OPNsense Forum

English Forums => General Discussion => Topic started by: Robertomcat on June 11, 2025, 07:10:11 PM

Title: Open ports on network interfaces
Post by: Robertomcat on June 11, 2025, 07:10:11 PM
Hello, good afternoon. Currently, my router has three different interfaces for different work areas. I'm trying to open a specific port for the network called "NPL" from the Firewall>NAT>Port Forwarding section, but I'm not configuring some of them correctly, and I can't access it from the outside. Could any of you help me? Here are some screenshots.

I'm using the most up-to-date version of OPNsense 25.1.7_4

Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 11, 2025, 11:15:04 PM
Change the from ports "rango de puertos destino" from 55432 to 55432 TO any to any UNLESS you know the requests will come from those ports.
Title: Re: Open ports on network interfaces
Post by: viragomann on June 11, 2025, 11:45:07 PM
Quote from: cookiemonster on June 11, 2025, 11:15:04 PM
Change the from ports "rango de puertos destino"
I assume, this is the destination port. So it might be desired to be specific.
The source port might be hidden behind Orígen in his GUI.

@Robertomcat
I assume, you have filter rule association enabled in the NAT rule.

But does your backend server even allow access from outside?
You can sniff the traffic in the server side interface using the packet capture tool, to see if the traffic is forwarded and if the server responds.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 12, 2025, 12:37:37 PM
Quote from: viragomann on June 11, 2025, 11:45:07 PM
Quote from: cookiemonster on June 11, 2025, 11:15:04 PM
Change the from ports "rango de puertos destino"
I assume, this is the destination port. So it might be desired to be specific.
The source port might be hidden behind Orígen in his GUI.

@Robertomcat
I assume, you have filter rule association enabled in the NAT rule.

But does your backend server even allow access from outside?
You can sniff the traffic in the server side interface using the packet capture tool, to see if the traffic is forwarded and if the server responds.

Thanks for your responses.
I've been using OpnSense for a while, but it turns out I had the server installed in a different location on an Edge router, and now I can't open the ports.

In this case, it's a basic port rule for P2P traffic. Regarding the filter rule association, the box automatically says "rule Qbittorrent," which is the name of the description I gave it. I'm also not sure if what I'm doing by using the same external and internal port is very secure.

Could some firewall rule be preventing the ports from being opened? Currently, within this same network, there are eight computers that I've specified cannot access the router's management IP address, another so they cannot access the main home LAN, and finally, I've specified that the IP address 192.168.10.55 can access the main home LAN.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 12, 2025, 02:59:16 PM
In case you are unfamiliar and the GUI being in a different language makes it a little hard to help quickly, the port forwarding rules usually have any source ports because the outside calling port is usually unknown. The destination port is what you want to forward to, so that one is defined.
That's what we're both hinting at.
If it was working before it should work now, assuming that when you say "different location" you mean different physical but still the same network setup in which case it might only be sessions that need re-establishing.
Title: Re: Open ports on network interfaces
Post by: Trannie on June 12, 2025, 03:07:04 PM
Quote from: Robertomcat on June 11, 2025, 07:10:11 PM
Hello, good afternoon. Currently, my router has three different interfaces for different work areas. I'm trying to open a specific port for the network called "NPL" from the Firewall>NAT>Port Forwarding section, but I'm not configuring some of them correctly, and I can't access it from the outside. Could any of you help me? Here are some screenshots.
I'm using the most up-to-date version of OPNsense 25.1.7_4


Have you tried checking the auto-generated rule in Firewall > Rules for the "NPL" interface after configuring NAT? I had the same error because there was no corresponding firewall rule, even though the port forwarding was correct.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 12, 2025, 03:22:45 PM
Quote from: cookiemonster on June 12, 2025, 02:59:16 PM
In case you are unfamiliar and the GUI being in a different language makes it a little hard to help quickly, the port forwarding rules usually have any source ports because the outside calling port is usually unknown. The destination port is what you want to forward to, so that one is defined.
That's what we're both hinting at.
If it was working before it should work now, assuming that when you say "different location" you mean different physical but still the same network setup in which case it might only be sessions that need re-establishing.

I've tried changing the language of the graphical interface to make it easier to read, but it still appears in Spanish, even after restarting the firewall.
Regarding the different location, I mean the server was in a different location and another Ubiquiti router, on which the ports were also open.

Quote from: Trannie on June 12, 2025, 03:07:04 PM
Quote from: Robertomcat on June 11, 2025, 07:10:11 PM
Hello, good afternoon. Currently, my router has three different interfaces for different work areas. I'm trying to open a specific port for the network called "NPL" from the Firewall>NAT>Port Forwarding section, but I'm not configuring some of them correctly, and I can't access it from the outside. Could any of you help me? Here are some screenshots.
I'm using the most up-to-date version of OPNsense 25.1.7_4

Have you tried checking the auto-generated rule in Firewall > Rules for the "NPL" interface after configuring NAT? I had the same error because there was no corresponding firewall rule, even though the port forwarding was correct.
Yes, the rules appear created in the WAN section in the firewall.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 12, 2025, 11:22:02 PM
looks like it should be working. The NAT port forward looks right and you've confirmed there is an associated pass rule (which should be on the WAN).
Next is to show screenshot of all the rules then, both NAT and the interfaces.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 13, 2025, 10:27:23 AM
Quote from: cookiemonster on June 12, 2025, 11:22:02 PM
looks like it should be working. The NAT port forward looks right and you've confirmed there is an associated pass rule (which should be on the WAN).
Next is to show screenshot of all the rules then, both NAT and the interfaces.
I'm leaving some screenshots to see if they can help you, although I haven't been able to change the interface language. Thanks.

Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 13, 2025, 07:11:02 PM
can't see them but thanks. I can't get to linked hosting sites. Can you re-add them to this thread? We need to see them all, that is to say the WAN and LAN but we need to see the NATs too. I can't tell, sorry if you have included them.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 13, 2025, 07:21:44 PM
This is the missing screenshot, as it exceeded the limit in the previous post. Sorry.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 13, 2025, 07:22:32 PM
Quote from: cookiemonster on June 13, 2025, 07:11:02 PM
can't see them but thanks. I can't get to linked hosting sites. Can you re-add them to this thread? We need to see them all, that is to say the WAN and LAN but we need to see the NATs too. I can't tell, sorry if you have included them.
I just uploaded all the screenshots, and now you can see them. Thanks.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 13, 2025, 11:56:34 PM
thanks - those attachments are very small, you're killing my eyes! :)
Can you show the Rules on WAN please, those are the linked ones from the port forwards that we need to check.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 14, 2025, 11:38:45 AM
Quote from: cookiemonster on June 13, 2025, 11:56:34 PM
thanks - those attachments are very small, you're killing my eyes! :)
Can you show the Rules on WAN please, those are the linked ones from the port forwards that we need to check.
Hello, good morning. It's probably because I open the screenshots from a 4K monitor and they look fine, but they may appear smaller on other computers. Sorry. I'm attaching the screenshot of the WAN rules.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 15, 2025, 12:10:40 AM
All seems as it should.
As viragomann said, see in the live logs of the firewall that they are blocked or allowed. Then be sure the receiving server is not blocking the traffic.
Last resort is to recreate the NAT rule, and verifying the setting from Firewall: Settings: Advanced that you have automatic reflection for port forwards (which I think you have).

 
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 15, 2025, 10:04:32 AM
Quote from: cookiemonster on June 15, 2025, 12:10:40 AM
All seems as it should.
As viragomann said, see in the live logs of the firewall that they are blocked or allowed. Then be sure the receiving server is not blocking the traffic.
Last resort is to recreate the NAT rule, and verifying the setting from Firewall: Settings: Advanced that you have automatic reflection for port forwards (which I think you have).
Hello, good morning. You're referring to the first checkbox in this setting, and in my case, it's disabled by default. I haven't touched anything in this section. Should I enable it then?
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 15, 2025, 10:20:20 PM
Some folks really prefer full control of their rules and that means having these disabled as you have. These are the defaults: https://docs.opnsense.org/manual/firewall_settings.html#network-address-translation

The "best" course of action would be to use that document to identify the problem.
Alternatively you could consider recreating them but with the first checkbox enabled.

I suggest if you do, to make a note of exactly how you have them setup, both NAT and pass/block rules.
Then enable (tick) the first one of this list. Then recreate the NAT rules, which will create the required associated rules, unless you specifically disable it when recreating the port forward rule.

p.s. What do you have in your port forward rule for association?
NAT reflection and  Filter rule association - note please I might not understand what it says if in another language.
Mine are "Use system default" which in my case is "Reflection for port forwards" = ticked; "Automatic outbound NAT for Reflection" = ticked.
These are not what you have at the moment. Yours are disabled as per your screenshot.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 16, 2025, 03:09:01 PM
Quote from: cookiemonster on June 15, 2025, 10:20:20 PM
Some folks really prefer full control of their rules and that means having these disabled as you have. These are the defaults: https://docs.opnsense.org/manual/firewall_settings.html#network-address-translation

The "best" course of action would be to use that document to identify the problem.
Alternatively you could consider recreating them but with the first checkbox enabled.

I suggest if you do, to make a note of exactly how you have them setup, both NAT and pass/block rules.
Then enable (tick) the first one of this list. Then recreate the NAT rules, which will create the required associated rules, unless you specifically disable it when recreating the port forward rule.

p.s. What do you have in your port forward rule for association?
NAT reflection and  Filter rule association - note please I might not understand what it says if in another language.
Mine are "Use system default" which in my case is "Reflection for port forwards" = ticked; "Automatic outbound NAT for Reflection" = ticked.
These are not what you have at the moment. Yours are disabled as per your screenshot.
Hello, good afternoon. I've checked the two boxes you mentioned in Advanced, and I've deleted and recreated the rule. Then, within the diagnostics, there's a section I can't understand when I open the drop-down menu. Several options appear that I'm not familiar with, and I don't know if they indicate whether the rule is working or not. Although I think it's still not working.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 17, 2025, 11:14:49 PM
Ok, a couple of things for this diagnostic.
First, the general logging of rules, including NAT:

Screenshot from 2025-06-17 22-09-49.png

Second, these settings can be overridden on a per-rule basis. So you need to check if your NAT rule has enabled or disabled logging:

Screenshot from 2025-06-17 22-06-36.png

With logging enabled for these NAT rules, you can see the Live view if they appear and are blocked/dropped/allowed. That is Firewall > Log files > Live View.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 18, 2025, 12:23:14 PM
Quote from: cookiemonster on June 17, 2025, 11:14:49 PM
Ok, a couple of things for this diagnostic.
First, the general logging of rules, including NAT:

Second, these settings can be overridden on a per-rule basis. So you need to check if your NAT rule has enabled or disabled logging:

With logging enabled for these NAT rules, you can see the Live view if they appear and are blocked/dropped/allowed. That is Firewall > Log files > Live View.
In the live view, everything seems to be fine, although I don't know how to apply the block or pass filters. The problem is that the Qbittorrent software keeps showing me the orange symbol, indicating that there are no open ports.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 18, 2025, 12:49:00 PM
These seem internal when you say seem fine. You said WAN so far when talking about port forwarding "from outside". I'm beginning to wonder:
1) is your WAN on a public IP, routable on the internet, or is your WAN on an RFC1918 ip?
2) are you trying to port forward between internal networks i.e from LAN1 to LAN2 ?
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 18, 2025, 12:55:26 PM
Quote from: cookiemonster on June 18, 2025, 12:49:00 PM
These seem internal when you say seem fine. You said WAN so far when talking about port forwarding "from outside". I'm beginning to wonder:
1) is your WAN on a public IP, routable on the internet, or is your WAN on an RFC1918 ip?
2) are you trying to port forward between internal networks i.e from LAN1 to LAN2 ?
My IP address is public, provided by my Internet Service Provider. And regarding the port forwarding you mentioned, I only want to open the ports to the outside, not between internal networks.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 18, 2025, 12:57:03 PM
ok that clears that. Right back where we were then. Is good.
So, are the rules now working correctly and the traffic hitting your server?
Edit: if you aren't sure about this question, how about you create a separate port-forward rule to a different port that you can verify. Say ssh for instance so you can hit it with a laptop from a mobile phone connection. Something like that. The idea being to verify the port forward rules "work" when setup, and the problem gets to focus on the application side.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 18, 2025, 01:01:37 PM
Quote from: cookiemonster on June 18, 2025, 12:57:03 PM
ok that clears that. Right back where we were then. Is good.
So, are the rules now working correctly and the traffic hitting your server?
I can see it's not working because qbittorrent keeps telling me the ports aren't open, and I've restarted the software and the server. Like PLEX, it still tells me there's no external access. I don't know where the real solution is.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 18, 2025, 01:02:56 PM
See my edit. You want to see where the problem is along the network path. Elimination process.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 18, 2025, 05:32:06 PM
Quote from: Robertomcat on June 18, 2025, 01:01:37 PM
Quote from: cookiemonster on June 18, 2025, 12:57:03 PM
ok that clears that. Right back where we were then. Is good.
So, are the rules now working correctly and the traffic hitting your server?
I can see it's not working because qbittorrent keeps telling me the ports aren't open, and I've restarted the software and the server. Like PLEX, it still tells me there's no external access. I don't know where the real solution is.
Well, I've disabled all the rules I created in the MQL5 network (except the one created by default when the network is created) and I still don't have access. The WAN rules were created correctly when the NATs were created. Something higher up couldn't access them. I've tried it with PowerShell, but it won't let me. I've also used an online service to test the port, but it says it's closed, and I've tried 80 and 8080, and it says they're also closed. I'm not sure I can trust this online test, but hey... It might indicate something.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 18, 2025, 06:05:32 PM
Ok - you can test with 80 and 8080 on the same destination server then, good.
Please use that traffic to check logs on your OPN firewall. If you port forward port 80 or 8080 for instance and enable logging in the rule, you must be able to see it on the Live view. The point is to be sure you are able to see it (the traffic), then see if it gets blocked or passed.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 18, 2025, 06:30:21 PM
I don't know if I'm the one confused with your tests to be honest.
Your goal: to reach ports 55432 and plex(plex_port) from the WAN through OPN to the LAN server hosting those ports. That part I get.

Screenshot above. You seem to have tested from 192.168.1.200. Your target is 192.168.10.55 so that is not a test _through_ the WAN, so it won't test the NAT port forward. So unless you are trying to test another intra-interface flow, I'm not sure it helps.

The screenshot with the Live view with most blue lines. Those are all OUT flows from 192.168.10.55 and others. They suggest going out to WAN, that's expected. You haven't included or I can't see more than that i.e. destination. However, they seem to be redirected. I was not expecting that. Why would the flow OUT be redirected? Do you have other NAT or outbound rules perhaps?
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 18, 2025, 06:52:55 PM
Quote from: cookiemonster on June 18, 2025, 06:30:21 PM
Your goal: to reach ports 55432 and plex(plex_port) from the WAN through OPN to the LAN server hosting those ports. That part I get.
The goal is to be able to access an HP ML110 server from the outside, which has the IP address 192.168.10.55, within the internal network called MQL5 (I have other internal networks called LAN and Wifi). And to open the specific port 55432 for qbittorrent and 46837 for plex. These two rules are created in the NAT and automatically on the WAN.
Quote from: cookiemonster on June 18, 2025, 06:30:21 PM
Screenshot above. You seem to have tested from 192.168.1.200. Your target is 192.168.10.55 so that is not a test _through_ the WAN, so it won't test the NAT port forward. So unless you are trying to test another intra-interface flow, I'm not sure it helps.
What's shaded in the screenshot is my IP address provided by my ISP, and I've run the command with that IP address along with port 55432, but since I'm no expert, I've probably done it wrong.
Quote from: cookiemonster on June 18, 2025, 06:30:21 PM
The screenshot with the Live view with most blue lines. Those are all OUT flows from 192.168.10.55 and others. They suggest going out to WAN, that's expected. You haven't included or I can't see more than that i.e. destination. However, they seem to be redirected. I was not expecting that. Why would the flow OUT be redirected? Do you have other NAT or outbound rules perhaps?
And regarding this last question, as I indicated in the first answer, there are two NAT rules created; I have no other rules. I've also disabled the DNS Blacklist, but I don't think this affects the problem I'm having. I'm attaching another screenshot of the live view, in case you can glean anything. Thank you.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 18, 2025, 11:44:29 PM
Quote
The goal is to be able to access an HP ML110 server from the outside, which has the IP address 192.168.10.55, within the internal network called MQL5 (I have other internal networks called LAN and Wifi). And to open the specific port 55432 for qbittorrent and 46837 for plex. These two rules are created in the NAT and automatically on the WAN.
Right or wrong, looks a bit like this in my head. If yes, that's OK, all clear.
ISP -- WAN --- MQL5 --- ML110 (192.168.10.55)
                          --- MACHINE 2 (192.168.10.AA - port 55432)
                          --- MACHINE 3 (192.168.10.BB - port 46837)

Quote from: cookiemonster on Today at 06:30:21 PM
Screenshot above. You seem to have tested from 192.168.1.200. Your target is 192.168.10.55 so that is not a test _through_ the WAN, so it won't test the NAT port forward. So unless you are trying to test another intra-interface flow, I'm not sure it helps.
Quote
What's shaded in the screenshot is my IP address provided by my ISP, and I've run the command with that IP address along with port 55432, but since I'm no expert, I've probably done it wrong.
Respectfully, this makes no sense yet. Your ISP can not give you an ip of 192.168.1.200; that is an internal ip address, one in your network(s). You will be able to see this in Interfaces > Overview. There you'll have the actual ip issued by your ISP assigned to WAN.
Can you share those assignments with a screenshot? Mask your WAN ip if you're uncomfortable showing it.
To reiterate: port forward from WAN to an internal LAN (regardless of its name) can only be tested from outside.
What I am trying to do is to help you not verify why your torrenting or whatever is not working, but to first verify that your port forward nat and associated rule works. When that happens, you can concentrate in the torrent or whatever.
Why? Because it can be your seeding thing can block your client, can block your ip address, etc.
To this end, I am suggesting to test the port forwards by putting some traffic across the rules to see where they stop. Makes sense?
So if you test NOT from the outside, you haven't proven the rules are the problem.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 19, 2025, 10:40:18 AM
Quote from: cookiemonster on June 18, 2025, 11:44:29 PM
Respectfully, this makes no sense yet. Your ISP can not give you an ip of 192.168.1.200; that is an internal ip address, one in your network(s). You will be able to see this in Interfaces > Overview. There you'll have the actual ip issued by your ISP assigned to WAN.
Can you share those assignments with a screenshot? Mask your WAN ip if you're uncomfortable showing it.
To reiterate: port forward from WAN to an internal LAN (regardless of its name) can only be tested from outside.
What I am trying to do is to help you not verify why your torrenting or whatever is not working, but to first verify that your port forward nat and associated rule works. When that happens, you can concentrate in the torrent or whatever.
Why? Because it can be your seeding thing can block your client, can block your ip address, etc.
To this end, I am suggesting to test the port forwards by putting some traffic across the rules to see where they stop. Makes sense?
So if you test NOT from the outside, you haven't proven the rules are the problem.
Hello, good morning.
The IP address 192.168.1.200 is the fixed IP address I assigned to my personal computer, and my ISP provides public IP addresses via DHCP, and I currently have 85.XXX.XX.86. The same company that provides internet also provided me with an OPNsense ONT in front of OPNsense, so OPNsense has an internal IP address on the WAN. But I've always had an ONT regardless of which router I've been using.
Title: Re: Open ports on network interfaces
Post by: cookiemonster on June 19, 2025, 11:54:10 AM
Good morning.
Quote from: Robertomcat on June 19, 2025, 10:40:18 AM
Quote from: cookiemonster on June 18, 2025, 11:44:29 PM
Respectfully, this makes no sense yet. Your ISP can not give you an ip of 192.168.1.200; that is an internal ip address, one in your network(s). You will be able to see this in Interfaces > Overview. There you'll have the actual ip issued by your ISP assigned to WAN.
Can you share those assignments with a screenshot? Mask your WAN ip if you're uncomfortable showing it.
To reiterate: port forward from WAN to an internal LAN (regardless of its name) can only be tested from outside.
What I am trying to do is to help you not verify why your torrenting or whatever is not working, but to first verify that your port forward nat and associated rule works. When that happens, you can concentrate in the torrent or whatever.
Why? Because it can be your seeding thing can block your client, can block your ip address, etc.
To this end, I am suggesting to test the port forwards by putting some traffic across the rules to see where they stop. Makes sense?
So if you test NOT from the outside, you haven't proven the rules are the problem.
Hello, good morning.
The IP address 192.168.1.200 is the fixed IP address I assigned to my personal computer, and my ISP provides public IP addresses via DHCP, and I currently have 85.XXX.XX.86. The same company that provides internet also provided me with an OPNsense ONT in front of OPNsense, so OPNsense has an internal IP address on the WAN. But I've always had an ONT regardless of which router I've been using.
Oh wow, you left this very important part out. I've been suspecting and asking you and you gave incorrect and/or incomplete information.

Quote June 18, 2025, 12:49:00 PM #20
These seem internal when you say seem fine. You said WAN so far when talking about port forwarding "from outside". I'm beginning to wonder:
1) is your WAN on a public IP, routable on the internet, or is your WAN on an RFC1918 ip?
2) are you trying to port forward between internal networks i.e from LAN1 to LAN2 ?

Quote June 18, 2025, 12:55:26 PM #21

    Quote from: cookiemonster on June 18, 2025, 12:49:00 PM
    These seem internal when you say seem fine. You said WAN so far when talking about port forwarding "from outside". I'm beginning to wonder:
    1) is your WAN on a public IP, routable on the internet, or is your WAN on an RFC1918 ip?
    2) are you trying to port forward between internal networks i.e from LAN1 to LAN2 ?

My IP address is public, provided by my Internet Service Provider. And regarding the port forwarding you mentioned, I only want to open the ports to the outside, not between internal networks.

Unless I read this wrong, you seem to be in a double NAT scenario AND you have two OPN routers in series i.e. one behind another.
I'm going to let someone else chime in but in short, you need to then read up on double NAT, see if your second OPN has blocked private networks on the WAN interface settings at the minimum. Is it possible to have only one OPN in place?
p.s. I'm not going to be able to help much in a OPN behind OPN scenario.
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 19, 2025, 12:49:28 PM
Quote from: cookiemonster on June 19, 2025, 11:54:10 AM
Unless I read this wrong, you seem to be in a double NAT scenario AND you have two OPN routers in series i.e. one behind another.
I'm going to let someone else chime in but in short, you need to then read up on double NAT, see if your second OPN has blocked private networks on the WAN interface settings at the minimum. Is it possible to have only one OPN in place?
p.s. I'm not going to be able to help much in a OPN behind OPN scenario
Oh no, I only have an opnsense and the ONT. And yes, it has been a lack of information on my part, because at no time had I reported that I had an ONT AND OPNsense, I had automatically deduced that it was something unimportant. Sorry for all this time.
Title: Re: Open ports on network interfaces
Post by: viragomann on June 19, 2025, 07:28:33 PM
Quote from: Robertomcat on June 18, 2025, 12:55:26 PM
My IP address is public, provided by my Internet Service Provider.
Yes, but your public IP is assigned to the ONT, while OPNsense behind it has a private IP as your screenshots show.
So your ONT is a router in fact.
This is an essential information.

So first of all you have to forward the traffic on the outer router (ONT) to OPNsense. Have you even done this?
Title: Re: Open ports on network interfaces
Post by: Robertomcat on June 19, 2025, 07:44:49 PM
Quote from: viragomann on June 19, 2025, 07:28:33 PM
Yes, but your public IP is assigned to the ONT, while OPNsense behind it has a private IP as your screenshots show.
So your ONT is a router in fact.
This is an essential information.

So first of all you have to forward the traffic on the outer router (ONT) to OPNsense. Have you even done this?
The router/ONT has a specific configuration to put it in bridge mode, which is how it currently is, and all traffic is redirected to opnsense. It will be a year or so now that it has been running like this.
Title: Re: Open ports on network interfaces
Post by: viragomann on June 19, 2025, 07:48:17 PM
Quote from: Robertomcat on June 19, 2025, 07:44:49 PM
The router/ONT It has a specific configuration to put it in bridge mode which is how it currently is
Bridge mode means, that the device behind it (OPNsense) gets the public IP. But your OPNsense has 192.168.18.2 on the WAN, which is far away from a public IP.

So again, forward the traffic to OPNsense on the ONT or put it really in bridge mode to get further with this.
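
The two checks this thread converges on (a private address on the OPNsense WAN means the device in front of it is still routing, and a test started from an internal host never exercises the WAN port forward), written out as an added example that is not part of any forum post. The function names, the /24 masks and the 203.0.113.10 stand-in for the masked public address are assumptions made for the illustration; the other addresses are the ones quoted in the thread.

```python
import ipaddress

# Address blocks that are never routable on the public internet.
NON_PUBLIC = {
    "RFC1918 private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "RFC6598 carrier-grade NAT": ("100.64.0.0/10",),
    "loopback or link-local": ("127.0.0.0/8", "169.254.0.0/16"),
}


def classify(ip):
    """Return the name of the non-public block holding ip, or 'public'."""
    addr = ipaddress.ip_address(ip)
    for label, nets in NON_PUBLIC.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return label
    return "public"


def diagnose(wan_ip, public_ip, test_source, internal_nets):
    """Return (code, message) findings for a WAN port-forward test.

    wan_ip        address on the firewall's WAN interface (Interfaces > Overview)
    public_ip     address the internet sees for this connection
    test_source   address of the machine the connection test was started from
    internal_nets networks that sit behind the firewall
    """
    findings = []

    # Check 1: is the firewall itself the device holding the public address?
    wan_class = classify(wan_ip)
    if wan_class != "public":
        findings.append((
            "upstream-nat",
            f"WAN address {wan_ip} is {wan_class}: the device in front of the "
            "firewall is routing, so it must forward the port or be bridged.",
        ))
    elif ipaddress.ip_address(wan_ip) != ipaddress.ip_address(public_ip):
        findings.append((
            "wan-mismatch",
            f"WAN address {wan_ip} differs from observed public address "
            f"{public_ip}: something upstream still translates the traffic.",
        ))

    # Check 2: did the test actually arrive through the WAN interface?
    src = ipaddress.ip_address(test_source)
    if any(src in ipaddress.ip_network(net) for net in internal_nets):
        findings.append((
            "internal-test",
            f"Test source {test_source} is behind the firewall: the connection "
            "never enters through WAN, so the port forward was not exercised.",
        ))

    return findings


if __name__ == "__main__":
    # Networks of the test PC and the target server; the /24 masks are assumed.
    nets = ["192.168.1.0/24", "192.168.10.0/24"]
    # 203.0.113.10 is a constructed placeholder for the masked public address.
    for code, msg in diagnose("192.168.18.2", "203.0.113.10",
                              "192.168.1.200", nets):
        print(f"[{code}] {msg}")
```
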