Hello,
I have a problem that has been driving me crazy for a week now. I had a very similar setup before and, due to moving, I had to redo it on a different machine.
Long story short, I use AirVPN as a second WAN. I used to use the old OpenVPN client, but I have now switched to instances [new]. The client connects perfectly fine, and hosts I want to go out over the VPN gateway go through it, but port forwarding through it simply isn't working no matter what I do.
The weirdest thing of all is that I see packets being logged by both the port forward rule and the firewall rule created by it.
To further test this I made a local Nginx site which I can access perfectly fine locally, but when I try to access it over my AirVPN WAN IP, both firewall rules log the traffic as allowed, which is expected, but I cannot load the page.
(https://imageupload.io/ib/uHMCBzRgjrgJN9y_1695897702.png)
(https://imageupload.io/ib/S6M7laOzypPYv9c_1695897702.png)
(https://imageupload.io/ib/zzEXFvNR5ouom9C_1695897702.jpg)
Any help would be greatly appreciated because I don't know what else to try here.
I remember this:
(it's German)
https://forum.opnsense.org/index.php?topic=35920.0
The solution was to enable "Advanced features: reply-to" with the VPN interface in the firewall rule that allows this port forward.
Quote from: Monviech on September 28, 2023, 12:57:02 PM
I remember this:
(it's German)
https://forum.opnsense.org/index.php?topic=35920.0
The solution was to enable "Advanced features: reply-to" with the VPN interface in the firewall rule that allows this port forward.
If I understand this right, I should enable the reply-to setting in the firewall rule on the VPN WAN interface that is generated by the port forward rule.
The issue is that I don't have the option to edit the firewall rules generated by port forward rules, and the port forward rule does not have such an option.
(https://imageupload.io/ib/0gmiPfOr8lk85jn_1695933154.png)
(https://imageupload.io/ib/9JZfN7HCCtmzgNV_1695933155.png)
Unless I misunderstood where this option should be set.
You could disable the linked firewall rule and recreate it manually with the advanced option set.
Also, if you set "Filter rule association: none" in the Port Forward rule, no linked firewall rule will be made.
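To make concrete what the "reply-to" advanced option changes, here is what the underlying pf rules on the firewall look like with and without it. This is an added illustration, not rules from the thread or from OPNsense's generated ruleset; the interface name `ovpnc1`, the tunnel gateway `10.8.0.1` and the internal host `192.168.1.10` are assumed values.

```pf
# Constructed example (not from the thread): interface, gateway and host are assumptions.
vpn_if  = "ovpnc1"        # AirVPN OpenVPN instance interface (second WAN)
vpn_gw  = "10.8.0.1"      # gateway at the far end of the tunnel
web_srv = "192.168.1.10"  # internal Nginx host behind the firewall

# Port forward on the VPN interface: the translation rule the Port Forward entry produces.
rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 80 -> $web_srv port 80

# Linked pass rule as generated, WITHOUT reply-to. The inbound packet is logged as passed and
# forwarded to the server, but the server's reply is routed by the normal routing table, i.e.
# out the default WAN instead of back through the tunnel, so the remote client never sees it.
# Disable this one (or set "Filter rule association: none") before adding the rule below.
# pass in log quick on $vpn_if inet proto tcp from any to $web_srv port 80 keep state

# Manually created replacement WITH "Advanced features: reply-to" set to the VPN gateway.
# Replies belonging to states created by this rule are sent back out $vpn_if via $vpn_gw,
# regardless of the routing table, so the connection completes.
pass in log quick on $vpn_if reply-to ($vpn_if $vpn_gw) inet proto tcp from any to $web_srv port 80 keep state
```

On the firewall shell, `pfctl -sr | grep reply-to` shows whether the loaded pass rule actually carries the reply-to clause, and `pfctl -ss` lists the states so you can confirm a connection to the internal host is being created on the VPN interface rather than only logged.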
That was it, what weird default behavior. Oddly enough, I didn't have to ever use that setting before. I guess it has to be a new addition to the firewall.