After moving out of my old place, I set up my TrueNAS system with my new Verizon router, however I’m unable to get an access list working that will allow local traffic; instead I get an error 403. My current rule set is
- Allow
192.168.1.0/24
- Deny
all
I’ve confirmed the following on my router’s settings page:
- Subnet Mask
255.255.255.0
- Dynamic IP Range
192.168.1.2 - 192.168.1.254
So shouldn’t the above rule set work? I tried enabling “Pass Auth to Upstream” in the access list’s settings. but that didn’t change anything. That’s the only DHCP server on my network.
What do the NPM logs say?
Here’s what I found under /[nginx]/logs/proxy-host-17_error.log:
2025/12/05 09:14:57 [error] 102683#102683: *29424 access forbidden by rule, client: [my public IP], server: nginx-proxy-manager.nas.mydomain.com, request: "GET / HTTP/2.0", host: "nginx-proxy-manager.nas.mydomain.com", referrer: "http://192.168.1.158:30020/"
2025/12/05 09:21:21 [error] 102820#102820: *29485 access forbidden by rule, client: [my public IP], server: nginx-proxy-manager.nas.mydomain.com, request: "GET / HTTP/2.0", host: "nginx-proxy-manager.nas.mydomain.com", referrer: "http://192.168.1.158:30020/"
2025/12/05 09:22:54 [error] 102857#102857: *29506 access forbidden by rule, client: [my public IP], server: nginx-proxy-manager.nas.mydomain.com, request: "GET / HTTP/2.0", host: "nginx-proxy-manager.nas.mydomain.com", referrer: "http://192.168.1.158:30020/"
2025/12/06 22:38:01 [error] 144040#144040: *42807 access forbidden by rule, client: [my public IP], server: nginx-proxy-manager.nas.mydomain.com, request: "GET / HTTP/2.0", host: "nginx-proxy-manager.nas.mydomain.com", referrer: "http://192.168.1.158:30020/"
There are three entries before this one
While I understand why you don’t want to share a public IP, it does complicate troubleshooting the issue.
Is the “public IP” redacted from the logs an internet facing IP, specifically something starting with something other than 192.168.x.x?
If that’s the case then you have the issue right there, you are only allowing 192.168.1.0/24, so by the access list you set everything is working as you instructed it to.
While I understand why you don’t want to share a public IP, it does complicate troubleshooting the issue.
It’s my public IP, yeah. The one I can check using whatismyipaddress.com.
If that’s the case then you have the issue right there, you are only allowing 192.168.1.0/24, so by the access list you set everything is working as you instructed it to.
Wait, really? I’m almost positive that before I moved, I had this rule set exactly the same way, and it worked just fine. Besides, Verizon has already changed my IP address a few times, so entering it in manually isn’t really feasible.
So here’s a funny thing. I was looking at the Reddit thread that I looked at when I was setting this up the first time, and I found this:
Once you make any change to an access list, you need to go back to the proxy host that you applied that access list to and hit save again. Then give it a shot and see if it works.
And, uh…Yeah ¯\_(ツ)_/¯ it works now. Thanks for your time anyway!
Well, bad news. I thought this had worked, but it seems like it was a glitch in the timing. What I had done was:
- Turned off the access list for the host
- Saved it
- Turned back on the access list
- Saved it again
- Clicked the redirect link
It looks like it takes NPM a moment to get caught up with an access list, so when I tried it yesterday immediately after taking it off public access, it worked, but now it doesn’t.
Again, this is very strange because I swear that an access list for my private IP range worked perfectly fine before. I was at my family’s house though, so maybe my dad had configured something necessary in the router before I ever set up my TrueNAS server? This comment mentions needing to set up local DNS settings, but they only mention that for Pi-hole, which I don’t use (yet).
