OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: WJScott on July 03, 2019, 03:34:29 PM

Title: NAT - Port Forward not working from Windows PC's
Post by: WJScott on July 03, 2019, 03:34:29 PM
Odd situation...

I have set up a NAT/PF that redirects port 4433 to 443 for the dashboard UI so that I can access it externally (This is a personal setup). The odd thing is that from my phone Android/Chrome I can access it.
Trying from 2 different laptops (One Corporate controlled and the other personal) I am not. I have tried IE, Chrome, Opera and Firefox browsers to no avail.

What is going on?
Any help would be appreciated!
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: WJScott on July 03, 2019, 04:11:13 PM
And for clarity, I have also tried to do this for RDP using an alternate port inbound and redirect it to 3389 to no avail.
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: WJScott on July 03, 2019, 05:34:16 PM
This is baffling!

I've inserted a NAT to redirect 3389:

-Interface:                                WAN
-TCP/IP Version:                      IPv4   
-Protocol:                               TCP
-Source:                                 Any
-Source port range   
                     from:                MS RDP
                     to:                MS RDP
-Destination:                          WAN Address
-Destination port range   
                     from:                MS RDP
                     to:                MS RDP
-Redirect target IP:                 192.168.0.240
-Redirect target port:              MS RDP
-NAT Reflection:                      Enabled (Have tried disabled also)
-Filter rule association:            Yes

Automatic Rule Created:
-Proto:                                    IPv4 TCP
-Source:                                  *(Any)
-Port:                                      3389(MS RDP)
-Destination:                           192.168.0.240
-Port:                                      3389(MS RDP)
-Gateway:                               *(Any)
-Schedule:
-Description:                           NAT

With the above F/W rule the attempt is denied:

__timestamp__   Jul 3 15:30:53
ack   
action    [block]
anchorname   
datalen   0
dir    [in]
dst   192.168.0.250
dstport   3389
ecn   
id   53827
interface   em0
ipflags   DF
label   Default deny rule
length   52
offset   0
proto   6
protoname   tcp
reason   match
ridentifier   0
rulenr   3
seq   2596550757
src   174.228.133.87
srcport   1240
subrulenr   
tcpflags   S
tcpopts   
tos   0x20
ttl   110
urp   64240
version   4

Create a manual rule:
-Proto:                                    IPv4 TCP/UDP
-Source:                                  *(Any)
-Port:                                      *(Any)
-Destination:                           192.168.0.250
-Port:                                      3389(MS RDP)
-Gateway:                               *(Any)
-Schedule:
-Description:                           

Nothing gets entered into the log with the manual rule enabled, disable it and the deny continues?
I don't see how this could be expected behavior, help?


Title: Re: NAT - Port Forward not working from Windows PC's
Post by: WJScott on September 05, 2019, 01:44:27 AM
WOW!

Not sure what else to say!
It's been multiple months and over 100 have read the thread but not one contributor to help me resolve the issue.
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: tong2x on September 05, 2019, 02:54:35 AM
you are redirecting to itself?
what's with the 4433 and 433?
based on the rules you created it was never used?

to open a port go to
Firewall: NAT: Port Forward
disabled: unchecked
interface: {your wan interface}
TCP: ipv4 or 6
Protocol: TCP
Destination: {This firewall}
destination port range: whatever ports you want to open, ex. external ports 4433
redirect target ip: {internal IP, ex 192.168.0.240}
redirect port: {it's not the same as external... ex http or 80 if an internal webserver}


Firewall: NAT: Port Forward EXAMPLE a webserver
disabled: unchecked
interface: {WAN1; your wan interface}
TCP: ipv4 or 6
Protocol: TCP
Destination: {This firewall, or ip of firewall}
destination port range: 99 (whatever ports you want to open)
redirect target ip: 192.168.0.240 {your target internal IP or internal server ip}
redirect port: 80 {because it is a webserver}
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: tong2x on September 05, 2019, 03:00:04 AM
do not answer the "source"

your destination is the firewall, since it is the one blocking your internal network
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: petrus on September 05, 2019, 08:31:45 AM
Hi,

if the source port is defined for most protocols, it's randomly chosen, from a pool of high ports. In 99,99% of the cases you do not restrict the source port in a firewall/NAT rule. Your rule will never match because the source port will never be TCP 3389 for RDP or 443 for https. It's the destination port you choose.

BR P
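
Added example (not part of the post above and not OPNsense code): a small Python model that replays the blocked packet from the log earlier in the thread against the port-forward entry as posted, and against the same entry with the source port left at any. `PortForward`, `parse_log` and `evaluate` are hypothetical names, and treating the logged `dst` as the WAN address is an assumption.

```python
from dataclasses import dataclass

# Fields copied from the blocked packet in the log quoted earlier in the thread.
LOG_ENTRY = """\
ack
action    [block]
dst   192.168.0.250
dstport   3389
protoname   tcp
src   174.228.133.87
srcport   1240
"""

@dataclass
class PortForward:  # hypothetical model of a port-forward entry, not an OPNsense API
    proto: str
    dst_ip: str               # address the rule listens on
    dst_ports: tuple          # (from, to)
    target: tuple             # redirect target (IP, port)
    src_ports: tuple = None   # None means "any"

def parse_log(text):
    """Parse the 'key value' dump into a dict; keys with no value are skipped."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1].strip()
    return fields

def evaluate(rule, pkt):
    """Return (matched, detail): first failing criterion or rewritten destination."""
    sport, dport = int(pkt["srcport"]), int(pkt["dstport"])
    if pkt["protoname"] != rule.proto:
        return False, "protocol"
    if pkt["dst"] != rule.dst_ip:
        return False, "destination address"
    if not rule.dst_ports[0] <= dport <= rule.dst_ports[1]:
        return False, "destination port"
    if rule.src_ports and not rule.src_ports[0] <= sport <= rule.src_ports[1]:
        return False, f"source port {sport} outside {rule.src_ports}"
    return True, "%s:%d" % rule.target

PACKET = parse_log(LOG_ENTRY)
WAN = PACKET["dst"]  # assumption: the logged dst is the firewall's WAN address
AS_POSTED = PortForward("tcp", WAN, (3389, 3389), ("192.168.0.240", 3389), (3389, 3389))
SRC_ANY = PortForward("tcp", WAN, (3389, 3389), ("192.168.0.240", 3389))
print("as posted :", evaluate(AS_POSTED, PACKET))
print("source any:", evaluate(SRC_ANY, PACKET))
```

With the source port range set to MS RDP the SYN from port 1240 fails the source-port test and falls through to the default deny seen in the log; with source port any the same packet is rewritten to the redirect target.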
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: WJScott on September 05, 2019, 04:51:38 PM
All,

I appreciate the reply, but there are no 4433 and 433 in any of the data I provided.
This was a simple Port Forward, not even a redirect, so the inbound port is looking to be redirected from my external router via the DMZ redirect (Any/Any) to the OPNsense appliance and it is failing.

Being that I could not wait any longer I have established the rule on the external router and it is working fine, and to be able to support multiple I have refocused on port redirection 8080 --> 3389 (Yes, MS RDP).
I have monitored all the logs and see the traffic being passed to the target but no session is established, but a direct RDP session works fine bypassing the OPNsense appliance.

Using 8080 as I know it is an open port at my location.

Below is my configuration of the NAT:

Disabled:                Unchecked
No RDR:                 Unchecked
Interface:               WAN
TCP/IP Version:       IPV4
Protocol:                TCP
Source:                  Any/Any/Any
Dest/Invert:           Unchecked
Destination:           WAN Address
Destination Port:    From: 8080 - To: 8080
Redirect Target IP:  RDP (Alias)
Redirect Port:         MS RDP [3389]
Pool Options:         Default
Log:                      Checked
Description:           Port Redirect 33389 --> 3389
NAT Reflection:      Enabled
Filter Rule assoc:   None (Manually Created)

Firewall Rule 01:
Action:                  Allow
Disabled:               Unchecked
Quick:                   Checked
Interface:              WAN
Direction:              IN
TCP/IP Ver:           IPv4
Protocol:               TCP
Source/Invert:       Unchecked
Source:                 Any/Any/Any
Destination:           RDP (Alias)
Dest Port Range:    From: MS RDP [3389] to: MS RDP [3389]
Log:                      Checked

Firewall Rule 02:
Action:                 Allow
Disabled:              Unchecked
Quick:                  Checked
Interface:             WAN
Direction:             IN
TCP/IP Ver:           IPv4
Protocol:              TCP
Source/Invert:      Unchecked
Source:                Any/Any/Any
Destination:          WAN Address
Dest Port Range:   From: 8080 to: 8080
Log:                     Checked


I see the traffic being allowed in the F/W log but no session is established with the redirect.
OPNsense just does not seem to work any longer for this function. Or I am doing something really wrong and I am blind.
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: tong2x on September 05, 2019, 07:55:14 PM
destination should be "this firewall" not wanaddress if you want to port forward

yes, writing wanaddress sounds correct but the destination is "thisfirewall"
you already indicated that you have tapped the "wan" port

(modem)---dmz opnsense/or port forward---(opnsense server)---nat port forward---(clients)
maybe you could write a network diagram
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: WJScott on September 10, 2019, 04:50:44 PM
Changing the Destination to "This Firewall" made no change.
Diagram Below:
http://www.greenscott.com:8383/LABNet.png
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: tong2x on September 11, 2019, 03:24:31 AM
does your OPNsense have a public IP?
how is the WAN configured in your OPNsense?
Title: Re: NAT - Port Forward not working from Windows PC's
Post by: WJScott on September 13, 2019, 05:18:55 PM
It does not have a public IP, only an internal, that the xFinity router forwards (DMZ Port) all traffic to 192.168.0.250/24.