I had everything set up to forward a few ports and everything had been fine for months. I got a new modem so Xfinity would give me 200 Mbps upload instead of only 35 Mbps (Hitron CODA, one of only 5 modems approved even though my Arris S33 is actually better) and right after setting up the new modem, I installed a few plugins.
I installed CrowdSec, WOL, ACME and ntopng, then enabled WireGuard.
I have uninstalled CrowdSec and disabled WireGuard and double checked all my port forwards and everything seems to be as it was before. I doubt the new modem is blocking the ports but figured I'd mention it just in case.
The only ports that seem to work are 80 and 443.
Edit: SOLUTION
Reinstall OPNsense...
Check live view in firewall for blocked packets, identify malicious rule or if unsuccessful, check with packet capture whether there even is some traffic coming in. Or try it the other way round. Guessing a possible issue is not the choice to make
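As an added example (not part of this thread, and not OPNsense's own code): a small parser that does offline what the live view and "check whether there is even traffic coming in" advice above asks for. It reads OPNsense filterlog lines, keeps only inbound WAN packets aimed at the ports you expect to be forwarded, and counts how many were passed versus blocked, which rule blocked them, and how many blocked TCP packets had no SYN flag (those are usually stale-state or asymmetric-routing drops, not a rule problem). The log lines, the interface name `igb0`, the rule-id-to-label map and the port set are all constructed; the CSV field order is the filterlog format as I understand it and is an assumption.

```python
"""Summarise which rule blocks inbound traffic to forwarded ports.

Constructed example. The field order after 'filterlog[pid]:' follows the
OPNsense/pf filterlog CSV format as assumed here (rulenr, subrulenr, anchor,
rule id, interface, reason, action, direction, ipversion, then IPv4 header
fields, then src, dst, srcport, dstport, datalen, tcpflags, ...).
"""
import re
from collections import Counter

# Constructed: the GUI resolves rule ids to labels; we fake that lookup here.
RULE_LABELS = {
    "0000000000000000": "Default deny / state violation rule",
    "1111111111111111": "Port forward rule (constructed)",
}

FORWARDED_PORTS = {8096, 32400}   # constructed: ports the admin expects open
WAN_IFACE = "igb0"                # constructed WAN interface name

# Constructed filterlog lines, not real captures.
SAMPLE_LOG = """\
Mar 1 10:00:01 fw filterlog[123]: 9,,,1111111111111111,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,192.168.1.50,51234,8096,0,S,10,,65535,,mss
Mar 1 10:00:02 fw filterlog[123]: 5,,,0000000000000000,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.11,198.51.100.5,51235,32400,0,S,11,,65535,,mss
Mar 1 10:00:03 fw filterlog[123]: 5,,,0000000000000000,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,203.0.113.12,198.51.100.5,51236,8096,0,A,12,13,1024,,
Mar 1 10:00:04 fw filterlog[123]: 5,,,0000000000000000,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,203.0.113.13,198.51.100.5,40000,32400,50
"""

LINE_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")


def parse_line(line):
    """Return a dict for one IPv4 tcp/udp filterlog line, or None if not parseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 22 or f[8] != "4":        # IPv4 only in this example
        return None
    rec = {
        "rid": f[3], "iface": f[4], "action": f[6], "dir": f[7],
        "proto": f[16], "src": f[18], "dst": f[19],
    }
    if rec["proto"] not in ("tcp", "udp"):
        return None
    rec["srcport"], rec["dstport"] = int(f[20]), int(f[21])
    # TCP flags sit after datalen; a pass rule logs the post-NAT (LAN) dst.
    rec["tcpflags"] = f[23] if rec["proto"] == "tcp" and len(f) > 23 else ""
    return rec


def summarize(log_text, forwarded_ports=FORWARDED_PORTS, wan_iface=WAN_IFACE):
    """Per forwarded port: pass/block counts, blocking rule labels, non-SYN blocks."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dir"] != "in" or rec["iface"] != wan_iface:
            continue
        if rec["dstport"] not in forwarded_ports:
            continue
        entry = report.setdefault(rec["dstport"], {
            "pass": 0, "block": 0, "labels": Counter(), "non_syn_blocks": 0})
        entry[rec["action"]] = entry.get(rec["action"], 0) + 1
        if rec["action"] == "block":
            entry["labels"][RULE_LABELS.get(rec["rid"], rec["rid"])] += 1
            # A blocked TCP packet without SYN never matched a state: this is
            # usually a state-table or routing issue rather than a wrong rule.
            if rec["proto"] == "tcp" and "S" not in rec["tcpflags"]:
                entry["non_syn_blocks"] += 1
    return report


def diagnose(report):
    """Turn the summary into one human-readable verdict line per port."""
    lines = []
    for port, e in sorted(report.items()):
        if e["block"] == 0:
            lines.append(f"port {port}: only passes seen, forward looks fine")
            continue
        syn_blocks = e["block"] - e["non_syn_blocks"]
        who = ", ".join(f"{k} x{v}" for k, v in e["labels"].most_common())
        verdict = ("new connections hit the blocking rule, check the rule order"
                   if syn_blocks else "only stateless leftovers blocked, rules likely ok")
        lines.append(f"port {port}: pass={e['pass']} block={e['block']} by [{who}]; {verdict}")
    return lines


if __name__ == "__main__":
    for line in diagnose(summarize(SAMPLE_LOG)):
        print(line)
```

On a real box you would feed it the output of the firewall log instead of `SAMPLE_LOG`; if a port shows no entries at all, the traffic is not reaching the WAN interface (modem, upstream, or a packet capture is the next step), which is the second case the advice above describes.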
Yeah, it looks like it says label 'default deny / state violation rule'.
How do I get rid of this?
(https://i.gyazo.com/0cbd0c519da047d1ba44934e877cf4ff.png)
Sorry, I understand neither your expected result nor your actual result.
Which port forwards no longer work? What ports are expected to be forwarded? Which traffic causes the default deny rule to trigger? Did you change your WAN interface's behaviour during replacement of the modem?
So it looks like everyone has a default deny all auto-generated entry and the manual entries are supposed to override it. That doesn't seem to be happening anymore for me and I don't know why.
Alright, so I made too many changes at around the same time. The issue is that my manual port forward rules that were working stopped working and my connection attempts are hitting the Default Deny rule based on what I see in the live log.
I installed the packages at the top as mentioned, but I forgot I also upgraded to a new version of OPNsense the same day. I don't know which action actually broke the port forwarding.
(https://gyazo.com/9427d01e68d16f0d10ad406f0e46411e.png)
(https://gyazo.com/f465c9aeb31305ccbca580410d2b06eb.png)
(https://gyazo.com/d4588a409daa847cd65d13b7d215c1ab.png)
I've tried so many times to edit these rules to see if anything worked and nothing seems to be getting past the default deny. I know the aliases are set correctly as they were working before and when I hover over them, they display the correct values.
I also tried: Firewall: Diagnostics: States: reset state table
and nothing changed.
And the aliases are?
The aliases are set correctly. They were working before and I double checked them. HTPCip is literally just the local IP of the computer and the Jellyfin default port.
I think something is majorly broken that no one will be able to diagnose, so I think I'm just going to wipe and fresh install OPNsense.
So, I haven't reinstalled yet but I did notice something.
I temporarily disabled DNS Rebinding Checks
and now when I try to load my website from the web, it prompts me to log into OPNsense!
If you port-forward or otherwise redirect web sites from WAN for public access it is recommended to move your OPNsense UI to a different port, e.g. 4443, and also disable the HTTP --> HTTPS redirect.
Just changed the web UI port and now I just get address not found issues; it still says in the firewall log that it's being blocked by the default deny all rule.
I also tried switching everything to a reverse proxy, nothing was working.
The solution to all my problems: just reinstalling OPNsense. This time I installed it as a VM in Proxmox and will have automated backups so if some weird shit breaks again I can just roll back and try again.