Hello Everyone,
I am new to OPNSense and has been trying to do port forwarding. I have followed several instructions and is struggling with it. I will describe the details of my setup below and would appreciate any help community can provide me on this issue.
PC Specifications:
Intel N100 based Mini PC
16GB RAM
128GB SSD
Intel I266V 2.5 GBit NICs
Proxmox 8.3 Community with the following network configuration is attached.
OPNSense Configuration is also attached.
I have assigned a dynamic dns and it is working fine. Now I want to access proxmox Command center by doing port forwarding, however it is not working fine.
I am attaching how I did the Port Forwarding as well to this thread, please let me know if I am doing anything wrong.
Thanks in advance.
Destination should be "WAN address", not LAN
BTW, exposing your proxmox to the internet with no security is not recommended - it'd be better to use a reverse proxy with TLS, at least... VPN (e.g. WireGuard) better....
Quote from: dseven on January 07, 2025, 08:02:15 PMDestination should be "WAN address", not LAN
I did this as well but still the same results. It keeps on loading. Doesn't connect to the Proxmox. It keeps on loading and then throws couldn't establish the connection as it took too long to respond.
See the updated picture below.
Quote from: dseven on January 07, 2025, 08:04:21 PMBTW, exposing your proxmox to the internet with no security is not recommended - it'd be better to use a reverse proxy with TLS, at least... VPN (e.g. WireGuard) better....
Yes I understand your point, and I am currently working on this. But just wanted to get familiar with my new router and understand things. In my old Dlink router this was really a breeze.
Thanks.
I just noticed you have source port of 8006 - change that to "any" - also should be just TCP, not UDP
Quote from: dseven on January 07, 2025, 08:15:45 PMI just noticed you have source port of 8006 - change that to "any" - also should be just TCP, not UDP
Brother this also didn't work. Would you like any logs from the firewall?
What do you get when you try now? It appears that proxmox's web server enforces HSTS, so you'll probably need a real certificate for the hostname that you're connecting to.
Quote from: dseven on January 07, 2025, 08:29:59 PMWhat do you get when you try now? It appears that proxmox's web server enforces HSTS, so you'll probably need a real certificate for the hostname that you're connecting to.
It keeps loading and then throws the below error:
The connection has timed out
An error occurred during a connection to ****.duckdns.org:8006.
Yeah but that should show a certificate warning. I was already using it with the same domain and port with my DLink router. There was no problem in it.
Make sure that you "Apply changes" after fixing the port forward - it's easy to forget (ask how I know:). If it's still not working, you could enable logging for your port-forward (and give it a description), and check the Firewall Live Log while/after attempting to connect....
Quote from: dseven on January 07, 2025, 08:37:17 PMMake sure that you "Apply changes" after fixing the port forward - it's easy to forget (ask how I know:). If it's still not working, you could enable logging for your port-forward (and give it a description), and check the Firewall Live Log while/after attempting to connect....
Hehehehe... I also learned it the hard-way, few days back. But rest assured now I click it always.
How to enable logging for port forwarding? I have already given it a category and description.
Secondly, I went into the settings of firewall and there is an option. Do you think I should enable it?
Network Address Translation Reflection for port forwards
When enabled, this automatically creates additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks. Individual rules may be configured to override this system setting on a per-rule basis.
In the port forward settings, check the box next to "Log" ;)
If you're trying to access your port-forward from your LAN, you will (probably) need reflection and maybe also "Automatic outbound NAT for Reflection". I assumed you were trying to access it from the internet....
Quote from: dseven on January 07, 2025, 09:03:51 PMIn the port forward settings, check the box next to "Log" ;)
If you're trying to access your port-forward from your LAN, you will (probably) need reflection and maybe also "Automatic outbound NAT for Reflection". I assumed you were trying to access it from the internet....
I did checked that box, but can't find anything in the logs. Should I apply any specific filters? I doesn't seem to find any filter related to providing description.
Yes I am trying to access it over the internet. That is the whole point of trying to do the port forwarding. :)
Reflection isn't pertinent, then. If you don't see it in the Live Log, maybe try a packet capture on your WAN interface for port 8006 and see if you see it there.
Maybe post a screenshot of your current port forwards too.
Quote from: dseven on January 07, 2025, 09:19:17 PMReflection isn't pertinent, then. If you don't see it in the Live Log, maybe try a packet capture on your WAN interface for port 8006 and see if you see it there.
Maybe post a screenshot of your current port forwards too.
(https://drive.google.com/file/d/1vqm8I7Bp_gF7deq5XKZKLqHlI_zMH3QU/view?usp=sharing)
Let me know if you want to see an in-depth full port forwarding rule snapshot. I will take a full screen snapshot and share it with you.
If the image doesn't load, take a look at it here: https://drive.google.com/file/d/1vqm8I7Bp_gF7deq5XKZKLqHlI_zMH3QU/view?usp=sharing
Just one like in your original post should be sufficient. Maybe also check the rules on your WAN interface - do you have any that could be explicitly blocking the connection before your port-forward-linked rule gets reached?
Quote from: dseven on January 07, 2025, 09:31:49 PMJust one like in your original post should be sufficient. Maybe also check the rules on your WAN interface - do you have any that could be explicitly blocking the connection before your port-forward-linked rule gets reached?
I checked this earlier, all are auto generated ones from OPNSense, and didn't tinker in them in anyway whatsoever, additionally online I have been trying to check so many places, for others everything seems to work fine with Lan Address selection. Not sure what is wrong with my implementation.
I will check on it more tomorrow, let me know if you find anything for me to look at it.