Unable to reach reverse proxy from WAN, everything working fine from LAN

Started by igordik, August 25, 2025, 05:37:33 AM

Hello everyone,

This is my first post here. I'm new to OPNsense and currently trying to migrate my network from pfSense.

I'm setting up OPNsense to expose a local web server to the outside world with TLS offloading. I've tried both Caddy and Nginx plugins and hit the same issue, so I suspect I'm missing something obvious in the general configuration rather than in the reverse proxy setup.

Both proxies work perfectly when accessed from the LAN: HTTP → HTTPS redirection, TLS offloading, and connecting to the upstream HTTP server in the local network all function as expected.
However, I cannot connect from the WAN at all. I can see the WAN pass rule being triggered in the firewall live view, but no connection is established.

**What I've done so far:**

1. Changed WebGUI to port 8433 and disabled HTTP redirect.
2. Added firewall rules to WAN: **PASS**, IPv4 TCP, from any to This Firewall on ports 80 and 443.
3. Followed the basic Caddy setup ([docs](https://docs.opnsense.org/manual/how-tos/caddy.html#standard-configuration)), except *General Settings → Disable certs* since I'm using a self-signed cert.
4. Also followed the basic Nginx setup ([forum guide](https://forum.opnsense.org/index.php?topic=19305.0)).

**How I test:**

From LAN:

1. Verified the domain resolves to the router's IP.
2. `curl -ikL http://domain.name` → gets a 308 redirect, then the actual website.
3. Confirmed the correct self-signed cert is served.

From WAN:

1. Same domain-resolution check (against the router's WAN interface IP).
2. `curl` just hangs and times out.
3. Firewall live view shows the rule for port 80 being triggered (green).
4. `sockstat -l | grep :80` on the router shows the correct service (Nginx or Caddy, depending on what's running).

I'm running out of ideas on what might be wrong and would really appreciate any help.

Thanks in advance!

I think I should describe my setup in more detail to avoid confusion.

Since this is a pfSense → OPNsense migration project, the OPNsense box is currently sitting inside my local network behind pfSense (pfSense LAN network).

- pfSense LAN network: 10.10.1.0/24
- OPNsense WAN IP: 10.10.1.99
- OPNsense LAN network: 10.20.1.0/24 (with LAN gateway 10.20.1.1)

When testing from LAN (behind OPNsense):

- My test machine gets an IP in the 10.20.1.xxx range from OPNsense.
- domain.name resolves either via OPNsense DNS (Unbound DNS overrides) or by the /etc/hosts file on the test machine.
  - Both `dig domain.name` and `ping domain.name` resolve to 10.20.1.1.

When testing from WAN (in front of OPNsense, behind pfSense):

- My test machine gets an IP in the 10.10.1.xxx range from pfSense.
- domain.name resolves either via pfSense DNS or the test machine's /etc/hosts.
  - Both `dig domain.name` and `ping domain.name` resolve to 10.10.1.99 (the OPNsense WAN IP).

The results of the connection tests I described in my original post still apply under this setup.
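Two things I would rule out before touching the proxy configuration again, given as an added example that is not part of the original posts: whether the listener is bound to the wildcard or to the WAN address at all (a listener bound only to the LAN IP usually gives a refused connection from the WAN rather than a hang), and whether the test client sits in the same subnet as the OPNsense WAN. The second matters because OPNsense applies reply-to to WAN rules by default, so the SYN-ACK is handed to the WAN gateway (pfSense here) instead of going straight back to a client on the same wire; a stateful firewall in front may drop that SYN-ACK, which looks exactly like "rule green, curl times out". The script is POSIX sh; the addresses are the ones from the post, the `sockstat -4 -l` output is a constructed sample in FreeBSD's column layout (assumed), and the subnet check assumes the /24 the post describes.

```shell
#!/bin/sh
# Added example, not code from the forum post. Offline checks for the two
# things to rule out when a WAN pass rule fires but the TCP handshake never
# completes. Addresses come from the post; the sockstat output below is a
# constructed sample in FreeBSD's `sockstat -4 -l` column layout (assumed).

WAN_IP="10.10.1.99"        # OPNsense WAN address (from the post)
WAN_NET_PREFIX="10.10.1."  # pfSense LAN is 10.10.1.0/24 (from the post); /24 assumed

# Constructed sample: proxy bound to the LAN IP only, WebGUI on the wildcard.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  6  tcp4   10.20.1.1:80          *:*
root     nginx      1234  7  tcp4   10.20.1.1:443         *:*
root     lighttpd   999   4  tcp4   *:8433                *:*'

# listens_on PORT ADDR
# Exit 0 if some TCP listener on PORT is bound to ADDR or to the wildcard.
# On the real box, replace SAMPLE_SOCKSTAT with the output of: sockstat -4 -l
listens_on() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | awk -v p="$1" -v a="$2" '
        $5 ~ /^tcp/ {
            n = split($6, part, ":")
            lport = part[n]
            laddr = substr($6, 1, length($6) - length(lport) - 1)
            if (lport == p && (laddr == "*" || laddr == a)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_bind PORT -> "ok" if the listener is reachable on the WAN address,
# "bound-elsewhere" if it only listens on some other address (from the WAN
# that typically shows up as a refused connection, not a timeout).
check_bind() {
    if listens_on "$1" "$WAN_IP"; then echo ok; else echo bound-elsewhere; fi
}

# check_client CLIENT_IP -> "same-subnet-as-wan" when the test client sits in
# the WAN's own subnet. With reply-to on the WAN rule (OPNsense default) the
# SYN-ACK is sent to the WAN gateway (pfSense) instead of straight back to the
# client; a stateful firewall there may drop it, so the SYN arrives (rule shows
# green) and curl times out. Disable reply-to on the rule (or globally under
# Firewall: Settings: Advanced), or test from a host beyond pfSense's WAN.
check_client() {
    case "$1" in
        "$WAN_NET_PREFIX"*) echo same-subnet-as-wan ;;
        *)                  echo remote ;;
    esac
}

# Example run for the setup in the post: LAN-bound listeners, client 10.10.1.50.
for port in 80 443; do
    echo "port $port: $(check_bind "$port")"
done
echo "client 10.10.1.50: $(check_client 10.10.1.50)"
```

On the box itself, feed real `sockstat -4 -l` output into `listens_on`, then watch the handshake with `tcpdump -eni <WAN interface> tcp port 80` while running the curl from the 10.10.1.x client: a SYN arriving from the client and a SYN-ACK leaving toward the gateway's MAC address instead of the client's is the reply-to signature.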