Hi,
I think it's simple, but I can't get it to work. I only want to route a port through my modem and through my firewall to an internal IP in a really simple way, but I can't get it to work.
Goal: routing external port 3375 to an internal computer on port 7533
external ip:3375 -> modem (NAT to firewall ip:3375) -> firewall (NAT to internal ip:7533) -> internal server
I try to do it in Firewall / NAT / Port Forward, add:
Disabled: unchecked
No RDR: unchecked
Interface: Opt1 (modem)
TCP/IP: IPv4
Protocol: TCP/UDP
Source: (simple)
Destination: any
Destination range from/to: 3375/3375
Redirect target IP: single host / 192.168.201.xxx
Redirect target port: other / 7533
XMLRPC: unchecked
NAT reflection: disable
Filter rule: add associated filter rule
What's my mistake?? :-[
Thanks for your help
Hi,
I've looked in the log of the firewall and I get this message on the blocked connection: @0 block drop in log inet all label "Default deny rule IPv4"
What's this default deny rule, and where can I change it?
Thanks
Looks like you added the rule below the "Default deny rule IPv4".
Try placing it above that line.
Hi,
Thanks ;)
That was exactly what I tried to do, but the "Default deny rule IPv4" rule is not visible in the firewall rules, and I didn't create this rule previously.... ???
That rule should be there by default. Otherwise you have an open gate...
The default deny doesn't show in the GUI rules, it's an implicit default.
Since it's not hitting the NAT/pass rule it may
(A) be coming from a different interface
(B) does not match the rule parameters (port, protocol)
Cheers,
Franco
Hi Franco, and thanks too for your feedback,
I think (A) is not the problem because I got an inbound connection; I think it comes from (B), but I can't see / find my error.
What I try to do:
internet----------Modem------------firewall OPT1 > LAN-------------internal Server
Internet:
request comes from any external ip:3375
Modem (gateway internal IP = 192.168.1.254/24):
it sends the incoming port (anyIp:3375) to OPT1 (192.168.1.222:3375)
Firewall (OPT1 IP is 192.168.1.222/24 and LAN IP is 192.168.200/20):
it sends the incoming port from 192.168.254:3375 to the internal server listening on 192.168.201.18:7533
Just for information, originally OPT1 was not my default gateway.
My rule is very simple, but something is wrong.... Below is the extract of the configuration showing my firewall config. (No additional change from stock nano install.)
And I get this error when looking in the monitor (log file):
Act: block (cross)
If: OPT1 (but without the little cloud icon)
Source: xxx.xxx.xxx.xxx:48043
Dest: 192.168.1.222:3375
Proto: TCP:S
and in the detail: @0 block drop in log inet all label "Default deny rule IPv4"
<nat>
  <outbound>
    <mode>automatic</mode>
  </outbound>
  <rule>
    <protocol>tcp/udp</protocol>
    <interface>opt1</interface>
    <ipprotocol>inet</ipprotocol>
    <descr>nt83</descr>
    <associated-rule-id>nat_585184f53aed85.09056949</associated-rule-id>
    <target>192.168.201.18</target>
    <local-port>7533</local-port>
    <source>
      <any>1</any>
      <port>3375</port>
    </source>
    <destination>
      <any>1</any>
      <port>3375</port>
    </destination>
  </rule>
</nat>
<filter>
  <rule>
    <type>pass</type>
    <ipprotocol>inet</ipprotocol>
    <descr>Default allow LAN to any rule</descr>
    <interface>lan</interface>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any/>
    </destination>
  </rule>
  <rule>
    <type>pass</type>
    <ipprotocol>inet6</ipprotocol>
    <descr>Default allow LAN IPv6 to any rule</descr>
    <interface>lan</interface>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any/>
    </destination>
  </rule>
  <rule>
    <source>
      <any>1</any>
      <port>3375</port>
    </source>
    <interface>opt1</interface>
    <protocol>tcp/udp</protocol>
    <ipprotocol>inet</ipprotocol>
    <destination>
      <address>192.168.201.18</address>
      <port>7533</port>
    </destination>
    <descr>NAT nt83</descr>
    <associated-rule-id>nat_585184f53aed85.09056949</associated-rule-id>
  </rule>
</filter>
Is my mistake visible?
Thanks for your help
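Editor's note on the post above, with an added example that is neither the poster's config nor the firewall's own code: both the posted NAT rule and its associated filter rule carry <source><port>3375</port></source>, so they only match a client that happens to connect from source port 3375, while the logged client connected from 48043 (clients pick a random ephemeral source port). The script below replays the logged packet against a trimmed copy of the posted rules the way pf would evaluate them (rdr first, then the filter pass rules on the translated packet, then the implicit "Default deny rule IPv4"), and then again with the source ports removed. Assumptions that are mine: an omitted <port>, <address> or <protocol> means "any", a filter <rule> without <type> is a pass rule, first match wins, and the masked client address from the log is replaced by a TEST-NET placeholder.

```python
"""Replay the logged packet against the posted port-forward rules (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Trimmed copy of the posted config.xml fragment, wrapped in one root so it parses.
POSTED_CONFIG = """<opnsense>
<nat>
  <outbound><mode>automatic</mode></outbound>
  <rule>
    <protocol>tcp/udp</protocol><interface>opt1</interface><ipprotocol>inet</ipprotocol>
    <descr>nt83</descr><target>192.168.201.18</target><local-port>7533</local-port>
    <source><any>1</any><port>3375</port></source>
    <destination><any>1</any><port>3375</port></destination>
  </rule>
</nat>
<filter>
  <rule>
    <type>pass</type><ipprotocol>inet</ipprotocol><interface>lan</interface>
    <source><network>lan</network></source><destination><any/></destination>
  </rule>
  <rule>
    <source><any>1</any><port>3375</port></source>
    <interface>opt1</interface><protocol>tcp/udp</protocol><ipprotocol>inet</ipprotocol>
    <destination><address>192.168.201.18</address><port>7533</port></destination>
    <descr>NAT nt83</descr>
  </rule>
</filter>
</opnsense>"""

@dataclass
class Packet:
    iface: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# The blocked connection from the post's log (client IP was masked; 203.0.113.7 is a placeholder).
LOGGED = Packet("opt1", "tcp", "203.0.113.7", 48043, "192.168.1.222", 3375)

def _port(el) -> Optional[int]:
    """<port> under <source>/<destination>, or None when absent (= any)."""
    p = el.find("port") if el is not None else None
    return int(p.text) if p is not None and p.text else None

def rule_matches(rule, pkt: Packet) -> bool:
    if rule.findtext("interface") != pkt.iface:
        return False
    proto = rule.findtext("protocol")                 # absent = any protocol
    if proto and pkt.proto not in proto.split("/"):
        return False
    sport = _port(rule.find("source"))
    if sport is not None and pkt.src_port != sport:
        return False                                  # posted rules fail here: 48043 != 3375
    dst = rule.find("destination")
    addr = dst.findtext("address") if dst is not None else None
    if addr and pkt.dst_ip != addr:
        return False
    dport = _port(dst)
    return dport is None or pkt.dst_port == dport

def decide(pkt: Packet, xml_text: str) -> Tuple[str, object]:
    """pf order: rdr rewrites the destination, then filter rules see the translated packet."""
    root = ET.fromstring(xml_text)
    for r in root.find("nat").iter("rule"):
        if rule_matches(r, pkt):
            pkt = replace(pkt, dst_ip=r.findtext("target"),
                          dst_port=int(r.findtext("local-port")))
            break
    for r in root.find("filter").iter("rule"):
        if (r.findtext("type") or "pass") == "pass" and rule_matches(r, pkt):
            return ("pass", (pkt.dst_ip, pkt.dst_port))
    return ("block", "Default deny rule IPv4")        # the implicit rule from the log

def drop_source_ports(xml_text: str) -> str:
    """The fix: remove <port> under every <source>, so any client source port matches."""
    root = ET.fromstring(xml_text)
    for src in root.iter("source"):
        p = src.find("port")
        if p is not None:
            src.remove(p)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(decide(LOGGED, POSTED_CONFIG))                     # ('block', 'Default deny rule IPv4')
    print(decide(LOGGED, drop_source_ports(POSTED_CONFIG)))  # ('pass', ('192.168.201.18', 7533))
```

The practical check is the same in the GUI: the "Source" port range on a port forward must stay "any"; only the destination port range is the external port being forwarded.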
I don't fully understand this:
=========
firewall (OPT1 ip is 192.168.1.222/24 and LAN ip is 192.168.200/20)
it send incoming port from 192.168.1.254:3375
=========
Is this a typo? If not, what is the difference of 222 and 254?
Cheers,
Franco
Hi Franco,
Thanks for your feedback, and no, it's not a typo ;) between 222 and 254, but I made a mistake in the LAN IP because I forgot the last octet :-[ LAN is 192.168.200.166/20
But you're right my config is not so clear.
The network between the modem and the firewall is a 255.255.255.0 subnet; the modem IP is 192.168.1.254 and the firewall IP (on the 3rd NIC, named OPT1) is 192.168.1.222, so the modem and the firewall can exchange without trouble.
On the other side (internal network) we have a 255.255.240.0 subnet; the firewall has the IP 192.168.200.166 and I try to send the port to the internal server 192.168.201.18.
In the error returned by the firewall, it looks like the inbound connection arrived from the external modem at the OPT1 NIC (192.168.1.222) of the firewall, but doesn't pass through the firewall to reach the internal server...
Thanks
Mr
Hi,
Just an idea ...
Is it possible the problem comes from the default configuration of the OPT1 interface, which is not a gateway by default? Do I need to do something special on this interface?
Thanks
Mr