pfSense - nginx reverse proxy and WAN-LAN blocked connection



Hello all

I have been using pfSense for a while and it is just great. But the only thing I still can't figure out is how to make it work properly with a reverse proxy. This is my setup:

    Modem -> Router -> VLAN1 (172.x.y.z/24) -> WAN interface on pfSense
                |
                +---> VLAN2 (192.a.b.c/22) -> LAN interface on pfSense
                                            -> other LAN connections

The router forwards everything (DMZ zone) to the WAN interface of the pfSense box. The router also provides DHCP. DNS is provided by a LAN machine. The pfSense box has NAT rules for all the services sitting inside my LAN.

I configured a reverse proxy (1 public IP, different web domains served) on a specific LAN machine (for the record, I also tried with the HAProxy module loaded into pfSense, but I had the same issue I will outline below. And just to be clear, I do not block any private LAN traffic - RFC 1918 - and I also disabled the firewall rules on the same interface).

From outside my LAN I can easily connect to ANY domain I host without any problem (the reverse proxy works fine, the config is OK). BUT from inside my LAN, I cannot if I use the OUTSIDE DOMAIN name (I can't connect to machine1.domain.tld and machine2.domain.tld, but I can of course if I use machine1.domain.lan or machine2.domain.lan), since I get traffic from WAN to LAN blocked: "lock drop in log on ! em1" with the TCP:PA flag. Again, for the record, the DNS lookup works properly and returns my public address for machine1.domain.tld.

There is no way I can get rid of this rule. I tried with floating rules, clearing any flag, and any-to-any connections, but no luck.
I tried adding a WAN to LAN rule on specific ports (80 and 443) but no luck at all... so I'm really not sure why, and how I can have this sorted out.

Please note that I can't change the setup outlined above.

Is there any suggestion, or better, any direction you can point me to? FYI, my google-fu hasn't been so successful so far.

Thanks a lot for any feedback you can provide on this.

Cheers
GLuDeR
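The symptom described in the post (the outside names work from the Internet but not from the LAN, while the .lan names work) comes down to which address a LAN client gets back from DNS: a public address sends the client's connection out through the WAN interface and back in, a LAN address keeps it local. The following script is an added diagnostic written for this thread, not code from the poster or from the pfSense project. The hostnames, the 192.168.0.0/22 LAN range, the 172.16.5.0/24 WAN-side range and the 203.0.113.10 public address are constructed placeholders standing in for the post's 192.a.b.c/22, 172.x.y.z/24 and public IP.

```python
"""Classify DNS answers seen from inside the LAN.

A name that resolves to a public address from a LAN client will be reached
via the firewall's WAN side (a "hairpin"); a name that resolves to an address
inside the LAN networks is reached directly.  All sample data below is
constructed for illustration.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Tuple

# RFC 1918 private ranges (the post mentions not blocking RFC 1918 traffic).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Placeholder for the post's 192.a.b.c/22 LAN behind the pfSense LAN interface.
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/22")]

# Constructed sample: (hostname, address a LAN client received from DNS).
# 203.0.113.0/24 is a documentation range used here as a fake public IP.
SAMPLE_RESOLUTIONS: List[Tuple[str, str]] = [
    ("machine1.domain.tld", "203.0.113.10"),   # public IP -> goes out via WAN
    ("machine2.domain.tld", "203.0.113.10"),   # public IP -> goes out via WAN
    ("machine1.domain.lan", "192.168.1.10"),   # LAN address -> direct
    ("machine2.domain.lan", "192.168.1.20"),   # LAN address -> direct
    ("pfsense-wan.lan",     "172.16.5.1"),     # private, but on the WAN-side VLAN
]


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    """True if the address falls in any RFC 1918 range."""
    return any(ip in net for net in RFC1918)


def classify(hostname: str, resolved_ip: str,
             lan_networks: Iterable[ipaddress.IPv4Network]) -> str:
    """Return how a LAN client will reach `hostname` given the answer it got.

    'direct-lan'      - answer is inside one of the LAN networks
    'private-not-lan' - RFC 1918 address outside the LAN (e.g. the WAN-side VLAN)
    'hairpin-wan'     - public address: traffic leaves via WAN and must come back
    """
    ip = ipaddress.ip_address(resolved_ip)
    if any(ip in net for net in lan_networks):
        return "direct-lan"
    if is_rfc1918(ip):
        return "private-not-lan"
    return "hairpin-wan"


def report(resolutions: Iterable[Tuple[str, str]],
           lan_networks: Iterable[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Classify every (hostname, address) pair; returns hostname -> class."""
    lan = list(lan_networks)
    return {host: classify(host, addr, lan) for host, addr in resolutions}


def resolve_live(hostnames: Iterable[str]) -> List[Tuple[str, str]]:
    """Resolve names with the system resolver (run this from a LAN client).

    Names that fail to resolve are skipped.  Not used by the offline sample.
    """
    out = []
    for host in hostnames:
        try:
            out.append((host, socket.gethostbyname(host)))
        except socket.gaierror:
            pass
    return out


if __name__ == "__main__":
    for host, kind in report(SAMPLE_RESOLUTIONS, LAN_NETWORKS).items():
        print(f"{host:24s} {kind}")
```

Run it from a LAN client with `resolve_live([...])` in place of the constructed sample: every name reported as `hairpin-wan` is one whose traffic will show up on the pfSense WAN interface rather than staying on the LAN, which is the path the post's blocked connections are taking. In general, the two standard ways to keep such names working from inside are to have the internal DNS hand LAN clients the LAN address for those names, or to enable NAT reflection on the port forwards so the firewall handles the hairpin; which one applies here is for the thread to settle.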
