Dear community,
my fiber bridge does have a second IP for local configuration web interface: 192.168.33.1
For this I configured a virtual IP (IP alias) on the WAN interface. Ok - this works.
From the LAN side I can only reach it when doing a port forwarding using ssh (ssh -L 88:192.168.33.1:80 root@opnsense).
When configuring a Firewall-NAT-Port forwarding I am failing:
LAN1 TCP * * This Firewall 88 192.168.33.1 80 (HTTP)
Also tried a firewall rule:
IPv4 TCP LAN1 net * * 88 * * Glasfaser Modem
But nothing helps.
Any ideas welcome. Thx!
You only need an outbound NAT rule on the WAN interface:
destination: 192.168.33.1/32
translation: virtual WAN IP
Configured it:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN LAN1 net tcp/ * This Firewall tcp/ 88 192.168.33.1/32 80 NO
But getting a timeout when opening http://opensense:88
This is not, what I suggested.
Your rule translates the source address to the modems IP (192.168.33.1) and the source port to 80?
Quote from: teclab on January 15, 2026, 08:37:33 PMBut getting a timeout when opening http://opensense:88
So this is expected.
Just obey the suggestion and access the device by its IP then.
Quote from: viragomann on January 15, 2026, 08:43:36 PM... and access the device by its IP then.
I am not accessing the modem by its IP. I need to http to OpenSense on port 88, and from there forward to the modem 192.168.33.1 on port 80.
That's why I gave this example:
From my desktop PC I do:
ssh -L 88:192.168.33.1:80 root@opnsenseAnd then doing
http://opnsense:88 I get forwarded to the modem.
Sorry, but I did not want to "disobey" you
*lol* ... I might not understood it better ...
But if you correctly NAT on the interface you can just use http://<ip of modem> without SSH or anything.
Quote from: teclab on January 15, 2026, 10:24:04 PMfrom there forward to the modem 192.168.33.1 on port 80.
And what's the sense of forwarding the traffic?
Quote from: Patrick M. Hausen on January 15, 2026, 10:26:49 PMBut if you correctly NAT ...
Yes that's what I was trying, but failing (as written in my initial post).
Quote from: viragomann on January 15, 2026, 10:34:09 PMAnd what's the sense of forwarding the traffic?
As posted in my first message, my fiber bridge does have a local IP for maintenance - on the same physical port.
This is on the WAN side:
FiberBridge <-> WAN <-> OpenSense <-> LAN
So from LAN I wanted to NAT to the Fiber Bridge.
Quote from: teclab on January 15, 2026, 10:24:04 PMFrom my desktop PC I do:
Code Select Expand
ssh -L 88:192.168.33.1:80 root@opnsense
And then doing http://opnsense:88 I get forwarded to the modem.
I see. So you want to tunnel the traffic through SSH for security reasons or whatever.
But I don't think that this will be doable. I don't think that OPNsense gets the tunneld traffic in on any interface, which can be used for port forwarding. I assume, it enters the machine on localhost, but this is not available in a port forwarding rule.
You investigate this by running packet capture on the LAN and on loopback.
Quote from: viragomann on January 17, 2026, 07:54:26 PM... you want to tunnel the traffic through SSH for security reasons or whatever.
No, this is only the workaround.
Quote from: viragomann on January 17, 2026, 07:54:26 PMI don't think that OPNsense gets the tunneld traffic in on any interface, which can be used for port forwarding. I assume, it enters the machine on localhost, but this is not available in a port forwarding rule.
Not quite sure if we are on the same page? Every connection enters on the localhost, that's what port forwarding is for.
I already setup NAT from WAN to a local machine behind. This works OK.
But now I thought about setting up NAT from LAN to WAN (but on the IP alias).
Quote from: teclab on January 18, 2026, 05:04:08 PMQuote... you want to tunnel the traffic through SSH for security reasons or whatever.
No, this is only the workaround.
Not quite sure if we are on the same page?
No. Then I don't get why you want to forward the traffic to the modem.
Just access it using its IP. OPNsense is a router and will route the traffic properly.
