Hello,
I have a strange problem with port forwarding.
To me it seems that on the return path the outgoing port is wrong.
This results in a broken TCP stream and a connection that does not work.
My setup is:
WAN --- OPNsense WAN / OPNsense LAN --- Backend Server
There is a NAT on the WAN interface to the backend server:
Interface Proto Address Ports Address Ports IP Ports Description
WAN TCP/UDP * * WAN address 64738 10.10.10.10 64738
When I connect from the WAN side to the firewall I see the following tcpdump on the LAN side:
20:23:24.183448 IP 213.33.44.55.57058 > 10.10.10.10.64738: Flags [S], seq 3531215161, win 29200, options [mss 1460,sackOK,TS val 427892498 ecr 0,nop,wscale 7], length 0
20:23:24.184152 IP 10.10.10.10.64738 > 213.33.44.55.57058: Flags [S.], seq 1844491920, ack 3531215162, win 65160, options [mss 1460,sackOK,TS val 3780645410 ecr 427892498,nop,wscale 7], length 0
The connection from 213.33.44.55 with high port 57058 to 10.10.10.10 and target port 64738 is correct.
Also the answer from target port 64738 to high port 57058 is correct and follows the TCP stream.
But on the WAN side the tcpdump shows the following:
20:23:24.183326 IP 213.33.44.55.57058 > 95.213.33.44.64738: Flags [S], seq 3531215161, win 29200, options [mss 1460,sackOK,TS val 427892498 ecr 0,nop,wscale 7], length 0
20:23:24.184199 IP 95.213.33.44.56286 > 213.33.44.55.57058: Flags [S.], seq 1844491920, ack 3531215162, win 65160, options [mss 1460,sackOK,TS val 3780645410 ecr 427892498,nop,wscale 7], length 0
20:23:24.184297 IP 95.213.33.44.56286 > 213.33.44.55.57058: Flags [S.], seq 1844491920, ack 3531215162, win 65160, options [mss 1460,sackOK,TS val 3780645410 ecr 427892498,nop,wscale 7], length 0
The IP, the ports and the destination port of the incoming connection are correct.
But the outgoing reply is not from the expected port 64738, and so the TCP session breaks.
The random other high port (56286) matches no session and the return packet is dropped.
There is also no ACK packet, and the firewall also makes a packet retransmit.
With pftop I can also see the wrong port:
tcp In 213.33.44.55:5058 10.10.10.10:64738 SYN_SENT:ESTABLISHED 00:00:03 00:00:30 7 420
tcp Out 213.33.44.55:5058 10.10.10.10:64738 ESTABLISHED:SYN_SENT 00:00:03 00:00:30 7 420
tcp Out 95.213.33.44:19810 213.33.44.55:5058 SYN_SENT:CLOSED 00:00:03 00:00:30 4 240
The pf rule for NAT is:
rdr on vmx0 inet proto tcp from any to (vmx0) port = 64738 -> 10.10.10.10 port 64738
rdr on vmx0 inet proto udp from any to (vmx0) port = 64738 -> 10.10.10.10 port 64738
pass in quick on vmx0 reply-to (vmx0 95.213.33.44) inet proto tcp from any to 10.10.10.10 port = 64738 flags S/SA keep state label "ee17c60321be0a31ede97b6a7914d3fd"
pass in quick on vmx0 reply-to (vmx0 95.213.33.44) inet proto udp from any to 10.10.10.10 port = 64738 keep state label "ee17c60321be0a31ede97b6a7914d3fd"
With an additional outbound NAT rule I was also not able to fix the problem.
nat on vmx0 inet from 10.200.0.50 port = 64738 to any -> (vmx0:0) static-port
I have no idea where the configuration issue is; maybe someone can help me.
Kind regards,
Gerald Prock
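A small check that makes the symptom in the post mechanical, added here as an example and not part of the original post or of OPNsense: it parses tcpdump lines, pairs each SYN-ACK with the SYN it answers, and reports when the reply's source port is not the port the client connected to (the 64738 vs 56286 mismatch seen on the WAN side). The capture strings are the two tcpdumps quoted above, shortened to the fields the check needs; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Sample input, taken from the WAN-side capture in the post: inbound SYN to
# 64738, reply SYN-ACK leaving from a rewritten source port 56286.
WAN_CAPTURE = """\
20:23:24.183326 IP 213.33.44.55.57058 > 95.213.33.44.64738: Flags [S], seq 3531215161, win 29200, length 0
20:23:24.184199 IP 95.213.33.44.56286 > 213.33.44.55.57058: Flags [S.], seq 1844491920, ack 3531215162, win 65160, length 0
20:23:24.184297 IP 95.213.33.44.56286 > 213.33.44.55.57058: Flags [S.], seq 1844491920, ack 3531215162, win 65160, length 0
"""

# Sample input, taken from the LAN-side capture in the post: the healthy case,
# the backend answers from the same port the SYN was sent to.
LAN_CAPTURE = """\
20:23:24.183448 IP 213.33.44.55.57058 > 10.10.10.10.64738: Flags [S], seq 3531215161, win 29200, length 0
20:23:24.184152 IP 10.10.10.10.64738 > 213.33.44.55.57058: Flags [S.], seq 1844491920, ack 3531215162, win 65160, length 0
"""

# tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(text: str) -> list[Packet]:
    """Turn tcpdump output into Packet records; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(Packet(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return pkts


def reply_port_mismatches(pkts: list[Packet]) -> list[tuple[int, int]]:
    """Return (expected_port, actual_port) for every SYN-ACK whose source port
    differs from the port the matching SYN was sent to. Empty list = healthy."""
    syns = {(p.src, p.sport, p.dst, p.dport) for p in pkts if p.flags == "S"}
    found = set()
    for p in pkts:
        if p.flags != "S.":
            continue
        for client_ip, client_port, server_ip, server_port in syns:
            # A reply to that SYN goes back to the client's (ip, port) from the server ip
            if (p.dst, p.dport, p.src) == (client_ip, client_port, server_ip):
                if p.sport != server_port:
                    found.add((server_port, p.sport))
    return sorted(found)
```

Run it over a capture taken on each interface; a non-empty result on one side only points at the translation happening on that hop rather than at the backend.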
I'm also having problems port forwarding a LAN address.
Maybe you have a manual outbound NAT with source any which also matches the port forward?