Port Forwarding not respecting Selected Sources
I have recently begun hosting my Nginx Proxy Manager and Uptime Kuma instances on my Firewalla itself within Docker. Since I did not want to potentially mess up the iptables rules, I used the Port Forwarding setting and set source/dest port 443 from my WAN to 192.168.5.1, the IP of the Firewalla in one of my VLANs. I then set the source to my Cloudflare IPs target list. Obviously without this port forward, I cannot reach my Nginx proxied sites or my Uptime Kuma instance externally.
The issue arises when, with my target list as the only selected source, you can still reach my port forwarded service outside of Cloudflare's IP range. If I do `http://my_ip:443` I am given a 400 response seen below from OpenResty (one of the components of Nginx Proxy Manager). This indicates the selected sources are not being respected.
For reference, here is the content of the target list:
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
And it can be found at https://cloudflare.com/ips-v4
-
When you are port forwarding, you can't port forward to firewalla itself, you will need to port forward to a device on the LAN. Is this what you are doing?
"...used the Port Forwarding setting and set source/dest port 443 from my WAN to 192.168.5.1, the IP of the Firewalla in one of my VLANs."
Is this a new firewalla?
-
Here is the port forward itself out of iptables:
Chain FW_PRERT_PORT_FORWARD (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:https to:192.168.5.1:443
And again, in the Firewalla app I set my personal Cloudflare IPs as a selected source for ingress. It does not appear to have respected that at all, given "source anywhere" in the iptables rule.
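As an added example (not from this thread and not Firewalla's own tooling), the check below parses a constructed `iptables -L` listing shaped like the one above, flags DNAT rules whose source column accepts any address, and tests whether a client IP falls inside the Cloudflare target list. Note that a DNAT rule in a PREROUTING chain is often paired with source filtering in a later filter chain, so an "anywhere" source here marks a rule to inspect rather than proving the restriction is absent.

```python
# Added example: audit a port-forward chain listing for source-unrestricted
# DNAT rules and check client addresses against the Cloudflare IPv4 list.
import ipaddress
import re

# Cloudflare IPv4 ranges as pasted in the post (https://cloudflare.com/ips-v4).
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18
108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17
162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
""".split()]

# Constructed sample of `iptables -L FW_PRERT_PORT_FORWARD` output, shaped
# like the listing in the thread: the DNAT rule matches "anywhere" as source.
SAMPLE_LISTING = """\
Chain FW_PRERT_PORT_FORWARD (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:192.168.5.1:443
"""

# Source values that match every address (hostname form and numeric forms).
ANY_SOURCE = {"anywhere", "0.0.0.0/0", "::/0"}


def unrestricted_dnat_rules(listing: str) -> list:
    """Return DNAT rules whose source column matches any address."""
    findings = []
    for line in listing.splitlines():
        cols = line.split()
        # Rule rows look like: target prot opt source destination [extra...]
        if len(cols) < 5 or cols[0] != "DNAT":
            continue
        _target, prot, _opt, src, _dst = cols[:5]
        if src in ANY_SOURCE:
            m = re.search(r"to:(\S+)", line)
            findings.append({"proto": prot, "source": src,
                             "forward_to": m.group(1) if m else None})
    return findings


def is_cloudflare(ip: str) -> bool:
    """True if ip lies within one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


if __name__ == "__main__":
    for f in unrestricted_dnat_rules(SAMPLE_LISTING):
        print(f"DNAT to {f['forward_to']} accepts source {f['source']}: "
              "check that a later chain enforces the selected sources")
    print(is_cloudflare("104.16.1.1"), is_cloudflare("198.51.100.7"))
```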