Quote from: viragomann on January 18, 2026, 05:09:23 PMJust access it using its IP. OPNsense is a router and will route the traffic properly.
This does not work. No it does not.
LAN and IP Bridge are on different network.
I made a drawing to help make things more clear.
If you did the suggested configuration it should work, presupposed OPNsense is the default gateway on the PC.
Again the steps.
Virtual IP:
You added a virtual IP (IP alias) to the OPNsense WAN, say 192.168.33.10.
Outbound NAT rule:
Firewall: NAT: Outbound > "Hybrid outbound NAT rule generation" enabled
Add a rule:
Interface: WAN
Source: LAN net
destination: 192.168.33.1 (modem)
translation: virtual IP
This changes the outbound NAT behavior only for the stated destination. All other traffic will be natted to the primary WAN IP.
Access the modem by http:192.168.33.1 or whatever protocol it supports.
OPNsense will normally route the traffic to the modem. Due to the outbound NAT, the modem sees access coming from the virtual IP and responses to it properly.
I tried two versions, both failing.
(I am having difficutly understanding translation/destination).
You need an OUTBOUND NAT rule on your WAN interface not a port forward. No destination port, no translation port, just NAT all outbound traffic towards the modem to the alias address.
Guys, I appreciate your support. But searching for 'outbound' I find:
QuoteOutbound NAT (Network Address Translation) changes the source IP address of traffic leaving a private local network (like your home or business network) to a public IP address as it goes out to the internet, allowing multiple devices to share one public IP and enabling internet access.
Why do I want to change (hide) the source IP?
I only wanted to
reach a single IP on a single port on the WAN side. What's wrong with port mapping?
Quote from: teclab on January 18, 2026, 06:45:12 PMWhy do I want to change (hide) the source IP?
Because your modem does not know how to reach your source IP. So you NAT to an IP in the same network.
Quote from: teclab on January 18, 2026, 06:45:12 PMWhat's wrong with port mapping?
It doesn't work the way you think it works. With outbound NAT you can reach your modem.
Or spend more pointless hours. You do you.
Quote from: teclab on January 18, 2026, 06:45:12 PMWhy do I want to change (hide) the source IP?
The origin source IP is from your PC in the LAN. So it'S something in 10.x.x.x.
When you access the modem from this IP, it will send responses back to it.
However, as Patrick mentioned, your modem doesn't know, that this is behind the OPNsense and therefore it will send the respond to its default gateway, which might be somewhere on your ISPs site.
With the suggested outbound NAT rule, OPNsense translates the source IP of the respective traffic into its own virtual IP, which is in the same subnet as the modem and hence it can send back responses properly.
deleted
I did what Patrick suggested and could reach my modem. Unfort. there are two side effects:
- The WAN network 192.168.33.x was exposed to my private local 10.10.x.x network.
- Internet did not work any more!!
That's not what I was trying to achive. I do not want to expose 192.168.x.x in my 10.10.x.x network.
Quote from: teclab on January 18, 2026, 08:33:33 PMThe WAN network 192.168.33.x was exposed to my private local 10.10.x.x network.
You want to access it from 10.x.x.. So yes, it's accessible.
However, you can ever limit the access to certain LANs or IP addresses by firewall rules.
Just add a rule on the respective internal interface to allow the desired access, followed by a block rule for destination of modem subnet.
Quote from: teclab on January 18, 2026, 08:33:33 PMInternet did not work any more!!
So you might have done something wrong.
Is the outbound NAT in hybrid mode?
Did you limit the destination in the NAT rule to the modem IP or subnet?
Quote from: viragomann on January 18, 2026, 08:40:52 PMDid you limit the destination in the NAT rule to the modem IP or subnet?
I did it as Patrick suggested without destination and translation.
But now I tried 192.168.33.1/32 as Destination and have both working! Hurray!
Thank you All for your help and patience!!
Quote from: teclab on January 18, 2026, 08:50:52 PMI did it as Patrick suggested without destination and translation.
You didn't read his post carefully. He just suggested to not state ports.
Indeed, I am sorry Patrick.
Today I learned a lot!