PFSense + Nginx Reverse Proxy: can't see real visitors' IP
I have a problem that I think may come from a misconfiguration of PFsense.
I host my services on my network through an Nginx Reverse Proxy and everything is working fine. PFSense NAT sends all requests on ports 443 and 80 to the Reverse Proxy; all is good.
The only problem is the IP I see in my logs is always the PFSense address and not the real one from visitors.
Can someone help me understand what's wrong here?
backend / advanced settings / Transparent ClientIP
I'm using Nginx and for now I want to continue using it, but thanks for your input!
Ah, I hadn't read well.
if you are only natting then there is nothing on pfSense side to do
the real ip is already sent to your nginx proxy
maybe you need to configure something on nginx to forward the real ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
The address that arrives at Nginx in the first place is the one of the router, so it's wrong.
Nginx is then correctly configured to transmit this to the various web apps.
It's ok, I just had to deactivate two of my NAT outbound rules and it's working now!
I have the same issue... Do you have a bit more details about what you've changed in pfsense? And where?
This would only happen if the internal interface has a gateway defined on it. Normally that should never be the case, but sometimes both interfaces will be DHCP, in AWS for example.
Outbound NAT in its default automatic mode will NAT to the interface IP traffic leaving any interface that has a gateway. If that is the case, either switch to hybrid mode and add a do-not-NAT rule to prevent it, or switch to manual mode and remove the rules on that interface.
Thanks for your answer...
I am already using "Hybrid Outbound NAT rule generation", but how do I create a "do-not-NAT rule" and what settings should I choose?
Like any rule: match the traffic you need (here, the traffic to not NAT), then set the 'do not NAT' option.
Here you probably don't want to NAT anything leaving the LAN so your rule can be source: any, destination: LANnet or similar.
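A quick way to confirm the symptom from this thread in the proxy's own access log, added here as an example and not part of any post above: if nearly every request's client field is the firewall's LAN address (or some private address), outbound NAT is still rewriting the source of forwarded traffic. The log lines are constructed samples in nginx's default "combined" format and 192.168.1.1 is an assumed pfSense LAN address.

```shell
#!/bin/sh
# Added example: detect whether a reverse proxy's access log shows real
# visitor addresses or only the firewall's NAT address.
# Constructed sample log lines (nginx "combined" format). 192.168.1.1 is the
# assumed pfSense LAN IP, 10.0.0.5 an internal client, 203.0.113.7 an outside visitor.
SAMPLE_LOG='192.168.1.1 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.1.1 - - [10/Oct/2023:13:55:37 +0000] "GET /app HTTP/1.1" 200 1024 "-" "curl/8.0"
192.168.1.1 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /app HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"'

# masq_share <log-text> <firewall-ip>
# Integer percentage of requests whose client field is the firewall address.
# Near 100 means pfSense outbound NAT is hiding the real visitors.
masq_share() {
    printf '%s\n' "$1" | awk -v fw="$2" '
        NF { total++; if ($1 == fw) hidden++ }
        END { if (total == 0) print 0; else printf "%d\n", hidden * 100 / total }'
}

# private_share <log-text>
# Integer percentage of requests from RFC 1918 addresses. Useful when the
# firewall address is unknown: a public-facing proxy should see public clients.
private_share() {
    printf '%s\n' "$1" | awk '
        NF { total++
             if ($1 ~ /^10\./ || $1 ~ /^192\.168\./ || $1 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) priv++ }
        END { if (total == 0) print 0; else printf "%d\n", priv * 100 / total }'
}

# distinct_clients <log-text>
# Number of distinct client addresses; a single address across many requests
# is another sign of masquerading. Uses a counter, not gawk-only length(array).
distinct_clients() {
    printf '%s\n' "$1" | awk 'NF && !($1 in seen) { seen[$1] = 1; n++ } END { print n + 0 }'
}

share=$(masq_share "$SAMPLE_LOG" 192.168.1.1)
if [ "$share" -ge 90 ]; then
    echo "WARNING: $share% of requests carry the firewall address; check the outbound NAT rules for LAN (add a do-not-NAT rule)."
else
    echo "OK: $share% from firewall, $(private_share "$SAMPLE_LOG")% private, $(distinct_clients "$SAMPLE_LOG") distinct clients"
fi
```

Run it against the real file with `masq_share "$(cat /var/log/nginx/access.log)" <LAN-IP>` once the NAT rule is fixed; the percentage should drop and distinct clients should rise.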