OPNsense Forum

English Forums => General Discussion => Topic started by: nickro on August 22, 2020, 03:14:04 PM

Title: Allow only Cloudflare IPs, doesn't work
Post by: nickro on August 22, 2020, 03:14:04 PM
I have double NAT which is working; 443 is forwarded to NGINX, which delivers some internal services.

The ISP router provides 192.168.0.2 to the WAN on OPNsense, and the other network adapter on OPNsense is for the local network 192.168.1.0/24.

I created an Alias with CF IPs from https://www.cloudflare.com/ips/, and I also added a GeoIP block rule, but it seems it doesn't block traffic. For example, I can see my mobile phone accessing nginx from a blocked address.

Now if I put the Cloudflare IPs as an alias in the NAT rule (marked in yellow), traffic doesn't pass no matter whether I am accessing via Cloudflare, so I had to add ALLOW ANY in SOURCES.

How can I secure my network so that only Cloudflare IPs are passed to NGINX on 443?

Picture of FW rules
EDIT: The Cloudflare CIDR was not correct.
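An added check, not from the original post or from OPNsense, that parses an alias list the way you would before loading it into the firewall: strict CIDR parsing catches the kind of mistyped range the edit mentions, a width check flags a prefix far wider than a CDN would own, and a source-match function shows which clients the alias would actually admit. The entries below are a constructed sample (two are deliberately bad); the real list must be fetched from the Cloudflare URL in the post.

```python
import ipaddress

# Constructed sample alias contents. The first entries mirror ranges
# published at https://www.cloudflare.com/ips/; always refresh from that
# URL rather than trusting this snapshot. The last two lines are
# deliberately bad to show what the checks catch.
ALIAS_LINES = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "2606:4700::/32",
    "104.16.0.1/13",  # host bits set: not a valid network, rejected
    "104.0.0.0/5",    # mistyped prefix (/5 instead of /13): far too wide
]


def parse_alias(lines):
    """Return (valid_networks, errors). strict=True rejects entries whose
    host bits are set, a common copy/paste mistake in alias lists."""
    nets, errors = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return nets, errors


def suspiciously_wide(nets, max_v4_prefix=8, max_v6_prefix=29):
    """Flag networks whose prefix is shorter than any CDN plausibly owns;
    the thresholds are assumptions chosen for this example."""
    return [n for n in nets
            if (n.version == 4 and n.prefixlen < max_v4_prefix)
            or (n.version == 6 and n.prefixlen < max_v6_prefix)]


def source_allowed(client_ip, nets):
    """Mirror the firewall decision: is the packet source inside the alias?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets)


def clean_alias(lines):
    """Valid networks with the suspiciously wide ones removed."""
    nets, _ = parse_alias(lines)
    wide = suspiciously_wide(nets)
    return [n for n in nets if n not in wide]
```

Run `parse_alias` and `suspiciously_wide` on the exported alias before applying it; with the `/5` typo left in, `source_allowed("110.1.1.1", nets)` is True even though that address is nowhere near Cloudflare.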