This guide addresses a problem with running TrueNAS Scale apps behind Nginx Proxy Manager: the proxy cannot listen on the default HTTP(S) ports because the TrueNAS web interface already uses them.
On an isolated TrueNAS instance it's possible to change the web interface ports so the Nginx proxy can use the HTTP(S) defaults, but that configuration interferes with other TrueNAS features like cloud sync and duplication.
Port forwarding may sound like the "obvious" solution, but there is a catch: when the client and server devices are connected to the same local network, no routing is involved, which means no port forwarding either.
The workaround is to create a loopback interface on the router and use its address as a "virtual" address for the server, which makes it possible to configure port forwarding.
The exact configuration steps vary by router manufacturer, so you need to do a bit of your own research, but considering most of them should use standard terminology, the following section describes the common procedure.
Property | Value | Comment |
---|---|---|
Local network | 192.168.1.0/24 | |
Router address | 192.168.1.1 | |
Server address | 192.168.1.254 | |
Webproxy port | 30021, 30022 | Defaults for Nginx proxy app |
Router LAN interface | eth1 | Might be irrelevant for some consumer-grade routers |
"Virtual" server address | 192.168.254.1 | Pick any address which does not collide with your existing networks |
Server hostname | truenas.lan | |
Everything is configured on the router only; you should not need to change anything on your server or client devices.
Replace the example values to match your configuration.
1. Create loopback interface

   Assign it the "virtual" server address 192.168.254.1/32.

2. Create static DNS record

   Add A record for truenas.lan targeting loopback address 192.168.254.1 and enable subdomain matching, either by some checkbox or by adding separate record with wildcard *.truenas.lan (depending on router model).

3. Create NAT rule rewriting packet destination

   This is redirecting communication from "virtual" to real server address and changing port number - effectively doing port forwarding.

   Property | Value | Comment |
   ---|---|---|
   Inbound interface | eth1 | Might not be needed (depending on router model) |
   Destination address | 192.168.254.1 | "Virtual" server address |
   Destination port | 80 | Standard HTTP port |
   Protocol | tcp | |
   Action type | dst-nat | Might be called differently (depending on router model) |
   To address | 192.168.1.254 | Real server address |
   To port | 30021 | Nginx proxy HTTP port |

4. Create NAT rule rewriting packet source

   This rule MUST be applied AFTER the previous one - configuration of rule ordering depends on router model, usually done via some priority number or categories like "incoming" and "outgoing".

   This is enabling server to properly respond back through router instead of trying to send packets directly to original client address.

   Property | Value | Comment |
   ---|---|---|
   Outbound interface | eth1 | Might not be needed (depending on router model) |
   Source address | 192.168.1.0/24 | Local network address |
   Destination address | 192.168.1.254 | Real server address |
   Destination port | 30021 | Nginx proxy HTTP port |
   Protocol | tcp | |
   Action type | src-nat | Might be called differently (depending on router model) |
   To address | 192.168.1.1 | Router address |
   To port | - Not changed - | |

5. Repeat steps 3 and 4 but now for SSL

   Create another set of rules replacing port 80 with 443 and port 30021 with 30022.
Now any HTTP(S) request to hostname *.truenas.lan should be properly routed to Nginx proxy ports, so you can configure proxy hosts to other individual apps without colliding with any TrueNAS settings.
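
Why the rule from step 4 is required, as an added example that is not part of the original guide: a small Python trace of one request and its reply, using the example addresses from the table above. The function name `round_trip`, the client address 192.168.1.50 and its source port are constructed for illustration, and the model assumes the router is the server's default gateway.

```python
from ipaddress import ip_address, ip_network

# Example values from the table in this guide.
LAN = ip_network("192.168.1.0/24")
ROUTER, SERVER, VIRTUAL = "192.168.1.1", "192.168.1.254", "192.168.254.1"
PORT_MAP = {80: 30021, 443: 30022}  # "virtual" port -> Nginx proxy port


def round_trip(client, client_port, dport, src_nat=True):
    """Trace one TCP request to VIRTUAL:dport and the reply the client sees.

    Returns (reply_src, reply_sport, accepted). accepted is True only when the
    reply carries the address and port the client originally connected to.
    """
    if dport not in PORT_MAP:
        raise ValueError(f"no dst-nat rule for port {dport}")
    # VIRTUAL is outside the LAN, so the client hands the packet to the router.
    # Step 3 (dst-nat): destination becomes the real server and proxy port.
    dst, new_dport = SERVER, PORT_MAP[dport]
    # Step 4 (src-nat): LAN sources heading to the server appear as the router.
    masquerade = src_nat and ip_address(client) in LAN
    src = ROUTER if masquerade else client
    # Router connection tracking: translated tuple -> original tuple.
    conntrack = {(src, client_port, dst, new_dport): (client, client_port, VIRTUAL, dport)}

    # The server answers whatever source address it saw.
    via_router = src == ROUTER or ip_address(src) not in LAN
    if via_router:
        # Reply returns to the router, which reverses both translations.
        _, _, reply_src, reply_sport = conntrack[(src, client_port, dst, new_dport)]
    else:
        # Source is on the server's own subnet: the reply is delivered directly,
        # bypasses the router, and keeps the untranslated server address and port.
        reply_src, reply_sport = dst, new_dport
    accepted = (reply_src, reply_sport) == (VIRTUAL, dport)
    return reply_src, reply_sport, accepted


if __name__ == "__main__":
    # Constructed client 192.168.1.50 with ephemeral source port 51000.
    for nat in (True, False):
        print(f"src_nat={nat}:", round_trip("192.168.1.50", 51000, 80, src_nat=nat))
```

With the step 4 rule active, the Nginx proxy sees every LAN client as 192.168.1.1, so per-client access lists and access logs on the proxy no longer show the original client address.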
Enjoy! 🙂
PS: If you find another interesting use case for this solution, feel free to share your thoughts in the comments!
Good morning, I tried to follow along with your instructions here, but as my router does not have the same exact field names I probably screwed something up. I'm using pfSense for your information.
I'm trying to send requests from units on my subnet for server:443 to server:60443
Do you know how the rules should be set up to rewrite in this case?
Would 1:1 NAT be useful at all?