OPNsense Forum

English Forums => General Discussion => Topic started by: baqwas on June 09, 2020, 10:49:48 PM

Title: Newbie Request First Firewall NAT Port Forward Settings Review
Post by: baqwas on June 09, 2020, 10:49:48 PM
Hello,
As a newbie, I don't want to mess up the default configuration. I have a simpleton understanding of port forwarding having used it successfully with consumer level SOHO routers. I would appreciate it very much if someone could review the following settings to forward unsolicited inbound HTTPS requests to a LAN web server (before I click the Save button):

Firewall > NAT > Port Forward
Interface: WAN
TCP/IP Version: IPv4+IPv6
Protocol: TCP
Source: any
Source port range: from HTTPS to HTTPS
Destination: Single host or Network, 192.168.11.12 / 24
Destination port range: from HTTPS to HTTPS
Redirect target IP: no selection
Redirect target port: no selection
Pool Options: Default
Log: unchecked
Description: Unsolicited inbound web server traffic
Set local tag: no entry
Match local tag: no entry
No XMLRPC Sync: no entry
NAT reflection: Use system default
Filter rule association: Add associated filter rule


Is this the only rule that I need to set for the stated objective to host a web server (albeit with a static page) for viewing from the Internet? Anything else I need to be aware of in terms of locking down other unsolicited inbound traffic?

I'm requesting a review simply because I made a mess with my initial attempt and had to resort to restoring factory defaults. Hence, this thread is being done gingerly hoping that the broader community will help a newbie to start using OPNsense in a fairly simple but robust way. Many thanks for any advice.

Kind regards.
Title: Re: Newbie Request First Firewall NAT Port Forward Settings Review
Post by: Northguy on June 10, 2020, 08:03:39 AM
Source, any. Destination should be WAN address. Target IP /port should be host within your network. Check the port where your host is listening for web traffic.

Nothing wrong with saving and testing. It is easy to delete or disable the rule at any time.
Title: Re: Newbie Request First Firewall NAT Port Forward Settings Review
Post by: baqwas on June 11, 2020, 04:09:28 AM
Thx, @Northguy. Appreciate the feedback. Your explanation helps me understand the difference between Destination and Target IP since my prior experience with SOHO routers did not require the WAN address explicitly.

Will follow your suggestion to test one step at a time.

Kind regards.
Title: Re: Newbie Request First Firewall NAT Port Forward Settings Review
Post by: Northguy on June 11, 2020, 09:12:35 AM
Please note that Port on WAN address might be port 80 for http traffic, but your server in the internal network might be listening on a completely different port.

Following might shed some light also:
https://docs.opnsense.org/manual/nat.html
https://forum.opnsense.org/index.php?topic=8783.0

I would not change reflection to something other than standard settings (as suggested in 2nd link) unless specifically necessary. I don't have much knowledge on it, but never seemed to have the need for it in my setup.
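
Added example, not part of the forum thread and not OPNsense code: a small Python check that applies the review points from the replies above (source any, destination the WAN address, redirect target a host and port inside the network) to the settings from the first post. The dictionary keys are hypothetical stand-ins for the GUI fields, and the corrected redirect port assumes the web server listens on HTTPS.

```python
import ipaddress

PORT_ALIASES = {"HTTP": 80, "HTTPS": 443}  # port aliases as they appear in the posted settings

def _port(value):
    """Resolve an alias or number to a valid TCP port, or None if unset/invalid."""
    value = PORT_ALIASES.get(str(value).upper(), value)
    try:
        port = int(value)
    except (TypeError, ValueError):
        return None
    return port if 1 <= port <= 65535 else None

def review_port_forward(rule):
    """Return a list of findings for a WAN port-forward rule (hypothetical field names)."""
    findings = []
    # Clients connect from ephemeral ports, so a fixed source port matches almost nothing.
    if str(rule.get("source_port", "any")).lower() != "any":
        findings.append("source_port: set to any")
    # Destination is what the outside world addresses: the WAN address, not the LAN host.
    dest = rule.get("destination", "")
    if dest != "WAN address":
        try:
            if ipaddress.ip_network(dest, strict=False).is_private:
                findings.append("destination: internal address, use WAN address")
        except ValueError:
            findings.append("destination: unrecognised value")
    if _port(rule.get("destination_port")) is None:
        findings.append("destination_port: not a valid port")
    # The internal host and the port it actually listens on go in the redirect target.
    try:
        ipaddress.ip_address(str(rule.get("redirect_target_ip") or ""))
    except ValueError:
        findings.append("redirect_target_ip: set to the internal web server")
    if _port(rule.get("redirect_target_port")) is None:
        findings.append("redirect_target_port: set to the port the server listens on")
    return findings

# Constructed from the settings in the first post.
POSTED = {"source_port": "HTTPS", "destination": "192.168.11.12/24",
          "destination_port": "HTTPS", "redirect_target_ip": None,
          "redirect_target_port": None}
# Same rule after applying the replies; redirect port is an assumption.
CORRECTED = {"source_port": "any", "destination": "WAN address",
             "destination_port": "HTTPS", "redirect_target_ip": "192.168.11.12",
             "redirect_target_port": "HTTPS"}

if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, review_port_forward(rule) or "no findings")
```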