I have a NAS running a web app on port 8081, with IP 192.168.0.2, and a reverse proxy server (separate machine) with IP 192.168.0.3. In order to access the web app (which I wouldn't want to expose to the internet directly) I port-forwarded the reverse proxy to WAN (port 443), set up HTTPS and username/password authentication on it, then pointed the proxy to 192.168.0.2:8081, so that connecting from outside to https://mydomain.example.com lets me log in and access the service.
This works fine, but I'd like to prevent any device in my LAN that isn't 192.168.0.3 from bypassing the reverse proxy by connecting to 192.168.0.2 on port 8081. This way, should a PC on the network be compromised, nobody would be able to access the service without authenticating. I know a DMZ is usually the way to go with this, but it would be extremely annoying, considering the NAS also runs a plethora of other services I would like to be able to connect to directly (SMB, Plex etc.). Moving the RP to the NAS isn't an option either, as I want to use NGINX for Nextcloud too, and in general Let's Encrypt + NGINX via Docker (which my NAS uses) is clunky.
Is there a way to accomplish this with OpenWRT, by creating some sort of specific rule to block connections from any host that isn't 192.168.0.3 to host 192.168.0.2 on port 8081, leaving all other traffic intact? I've already tried traffic rules and unfortunately had no success.
My OpenWRT router has IP 192.168.0.1 on the LAN and 192.168.1.50 on the WAN, which is managed by a modem/router with IP 192.168.1.1, the only other device on the WAN, providing Internet access.
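Added example, not part of the question above: the policy the poster describes (only 192.168.0.3 may reach TCP 8081 on the NAS, everything else untouched) expressed as a host-side nftables ruleset on the NAS. The reason OpenWRT traffic rules did not take effect is worth stating: two hosts on the same 192.168.0.0/24 segment exchange packets through the switch, so the router's firewall never sees LAN-to-LAN traffic and cannot filter it. Either the NAS is moved to its own VLAN/subnet so the traffic crosses the router, or the filter lives on the NAS itself, which is what this script does. Assumptions: the NAS runs Linux with nftables installed, the IPs and port come from the post, and the table name is a placeholder chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): host-side nftables rules for the NAS.
# Assumed: Linux NAS with nftables; proxy 192.168.0.3 and app port 8081 (from the post).
# Why here and not on OpenWRT: same-subnet traffic never traverses the router.

PROXY_IP="${PROXY_IP:-192.168.0.3}"
APP_PORT="${APP_PORT:-8081}"
TABLE="nas_app_guard"   # hypothetical table name, pick any unused one

# Emit an nftables ruleset: allow loopback and the reverse proxy to reach the
# app port, reject every other client on that port, and leave all other
# services (SMB, Plex, ...) alone via the default accept policy.
build_ruleset() {
    proxy="$1"
    port="$2"
    cat <<EOF
table inet ${TABLE} {
    chain input {
        type filter hook input priority 0; policy accept;
        # local processes on the NAS keep working
        iif "lo" accept
        # only the reverse proxy may reach the web app
        ip saddr ${proxy} tcp dport ${port} accept
        # everyone else on the LAN gets a clean refusal; counter aids auditing
        tcp dport ${port} counter reject with tcp reset
    }
}
EOF
}

# Load the ruleset atomically, replacing any previous copy so re-runs are idempotent.
apply_ruleset() {
    if nft list table inet "$TABLE" >/dev/null 2>&1; then
        nft delete table inet "$TABLE"
    fi
    build_ruleset "$PROXY_IP" "$APP_PORT" | nft -f -
}

# Show the live rules and hit counters (to confirm blocked attempts are counted).
show_ruleset() {
    nft list table inet "$TABLE"
}

# Only touch the live firewall when explicitly asked: `sh nas_guard.sh apply`
case "${1:-}" in
    apply) apply_ruleset && show_ruleset ;;
    show)  show_ruleset ;;
    *)     build_ruleset "$PROXY_IP" "$APP_PORT" ;;
esac
```

Run with no argument to print the ruleset for review, `apply` (as root) to load it, and `show` afterwards to watch the reject counter climb if another LAN host tries the port. One caveat for this NAS: the rules sit on the host's input hook, so they cover a service bound directly on the NAS; a port published by Docker is reached through Docker's own NAT and the forward path instead, and in that case the equivalent restriction has to be placed in the chain Docker reserves for user rules (DOCKER-USER) rather than here.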