OPNsense Forum
Archive => 23.1 Legacy Series => Topic started by: FreeMinded on July 14, 2023, 02:10:55 pm
-
I'm a recent immigrant from the pfSense World and the following situation drove me crazy. I suspect a possible bug (or at least an unexpected behavior) and would be happy to be enlightened by an OPNsense guru if it's not.
I set up a Port Forwarding from my main WAN Interface (WAN_FIBER_Port) to a local network IP. As destination address I had WAN_FIBER_Port address set. All the traffic hitting the Firewall was being rejected by the default deny / state violation rule. The Logs showed the Firewall's Public IP as destination. After a while I realized that the rule does not apply.
It started to work when I set the destination to any. Later I tried manually setting the public IP or WAN_FIBER_Port net and both worked as well.
I was - coming from pfSense - expecting that WAN_FIBER_Port address would be the public IP which the interface gets by DHCP in this case. Somehow this does not seem to be the case. Interestingly WAN_FIBER_Port net works.
Is this intended behavior?
-
It seems you only created a NAT rule but not a firewall rule. Or the automatic rule was not created because you set "Filter rule association" to "None" in the NAT rule.
You need:
a) NAT rule in "Firewall: NAT: Port Forward"
b) FW rule in "Firewall: Rules: WAN"
-
The Firewall rule was created (automatically by the NAT Port Forwarding rule).
But looking at the WAN Interface again, I might have found the reason. I get IPv4 address x.y.z.237/24 assigned. So it's not a /32 but a whole /24 subnet range. Still the IP address on the interface is clear and WAN_FIBER_Port address should point to it.
-
So your WAN interface has the "IPv4 Configuration type" DHCP, right?
Is it a DHCP from your ISP or your own DHCP server?
-
It's the DHCP from the ISP. Init7 to be precise.
-
Looking at their product site they only provide a single IPv4 address (/32 or /31 subnet) or a /29 subnet with 5 addresses. So it's either a mistake in the configuration on their site or a bug in OPNsense.
-
I still think the WAN_PORT_address should point to the address on that interface, no matter what the subnet is. This does not seem to be the case.
-
In the Lobby->Dashboard under Interfaces does it show the correct IP for WAN_PORT?
-
> In the Lobby->Dashboard under Interfaces does it show the correct IP for WAN_PORT?
Yes, it does.
-
I guess it is somehow related to this bug:
https://github.com/opnsense/core/issues/5588