OPNsense Forum

English Forums => General Discussion => Topic started by: danieloff on February 02, 2025, 03:21:06 AM

Title: portforwarding just does not want to work, been trying for days
Post by: danieloff on February 02, 2025, 03:21:06 AM
Hi!

My network looks like this:

ISP router LAN1 port (10.0.0.1) -> ESXi server NIC1 (10.0.0.254) with a virtualized OPNsense which also uses NIC2 of the ESXi for LAN (192.168.100.254) -> LAN switch
I also have a computer (10.0.0.231) connected to the "ISP router LAN2 port".

I want a portforward for 10.0.0.254:3389 -> 192.168.100.180:3389 (192.168.100.180 is on the LAN switch too)
And I want this to work from 10.0.0.231 computer, so I can connect with RDP to 10.0.0.254:3389 address ("nmap 10.0.0.254 -p 3389" from 10.0.0.231 should show me "open")

This is really not working, I have been diagnosing for days now. I have port forwarding set up, a firewall rule set up, tried NAT reflection too, and of course blocking private networks is disabled. Nothing interesting in the firewall logs either.

Any suggestions what could go wrong or what I should try?
I am really getting crazy :-(
Title: Re: portforwarding just does not want to work, been trying for days
Post by: meyergru on February 02, 2025, 09:12:46 AM
1. You need outbound NAT from 192.168.100.0/24 to 10.0.0.254 for this to work too.
2. If your OPNsense log shows nothing, then obviously the problem is on the ESXi side, see this (https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/6-7/vsphere-security-6-7/securing-esxi-hosts/customizing-hosts-with-the-security-profile/esxi-firewall-configuration.html).
Title: Re: portforwarding just does not want to work, been trying for days
Post by: FraLem on February 02, 2025, 09:47:04 AM
I would suggest checking the firewall configuration on the WAN interface as well as the port forwarding rule.

I would use tcpdump on the WAN/LAN interfaces to try to sort out the issue.

Hope this helps

Regards
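The tcpdump approach above, worked through as an added example that is not part of the thread: capture on both sides of the firewall (interface names vmx0 for WAN and vmx1 for LAN are assumed here; use whatever `ifconfig` shows on the OPNsense VM), for instance `tcpdump -ni vmx0 'tcp port 3389'` and `tcpdump -ni vmx1 'tcp port 3389'`, then feed the two captures to the script. It walks the four hops a forwarded TCP handshake must make (SYN on WAN, redirected SYN on LAN, SYN-ACK from the target on LAN, translated SYN-ACK back out on WAN) and reports the first hop that is missing, which tells you whether to look upstream of OPNsense, at the port-forward/WAN rule, at the target host, or at OPNsense's return-path handling. The capture lines embedded below are constructed samples in standard `tcpdump -n` format, not output from the poster's system, and the addresses are the ones from the thread.

```python
import re

# One line of `tcpdump -ni <iface>` TCP output looks like:
#   12:01:02.100001 IP 10.0.0.231.51234 > 10.0.0.254.3389: Flags [S], seq 1, win 64240, length 0
# [S] is a SYN, [S.] is a SYN-ACK.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# What to check next for each stage at which the handshake stops.
NEXT_STEP = {
    "no_syn_on_wan": "SYN never reached the OPNsense WAN interface: look upstream "
                     "(ISP router, ESXi vSwitch/firewall), not at the port forward.",
    "not_redirected": "SYN arrived on WAN but no SYN to the target left LAN: the port-forward "
                      "(rdr) or its WAN pass rule is not matching this traffic.",
    "no_reply_from_target": "Target received the SYN but sent no SYN-ACK: service not listening, "
                            "host firewall, or the target's default gateway is not OPNsense.",
    "reply_not_translated": "Target replied on LAN but nothing went back out on WAN: OPNsense "
                            "state/return-path problem (this is where reply-to matters).",
    "handshake_ok": "Handshake completed through the firewall; the problem is on the client side.",
}


def parse_line(line):
    """Return src/sport/dst/dport/flags for a tcpdump TCP line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def _seen(capture, **want):
    """True if any parsed packet in the capture has all the given field values."""
    for line in capture:
        p = parse_line(line)
        if p is not None and all(p[k] == v for k, v in want.items()):
            return True
    return False


def diagnose(wan_capture, lan_capture, client_ip, wan_ip, target_ip, port):
    """Return the first missing hop of the forwarded handshake (a key of NEXT_STEP)."""
    # 1. Client's SYN must show up on WAN addressed to the firewall's WAN IP.
    if not _seen(wan_capture, src=client_ip, dst=wan_ip, dport=port, flags="S"):
        return "no_syn_on_wan"
    # 2. After rdr, the SYN must leave on LAN for the real target. The source is
    #    deliberately not checked: with outbound NAT it is the firewall's LAN IP,
    #    without it the original client IP, and both are valid.
    if not _seen(lan_capture, dst=target_ip, dport=port, flags="S"):
        return "not_redirected"
    # 3. The target must answer with a SYN-ACK on LAN.
    if not _seen(lan_capture, src=target_ip, sport=port, flags="S."):
        return "no_reply_from_target"
    # 4. The SYN-ACK must go back out on WAN, re-written to the WAN IP, to the client.
    if not _seen(wan_capture, src=wan_ip, sport=port, dst=client_ip, flags="S."):
        return "reply_not_translated"
    return "handshake_ok"


# Constructed sample captures (not real output from the thread's system).
WAN_OK = [
    "12:01:02.100001 IP 10.0.0.231.51234 > 10.0.0.254.3389: Flags [S], seq 1, win 64240, length 0",
    "12:01:02.100450 IP 10.0.0.254.3389 > 10.0.0.231.51234: Flags [S.], seq 100, ack 2, win 65535, length 0",
]
LAN_OK = [
    "12:01:02.100050 IP 10.0.0.231.51234 > 192.168.100.180.3389: Flags [S], seq 1, win 64240, length 0",
    "12:01:02.100400 IP 192.168.100.180.3389 > 10.0.0.231.51234: Flags [S.], seq 100, ack 2, win 65535, length 0",
]
# Broken case: SYN reaches WAN, but nothing ever appears on LAN.
WAN_BROKEN = [WAN_OK[0]]
LAN_BROKEN = []

if __name__ == "__main__":
    for wan, lan in ((WAN_OK, LAN_OK), (WAN_BROKEN, LAN_BROKEN)):
        stage = diagnose(wan, lan, "10.0.0.231", "10.0.0.254", "192.168.100.180", 3389)
        print(f"{stage}: {NEXT_STEP[stage]}")
```

Run the two tcpdump commands on OPNsense while issuing `nmap -p 3389 10.0.0.254` (or `nc -zv 10.0.0.254 3389`) from 10.0.0.231, save each capture to a file, and pass the lines to `diagnose()`. An empty WAN capture rules out OPNsense entirely, which is the quickest way to settle the "is it ESXi or the firewall" question raised above.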
Title: Re: portforwarding just does not want to work, been trying for days
Post by: dseven on February 02, 2025, 10:04:50 AM
Try [Firewall > Settings > Advanced > Miscellaneous > Disable reply-to]
Title: Re: portforwarding just does not want to work, been trying for days
Post by: danieloff on February 02, 2025, 12:19:36 PM
Thank you all for the answers!!!

Some more info:
- I send you screenshots: https://imgur.com/a/Ql6fL7z
- I tried to create a manual outbound NAT with hybrid and manual configuration, but no change (included in screenshots).
- I have disabled the ESXi firewall completely, but since this is a VM running under ESXi, I don't think it is related.
- pinging 10.0.0.254 works from 10.0.0.231 if I disable packet filtering, so this is another point why ESXi is probably not the culprit
- I have created screenshots of tcpdump too
- Also tried "Disable reply-to" but no change. Should I keep it that way when testing in the future?

Do you see anything that is wrong or what I should try?
Title: Re: portforwarding just does not want to work, been trying for days
Post by: Bob.Dig on February 02, 2025, 03:44:00 PM
It is working for everybody else, so it could be anything with your setup, not an OPNsense problem.
Title: Re: portforwarding just does not want to work, been trying for days
Post by: danieloff on February 02, 2025, 05:45:16 PM
I know, but I need some pointers where to start :-(
It is so weird, should be working... I just can't figure it out :-(