Help With nat and understanding FW rules and port forwarding. please

Started by av8r, April 24, 2024, 11:48:30 PM

I need help with understanding/configuring port forwarding with regards to using Caddy as reverse-proxy.

I have tried posting on Reddit but no luck, so hopefully all you smart people can educate me a little.

My OPNsense box lives on 192.168.1.0/24

My Proxmox server lives on .200 along with all my VMs, except for the Caddy server, which lives in an Ubuntu server VM on VLAN .10 (Proxmox is still the host).

I use Cloudflare as my DNS / domain name registrar and would like to only allow Cloudflare's IPs to access Caddy and then the services I want exposed using HTTPS.

I have followed every tutorial out there and read up on the documentation, but I'm not getting any smarter. I have concluded that it has to be my firewall rules, since the SSL handshake failed, but "browser" is working and "cloudflare" is working while "Host" gets an error.

The services I want to gain access to from outside my network are TrueNAS, Nextcloud and Immich so far.

- I only want Cloudflare IPs to be able to reach Caddy for reverse proxying
- I need Caddy, which lives on 192.168.10.10, to be able to get access to 192.168.200.1/24
- I would like to be able to use the "domain-name" from inside my network to gain access to these services as well.
- I would like to be able to have HTTPS behind Caddy as well.

I had this all working with Kemp LoadMaster, but since Kemp is throttled and you cannot update/patch Kemp's free version, I would like to switch over to Caddy.

I know there is a plugin on OPNsense, but in my head it is safer to have the reverse proxy on a separate VLAN, my servers/apps on a separate VLAN from the RP, and also the firewall on a separate VLAN.

Hopefully this makes (OPN)sense to some of you, and I would be very appreciative if you could help me get this set up correctly!!

I thought I had figured this out, but sadly that's not the case...

Hi,

you run a complex setup without having an idea what you're doing. I'd highly recommend getting familiar with basic network concepts (routes, gateways, traffic control, NAT) and not relying on too many "information" videos, which usually have a lot of unmentioned assumptions and preconditions.

The OPNsense docs point in their intro chapter towards other resources: https://docs.opnsense.org/intro.html

Quote
- I only want Cloudflare IPs to be able to reach Caddy for reverse proxying
- I need Caddy, which lives on 192.168.10.10, to be able to get access to 192.168.200.1/24
- I would like to be able to use the "domain-name" from inside my network to gain access to these services as well.
- I would like to be able to have HTTPS behind Caddy as well.

- Block all traffic on WAN (the default) and introduce a port forwarding for TCP 443 on the WAN IP towards Caddy. https://docs.opnsense.org/manual/nat.html
- Make sure you define a matching PASS rule for that kind of traffic between the respective network interfaces on OPNsense.
- Either use split DNS (different resolution within your network wrt public internet) or use NAT reflection. Very helpful doc on this already exists in the forum: https://forum.opnsense.org/index.php?topic=34925.0
- Regarding HTTPS I don't understand your question.
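As an added illustration that is not part of either post above, this is how the Caddy side of the plan could look once the WAN:443 port forward and pass rule exist: only Cloudflare's ranges may reach the vhosts, and Caddy talks HTTPS to the backends. The hostnames, backend addresses and IP ranges are constructed placeholders; Cloudflare's real ranges come from its published lists.

```caddyfile
# Added example Caddyfile, not from the thread. All addresses are placeholders.
# Reusable snippet: drop any connection whose source is not a Cloudflare edge.
(cloudflare_only) {
	@not_cloudflare {
		# CONSTRUCTED placeholder ranges. Replace with the current lists from
		# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
		not client_ip 203.0.113.0/24 198.51.100.0/24 2001:db8::/32
	}
	# Close the connection without a response; nothing is leaked to scanners.
	abort @not_cloudflare
}

# Placeholder hostnames; Caddy obtains public certificates for them itself.
nextcloud.example.com {
	import cloudflare_only
	# HTTPS to the backend VLAN (placeholder address in 192.168.200.0/24).
	# Caddy verifies the backend certificate, so it must be one Caddy trusts.
	reverse_proxy https://192.168.200.20
}

immich.example.com {
	import cloudflare_only
	reverse_proxy https://192.168.200.21
}

truenas.example.com {
	import cloudflare_only
	reverse_proxy https://192.168.200.22 {
		transport http {
			# For a self-signed backend, trust its CA explicitly instead of
			# disabling verification (placeholder path).
			tls_trusted_ca_certs /etc/caddy/internal-ca.pem
		}
	}
}
```

The client_ip restriction only filters what already reaches Caddy; the OPNsense WAN rule and the pass rule between the .10 and .200 VLANs still decide which traffic arrives at 192.168.10.10 in the first place.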