

Update: ditched the second OpnSense and figured out that MTU discovery with PVE and stuff needs some hard tweaking. Got it to work now. Hit me up for guidance 😅




Should the nginx Proxy receive that package? If I trace between the LAN Host and GW, there are no Public IPs.


I think I'll let it rest for a day, I'm confused.


Hm, could be a little bit much, but Public IP -> WG0 -> Proxy -> Router -> Server and back should not be OK?


What? That’s totally confusing. Took my Laptop (192.168.35.242), tethered to my Mobile (192.168.35.116) and wiresharked. 192.168.35.0/24 should never ever be a part of my Network.


Never got the time to learn to read Captures :'(
At a time I tried to use two proxies but I changed it back to one. The host I try to reach is a Docker Host with Immich running. So the only real proxy should be “192.168.1.1”.


There is one DNAT rule at the public OPNsense routing the HTTP/S traffic to my proxy. Inside my DMZ and LAN there is no NAT, only routing. Back out again there is a Masq/SNAT rule for my local IPs.


Green boxes are IPs, red are FQDNs.
Curl capture (made first so DNS is captured as well)

Firefox capture



I tested with my Mobile with LTE and got the same results


Ah sorry, bad choice, but I masked my real LAN IPs.
Yes