OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: FreeMinded on July 14, 2023, 02:10:55 pm

Title: Port forwarding / Firewall Destination Issue
Post by: FreeMinded on July 14, 2023, 02:10:55 pm
I'm a recent immigrant from the pfSense World and the following situation drove me crazy. I suspect a possible bug (or at least an unexpected behavior) and would be happy to be enlightened by an OPNsense guru if it's not.

I set up a Port Forwarding from my main WAN Interface (WAN_FIBER_Port) to a local network IP. As destination address I had WAN_FIBER_Port address set. All the traffic hitting the Firewall was being rejected by the default deny / state violation rule. The Logs showed the Firewall's Public IP as destination. After a while I realized that the rule does not apply.

It started to work when I set the destination to any. Later I tried manually setting the public IP or WAN_FIBER_Port net and both worked as well.

I was - coming from pfSense - expecting that WAN_FIBER_Port address would be the public IP which the interface gets by DHCP in this case. Somehow this does not seem to be the case. Interestingly WAN_FIBER_Port net works.

Is this intended behavior?
Title: Re: Port forwarding / Firewall Destination Issue
Post by: vpx on July 14, 2023, 02:21:38 pm
It seems you only created a NAT rule but not a firewall rule. Or the automatic rule was not created because you set "Filter rule association" to "None" in the NAT rule.

You need:

a) NAT rule in "Firewall: NAT: Port Forward"
b) FW rule in "Firewall: Rules: WAN"
Title: Re: Port forwarding / Firewall Destination Issue
Post by: FreeMinded on July 14, 2023, 02:41:33 pm
The Firewall rule was created (automatically by the NAT Port Forwarding rule).

But looking at the WAN Interface again, I might have found the reason. I get IPv4 address x.y.z.237/24 assigned. So it's not a /32 but a whole /24 subnet range. Still the IP address on the interface is clear and WAN_FIBER_Port address should point to it.
Title: Re: Port forwarding / Firewall Destination Issue
Post by: vpx23 on July 14, 2023, 05:04:17 pm
So your WAN interface has the "IPv4 Configuration type" DHCP, right?

Is it a DHCP from your ISP or your own DHCP-Server?
Title: Re: Port forwarding / Firewall Destination Issue
Post by: FreeMinded on July 14, 2023, 08:01:38 pm
It's the DHCP from the ISP. Init7 to be precise.
Title: Re: Port forwarding / Firewall Destination Issue
Post by: vpx23 on July 14, 2023, 08:41:53 pm
Looking at their product site they only provide a single IPv4 address (/32 or /31 subnet) or a /29 subnet with 5 addresses. So it's either a mistake in the configuration on their site or a bug in OPNsense.
Title: Re: Port forwarding / Firewall Destination Issue
Post by: FreeMinded on July 17, 2023, 10:03:04 am
I still think the WAN_PORT_address should point to the address on that interface, no matter what the subnet is. This does not seem to be the case.
Title: Re: Port forwarding / Firewall Destination Issue
Post by: vpx on July 17, 2023, 03:14:38 pm
In the Lobby->Dashboard under Interfaces does it show the correct IP for WAN_PORT?
Title: Re: Port forwarding / Firewall Destination Issue
Post by: FreeMinded on November 06, 2023, 10:24:36 pm
Quote from: vpx on July 17, 2023, 03:14:38 pm
In the Lobby->Dashboard under Interfaces does it show the correct IP for WAN_PORT?

Yes, it does.
Title: Re: Port forwarding / Firewall Destination Issue
Post by: vpx on November 07, 2023, 02:22:32 pm
I guess it is somehow related to this bug:

https://github.com/opnsense/core/issues/5588