Hi all, so this is something I was struggling with on the previous production series (19.7) and it's still an issue, after upgrading and after doing a complete fresh install of opnsense 20.1, restoring my config, and updating.
Essentially I'm trying to open up a port for TCP/UDP, and no matter what I try it doesn't open, sites like canyouseeme can't see the port open and trying to connect to something like a game through that port also doesn't work.
In this instance it's 25445 for one of my servers, DL380-G6 that's refusing to work.
I've cloned existing rules that do work, and show an open port on test sites, and allow connections, such as teamspeak, but when I try to add anything new it doesn't work and it's driving me absolutely insane.
On top of that I have a second public static IP which I want to use, however if I add that as a virtual IP it kills my network.
I had that working at one point too and then one day it shat the bed, and no longer worked so I had to move all my hosting back onto the first static IP.
I'm at my wit's end with this and have made a couple other topics about this with loads of screenshots and no solutions have been found so I'm hoping posting my whole damn config will maybe get someone who knows more about this to spot why the hell it isn't working.
Frankly I would switch over to pfsense since every google search is overloaded with results for that instead of opnsense but my hardware is too old for the newest versions.
Firstly, let's look at your 2nd WAN IP, the mask is wrong. Your primary IP is shown as having a 24 bit mask, yet you have put a 32 bit mask on your second IP - you only want it to talk to itself? Here's one of my aliases, my mask is set to 28 bit as that's what my ISP wants, I have use of up to 6 static IPs, this is one of them. This is all you need to enter.
(screenshot: https://i.ibb.co/6XsmLY0/IP-Alias-Settings.png)
Port forwarding works fine, I suggest you read this:
https://www.techrepublic.com/article/how-to-create-a-firewall-rule-with-opnsense/
Finally, you can still download an old version of pfsense if you wish:
http://mirror.transip.net/pfsense/downloads/
I've looked at a dozen or so different guides on port forwarding and made rules completely from scratch following them and the ports refuse to open, and I can't see them on the live firewall feed. That's why this is so frustrating, I made this rule following that link, as well as taking other rules for this exact same machine (dl380-g6) and simply changing the port and they don't work. It makes zero sense. I've even also set manual floating rules for these same ranges and they work for some that have been active for ages but new ones won't work. Rebooting doesn't help either.
Also I noticed after posting that the virtual IP was set to /32, and when I change it over to /24 it kills my internet connection.
I tried setting a one-to-one NAT rule to push everything through the .190 address but that didn't seem to help. I'm basically wanting everything to default to that, but for a couple select machines to be manually set to use .189 instead.
It was working at some point and then I'm not sure what happened but it stopped so I set everything back.
Honestly right now the port forwarding is the main thing. I know my firewalls are all set properly and these things work on the internal network but the ports just never open up to be visible from test pages or to other people.
Also I like open source stuff and I'm aware that the pfsense guys pulled some shady shit against opnsense so that's why I chose opnsense in the first place, and I like it, it's just that it's so frustrating right now.
Your Destination on port forwarding is wrong. In the link below he is using a VLAN, but the same applies to a normal LAN.
https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/#allow-remote-access-to-web-server-on-vlan-10-using-nat-port-forwarding
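The two replies above point at two separate config mistakes: the second static IP entered as a /32 alias when the primary WAN address is a /24, and the port forward's Destination field. Here is an added, stand-alone checker (not part of the thread or of OPNsense) that encodes both points against a constructed config; it assumes the Destination mistake is the usual one of pointing the rule at the internal host instead of the WAN address, and the addresses, subnets and the DL380-G6's LAN IP are placeholders since the real config is not on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed stand-ins for the poster's attached config (documentation ranges,
# not the real addresses): primary WAN /24, second static IP as a /32, LAN.
WAN_PRIMARY = "203.0.113.189/24"
WAN_ALIAS_AS_POSTED = "203.0.113.190/32"   # the /32 mask the reply flags
LAN_NET = "192.168.1.0/24"
DL380_G6 = "192.168.1.50"                  # hypothetical LAN address of the server

@dataclass
class PortForward:
    protocol: str      # "TCP/UDP", "TCP" or "UDP"
    destination: str   # address the rule matches on the WAN side
    dst_port: int      # port the outside world connects to
    target: str        # LAN host the traffic is redirected to
    target_port: int   # port on that host

def check_alias_mask(primary: str, alias: str) -> List[str]:
    """Compare a virtual-IP alias against the primary WAN interface address."""
    p = ipaddress.ip_interface(primary)
    a = ipaddress.ip_interface(alias)
    problems = []
    if a.network.prefixlen != p.network.prefixlen:
        problems.append(f"alias mask /{a.network.prefixlen} differs from WAN mask /{p.network.prefixlen}")
    if a.ip not in p.network:
        problems.append(f"alias {a.ip} is outside the WAN subnet {p.network}")
    return problems

def check_port_forward(rule: PortForward, wan_addrs: List[str], lan_net: str) -> List[str]:
    """Flag the Destination mistake the thread points out, plus an off-LAN target."""
    problems = []
    lan = ipaddress.ip_network(lan_net)
    wan = {ipaddress.ip_address(x) for x in wan_addrs}
    dest = ipaddress.ip_address(rule.destination)
    if dest in lan:
        problems.append("Destination is the LAN host; it must be the WAN address the packet arrives on")
    elif dest not in wan:
        problems.append(f"Destination {dest} is not one of this firewall's WAN addresses")
    if ipaddress.ip_address(rule.target) not in lan:
        problems.append(f"redirect target {rule.target} is not on {lan}")
    return problems

# The forward as assumed above (Destination = the server itself) next to the fix.
AS_POSTED = PortForward("TCP/UDP", DL380_G6, 25445, DL380_G6, 25445)
FIXED = PortForward("TCP/UDP", "203.0.113.189", 25445, DL380_G6, 25445)
if __name__ == "__main__":
    for name, rule in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(name, check_port_forward(rule, ["203.0.113.189", "203.0.113.190"], LAN_NET) or "ok")
    print("alias", check_alias_mask(WAN_PRIMARY, WAN_ALIAS_AS_POSTED) or "ok")
```

Running it prints one finding for the as-posted rule and for the /32 alias, and "ok" for the corrected rule; swap in your own addresses to check a real rule set before touching the live firewall.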