My server is behind OpenWrt but for some reason i cannot get on my servers the client's real ip address

i have several nodejs and php applications (on a NGINX web server) on a server that is on a openwrt 20rc3 linksys wrt 3200acm router.
before it was always working, i got the proper REMOTE_ADDR and x-forwarded-for headers, but at some point it stopped working. is it some configurations in the port forwarding in the firewall or what?

please help!


1 Like

everything seems ok

basically in the nginx log it shows the router/the gateway ip address. which is weird. why it not shows the real ip address?

another weird is that in the error, you can see the valid client ip address:
2021/05/27 21:16:45 [error] 69414#69414: *313005 access forbidden by rule, client:, server:, request: "GET /wp-login.php HTTP/1.1", host: "", referrer: "

Did you upgrade or install anything? Did you have any config backups (via the System part of config UI) that you can check against?

nope, do not know exactly when it started going bad.

reference, similar problem:

Source address masquerading can be the result of a firewall SNAT rule:

  • LuCI > Network > Firewall > NAT Rules

what does it mean?

empty, no nat rule at all

iptables-save -c -t nat
Also run the opkg update; opkg install tcpdump; tcpdump -i any -evn tcp port 443 or tcp port 80 to capture some packets, stop with Ctrl-c after you have captured some.

1 Like

Detach the LAN network from the zone sygnusvpn and/or disable masquerading on that zone.

same result, it still thinks it is my router is the client ip, and because of this it always thinks i am in my local network and my domain that are secured by network/ip now all open because of this, given the client ip is instead of the real, so all domains open, so crazy.

ok, if i disable the sysgnusvpn zone it works, but the problem is i need to access that sygnusvpn on my lan.
how can i access the sygnusvpn on my lan and make it works with the remote_addr variable?

it was working both at once, why is it bad now?

Try this:

uci set firewall.@zone[3].masq_dest="!"
uci commit firewall
/etc/init.d/firewall restart

thanks so much!
it works now!
take care!
you are a GOD @vgaetera !

1 Like