Trouble with nginx (or me more likely)
-
I'm having an issue with accessing hosts behind pfSense that are being accessed through nginx proxy manager.
pf has several subnets on my network, WAN, LAN, and SECURE are the ones I'm dealing with for this issue.
I have a TrueNAS server on the LAN network that's hosting the proxy and it's serving a few hosts on itself and a few that are on other machines. As far as I can tell, NPM is working correctly.
I'm using host overrides in the DNS resolver for all the names I want to access via the pm.
I think the problem is probably my terrible lack of firewall rule knowledge. Here's what's weird. I can access all the hosts correctly from the SECURE network, but cannot get to any of them from the WAN or LAN networks.
WAN goes to an AT&T ONT. Its subnet is 192.168.1.0
LAN's subnet is 192.168.2.0
SECURE's subnet is 10.100.20.0
Edit: While writing this I changed the destination address of the WAN NAT rules to WAN address and now I can get to the hosts from outside the network (sort of), all of them but one work. I'll tackle that separately. One problem at a time.
Still can't seem to find a way to get clients on the same subnet to see the hosts. I feel like I'm on the cusp of something. I have NAT reflection off system wide, but in reading about pure NAT, the docs mentioned something about client and server being on the same network. So for those specific rules I turned on pure NAT and turned on Automatic Outbound NAT for Reflection.
If I'm missing pertinent info just ask and I'll provide what I can.
Appreciate all the help from here on past problems I've had. -
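The same-subnet case the post above turns on pure NAT and "Automatic Outbound NAT for Reflection" for, as an added model (not from this thread or from pfSense's code): it traces a LAN client's connection to the WAN address, the port forward onto NPM's published port 30022, and where the server's reply ends up with and without the source rewrite. The host addresses and the /24 masks are constructed on the subnets named in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses on the subnets named in the thread (/24 is an assumption).
WAN_ADDR = ipaddress.ip_address("192.168.1.10")   # pfSense WAN address behind the ONT
LAN_NET = ipaddress.ip_network("192.168.2.0/24")
LAN_GW = ipaddress.ip_address("192.168.2.1")      # pfSense LAN interface
SECURE_NET = ipaddress.ip_network("10.100.20.0/24")
NPM_HOST = ipaddress.ip_address("192.168.2.50")   # TrueNAS box running the NPM container
PORT_FORWARDS = {80: 30021, 443: 30022}           # WAN port -> port NPM publishes

@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int

def forward(flow, pure_nat, reflect_outbound_nat):
    """Apply the 'WAN address' port forward. Returns the flow the server sees,
    or None when no rule matches. Pure NAT lets the rule also catch traffic
    arriving on internal interfaces; outbound NAT for reflection rewrites the
    source to pfSense's own address when client and server share a subnet."""
    if flow.dst != WAN_ADDR or flow.dport not in PORT_FORWARDS:
        return None
    internal = flow.src in LAN_NET or flow.src in SECURE_NET
    if internal and not pure_nat:
        return None                       # reflection off: rule only sees WAN traffic
    src = flow.src
    if reflect_outbound_nat and flow.src in LAN_NET and NPM_HOST in LAN_NET:
        src = LAN_GW
    return Flow(src, flow.sport, NPM_HOST, PORT_FORWARDS[flow.dport])

def reply_reaches_client(flow, pure_nat, reflect_outbound_nat):
    """Trace the server's reply. The client expects it from WAN_ADDR:dport,
    which only happens if the reply passes back through pfSense."""
    seen = forward(flow, pure_nat, reflect_outbound_nat)
    if seen is None:
        return False
    if seen.src in LAN_NET and seen.src != LAN_GW:
        # Same subnet: the server answers the client directly from NPM_HOST:30022,
        # bypassing pfSense, so the reply matches no connection on the client.
        return False
    # Off-subnet client, or source rewritten to pfSense: the reply is routed back
    # through pfSense, which reverses both translations before delivery.
    return True

LAN_CLIENT = Flow(ipaddress.ip_address("192.168.2.20"), 51000, WAN_ADDR, 443)
SECURE_CLIENT = Flow(ipaddress.ip_address("10.100.20.20"), 51000, WAN_ADDR, 443)
```

A client on SECURE reaches the server through pfSense either way; only the LAN client, on the same subnet as the TrueNAS box, needs the source rewrite for the reply to come back via the firewall.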
-
@tknospdr Why do you NAT everything? If you do SplitDNS, you only need to NAT on the WAN... And what is the reason for not using the webports on NPM.
-
@tknospdr Let's say you can not use the webports for NPM for whatever reason. If you need to port forward everything, then I wouldn't use Split DNS at all. Instead, keep your port forwards but change the destination to your public IP on every rule, maybe with an FQDN-alias. You also don't need any NAT reflection for this to work. At least, if NPM isn't on LAN. I never would put my servers in my LAN.
-
@Bob-Dig said in Trouble with nginx (or me more likely):
@tknospdr Why do you NAT everything? If you do SplitDNS, you only need to NAT on the WAN... And what is the reason for not using the webports on NPM.
NPM is running inside a container on TrueNAS, its exposed ports are 30021 and 30022 mapping to 80 and 443 inside the instance. Hence I need to tell the internal networks what ports they actually need to head to.
@Bob-Dig said in Trouble with nginx (or me more likely):
@tknospdr Let's say you can not use the webports for NPM for whatever reason. If you need to port forward everything, then I wouldn't use Split DNS at all. Instead, keep your port forwards but change the destination to your public IP on every rule, maybe with an FQDN-alias. You also don't need any NAT reflection for this to work. At least, if NPM isn't on LAN. I never would put my servers in my LAN.
It might make the most sense to move the TN server onto a new "server only" subnet. I'll have to give it some thought.
In the meantime, I'd like to use split DNS rather than NAT, but it sounds like you're saying it just won't work. Is that right?
I thought I read in another thread on here that it does seem to work for some folks, but maybe it's due to the fact that I'm not using the standard ports. At this point I really just want to figure out why what I'm trying to do isn't working.
-
Alright, just to get things working I deleted the host overrides and pointed the port forwards to WAN address and now all is well.
But I'd be happier with split DNS rather than this solution.