Hi
Since I would like to use the Torrent service to download and share some files on the Internet, I would like to know what is the correct procedure for creating the rules that allow you to use this service.
I am currently using OPNsense 18.7.8 64 bit.
Thanks
Bye
I'm still waiting for your answer.
Thanks
Bye
Hi,
if you do not have IDS/IPS in place, I would say that you have to create a rule that allows traffic on torrent standard ports (6881-6889 TCP) from LAN network to any on WAN.
Quote from: Dnz on November 29, 2018, 09:05:48 PM
Hi,
if you do not have IDS/IPS in place, I would say that you have to create a rule that allows traffic on torrent standard ports (6881-6889 TCP) from LAN network to any on WAN.
What is the correct procedure for creating this rule?
Thanks
Bye
Could someone please give me an answer?
Thanks
Bye
What works for me is UPnP. I don't like to use it but the ports close after they are not needed or I can close them myself.
I don't have to search for the correct ports and I can have my torrent program change its port every time it starts up.
Quote from: GDixon on December 01, 2018, 05:20:05 PM
What works for me is UPnP. I don't like to use it but the ports close after they are not needed or I can close them myself.
I don't have to search for the correct ports and I can have my torrent program change its port every time it starts up.
If I disabled the UPnP function, in which sections of OPNsense should I go to create the rules that allow the opening of the ports that serve the various Internet services (such as Torrent) to work properly?
When I will create the rules for using the Torrent service, which fields should I use?
Thanks
Bye
Could someone please give me an answer?
Thanks
Bye
Hi!
Sorry I would not come with a tutorial explaining in details and with pictures what should be done (lack of time), but until somebody else will (maybe) do that, I will point you to the following 2 scenarios:
- Use uPnP plugin - Find it in System: Firmware: Plugins - especially if your torrent client is uPnP compatible
- Use NAT, Port Forwarding Rule - Firewall: NAT: Port Forward - Choose a range of ephemeral ports (typically between 1024 and 65535) in your torrent client, and then create a new NAT (Port Forwarding) rule in your firewall for those chosen ports towards your torrent machine. (For that sake, it is possible to use a single port, but this requires the torrent client to use that particular port every time it restarts)
For how to do it for each of these cases please wait for someone else with more available time than me to write a step-by-step tutorial, or read the docs and search the forum for "upnp", "NAT" and/ or "Port Forwarding" - even if you can't find your exact case in particular, those search keywords will bring up posts describing how uPnP and NAT Rules work and examples of Port Forwarding done for alike scenarios, for other services.
Hope it helps... :)
Good luck!
Quote from: hutiucip on December 03, 2018, 11:18:43 AM
Hi!
Sorry I would not come with a tutorial explaining in details and with pictures what should be done (lack of time), but until somebody else will (maybe) do that, I will point you to the following 2 scenarios:
- Use uPnP plugin - Find it in System: Firmware: Plugins - especially if your torrent client is uPnP compatible
- Use NAT, Port Forwarding Rule - Firewall: NAT: Port Forward - Choose a range of ephemeral ports (typically between 1024 and 65535) in your torrent client, and then create a new NAT (Port Forwarding) rule in your firewall for those chosen ports towards your torrent machine. (For that sake, it is possible to use a single port, but this requires the torrent client to use that particular port every time it restarts)
For how to do it for each of these cases please wait for someone else with more available time than me to write a step-by-step tutorial, or read the docs and search the forum for "upnp", "NAT" and/ or "Port Forwarding" - even if you can't find your exact case in particular, those search keywords will bring up posts describing how uPnP and NAT Rules work and examples of Port Forwarding done for alike scenarios, for other services.
Hope it helps... :)
Good luck!
By default, does OPNsense 18.7.8 have the UPnP function enabled? If yes, how do I disable it?
Thanks
Bye
No, uPnP is not enabled - as I said, it's a plugin, you can find it in "Plugins" section, then install it. It's not installed (hence not enabled) by default.
I can't open port 36603 on the firewall towards the Pippo computer that doesn't have a firewall/antivirus because, when I try to use services, such as https://ping.eu/port-chk, that check the status of a port, they indicate that this port is closed. How come?
My OPNsense configuration (the VDSL2+ router has been put in Bridged mode):
(http://i63.tinypic.com/dgqyr9.jpg)
(http://i68.tinypic.com/5yaq35.jpg)
(http://i67.tinypic.com/v2yd8x.jpg)
(http://i67.tinypic.com/141jsd2.jpg)
(http://i65.tinypic.com/j9ouuh.jpg)
So, where did I go wrong?
Thanks
Bye
Could someone please give me an answer?
Thanks
Bye
I may be wrong but even with a port forward or uPnP I get all ports closed when I do an outside the wan scan. The ISP may be the one doing that.
I use a cable modem that's just a bridge through Spectrum, has no router functions.
I can still connect and use any port forwards and uPnP works as expected. Have you tried connecting or running your torrent program?
I use https://www.grc.com/x/ne.dll?bh0bkyd2 to check ports
I tried to do a scan of my torrent port with the above service and I noticed that my port is in Stealth status with the green background. What does this mean? What can I do to make sure that this service indicates that the status of this port was opened?
Thanks
Bye
OK, but what about your torrent client, what does it say about the port?
Quote from: hutiucip on December 07, 2018, 09:52:38 AM
OK, but what about your torrent client, what does it say about the port?
For my convenience, to do a test I ran eMule using the torrent port and noticed that this client connects to the various servers with low IDs and to the Kad network under the firewall (Connected:(firewalled)). So, how should I ensure that P2P clients don't see my hardware firewall?
Thanks
Bye
So, how would I be able to properly open the ports of the firewall hardware?
Thanks
Bye
I'm still waiting for an answer.
Thanks
Bye
Looking at your NAT rule it looks like you are not forwarding correctly. Destination should be the WAN if address, not the server you are redirecting to. Your live FW log should show you that is the if where the packets are being dropped.
If this does not resolve the issue you should verify the live FW logs and/or run a packet capture on your WAN if to verify the packets are coming through to your end and are not being intercepted/blocked by the ISP.
Keep seeding!
Quote from: miruoy on December 10, 2018, 06:59:44 PM
Looking at your NAT rule it looks like you are not forwarding correctly. Destination should be the WAN if address, not the server you are redirecting to. Your live FW log should show you that is the if where the packets are being dropped.
If this does not resolve the issue you should verify the live FW logs and/or run a packet capture on your WAN if to verify the packets are coming through to your end and are not being intercepted/blocked by the ISP.
Keep seeding!
In which destination field should I put WAN?
Thanks
Bye
There is only 1 field named "Destination" in the port forwarding config. Study the screenshot below to be spoon fed.
(https://i.imgur.com/mA72EO7.png)
Do note though that this should really be obvious if you have any experience with networking. Study this small diagram and it should become clear on why we are using the WAN as the "Destination" in the PAT rules.
External User/App ==> WAN ==> Your opnSense ==> Your Torrent Box
Also read up on this (https://stevessmarthomeguide.com/understanding-port-forwarding/) article to clarify what you are configuring.
I hope this helps you in better understanding your configuration.
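Added example, not part of any post in this thread: a small Python model of the point made in the replies above, that a port-forward rule is matched against the address the packet carries when it arrives (the WAN address) and that filtering then sees the translated destination. The addresses 203.0.113.10, 198.51.100.7 and 192.168.1.50 and all names in the code are constructed for illustration; the order of evaluation (translate, then filter, default deny) is a simplified model of pf.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

WAN_ADDR = ip_address("203.0.113.10")     # constructed: public address on the WAN side
TORRENT_BOX = ip_address("192.168.1.50")  # constructed: LAN host running the torrent client
PORT = 36603                              # port discussed in the thread


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class PortForward:
    destination: IPv4Address  # address the packet carries when it arrives on WAN
    port: int
    target: IPv4Address       # internal host the packet is rewritten to


def translate(pkt, forwards):
    """Destination NAT: rewrite dst only if the arriving packet matches a rule."""
    for rule in forwards:
        if pkt.dst == rule.destination and pkt.dport == rule.port:
            return Packet(pkt.src, rule.target, pkt.dport)
    return pkt  # no match: NAT changes nothing and blocks nothing


def inbound(pkt, forwards, pass_rules):
    """Translate first, then filter the translated packet; default deny."""
    out = translate(pkt, forwards)
    if (out.dst, out.dport) in pass_rules:
        return f"passed to {out.dst}:{out.dport}"
    return "blocked by default deny"


# A peer on the Internet only knows the public address, so that is the dst it sends.
probe = Packet(ip_address("198.51.100.7"), WAN_ADDR, PORT)
pass_rules = {(TORRENT_BOX, PORT)}  # filter rule matches the translated destination

wrong = [PortForward(destination=TORRENT_BOX, port=PORT, target=TORRENT_BOX)]
fixed = [PortForward(destination=WAN_ADDR, port=PORT, target=TORRENT_BOX)]

if __name__ == "__main__":
    print("destination = torrent box:", inbound(probe, wrong, pass_rules))
    print("destination = WAN address:", inbound(probe, fixed, pass_rules))
```

With the destination set to the internal host the rule never matches an arriving packet, so nothing is translated and the filter's default deny applies, even though a pass rule for the torrent box exists.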
I don't have any WAN logical interface having configured the firewall in order to use the PPPoE protocol for the Internet connection, as you can see from the attachments. The VDSL2+ router, connected to the WAN physical interface of the firewall, is in Bridged mode.
So, how can I solve the problem of the opened ports?
Thanks
Bye
Does anyone have a solution to my problem?
Thanks
Bye
Am I still waiting for your tip?
Thanks
Bye
Could someone help me?
Thanks
Bye
I reset the firewall and configured it in a standard mode with the PPPoE protocol but my problem remained.
How do I view all packets blocked by NAT?
Thanks
Bye
Quote from: balubeto on December 27, 2018, 12:02:33 PM
How do I view all packets blocked by NAT?
NAT cannot block, it is NOT A FIREWALL. It just looks like one because the packets won't find the real destination.
Quote from: fabian on December 27, 2018, 12:06:52 PM
Quote from: balubeto on December 27, 2018, 12:02:33 PM
How do I view all packets blocked by NAT?
NAT cannot block, it is NOT A FIREWALL. It just looks like one because the packets won't find the real destination.
How do I find out where these packages end up?
Thanks
Bye
In OPNsense, how do I analyze the firewall traffic to understand which packets pass and which not?
Thanks
Bye
Firewall, Log Files, Live View
Bart...
This is my current configuration:
(http://i66.tinypic.com/2n8amo4.jpg)
(http://i66.tinypic.com/1rrpkm.jpg)
(http://i67.tinypic.com/29dwff9.jpg)
(http://i64.tinypic.com/fcn3ax.jpg)
(http://i67.tinypic.com/jfkcw2.jpg)
(http://i65.tinypic.com/rh9947.jpg)
(http://i65.tinypic.com/mtrwad.jpg)
(http://i67.tinypic.com/2ak02l5.jpg)
(http://i63.tinypic.com/jsedsp.jpg)
(http://i63.tinypic.com/2cmvsj5.jpg)
The next two images represent the various port blocks:
(http://i67.tinypic.com/300che1.jpg)
(http://i65.tinypic.com/9k6n46.jpg)
How come? Is this normal?
While these images show the block of port 36603 analyzed by the service https://www.grc.com that reports the status Stealth on this port:
(http://i66.tinypic.com/dqov89.jpg)
(http://i66.tinypic.com/33lnw45.jpg)
So, how do I remove all these blocks so that I can use the Torrent network without any problems?
Thanks
Bye
Anybody understand what I'm doing wrong?
Thanks
Bye
Can you help me solve this problem?
Thanks
Bye
I have noticed that, when I create and apply the Torrent rule, an error appears (see attachment). Where am I wrong?
Thanks
Bye
Help!!!
You could start by trying with actual port number & ip instead of aliases and see if that makes any difference.
Now, no error appears but, when I check the port, the Internet service indicates that its status is closed. How come?
Thanks
Bye
So, how do I open the ports? In other words, why doesn't my NAT rule, which should open the Torrent port, work?
Thanks
Bye
I don't know, sorry... It seems to be fine, but it isn't... Even your PC firewall might be interfering, or even the modem, if the bridge mode is not quite a bridge... I don't really know.
It's difficult to find an answer having just bits, and just from one single link in the chain.
There is no firewall enabled on the LAN computers.
The VDSL2 router should be set up correctly in Bridge mode because, a few months ago, I had a firewall hardware with pfSense and I did not have this problem. How come?
One thing I never understood: If I turn off NAT on the router, I can no longer access the Internet from the LAN computers. This happens with the old and the new firewall hardware. How come?
With OPNSense, is it possible to configure it so that it also acts as a full NAT for the entire LAN so that I can completely disable the router's firewall?
Thanks
Bye
Anybody still want to help me?
Thanks
Bye
Quote from: balubeto on January 09, 2019, 06:23:34 PM
There is no firewall enabled on the LAN computers.
The VDSL2 router should be set up correctly in Bridge mode because, a few months ago, I had a firewall hardware with pfSense and I did not have this problem. How come?
I never used pfSense, but I have a NAS (FreeNAS) and multiple services (like FTP) and plugins (like Transmission - a torrent client, Plex, Emby, NextCloud etc.) behind OPNsense and everything works like a charm accessed from both LAN and from WAN. I so conclude that your problem is not a "works with that, but not with this" problem.
Quote from: balubeto on January 09, 2019, 06:23:34 PM
One thing I never understood: If I turn off NAT on the router, I can no longer access the Internet from the LAN computers. This happens with the old and the new firewall hardware. How come?
A very expected behavior: your IPs set for LAN are not routable, so you can't access internet without a NAT device.
Quote from: balubeto on January 09, 2019, 06:23:34 PM
With OPNSense, is it possible to configure it so that it also acts as a full NAT for the entire LAN so that I can completely disable the router's firewall?
OPNsense already does that, full NAT, but NAT is a FW function. Can't really turn off FW, in its entirety, without turning off NAT. There are settings and/ or rules for completely "avoiding" one or the other (as in, allow everything from anywhere to anywhere, and/ or translate everything from this WAN address to this LAN address, or the other way around, or no NAT at all), but otherwise you either have it as a router only, or as a router + FW (and with or without NAT).
I say it again: without directly seeing every link in the chain, every device on the path of your internet connection, I declare myself unable to help.
I truly hope you'll figure it out.
A good day to you!
How do I enable the OPNSense NAT to make the dynamic IP, provided by my ISP, routable for the LAN? In other words, I would like to disable the NAT of the VDSL2 router using this Internet service with the computers on the LAN.
Thanks
Bye
Enable bridge mode in your router/modem configuration. If it doesn't offer it, look for one that does (e.g. https://www.draytek.co.uk/products/business/vigor-130)
Bart...
Quote from: bartjsmit on January 14, 2019, 06:09:29 PM
Enable bridge mode in your router/modem configuration. If it doesn't offer it, look for one that does (e.g. https://www.draytek.co.uk/products/business/vigor-130)
Bart...
Sorry but my router is already in Bridged mode also because I use the PPPoE protocol of the firewall to use the Internet. So, my firewall hardware knows my public dynamic IP and the various DNS used by my provider.
So, how do I set OPNSense to do what I want to do?
Thanks
Bye
Quote from: balubeto on January 14, 2019, 06:58:47 PM
So, how do I set OPNSense to do what I want to do?
Thanks
Bye
The answer, actually the answers, were all given in previous replies here. At least, all the answers regarding exactly that, OPNsense config. As I stated before, something is amiss and not necessarily on OPNsense config... So I kindly ask you to allow me to say that keeping asking here what you should do is not enough any more... This is the most anyone limited to forum can help.
Good luck!