5

My current setup includes a pfSense firewall which port forwards public WAN traffic to a NAT internal IP.

Example:

  • 104.12.134.12:80 (WAN IP) port forwards all traffic to 192.168.1.104:80

This is working as expected, traffic is forwarded on correctly. The issue I'm having is I see the local IP (i.e. pfSense router IP, in this case, 192.168.1.1) within Nginx logs.

I've searched and lots of articles suggest using real_ip module, and setting X-Forwarded-For header, but this doesn't work.

Notes:

  • The IP of my router differs from the IPs I'm port forwarding (this is intentional).
  • I don't own 104.12.134.12, this is just an example.
steadweb
  • Show your iptables line which does nat. – Ipor Sircer Dec 22 '16 at 01:18
  • 1
    Being pfSense, there's no iptables. If your router private IP shows in nginx logs, that's not a real-ip/proxying problem, but as @IporSircer suggests a NAT issue. How did you configure your port forwarding? – SYN Dec 22 '16 at 01:32
  • Is pfSense NAT the only thing in-between the WAN and server IP? Are you using the HAProxy module? – Gmck Dec 22 '16 at 04:34
  • @Gmck pfSense NAT is the only thing between WAN and server IP, there's no proxy between those. – steadweb Dec 22 '16 at 10:11
  • @SYN Port forwarding setup below. Interface: WAN Source address: * Source ports: * Dest. Addr: 104.12.134.12 Dest. Ports: 80/443 Nat IP: 192.168.1.100 NAT Ports: 80/443 – steadweb Dec 22 '16 at 10:15
  • http://imgur.com/a/VjDWy - I've blanked the real "Dest. Address" and "Description", but that's the setup. All rules are set to NAT Reflection enabled with NAT + Proxy. – steadweb Dec 22 '16 at 10:29

2 Answers

1

You should use the load balancing capability of pfSense to do this (as described here: https://www.howtoforge.com/how-to-use-pfsense-to-load-balance-your-web-servers) instead of a NATing rule.

You can define only one load balancing pool with only one server in it.

Besides, it will allow you to add nginx servers later if you need it.

Etienne J
1

This issue is now fixed.

My pfSense NAT outbound was configured incorrectly. I had both WAN and LAN mappings set up. Removing the LAN outbound mapping fixed it.

steadweb
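One way to confirm from the nginx side whether an outbound NAT mapping is still rewriting client addresses, as an added example that is not part of the original thread. The log lines are constructed, the /24 netmask for the LAN is an assumption based on the addresses in the question, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in nginx's default "combined" log format.
MASKED_LOG = """\
192.168.1.1 - - [22/Dec/2016:01:10:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.50.1"
192.168.1.1 - - [22/Dec/2016:01:10:09 +0000] "GET /a.css HTTP/1.1" 200 90 "-" "Mozilla/5.0"
192.168.1.1 - - [22/Dec/2016:01:11:30 +0000] "GET /login HTTP/1.1" 404 169 "-" "Mozilla/5.0"
"""
FIXED_LOG = """\
203.0.113.45 - - [22/Dec/2016:11:02:14 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.50.1"
198.51.100.7 - - [22/Dec/2016:11:02:20 +0000] "GET /a.css HTTP/1.1" 200 90 "-" "Mozilla/5.0"
192.168.1.50 - - [22/Dec/2016:11:03:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

def client_addresses(log_text):
    """Yield the $remote_addr (first field) of every parsable log line."""
    for line in log_text.splitlines():
        field = line.split(" ", 1)[0]
        try:
            yield ipaddress.ip_address(field)
        except ValueError:
            continue  # blank or malformed line, skip it

def source_nat_report(log_text, gateway, lan):
    """Summarise where requests appear to come from.

    gateway: the firewall's LAN address (192.168.1.1 in the question)
    lan:     the LAN network (assumed here to be 192.168.1.0/24)
    """
    gateway = ipaddress.ip_address(gateway)
    lan = ipaddress.ip_network(lan)
    counts = Counter(client_addresses(log_text))
    total = sum(counts.values())
    from_gateway = counts.get(gateway, 0)
    external = sum(n for ip, n in counts.items() if ip not in lan)
    # If the firewall shows up as a client and no address outside the LAN
    # is ever logged, forwarded traffic is being source-NATed on the way in.
    masked = from_gateway > 0 and external == 0
    return {"total": total, "from_gateway": from_gateway,
            "external": external, "masked": masked}

if __name__ == "__main__":
    for name, log in (("before fix", MASKED_LOG), ("after fix", FIXED_LOG)):
        print(name, source_nat_report(log, "192.168.1.1", "192.168.1.0/24"))
```

Run it against the real access log by passing the file's contents as `log_text`.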