Reverse proxy from Synology to opnsense

Hello all, I currently have a reverse proxy set up through my Synology NAS. I'm looking to offload this from the NAS to a new Protectli that is running the OPNsense firewall.

Has anyone else set up an OPNsense or even pfSense firewall with a reverse proxy?
 
We use an OPNsense in one of our projects; it does a great job and is rock stable.

The reverse proxy configuration might not appear straightforward at first, because the configuration is split into different areas: nginx: Basic Load Balancing — OPNsense documentation. Its configuration capabilities are far beyond what the Syno-RP is capable of.

I can understand the configuration order seems "reversed" for some people.

Don't try to manually edit conf files, as they are generated through the UI and whatever you edit manually will eventually be lost.
 

I am completely lost on how to do it. For sure the capabilities of those firewalls are beyond my know-how.

So with nginx, do you also use the Let's Encrypt certificates on the router side as well?
-- post merged: --

> Don't try to manually edit conf files, as they are generated through the UI and whatever you edit manually will eventually be lost.

I wouldn’t even attempt
 
> I am completely lost on how to do it

The approach is "decomposed" and spread over the 5 configuration steps in the docs (see the link in my previous post).

Compared to the OPNsense reverse proxy, the Synology reverse proxy is extremely oversimplified when it comes to the ease of setup and supported features... The Synology RP just needs a handful of parameters and builds a very limited, opinionated configuration for you, while with OPNsense you have to add more parameters that allow you to configure almost every existing aspect of the nginx reverse proxy configuration.

> So with nginx, do you also use the Let's Encrypt certificates on the router side as well?

Yep, OPNsense has an extra Let's Encrypt plugin. It generally works, though troubleshooting it in case of problems wasn't that easy. We also used it as an OpenVPN/WireGuard server.
 
I am not sure how to respond to that.

OPNsense is a full-on enterprise-grade firewall appliance with many integrated services; haproxy is a reverse proxy/load balancer.

So basically your question boils down to just the reverse proxy in isolation? I believe in terms of functionality and performance haproxy beats nginx. In terms of usability OPNsense provides a well-made UI for nginx. I am not aware of any UI for haproxy.

I personally never felt the need to take a closer look at haproxy. My homelab consists of 3 Docker Swarm nodes that run Traefik for load balancing/reverse proxying. Reverse proxy rules are defined by adding a simple label on the swarm service declaration in the compose file. Traefik picks up those labels and applies their configuration as reverse proxy rules whenever a service is created/removed. I have a wildcard domain pointing to the WAN port, and use a wildcard certificate in Traefik. Thus the service labels are the only thing I need to configure to expose a container to the internet...

At my job AWS provides a managed service for every crazy demand I come up with. On projects outside AWS, it is usually whatever Kubernetes provides. The OPNsense is used in a project running on an OpenStack public cloud. OpenStack provides a fraction of what AWS offers.
 
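The label-driven Traefik setup described in the post above, sketched as a Swarm stack file. This is an added example, not the poster's configuration: it assumes Traefik v2.x with the Docker provider in Swarm mode, and the domain `example.com`, the `proxy` network, the `/opt/traefik` paths and the `whoami` service are placeholders.

```yaml
# Added example: constructed stack file, not taken from the thread.
# Assumes Traefik v2.x (Docker provider, Swarm mode). All names are placeholders.
version: "3.8"

services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      # Opt-in only: a service is published only if it sets traefik.enable=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxy
      - --entrypoints.websecure.address=:443
      # The file provider loads the wildcard certificate. dynamic.yml contains:
      #   tls:
      #     certificates:
      #       - certFile: /certs/wildcard.example.com.crt
      #         keyFile: /certs/wildcard.example.com.key
      - --providers.file.filename=/etc/traefik/dynamic.yml
    ports:
      - "443:443"
    volumes:
      # Read-only mount; the socket still grants full view of the swarm,
      # so keep Traefik on a manager and treat it as a privileged service.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
      - /opt/traefik/certs:/certs:ro
    networks:
      - proxy
    deploy:
      placement:
        constraints:
          - node.role == manager

  whoami:
    image: traefik/whoami
    networks:
      - proxy
    deploy:
      labels:   # in Swarm mode Traefik reads labels from deploy.labels
        - traefik.enable=true
        - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
        - traefik.http.routers.whoami.entrypoints=websecure
        - traefik.http.routers.whoami.tls=true
        - traefik.http.services.whoami.loadbalancer.server.port=80

networks:
  proxy:
    driver: overlay
```

With `exposedByDefault=false`, a new service on the `proxy` network stays unreachable from the WAN until its own labels enable it, so the labels double as the audit trail of what is published.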
Thanks, I'll give nginx a shot. I just need a simple reverse proxy for subdomain names to be directed to certain services. I'll need Let's Encrypt too, maybe even with the possibility of wildcard capability.
 
But if you only need the reverse proxy, why don't you just use "nginx manager"?

Is nginx manager the same as nginx?

So yesterday, after having been connected directly to the OPNsense firewall and setting it up, I tried a switchover from our internet provider router to OPNsense… it didn't go well.

I had issues where I couldn't get out to the internet (DNS issue). I then factory'd the settings and just tried the basic setup with the wizard. Eventually I was able to get out to the internet, so now the next thing I need to work on is setting up the firewall. Prior to going to bed, I reverted back to the ISP router until I have some more time to tweak the OPNsense.

Initially during setup I just added all the port forwards I had on my ISP router, which were set up properly. But because of the DNS issue and when I factory defaulted, they got wiped out. Something else that I did wrong (I think) was I set the WAN interface to static, thinking the IP address to the modem is static 192.168.100.1. Also, initially I had set up a gateway of 192.168.1.1, which is also the LAN interface IP. After the reset I didn't do those things and things were working, so trial and error.

Now that I'm able to get out to the internet I'll add those rules back in, and switch over to the OPNsense firewall to see how it's working.

For now I'm going to keep the reverse proxy and LE certs processes on the Synology, until I can learn more about OPNsense. Since these things are more complex, I'm also worried about adding the wrong firewall rules and being more exposed than with the ISP router.

One thing I'm pondering is maybe making the switch to pfSense, since there's a ton of videos I can watch and learn from.
 
OPNsense is basically the more modern fork of pfSense. In our project I just made the RP and LE configuration. Most of the other configuration was done by our network gurus, including the integration with the LDAP server.

What I like about OPNsense is that it provides a REST API that can be easily driven by REST calls, which in the simplest case can be a curl request.
 