PFSense + Nginx Reverse Proxy : can't see real visitors IP

notarobot · Nov 13, 2020, 11:47 AM

Hello everyone,

I have a problem that I think may come from a misconfiguration of PFsense.
I host my services on my network through a Nginx Reverse Proxy and everything is working fine. PFSense NAT send all requests on ports 443 and 80 to the Reverse Proxy all is good.
The only problem is the IP I see in my logs is always the PFSense adress and not the real on from visitors.

Can someone help me understand what's wrong here ?

kiokoman · Nov 13, 2020, 12:29 PM

haproxy ?
backend / advanced settings / Transparent ClientIP

notarobot · Nov 13, 2020, 12:34 PM

I'm using Nginx and for now I want to continue using it but thanks for you input !

kiokoman · Nov 13, 2020, 12:49 PM

ah I hadn't read well

if you are only natting then there is nothing on pfSense side to do
the real ip is already sent to your nginx proxy

maybe you need to configure something on nginx to forward the real ip

https://www.digitalocean.com/community/questions/nginx-reverse-proxy-ip-forwarding
https://www.digitalocean.com/community/questions/how-do-i-forward-client-ip-instead-of-proxy-ip-in-nginx-reverse-proxy
https://rtcamp.com/tutorials/nginx/forwarding-visitors-real-ip/

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

notarobot · Nov 13, 2020, 1:02 PM

The adress that arrives to Nginx in the first place is the one of the router so it's wrong.

Nginx is then correctly configured to transmit this to the various web apps.

notarobot · Jan 7, 2021, 9:55 AM

It's ok I just had to deactivate to of my NAT outbound rules and it's working now !

R0GGER · Jan 7, 2021, 9:56 AM

@notarobot
I have the same issue... Do you have a bit more details about what you've changed in pfsense? And where?

stephenw10 · Jan 9, 2021, 6:54 PM

This would only happen if the internal interface has a gateway defined on it. Normally that should never be the case but sometimes both interfaces with be DHCP, in AWS for example.

Outbound NAT in it's default automatic mode with NAT to the interface IP traffic leaving any interface that has a gateway. If that is the case either switch to hybrid mode and add a do-not-NAT rule to prevent it or switch to manual mode and remove the rules on that interface.

Steve

R0GGER · Jan 30, 2021, 10:26 PM

@stephenw10

Thanks for your answer...
I am already using "Hybrid Outbound NAT rule generation", but how do I create a "do-not-NAT rule" and what settings should I choose?

stephenw10 · Jan 31, 2021, 1:19 PM

Like any rule; match the traffic you need, traffic to not NAT here, then set the 'do not NAT' option.
https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#disabling-outbound-nat

Here you probably don't want to NAT anything leaving the LAN so your rule can be source: any, destination: LANnet or similar.

Steve