OPNsense Forum

English Forums => General Discussion => Topic started by: Pesky_Steve on January 16, 2025, 06:09:50 PM

Title: [v. 24.7.12] How to do port forwarding for P2P (torrent, emule...)?
Post by: Pesky_Steve on January 16, 2025, 06:09:50 PM
I know this topic has already been tackled, but none of the tutorials/threads/posts worked for me.
It's probably my fault, I'm objectively a newb.

My ISP uses PPPoE, no CGNAT; port forwarding for the P2P clients worked perfectly with the FritzBox I've just dismissed.

My current settings in OPNsense:

- Firewall -> Settings -> Advanced:
    > Reflection for port forwards
    > Reflection for 1:1 [_]
    > Automatic outbound NAT for Reflection
    > Disable reply-to WAN rules

- Firewall -> NAT -> Port Forward -> Rule named after the P2P client:
    > Interface: WAN
    > TCP/IP Version: IPv4
    > Protocol: TCP/UDP
    > Destination: WAN address (what's the difference from "WAN net"?)
    > Destination port range: (other), from/to according to the used P2P net (from 6881 to 6889 for Torrent, 4662 and 4672 for eMule)
    > Redirect target IP: my PC's IP, in this case
    > Redirect target port: (other), according to the setting in the P2P client
    > Filter rule association: Add association filter rule (firewall rule created automatically according to the port forwarding settings)


I've also tried deleting the firewall rule that gets automatically generated when setting up the port forwarding and making it manually:

- Firewall -> Rules -> WAN
    > Action: Pass
    > Quick
    > Interface: WAN
    > Direction: in
    > TCP/IP Version: IPv4
    > Protocol: depending on the P2P client, "TCP/UDP" for Torrent
    > Source: WAN net (or WAN address?!)
    > Source port range: same as "Destination port range" from NAT -> Port Forward
    > Destination: my PC's IP
    > Destination port range: same as "Redirect target port" from NAT -> Port Forward


It's highly probable the manually generated rule is completely wrong; but I'm a newb, so I feel excused

Anyway, none of this works.

Help!!

Title: Re: [v. 24.7.12] How to do port forwarding for P2P (torrent, emule...)?
Post by: Pesky_Steve on January 17, 2025, 12:59:21 AM
[SOLVED]

Ok, so, it's my fault for misunderstanding how the P2P clients manage their ports and their communications with servers.

First of all, here's how to set up a generic port forwarding rule for a P2P client:

- Firewall -> NAT -> Port Forward -> Add a new rule:
    > Interface: WAN
    > TCP/IP Version: IPv4
    > Protocol: TCP/UDP (in Torrent's case)
    > Destination: WAN address
    > Destination port range: (other), use the port that you set in the P2P client
    > Redirect target IP: the IP of the computer that hosts the P2P client
    > Redirect target port: (other), use the port that you set in the P2P client
    > Description: name this rule in a relevant way so as to recognise it at a glance
    > Filter rule association: Add association filter rule (firewall rule that will be created automatically according to this port forwarding)

To be NOTED: while Torrent lets you set a single port number for both TCP and UDP, eMule allows you to pick two separate ones; hence you're supposed to set two forwarding rules, one for TCP and one for UDP.
Alternatively, you can fill the two fields with the same port number and make a single TCP/UDP rule; actually, I'm just relaying what I've picked up from a single post among the tens I perused: I'm not 100% sure this would work, maybe there's a reason why they built the interface with two separate fields.
You can test it yourself, if you wish, it's not like you're gonna break the Internet ("IT Crowd" reference).


My mistake was assuming that P2P clients use specific, pre-established ports on the WAN side that must be NAT'd toward the port(s) declared in the client itself.
In my defence, I have a fever, a sore throat and I feel absolutely wasted because of all the coughing of the last week. ^^'

My most sincere gratitude to the two users of the "homelab." Discord server who showed outstanding patience in helping me achieve enlightenment.
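
Added example, not part of the original posts: a simplified Python model of the two stages described in the thread (port forward first, then the WAN filter rule), showing why the first attempt drops a peer's inbound connection while the solved setup passes it. The addresses, the client port 51413, and all class and function names are constructed for illustration; the shape of the auto-generated associated rule (any source, destination = redirect target) is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation address ranges), not taken from the thread.
WAN_ADDR = ip_address("198.51.100.10")    # "WAN address": the firewall's own public IP
WAN_NET = ip_network("198.51.100.0/24")   # "WAN net": the subnet the WAN interface sits in
PC_ADDR = ip_address("192.168.1.50")      # host running the P2P client
CLIENT_PORT = 51413                       # listening port configured in the P2P client

@dataclass
class Packet:
    src: object
    sport: int
    dst: object
    dport: int

@dataclass
class PortForward:                        # simplified model of a NAT port forward
    dst: object
    ports: range
    target: object
    target_port: int
    def apply(self, p):
        """Return the translated packet, or None if the rule does not match."""
        if p.dst != self.dst or p.dport not in self.ports:
            return None
        return Packet(p.src, p.sport, self.target,
                      self.target_port + p.dport - self.ports.start)

@dataclass
class PassRule:                           # simplified model of a WAN pass rule
    src_net: object                       # None means "any"
    sports: object                        # None means "any"
    dst: object
    dports: range
    def matches(self, p):
        return ((self.src_net is None or p.src in self.src_net)
                and (self.sports is None or p.sport in self.sports)
                and p.dst == self.dst and p.dport in self.dports)

def inbound_allowed(p, fwd, rule):
    """NAT runs first, so the filter rule is checked against the translated packet."""
    t = fwd.apply(p)
    return t is not None and rule.matches(t)

one = range(CLIENT_PORT, CLIENT_PORT + 1)
# A remote peer: arbitrary Internet address, ephemeral source port, dials the client's port.
PEER = Packet(ip_address("203.0.113.77"), 49152, WAN_ADDR, CLIENT_PORT)
FIRST_FWD = PortForward(WAN_ADDR, range(6881, 6890), PC_ADDR, CLIENT_PORT)  # first post
SOLVED_FWD = PortForward(WAN_ADDR, one, PC_ADDR, CLIENT_PORT)               # solved post
MANUAL_RULE = PassRule(WAN_NET, range(6881, 6890), PC_ADDR, one)  # source fields too narrow
ASSOC_RULE = PassRule(None, None, PC_ADDR, one)  # assumed shape of the auto-generated rule
```

Calling `inbound_allowed(PEER, SOLVED_FWD, MANUAL_RULE)` shows that even with the corrected forward, a pass rule restricted to "WAN net" and a fixed source port range never matches a real peer.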