Port forwarding 443 to internal Nginx uses wrong client IP

Greetings,
I'm using OpenWRT 24.10 and my network LAN is:
192.168.1.1 (OpenWRT) ---> PC (192.168.1.19)

I successfully port forwarded OpenWRT's 443 port to PC's 443 and all seems to work fine, except that Nginx (which is running on that PC) detects all HTTP(S) requests as "originated from 192.168.1.1" and not from the real external client's IP.

I would like to set up some Nginx rules based on internal or external IP, but if all requests have OpenWRT (192.168.1.1) as origin, it's not possible to do that.

On "Port forwarding" page --> "443" rule --> "Advanced settings" tab I already enabled:

  • "Enable NAT loopback"
  • Loopback source IP: "use external IP address"

I don't have any other NAT, firewall or strange settings: it's just OpenWRT default installation with only port 80 and 443 forwarded to that PC.

It seems not possible to let Nginx (installed on PC) see the real client's external IP...

Thx in advance.

Out of curiosity, why is this a problem?

Well, I said the reason: I would like to set up some Nginx rules based on internal or external client's IP.
I.e.:

  • to display a basic Authorization modal when a specific Domain/page is requested
  • to deny a Domain/page request if the client is external

I'm currently out of home, but if I read Nginx logs while I'm surfing my PC's webpages then all requests seem to originate from INSIDE my LAN and not from external.

At work (where I'm now), using Cisco router and firewalls, if someone points to our public IP at a specific port then the HTTP(S) request is port forwarded to my PC and my Nginx (installed on my working PC) correctly sees the external IP and not our router's one.

Can you share your current firewall config file, please?

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Nginx Reverse Proxy (80)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.19'
	option dest_port '80'
	option reflection_src 'external'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Nginx Reverse Proxy (443)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.19'
	option dest_port '443'
	option reflection_src 'external'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Why is this in your lan zone config?


:man_facepalming:

incredible, that's the solution!!
Now the Client IP detected by Nginx is the external one.

Thx!

(I don't know why, but I suppose it was set by default after OpenWRT installation... but if you asked me, then I may have set it incorrectly during one of my tries)

By default, masquerading is only active on the WAN interface.

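One way to catch this misconfiguration before it shows up in the Nginx logs, as an added example that is not from the thread or from the OpenWRT project: a small POSIX shell/awk check that lists every firewall zone with masquerading enabled and fails when any zone other than wan has it. The sample config is constructed to mirror the posted one, and the uci commands in the closing comment assume the stock layout where lan is the first zone section.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWRT /etc/config/firewall for
# zones that masquerade. SNAT belongs on the wan zone only; a stray "option masq '1'"
# on lan rewrites every forwarded client's source address to the router's LAN IP.

# Print the name of every zone whose masq option is '1', one per line.
masq_zones() {
    awk '
    function unq(s) { gsub(/^["'\'']|["'\'']$/, "", s); return s }
    function flush() { if (in_zone && masq == "1") print name; in_zone = 0; name = ""; masq = "" }
    /^config[ \t]+zone/ { flush(); in_zone = 1; next }
    /^config[ \t]/      { flush(); next }
    in_zone && $1 == "option" && $2 == "name" { name = unq($3) }
    in_zone && $1 == "option" && $2 == "masq" { masq = unq($3) }
    END { flush() }
    ' "$1"
}

# Return 1 and name the offenders if any zone other than wan masquerades.
check_lan_masq() {
    bad=$(masq_zones "$1" | grep -v '^wan$' || true)
    if [ -n "$bad" ]; then
        echo "masquerading enabled on non-wan zone(s): $bad" >&2
        return 1
    fi
    echo "ok: masquerading is limited to the wan zone"
}

# Constructed sample reproducing the poster's mistake: masq on both zones.
SAMPLE_FW=$(mktemp)
cat > "$SAMPLE_FW" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option masq '1'

config zone
    option name 'wan'
    list network 'wan'
    option masq '1'
    option mtu_fix '1'
EOF

# Flags 'lan'. On the router the fix is: uci delete firewall.@zone[0].masq
# (lan is the first zone in the posted config), uci commit firewall, then
# /etc/init.d/firewall restart.
check_lan_masq "$SAMPLE_FW" || true
```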