OPNsense Forum

English Forums => General Discussion => Topic started by: dmelczer on August 22, 2024, 03:01:52 PM

Title: Trouble forwarding ONLY port 80 inbound
Post by: dmelczer on August 22, 2024, 03:01:52 PM
Good day everyone and thank you in advance for reading.

Yes, I have searched these forums but I haven't found a post that has a problem similar to mine.  I am new to OPNSense, but have worked in computers and networking for a long time.  I am migrating off of a Cisco RV340 home router to a new OPNSense implementation.  I have everything working except for two items, one of which I will describe here.

The scenario is that I have several servers that I need to expose externally.  I've managed to do this for all servers except one.  The difference is that all the others use non-HTTP ports (465, 587, and ports in the 30000 range).  These all work.  I can not, however, get port 80 to successfully forward inbound.

Here is what I have done:

1. I know the OPNSense admin web page is usually externally accessible.  I have disabled this by going to System -> Settings -> Admin and I have set "Listen Interfaces" to only LAN and I have checked the "Disable web GUI redirect rule" for HTTP redirect.

2.  On the firewall side I have gone to Firewall -> Settings -> Advanced and checked "reflection for port forwards" and "automatic outbound NAT for reflection".

3.  I created an alias for my web server.

4.  Then I went to Firewall -> NAT -> Port Forward and created a new rule with the following:
Interface - WAN
TCP/IP version - IPv4
Protocol - TCP
Source - any
Source port range - any to any
Destination - WAN Address
Destination port range - HTTP to HTTP
Redirect target - my server alias
Redirect target port - HTTP

5.  I set dynamic DNS to point to my WAN interface.  This is confirmed working successfully.

The results are interesting...

From the LAN - The web server is up and I can see it from the LAN without problems.

From the WAN -  Access always times out.  I can not access via Dynamic DNS name, nor by straight IP address.  In Firewall -> Log files -> Live View I can see at least some of the packets pass correctly from the correct external address to the internal destination (screen capture attached)...yet still the web page will not display on the device trying to access it.  I've tried multiple browsers including Firefox, Chrome, Edge.  I've tried desktop and Android phone access.  All of them time out.

Any thoughts on what else could be going on here?  I'm pulling my hair out with this.  It is only port 80 that I have not been able to get working successfully.  Someone else must be doing it...

Thank you in advance for any insight or guidance you can provide.
Title: Re: Trouble forwarding ONLY port 80 inbound
Post by: cookiemonster on August 22, 2024, 03:12:54 PM
> 1. I know the OPNSense admin web page is usually externally accessible.  I have disabled this by going to System -> Settings -> Admin and I have set "Listen Interfaces" to only LAN and I have checked the "Disable web GUI redirect rule" for HTTP redirect.
Not quite. It is not usually externally accessible because, although there is a listener on all interfaces, the default firewall that blocks requests in on the WAN will prevent it.
Suggest to re-enable it to prevent the pitfalls of this non-recommended configuration. Plenty of examples on the forum of what can happen.
Disable the web redirect is fine and needed for your case.
Have you moved the Web UI to another port away from TCP 80?
Title: Re: Trouble forwarding ONLY port 80 inbound
Post by: dmelczer on August 22, 2024, 03:26:50 PM
Thank you for the response.

As far as I can tell the webUI should be on TCP port 443 only.  That is the setting in System -> Settings -> Administration.  I even manually entered it although it was the default.  The "Protocol" button at the top has HTTPS selected as well.

I re-enabled the WAN for the Listen interface. 

No change in the result, though.  I still get the time out.
Title: Re: Trouble forwarding ONLY port 80 inbound
Post by: cookiemonster on August 22, 2024, 03:36:45 PM
> Redirect target - my server alias
No idea what you're doing there. Can you change to the LAN ip of it and retest?

Edit: I have an idea now, having seen the dropdown options.
Title: Re: Trouble forwarding ONLY port 80 inbound
Post by: dmelczer on August 22, 2024, 03:41:06 PM
I created Firewall Aliases for my servers so in the firewall rules it is something more easily readable than an IP address... this was step #3 in what I documented in the original post.

I did change it to the IP address of the internal server for testing.  No change.  I still get the timeouts.
Title: Re: Trouble forwarding ONLY port 80 inbound
Post by: cookiemonster on August 22, 2024, 03:44:32 PM
Yes, re-read and now clear, sorry about that.
You set the Automatic outbound NAT for Reflection, so you should see the rule on WAN. Can you verify and check on the live view again?
The screenshot doesn't show those, only some success on inbound LAN.
Title: Re: Trouble forwarding ONLY port 80 inbound
Post by: dmelczer on August 22, 2024, 03:49:30 PM
The two highlighted entries in the screenshot do show a source of 108.179.33.133 to a destination of 192.168.1.77...this is indeed from the WAN inbound passing successfully.  The red entry was just to show that the firewall is working as expected and blocking other ports that are not forwarded.

I do see the rule on WAN...

IPv4 TCP * * 192.168.1.77 80 (HTTP) * *

so it would appear as though the outbound Automatic NAT for reflection is working as expected.