, destination: LANnet or similar.

                        Steve
