So I’ve gone down the rabbit hole trying to find a way to preserve source IPs on a port forward. I have port 443 forwarded from both of my WAN ports to my Traefik reverse proxy. I have crowdsec also running with Traefik. I figured out pretty quickly that the UniFi was rewriting the source IPs, as the only IP Traefik and crowdsec were seeing was the IP of my UDM Pro SE. I’ve been able to SSH into my UDM and run commands that change this behavior, and I’ve also written a script that I can manually run on the UDM that works. I was fighting with trying to get a script to run on boot on the UDM, but it’s my understanding that while this was once possible it no longer is. At least every way I have tried has failed to work. Has anyone found a persistent way to achieve this, or is this just not possible?
Are you sure this is the UDM? I don’t know much about Traefik, but it doesn’t sound like the proxy is passing the X-Forwarded-For and X-Real-Ip headers properly.
Relatively certain. Others have experienced the same thing and nailed it down to the same default UniFi process/configuration. Once I log into the UDM via SSH and change a couple of rules it works perfectly.
If that is the case then, no. It is not supported to take the CLI and make configuration changes. You could open a UniFi forum post and explain the situation there. Maybe there is a setting or maybe there is a feature that can be requested to add it to the UI.
I was able to get this working. I missed a small but apparently crucial config to get Traefik and Crowdsec to read the X-Forwarded-For. Minor oversight on my part but got it working without needing to dig into the guts of my UDM.
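The "crucial config" in the last post is the trusted-proxy setting a reverse proxy needs before it will honour X-Forwarded-For (in Traefik that is the entrypoint's forwardedHeaders trustedIPs list). The following is an added example, not code from this thread or from Traefik or CrowdSec, showing the resolution logic such a setting enables and why a proxy must not trust the header from arbitrary peers; the proxy address 192.0.2.1 and all client addresses are constructed.

```python
import ipaddress
from typing import Optional

# Constructed trusted-proxy list: only hops we operate (e.g. the gateway in
# front of the reverse proxy) may set X-Forwarded-For. Assumption for the demo.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.1/32")]


def is_trusted(addr: str) -> bool:
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage input
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address a ban list or rate limiter should act on.

    remote_addr: the TCP peer the proxy accepted the connection from.
    xff: raw X-Forwarded-For header value, or None if absent.

    The header is only consulted when the peer itself is a trusted proxy.
    Walking the chain from the right (nearest hop first), the first hop
    that is not a trusted proxy is the real client; anything further left
    was supplied by the client and is ignored. This keeps a remote sender
    from choosing which address gets banned, or from hiding behind a fake one.
    """
    if not xff or not is_trusted(remote_addr):
        # Untrusted peer or no header: the peer address is all we can believe.
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            # Malformed entry: refuse to guess, fall back to the peer address.
            return remote_addr
    # Every hop was one of our proxies: the leftmost is the best we have.
    return hops[0] if hops else remote_addr
```

Without a trusted-proxy list, the symptom in the opening post appears (every request is attributed to the gateway, so a ban would hit all users at once), while trusting the header from everyone lets a remote sender pick any address it likes.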