Nginx reverse proxy refuses to work except when it and the target are in bridge mode (no custom network)


Hello, I will try to keep it short, but I have tried for months to get a reverse proxy to play nice with my VLAN-segmented network and I am just not getting anywhere. Maybe someone can read below and give me some suggestions:

Just one note: I have a Cloudflare tunnel placed on VLAN 20 that can communicate with VLAN 10, so it is only the nginx having this kind of issue.

1. Network Topology & Environment

  • OS / Hypervisor: Unraid version 7.0.0.

  • Gateway: UniFi Gateway.

  • Switch Link: Port 6 on the UniFi switch connects directly to the Unraid host. It is configured as a full Trunk Port.

  • VLAN Trunk Profile: Native VLAN is set to Management (VLAN 1). Tagged VLAN Management is set to "Allow All" to pass 802.1Q frames for VLANs 10 and 20 down the wire.

| VLAN ID | Name | Subnet | Key IPs & Notes |
|---|---|---|---|
| 1 | Management | 192.168.1.0/24 | Unraid Host Management IP: 192.168.1.10 |
| 10 | Servers-Trusted | 192.168.10.0/24 | Hosts internal target VMs/containers (e.g., Jellyfin: 192.168.10.5) |
| 20 | Servers-Untrusted (DMZ) | 192.168.20.0/24 | Target location for Nginx Proxy Manager (NPM: 192.168.20.70) |
| 50 | Guest | 192.168.50.0/24 | |

2. Hypervisor & Docker Configuration

  • Physical Interface: Bonded link (bond0) combining physical interfaces. It is running in active-backup mode.

  • Bridging Infrastructure: Enabled (br0), creating a standard Linux virtual bridge.

  • VLAN Tagging: Handled cleanly at the OS level, splitting out sub-interfaces br0.10 and br0.20.

  • Host Isolation: VLAN 10 (br0.10) and VLAN 20 (br0.20) have IP Assignment set to "None". The Unraid host has no IP footprint on these networks and acts purely as a Layer 2 virtual switch.

  • Docker Subsystem: Custom networks for br0.10 and br0.20 explicitly defined with correct subnets and gateways (e.g., 192.168.20.1 pointing to the UniFi Gateway).

  • Drivers Tested: Both macvlan and ipvlan (L2) have been tested. Host access to custom networks is currently Disabled.

3. Container Configurations & Port Forwards

Nginx Proxy Manager (NPM) Container Settings

  • Network Type: Custom br0.20-Servers-Untrusted.

  • Fixed IP: 192.168.20.70.

  • Web UI Port: 7818.

  • Template Port Configurations: HTTP mapped to 1880 (Container Port 1080); HTTPS mapped to 18443 (Container Port 4443).

Jellyfin Container Settings

  • Network Type: Custom br0.10-Servers-Trusted.

  • Fixed IP: 192.168.10.5.

Router Port Forwarding Rules (UniFi)

  • HTTP: WAN Port 80 -> Forwarded to 192.168.20.70 on Port 1880 (TCP).

  • HTTPS: WAN Port 443 -> Forwarded to 192.168.20.70 on Port 18443.

4. Symptoms & The Problem Breakdown

  • What Works: When NPM runs on Docker's default Bridge mode, it works completely. It successfully maps host ports (1880/18443 to container 80/443), hides behind the host's management IP (192.168.1.10), and proxies traffic to backend targets. Internal DNS resolution also works perfectly.

  • The Breakdown: The exact moment NPM is switched from Bridge mode to a custom network assigned to br0.10 or br0.20, all traffic fails.

  • Inter-VLAN Block: NPM cannot communicate across subnets to reach backend services like Jellyfin (192.168.10.5). This persists even when UniFi firewall rules are wide open.

  • External WAN Rejection: External connection attempts (e.g., via cellular data) time out or return a strict "Connection Refused" error.


Edited by Seagod

Solved by CandleSir

  • Community Expert
  • Solution
2 hours ago, Seagod said:

HTTP mapped to 1880 (Container Port 1080); HTTPS mapped to 18443 (Container Port 4443)

On custom networks like br0.X, the container gets its own IP so these mappings are not recognized. Think about it like using Host networking. Try routing using the "container ports".
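The answer above, worked through as an added example that is not part of either poster's text: it computes where a container is actually reachable for each network type and flags router forwards that point at host-port mappings a custom br0.X network ignores. The dicts are constructed samples using field names from `docker inspect` and `docker network inspect`; the network name `br0.20`, the `macvlan` driver choice and the function names are assumptions.

```python
# Added example. Constructed sample data; field names mirror `docker inspect`
# (HostConfig, NetworkSettings) and `docker network inspect` (Driver).
DIRECT_L2_DRIVERS = {"macvlan", "ipvlan"}  # container sits on the VLAN with its own IP

def effective_endpoints(container, network_drivers, host_ip):
    """Map each container port to the (ip, port) a client must really connect to."""
    mode = container["HostConfig"]["NetworkMode"]
    bindings = container["HostConfig"].get("PortBindings") or {}
    driver = network_drivers.get(mode, "bridge")
    endpoints = {}
    for spec, binds in bindings.items():
        cport = int(spec.split("/")[0])
        if driver in DIRECT_L2_DRIVERS:
            # Host-port mappings are not applied: use container IP + container port.
            ip = container["NetworkSettings"]["Networks"][mode]["IPAddress"]
            endpoints[cport] = (ip, cport)
        elif mode == "host":
            endpoints[cport] = (host_ip, cport)
        else:
            # Default bridge: Docker NATs host_ip:HostPort to the container port.
            endpoints[cport] = (host_ip, int(binds[0]["HostPort"]))
    return endpoints

def audit_forwards(forwards, endpoints):
    """Return (wan_port, configured_target, reachable_targets) for stale forwards."""
    reachable = set(endpoints.values())
    return [(wan, target, sorted(reachable))
            for wan, target in forwards.items() if target not in reachable]

# NPM as described in the thread: template maps 1880->1080 and 18443->4443.
NPM_ON_VLAN20 = {
    "HostConfig": {
        "NetworkMode": "br0.20",
        "PortBindings": {
            "1080/tcp": [{"HostIp": "", "HostPort": "1880"}],
            "4443/tcp": [{"HostIp": "", "HostPort": "18443"}],
        },
    },
    "NetworkSettings": {"Networks": {"br0.20": {"IPAddress": "192.168.20.70"}}},
}
NETWORK_DRIVERS = {"br0.20": "macvlan", "bridge": "bridge"}
# Router rules from the thread: WAN 80 -> .70:1880, WAN 443 -> .70:18443.
ROUTER_FORWARDS = {80: ("192.168.20.70", 1880), 443: ("192.168.20.70", 18443)}

if __name__ == "__main__":
    eps = effective_endpoints(NPM_ON_VLAN20, NETWORK_DRIVERS, "192.168.1.10")
    for wan, target, ok in audit_forwards(ROUTER_FORWARDS, eps):
        print(f"WAN {wan} -> {target[0]}:{target[1]} matches no container port; use {ok}")
```

Both forwards are reported as stale; pointing them at 192.168.20.70 on ports 1080 and 4443 matches what the container listens on.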

  • Author
On 5/20/2026 at 10:22 PM, CandleSir said:

On custom networks like br0.X, the container gets its own IP so these mappings are not recognized. Think about it like using Host networking. Try routing using the "container ports".

omg you are right, thank you so much, it's been driving me insane. I work in IT infrastructure but have very little container knowledge, and at points I was reconsidering my whole career...
