No access to the GUI from where I am right now. But here is what I have configured to handle something similar.
In this case,
eth0 = WAN - 107.182.76.27
eth1 = LAN1 (10.8.25.0/24) - My network with webservers and stuff 10.8.25.100 = Nginx proxy
eth2 = LAN2 (10.99.0.0/24) - Friend's network with his own router behind this (yes, he's double NAT'd).
Friend uses his own DNS and thus when he tries to get to one of my webservers, he attempts to hit the public IP. The router understands this but cannot hairpin because he is on a different LAN than the port-forward rules.
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth1
...rules here...
set port-forward wan-interface eth0

So I had to make hairpin rules for him. Your setup would be similar.
Rule 1 (port 443) and rule 2 (port 80) are looking for traffic coming in on eth2 that is destined for the WAN IP and sending the traffic to the Nginx Proxy instead.

set service nat rule 1 description 'Dwarf LAN HTTPS Hairpin'
set service nat rule 1 destination address 107.182.76.27
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth2
set service nat rule 1 inside-address address 10.8.25.100
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination
set service nat rule 2 description 'Dwarf LAN HTTP Hairpin'
set service nat rule 2 destination address 107.182.76.27
set service nat rule 2 destination port 80
set service nat rule 2 inbound-interface eth2
set service nat rule 2 inside-address address 10.8.25.100
set service nat rule 2 inside-address port 80
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

I don't recall why I made masquerade rules (5001 & 5002). I am not sure these are needed. I was significantly not sober when this was implemented.

set service nat rule 5001 description 'Dwarf LAN HTTPS Hairpin'
set service nat rule 5001 destination address 10.8.25.100
set service nat rule 5001 destination port 443
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface eth2
set service nat rule 5001 protocol tcp
set service nat rule 5001 source address 10.99.0.0/24
set service nat rule 5001 type masquerade
set service nat rule 5002 description 'Dwarf LAN HTTP Hairpin'
set service nat rule 5002 destination address 10.8.25.100
set service nat rule 5002 destination port 80
set service nat rule 5002 log disable
set service nat rule 5002 outbound-interface eth2
set service nat rule 5002 protocol tcp
set service nat rule 5002 source address 10.99.0.0/24
set service nat rule 5002 type masquerade
set service nat rule 5999 description 'masquerade for WAN'
set service nat rule 5999 outbound-interface eth0
set service nat rule 5999 type masquerade

No firewall rules at this time. I still need to implement that to keep his stuff off my network except for the proxy. Maybe I'll go drink with him tonight and do that.
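
Added example, not part of the original post: one way to write the firewall rules the post says are still missing, so that LAN2 (eth2) can reach only the Nginx proxy on LAN1. The ruleset name LAN2_IN and the rule numbers are assumptions. Destination NAT is applied before the `in` ruleset is evaluated, so the rules match the translated address 10.8.25.100 rather than the WAN IP.

```edgeos
# Hypothetical ruleset name (LAN2_IN) and rule numbers; addresses and
# interfaces are the ones given in the post.
# Default accept keeps LAN2's Internet access; only LAN1 is restricted.
set firewall name LAN2_IN default-action accept
set firewall name LAN2_IN description 'LAN2 to LAN1: proxy only'

# Replies to connections that LAN1 opened toward LAN2.
set firewall name LAN2_IN rule 10 action accept
set firewall name LAN2_IN rule 10 description 'Allow established/related'
set firewall name LAN2_IN rule 10 state established enable
set firewall name LAN2_IN rule 10 state related enable

# Hairpinned traffic: NAT rules 1 and 2 have already rewritten the
# destination from 107.182.76.27 to 10.8.25.100 at this point.
set firewall name LAN2_IN rule 20 action accept
set firewall name LAN2_IN rule 20 description 'Allow HTTP/HTTPS to Nginx proxy'
set firewall name LAN2_IN rule 20 destination address 10.8.25.100
set firewall name LAN2_IN rule 20 destination port 80,443
set firewall name LAN2_IN rule 20 protocol tcp

# Everything else from LAN2 addressed to LAN1 is dropped and logged.
set firewall name LAN2_IN rule 30 action drop
set firewall name LAN2_IN rule 30 description 'Drop other LAN2 to LAN1 traffic'
set firewall name LAN2_IN rule 30 destination address 10.8.25.0/24
set firewall name LAN2_IN rule 30 log enable

# Apply to traffic entering eth2 that is routed through the router.
set interfaces ethernet eth2 firewall in name LAN2_IN
```

The `in` direction covers only traffic forwarded through the router; traffic from LAN2 to the router itself would need a separate `local` ruleset on eth2.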