Netgate Discussion Forum

PFSense + Nginx Reverse Proxy : can't see real visitors IP

General pfSense Questions
  • N
    notarobot
    last edited by Nov 13, 2020, 11:47 AM

    Hello everyone,

    I have a problem that I think may come from a misconfiguration of pfSense.
    I host my services on my network through an Nginx Reverse Proxy and everything is working fine. pfSense NAT sends all requests on ports 443 and 80 to the Reverse Proxy; all is good.
    The only problem is the IP I see in my logs is always the pfSense address and not the real one from visitors.

    Can someone help me understand what's wrong here ?

    • K
      kiokoman LAYER 8
      last edited by Nov 13, 2020, 12:29 PM

      haproxy ?
      backend / advanced settings / Transparent ClientIP

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • N
        notarobot
        last edited by Nov 13, 2020, 12:34 PM

        I'm using Nginx and for now I want to continue using it, but thanks for your input!

        • K
          kiokoman LAYER 8
          last edited by kiokoman Nov 13, 2020, 12:49 PM Nov 13, 2020, 12:44 PM

          ah I hadn't read well

          if you are only natting then there is nothing on pfSense side to do
          the real ip is already sent to your nginx proxy

          maybe you need to configure something on nginx to forward the real ip

          https://www.digitalocean.com/community/questions/nginx-reverse-proxy-ip-forwarding
          https://www.digitalocean.com/community/questions/how-do-i-forward-client-ip-instead-of-proxy-ip-in-nginx-reverse-proxy
          https://rtcamp.com/tutorials/nginx/forwarding-visitors-real-ip/

          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


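How an application behind the proxy can consume the two headers from the post above without trusting client-supplied values, as an added example that is not part of the thread: `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent, so only the entries written by known proxies are reliable. The proxy address 192.168.1.10 and the function names are assumptions.

```python
import ipaddress

# Assumption: LAN address of the nginx reverse proxy (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, x_forwarded_for=None):
    """Return the client address an app behind the proxy should log.

    peer_addr: source address of the TCP connection to the app.
    x_forwarded_for: raw X-Forwarded-For header value, or None.
    """
    peer = ipaddress.ip_address(peer_addr)
    # The header only means something when the connection itself comes
    # from the proxy; any other sender can put arbitrary values in it.
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)

    # nginx appends $remote_addr to the header the client sent, so walk
    # from the right and stop at the first hop that is not our proxy.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing to its left can be trusted
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)
```

If pfSense rewrites the source address before nginx sees it, the header simply carries the firewall's address; the headers cannot recover an address that was lost upstream.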
          • N
            notarobot
            last edited by Nov 13, 2020, 1:02 PM

            The address that arrives to Nginx in the first place is the one of the router so it's wrong.

            Nginx is then correctly configured to transmit this to the various web apps.

            • N
              notarobot
              last edited by Nov 15, 2020, 11:32 AM

              It's ok, I just had to deactivate two of my NAT outbound rules and it's working now!

              • R
                R0GGER @notarobot
                last edited by R0GGER Jan 7, 2021, 9:56 AM Jan 7, 2021, 9:55 AM

                @notarobot
                I have the same issue... Do you have a bit more details about what you've changed in pfsense? And where?

                • S
                  stephenw10 Netgate Administrator
                  last edited by Jan 9, 2021, 6:54 PM

                  This would only happen if the internal interface has a gateway defined on it. Normally that should never be the case but sometimes both interfaces will be DHCP, in AWS for example.

                  Outbound NAT in its default automatic mode will NAT to the interface IP traffic leaving any interface that has a gateway. If that is the case either switch to hybrid mode and add a do-not-NAT rule to prevent it or switch to manual mode and remove the rules on that interface.

                  Steve

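A check for the symptom this thread describes, as an added example that is not from the thread: it reads nginx access-log lines in the default combined format and reports when every request arrives from one RFC 1918 address, which is what source NAT in front of the proxy produces. The log lines, addresses and function name are constructed for illustration.

```python
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in nginx's default "combined" log format.
NATTED_LOG = """\
192.168.1.1 - - [13/Nov/2020:11:40:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
192.168.1.1 - - [13/Nov/2020:11:40:09 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.1.1 - - [13/Nov/2020:11:41:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
HEALTHY_LOG = """\
203.0.113.7 - - [15/Nov/2020:11:35:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
198.51.100.24 - - [15/Nov/2020:11:35:09 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.1.50 - - [15/Nov/2020:11:36:30 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""


def source_nat_suspect(log_text, min_requests=3):
    """Return the single RFC 1918 address all requests came from, or None.

    $remote_addr is the first field of the combined format. One internal
    source for every request means something upstream rewrote the source.
    """
    sources = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            sources[ipaddress.ip_address(fields[0])] += 1
        except ValueError:
            continue  # not an access-log line
    if len(sources) != 1:
        return None
    (addr, count), = sources.items()
    if count >= min_requests and any(addr in net for net in RFC1918):
        return str(addr)
    return None
```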
                  • R
                    R0GGER @stephenw10
                    last edited by Jan 30, 2021, 10:26 PM

                    @stephenw10

                    Thanks for your answer...
                    I am already using "Hybrid Outbound NAT rule generation", but how do I create a "do-not-NAT rule" and what settings should I choose?

                    • S
                      stephenw10 Netgate Administrator
                      last edited by Jan 31, 2021, 1:19 PM

                      Like any rule; match the traffic you need, traffic to not NAT here, then set the 'do not NAT' option.
                      https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#disabling-outbound-nat

                      Here you probably don't want to NAT anything leaving the LAN so your rule can be source: any, destination: LANnet or similar.

                      Steve

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.