Netgate Discussion Forum

    Pfsense - nginx reverse proxy and WAN-LAN blocked connection

    Firewalling

    GLuDeR

      Hello all

      I have been using pfsense for a while and it is just great. But the only thing I still can't figure out is how to make it work properly with a reverse proxy. This is my setup:

      Modem -> Router -> VLAN1 (172.x.y.z/24) -> WAN interface on pfsense
                  |
                  '---> VLAN2 (192.a.b.c/22) -> LAN interface on pfsense
                                              -> other LAN connections

      Router forwards everything (DMZ zone) to the WAN interface of the pfsense box. Router also provides DHCP. DNS is provided by a LAN machine. pfsense box has NAT rules for all the services sitting inside my LAN.

      I configured a reverse proxy (1 public IP, different web domains served) on a specific LAN machine (for the record, I also tried with the HAProxy module loaded into pfsense, but I had the same issue I outline below. And just to be clear, I do not block any private LAN traffic (RFC 1918), and I also disabled firewall rules on the same interface).

      From outside my LAN I can easily connect to ANY domain I host without any problem (reverse proxy works fine, config is ok). BUT from inside my LAN, I cannot if I use the OUTSIDE DOMAIN name (can't connect to machine1.domain.tld and machine2.domain.tld, but I can of course if I use machine1.domain.lan or machine2.domain.lan), since I get traffic from WAN to LAN blocked: "block drop in log on ! em1" with TCP:PA flag. Again, for the record, the DNS lookup works properly and returns my public address for machine1.domain.tld.

      There is no way I can get rid of this rule. I tried with floating rules, clearing any flag, and any-to-any connections, but no luck.
      I tried adding a WAN-to-LAN rule on specific ports (80 and 443), but no luck at all... so I'm really not sure why, and how I can get this sorted out.

      Please note that I can't change the setup outlined above.

      Is there any suggestion, or better, any direction you can point me to? FYI, my google-fu hasn't been so successful so far.

      Thanks a lot for any feedback you can provide on this.

      Cheers
      GLuDeR

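A check for the block the post describes, added here as an example and not taken from the thread or from pfSense itself. The rule form "block drop in log on ! em1" is what pf prints for an expanded antispoof rule ("antispoof log for em1" becomes "block drop in log on ! em1 inet from <em1 net> to any", per pf.conf(5)): it matches packets that carry a source address from the em1 subnet but arrive on some other interface. That is what happens when a LAN client reaches the public address through the upstream router and the reply path re-enters pfSense on WAN. The script reads pf log text in the format that "tcpdump -ni pflog0 -e" prints and reports exactly those packets. The interface names (em1 = LAN, em0 = WAN), the 192.168.0.0/22 subnet and the three log lines are assumptions constructed for illustration, not data from the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports pf log entries whose source
# address lies in the LAN subnet but that arrived on an interface other than
# LAN, which is the condition an antispoof rule ("block drop in on ! em1 ...")
# matches. Interface names, subnet and sample log lines are assumptions.
#
# Usage: flag_lan_spoof LAN_IF LAN_NET PREFIXLEN < pflog_text
# Input lines are in the form printed by `tcpdump -ni pflog0 -e` on pfSense.
flag_lan_spoof() {
    awk -v lan_if="$1" -v lan_net="$2" -v plen="$3" '
    # dotted-quad IPv4 -> unsigned 32-bit integer
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # true if ip is inside net/plen; the network part is compared by integer
    # division so no bitwise operators are needed (not every awk has them)
    function in_net(ip, net, plen,   hostbits) {
        hostbits = 2 ^ (32 - plen)
        return int(ip2int(ip) / hostbits) == int(ip2int(net) / hostbits)
    }
    # "192.168.1.50.52214" or "192.168.1.50:" -> "192.168.1.50"
    function host_of(tok,   dots) {
        sub(/:$/, "", tok)
        dots = gsub(/\./, ".", tok)                 # gsub returns the dot count
        if (dots == 4) sub(/\.[0-9]+$/, "", tok)    # 4 dots means a port suffix
        return tok
    }
    $3 == "block" && $4 == "in" {
        iface = ""; src = ""; dst = ""; flags = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "on")    { iface = $(i + 1); src = $(i + 2); dst = $(i + 4) }
            if ($i == "Flags") { flags = $(i + 1); sub(/,$/, "", flags) }
        }
        sub(/:$/, "", iface); sub(/:$/, "", dst)
        if (iface != "" && iface != lan_if && in_net(host_of(src), lan_net, plen))
            printf "LAN source on %s: %s -> %s flags %s\n", iface, src, dst, flags
    }'
}

# Constructed sample, not a real capture. em0 is WAN, em1 is LAN (192.168.0.0/22).
# Line 1: a LAN client address arriving on WAN mid-stream (the hairpin case).
# Line 2: ordinary LAN traffic on the LAN interface (must not be reported).
# Line 3: an unrelated external address on WAN (must not be reported).
SAMPLE_PFLOG='rule 3/0(match): block in on em0: 192.168.1.50.52214 > 203.0.113.10.443: Flags [P.], seq 1:43, ack 1, win 502, length 42
rule 9/0(match): block in on em1: 192.168.1.50.52215 > 192.168.1.10.443: Flags [S], seq 0, win 64240, length 0
rule 3/0(match): block in on em0: 198.51.100.7.40000 > 203.0.113.10.443: Flags [S], seq 0, win 65535, length 0'

printf '%s\n' "$SAMPLE_PFLOG" | flag_lan_spoof em1 192.168.0.0 22
```

On a live box the input would come from "tcpdump -ni pflog0 -e" (or from a saved pflog capture) instead of the constructed sample. If the check reports LAN-sourced packets on the WAN interface, the blocked traffic is not WAN-to-LAN in the ordinary sense but the client's own connection coming back in through the router, and a pass rule on WAN will not help because antispoof is evaluated before the user rules. The two standard pfSense approaches for that situation are split DNS (host overrides in the DNS Resolver so that internal clients resolve the public names to the LAN addresses) or enabling NAT reflection on the port forwards so the hairpin stays inside pfSense; which one fits depends on whether the LAN DNS server mentioned in the post can be given the overrides.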
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.