Hello,
I have a dual WAN setup with both WANs on tier 1 for load balancing. I disabled sticky connections as well, since the websites I use don't care which IP is used. For the dual WAN setup I followed the official OPNsense documentation.
WAN1 is DHCP and WAN2 is PPPoE. Port forwarding works like a charm on the PPPoE WAN (WAN2) with the setup below.
However, on the DHCP WAN (WAN1) the port forwarding does not work.
My current setup is:
firewall -> group:
added both wan interfaces into a "wan_group" group
firewall -> settings -> advanced:
Reflection for port forwards - turned on
Automatic outbound NAT for Reflection - turned on
(Sticky connections - turned off as mentioned above)
firewall -> NAT -> port forward:
port forward rule:
interface - wan_group
destination - wan_group net
pool options - round robin
NAT reflections - use system default
filter rule association - rule (can confirm these rules are generated in firewall -> rules -> wan_group)
I also tried making a new port forward rule, the same as the one above but with:
interface - WAN1
destination - WAN1 address, or "Single host or Network" with the IP received from the ISP's DHCP, but it didn't work.
I also tried changing round robin to default, and disabling Reflection for port forwards and Automatic outbound NAT for Reflection, and that also didn't help.
I tried enabling logging on said rule in firewall -> rules -> wan_group and tested it with an external port test website:
- WAN2 did appear in log and port forwarded successfully
- WAN1 did not appear in log and did not port forward
I did manage to port forward on WAN1 on MikroTik before I switched to OPNsense.
If hardware is relevant, I use an HP EliteDesk 800 G2 SFF (i7-6700 version with 16 GB RAM, 2x 256 GB SSDs in a ZFS mirror) and LAN + WANs are plugged into an IBM Intel I340-T4 NIC (all hardware offloads disabled due to Suricata on the LAN interface, and yes, I checked the Suricata alerts and there are none for the server I am trying to port forward to).
This is my first time using a BSD-based router (about 4 days now). Previously I used MikroTik, where everything worked, but there were barely any ways to use IDS/IPS, and OPNsense already has the ET Telemetry version, which I am using.
Sorry if I am missing something, I am still studying networking (mainly Cisco; other platforms I learn by myself + documentation).
Thanks for the help :D
Just out of curiosity, does this setup work WITH sticky connections enabled?
As sticky connections were on by default, I was first looking around in the settings with it turned on and trying to troubleshoot it with no luck. For the sake of your question, I turned it back on with the same setup as described in the first post and it still didn't work.
I don't know if it's a faux pas to do this, so don't kill me, but given the common roots with pfSense I thought this may help:
https://docs.netgate.com/pfsense/en/latest/multiwan/nat.html
Haven't tested the guidance myself yet but I'm in a similar situation.
Yep, I already read that.
So I just re-read your setup and I think I'm confused now:
1. You have it listed that you created a port forward with the interface "wan_group"? I assume you mean you manually selected each WAN? (i.e. my WAN group doesn't show in the interface list)
2. Your destination is the WAN group net? Wouldn't you be forwarding to a host behind the WAN? Not to itself?
1. If you go to firewall -> group you can add an interface by adding multiple interfaces.
2. To my knowledge wan_group net is the subnet that is provided by the ISPs, and the PPPoE WAN works with this setup.
1. Gotcha, so you created a group.
2. If the WAN group is the same group you created of interfaces, wouldn't "net" be the addresses within that same subnet? For port FORWARDING, the point is to forward requests to port "X" on the WAN IPs to a specific machine behind the WAN, within your LAN.
From the sounds of it, you're port forwarding on the WAN interfaces, which does NOT include LAN addresses, to itself. Which would not work.
Can you change/add a forward and point the destination to the specific LAN address of the server/host you're forwarding to?
2. Only the Destination field is using wan group net,
Destination port range + Redirect target port are using an alias (type -> Port(s)) with ports as values
Redirect target IP is using an alias (type -> Host(s)) with machine's LAN IP
Port forwards are for hosting something on your network and publishing it on the internet.
Example: you have a web server inside your network on your LAN, on IP address say 192.168.1.1.
I would make 2 NAT port forwards, one for each WAN, if you wanted HTTP traffic inbound, like this, and enable sticky connections:
firewall -> NAT -> port forward:
port forward rule:
interface - wan1
Proto - TCP
Source - any
Source port - any
destination - This Firewall
Destination port - HTTP
Redirect target IP - IP address of the LAN device you want to forward HTTP traffic to (say 192.168.1.1)
Redirect target port - HTTP
NAT reflections - use system default
Filter rule association - Add associated filter rule
firewall -> NAT -> port forward:
port forward rule:
interface - wan2
Proto - TCP
Source - any
Source port - any
destination - This Firewall
Destination port - HTTP
Redirect target IP - IP address of the LAN device you want to forward HTTP traffic to (say 192.168.1.1)
Redirect target port - HTTP
NAT reflections - use system default
Filter rule association - Add associated filter rule
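The two GUI rules above, written out in the pf syntax that OPNsense's rule generator ultimately produces on FreeBSD. This is an added illustration, not text from the post or OPNsense's actual generated output; the interface names igb0/igb1 (standing in for wan1/wan2) and the target 192.168.1.1 are assumed.

```pf
# Assumed: igb0 = wan1 (DHCP), igb1 = wan2 (PPPoE); LAN web server 192.168.1.1.
# "(igb0)" in parentheses tells pf to re-read the interface's current address
# on every lookup, so the rule keeps matching after the DHCP lease or PPPoE
# session assigns a new IP. This is what the GUI's "wan1 address" (and, for
# traffic arriving on that WAN, "This Firewall") resolves to; a literal IP
# copied from today's lease stops matching as soon as the ISP changes it.
rdr on igb0 inet proto tcp from any to (igb0) port 80 -> 192.168.1.1 port 80
rdr on igb1 inet proto tcp from any to (igb1) port 80 -> 192.168.1.1 port 80

# "Add associated filter rule": by the time the filter runs, rdr has already
# rewritten the destination, so the pass rule matches the LAN host, not the
# WAN address. Keeping it per interface also makes the log entry show which
# WAN the connection arrived on, which is how the thread confirmed WAN2 worked.
pass in quick on igb0 inet proto tcp from any to 192.168.1.1 port 80 keep state
pass in quick on igb1 inet proto tcp from any to 192.168.1.1 port 80 keep state
```

On the firewall itself, `pfctl -sn` lists the loaded NAT/rdr rules and `pfctl -sr` the filter rules, which is a quick way to check that a rule for each WAN interface actually exists.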
Quote from: KILLERMANTV on August 16, 2022, 07:59:44 PM
2. Only the Destination field is using wan group net,
Destination port range + Redirect target port are using an alias (type -> Port(s)) with ports as values
Redirect target IP is using an alias (type -> Host(s)) with machine's LAN IP
Why would the directed IP be an alias? That port can only be forwarded to one IP.
Quote from: axsdenied on August 17, 2022, 05:43:18 AM
Quote from: KILLERMANTV on August 16, 2022, 07:59:44 PM
2. Only the Destination field is using wan group net,
Destination port range + Redirect target port are using an alias (type -> Port(s)) with ports as values
Redirect target IP is using an alias (type -> Host(s)) with machine's LAN IP
Why would the directed IP be an alias? That port can only be forwarded to one IP.
It's an alias in case I ever have to change my machine's IP; the alias only contains 1 IP address.
Quote from: nzkiwi68 on August 17, 2022, 01:05:06 AM
Port forwards are for hosting something on your network and publishing it on the internet.
Example: you have a web server inside your network on your LAN, on IP address say 192.168.1.1.
I would make 2 NAT port forwards, one for each WAN, if you wanted HTTP traffic inbound, like this, and enable sticky connections:
firewall -> NAT -> port forward:
port forward rule:
interface - wan1
Proto - TCP
Source - any
Source port - any
destination - This Firewall
Destination port - HTTP
Redirect target IP - IP address of the LAN device you want to forward HTTP traffic to (say 192.168.1.1)
Redirect target port - HTTP
NAT reflections - use system default
Filter rule association - Add associated filter rule
firewall -> NAT -> port forward:
port forward rule:
interface - wan2
Proto - TCP
Source - any
Source port - any
destination - This Firewall
Destination port - HTTP
Redirect target IP - IP address of the LAN device you want to forward HTTP traffic to (say 192.168.1.1)
Redirect target port - HTTP
NAT reflections - use system default
Filter rule association - Add associated filter rule
Thank you for your post, it solved my problem.
The trick was setting the Destination to This Firewall (wan_group net somehow only worked for the PPPoE WAN) AND the interface to wan1 + wan2, not wan_group.
I have set up the port forward rule with:
interface -> wan1 wan2
destination -> This Firewall
the rest is the same.
My question is: is having 2 rules, one for each WAN, best practice/more secure than having one rule?
It relies less on built-in "magic" and is, in my opinion, easier to understand when reviewed. So I would prefer two separate rules with the "XYZ address", too.
Quote from: pmhausen on August 17, 2022, 03:30:41 PM
It relies less on built-in "magic" and is, in my opinion, easier to understand when reviewed. So I would prefer two separate rules with the "XYZ address", too.
Thank you for your response, I changed it to separate rules.
Glad it got resolved for you!