OPNsense Forum

Topic started by: woxfi on July 20, 2022, 08:07:37 AM

Title: PORT FORWARD NOT WORKING PROPERLY
Post by: woxfi on July 20, 2022, 08:07:37 AM
So I have one main IP (public) assigned to the firewall, and added two public IPs in the Virtual IPs.
I set up a port forward for port 222 on x.x.x.4/27 (public IP) to forward it to port 22 on 10.10.2.2. It works pretty well.
Again, I added a similar rule to forward 223 on x.x.x.4/27 to port 22 on 10.10.2.3, and it works too.

Then I created another VM, gave it IP 10.10.2.4, and created a new rule for x.x.x.5/27 (public IP already in Virtual IPs): incoming requests on port 222 on this IP x.x.x.5 forward to port 22 on the 10.10.2.4 VM, but it forwards me to 10.10.2.2.

Any insights would be nice, thank you.
Title: Re: PORT FORWARD NOT WORKING PROPERLY
Post by: Patrick M. Hausen on July 20, 2022, 09:09:45 AM
You need to set the netmasks for the external addresses to /32 in your rules.
Title: Re: PORT FORWARD NOT WORKING PROPERLY
Post by: woxfi on July 20, 2022, 09:55:46 AM
You mean in Virtual IP addresses?

I have set two IPs in Virtual IP:
X.X.X.4/32
X.X.X.5/32

Then updated the rules

Firewall -> NAT -> Port Forward

SSH to X.X.X.4 on port 222 goes to 10.10.2.2
SSH to X.X.X.4 on port 223 goes to 10.10.2.3
SSH to X.X.X.5 on port 222 also goes to 10.10.2.2, it should have gone to 10.10.2.4
Title: Re: PORT FORWARD NOT WORKING PROPERLY
Post by: Patrick M. Hausen on July 20, 2022, 11:14:41 AM
In your port forwarding rules. In your first post you wrote e.g. "x.x.x.4/27" - that needs to be x.x.x.4/32.
Title: Re: PORT FORWARD NOT WORKING PROPERLY
Post by: woxfi on July 20, 2022, 11:23:13 AM
It's working after the Virtual IPs were each set to ip/32. The SSH port is working; I will do some more forwardings and will post results.

Thank you so much for helping.
Title: Re: PORT FORWARD NOT WORKING PROPERLY
Post by: Patrick M. Hausen on July 20, 2022, 01:26:47 PM
In Interfaces > Virtual IPs > Settings keep the same netmask as for your primary IP address, probably /27.
In Firewall > NAT > Port Forwarding (and all firewall rules where you want to do something with a single VIP) use a /32 netmask, meaning "only a single address".
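Added example, not part of the thread and not OPNsense code: a small Python audit that reproduces the symptom reported above and flags port-forward rules that can never match. It assumes first-match rule evaluation and that a destination written with a mask matches the whole network; `203.0.113.0/27` is a constructed stand-in for the thread's `x.x.x.0/27`, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample rules: (destination as typed in the rule, external port, target)
RULES_BROKEN = [
    ("203.0.113.4/27", 222, "10.10.2.2:22"),
    ("203.0.113.4/27", 223, "10.10.2.3:22"),
    ("203.0.113.5/27", 222, "10.10.2.4:22"),
]
RULES_FIXED = [
    ("203.0.113.4/32", 222, "10.10.2.2:22"),
    ("203.0.113.4/32", 223, "10.10.2.3:22"),
    ("203.0.113.5/32", 222, "10.10.2.4:22"),
]


def dest_network(dest):
    # Assumption: with a mask, host bits are ignored, so .4/27 and .5/27
    # both describe the same network 203.0.113.0/27.
    return ipaddress.ip_network(dest, strict=False)


def translate(rules, dst_ip, dst_port):
    """Return the target of the first rule matching (dst_ip, dst_port), or None."""
    addr = ipaddress.ip_address(dst_ip)
    for dest, port, target in rules:
        if port == dst_port and addr in dest_network(dest):
            return target
    return None


def shadowed(rules):
    """Return indexes of rules fully covered by an earlier rule on the same port."""
    hits = []
    for i, (dest, port, _) in enumerate(rules):
        net = dest_network(dest)
        for earlier_dest, earlier_port, _ in rules[:i]:
            if earlier_port == port and net.subnet_of(dest_network(earlier_dest)):
                hits.append(i)
                break
    return hits


if __name__ == "__main__":
    for name, rules in (("/27 rules", RULES_BROKEN), ("/32 rules", RULES_FIXED)):
        print(name, "-> .5:222 goes to", translate(rules, "203.0.113.5", 222),
              "| shadowed rule indexes:", shadowed(rules))
```
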