Access reverse proxy on LAN from Guest network?

I have a Nginx reverse proxy running on the LAN network. I have created a Guest interface and redirected DNS and DHCP traffic via traffic rule, and it works great.

I host a few public services with a Nginx Proxy Manager (NPM) instance that is hosted in a VM on LAN subnet. I want devices on the Guest network to be able to access those services also. I can reach the proxied services through their DNS FQDN from WAN and LAN, but not from devices connected to the Guest interface.

I created a traffic rule that allows ports 80 and 443 from the guest interface to the reverse proxy VM's IP address, but the proxied services cannot be accessed. If I temporarily allow the NPM web interface port (81) in the firewall rule, I can access it from Guest using http://IPaddress:81.

What can be the issue here?

Edit the DNAT rule(s) you created to access the services from wan by adding lan and guest to the Reflection zones tab section.

Thanks for the reply. I can see the feature you describe is missing from my luci version. I'm on 22.03.2 and I see there is an update for luci-app-firewall. Until I schedule a full system upgrade of OpenWrt, is it safe to update luci-app-firewall?

Do NOT update anything. If you are not familiar with uci, open /etc/config/firewall using a text editor and add the following to the rules:

	list reflection_zone 'lan'
	list reflection_zone 'guest'

Alternatively post the result of uci show firewall.

It worked like a charm. Thank you!

Can it be done with luci?

It is available in the Advanced Settings tab of the DNAT rule since version 23.05.

Is this the one you are talking about?


I can't figure out a setting. I have two zones, one is lan (10.10.10.1-255) and the other is guest (10.10.12.1-255). The server is on 10.10.10.200 running a reverse proxy for services. Ports 80 and 443 of the router are forwarded to that server. What setting should I set to enable access to my websites? Because right now the whole world can access it but not my guest network.

What version do you have? I was on 22.03 and the Luci setting was not introduced until 23.05. If you have < 23.05 then you have to edit /etc/config/firewall as suggested above and it will work wonders.

So I just copy and paste

list reflection_zone 'lan'
list reflection_zone 'guest'

at the end of the file?

My version is 22.03, there is no option for reflection zones, but there is one on my dumb access point that is running 22.05, but due to a bug I can't upgrade to 22.05 for my main router.

Can you guide me: if I do this by editing /etc/config/firewall, all I have to do is paste this?

config rule 'xyz'
	list reflection_zone 'lan'
	list reflection_zone 'guest'

You must edit the redirect rule(s) by adding the reflection zones to each rule.
For example:

config redirect
	option src 'wan'
	option dest 'lan'
	option target 'DNAT'
	option name 'Some_name'
	list proto 'tcp'
	option src_dport '443'
	option dest_port '443'
	option dest_ip '192.168.1.92'
	list reflection_zone 'lan'
	list reflection_zone 'guest'
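As an added example (not code from this thread or from OpenWrt), here is a small Python script that applies the edit above to every DNAT redirect in a copy of /etc/config/firewall: it adds the requested reflection zones only where they are not already listed, leaves rule and other sections untouched, and is safe to run more than once. The sample config is constructed for the demonstration and is not any poster's real file.

```python
import re

# Constructed sample of /etc/config/firewall: a DNAT redirect without reflection
# zones, plus an ordinary rule section that must be copied through untouched.
SAMPLE_CONFIG = """config rule 'guest_to_proxy'
        option src 'guest'
        option target 'ACCEPT'

config redirect
        option src 'wan'
        option dest 'lan'
        option target 'DNAT'
        list proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.1.92'
"""

_SECTION_RE = re.compile(r"^\s*config\s+(\S+)")
_OPTION_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'?([^']*)'?\s*$")

def add_reflection_zones(config_text: str, zones: list[str]) -> str:
    """Append `list reflection_zone '<zone>'` to each DNAT redirect that lacks it;
    other sections are returned unchanged, and re-running is a no-op."""
    # Split into sections: each block starts at its 'config' line.
    blocks: list[list[str]] = [[]]
    for line in config_text.splitlines():
        if _SECTION_RE.match(line):
            blocks.append([])
        blocks[-1].append(line)
    for block in blocks:
        head = _SECTION_RE.match(block[0]) if block else None
        if not head or head.group(1) != "redirect":
            continue
        target, present, indent = "DNAT", set(), "\t"  # UCI redirects default to DNAT
        for line in block[1:]:
            m = _OPTION_RE.match(line)
            if not m:
                continue
            indent = line[: len(line) - len(line.lstrip())] or indent
            if m.group(2) == "target":
                target = m.group(3)
            elif m.group(2) == "reflection_zone":
                present.add(m.group(3))
        if target != "DNAT":
            continue
        end = len(block)  # insert before trailing blank lines to keep spacing
        while end > 1 and not block[end - 1].strip():
            end -= 1
        block[end:end] = [f"{indent}list reflection_zone '{z}'" for z in zones if z not in present]
    return "\n".join(line for b in blocks for line in b) + "\n"
```

Run it against a copy of the file and diff the result before writing it back; SNAT redirects and plain rules are skipped because reflection zones only apply to DNAT forwards.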
