OPNsense Forum

English Forums => General Discussion => Topic started by: balubeto on November 28, 2018, 10:34:24 am

Title: Rules for use Torrent service
Post by: balubeto on November 28, 2018, 10:34:24 am
Hi

Since I would like to use the Torrent service to download and share some files on the Internet, I would like to know what is the correct procedure for creating the rules that allow you to use this service.

I am currently using OPNsense 18.7.8 64 bit.

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on November 29, 2018, 05:04:41 pm
I'm still waiting for your answer.

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: tofaz on November 29, 2018, 09:05:48 pm
Hi,

if you do not have IDS/IPS in place, I would say that you have to create a rule that allows traffic on torrent standard ports (6881-6889 TCP) from LAN network to any on WAN.
Title: Re: Rules for use Torrent service
Post by: balubeto on November 30, 2018, 10:08:43 am
Hi,

if you do not have IDS/IPS in place, I would say that you have to create a rule that allows traffic on torrent standard ports (6881-6889 TCP) from LAN network to any on WAN.


What is the correct procedure for creating this rule?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 01, 2018, 05:01:37 pm
Could someone please give me an answer?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: GDixon on December 01, 2018, 05:20:05 pm
What works for me is UPnP. I don't like to use it but the ports close after they are not needed or I can close them myself.
I don't have to search for the correct ports and I can have my torrent program change its port every time it starts up.
Title: Re: Rules for use Torrent service
Post by: balubeto on December 01, 2018, 06:21:54 pm
What works for me is UPnP. I don't like to use it but the ports close after they are not needed or I can close them myself.
I don't have to search for the correct ports and I can have my torrent program change its port every time it starts up.


If I disabled the UPnP function, in which sections of OPNsense should I go to create the rules that allow the opening of the ports that serve the various Internet services (such as Torrent) to work properly?

When I will create the rules for using the Torrent service, which fields should I use?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 03, 2018, 08:50:52 am
Could someone please give me an answer?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: Ciprian on December 03, 2018, 11:18:43 am
Hi!

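Sorry I would not come with a tutorial explaining in details and with pictures what should be done (lack of time), but until somebody else will (maybe) do that, I will point you to the following 2 scenarios:

  • Use uPnP plugin - Find it in System: Firmware: Plugins - especially if your torrent client is uPnP compatible
  • Use NAT, Port Forwarding Rule - Firewall: NAT: Port Forward - Choose a range of ephemeral ports (typically between 1024 and 65535) in your torrent client, and then create a new NAT (Port Forwarding) rule in your firewall for those chosen ports towards your torrent machine. (For that sake, it is possible to use a single port, but this requires the torrent client to use that particular port every time it restarts)
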
For how to do it for each of these cases please wait for someone else with more available time than me to write a step-by-step tutorial, or read the docs and search the forum for "upnp", "NAT" and/ or "Port Forwarding" - even if you can't find your exact case in particular, those search keywords will bring up posts describing how uPnP and NAT Rules work and examples of Port Forwarding done for alike scenarios, for other services.

Hope it helps... :)
Good luck!
Title: Re: Rules for use Torrent service
Post by: balubeto on December 03, 2018, 11:53:00 am
Hi!

Sorry I would not come with a tutorial explaining in details and with pictures what should be done (lack of time), but until somebody else will (maybe) do that, I will point you to the following 2 scenarios:

  • Use uPnP plugin - Find it in System: Firmware: Plugins - especially if your torrent client is uPnP compatible
  • Use NAT, Port Forwarding Rule - Firewall: NAT: Port Forward - Choose a range of ephemeral ports (typically between 1024 and 65535) in your torrent client, and then create a new NAT (Port Forwarding) rule in your firewall for those chosen ports towards your torrent machine. (For that sake, it is possible to use a single port, but this requires the torrent client to use that particular port every time it restarts)

For how to do it for each of these cases please wait for someone else with more available time than me to write a step-by-step tutorial, or read the docs and search the forum for "upnp", "NAT" and/ or "Port Forwarding" - even if you can't find your exact case in particular, those search keywords will bring up posts describing how uPnP and NAT Rules work and examples of Port Forwarding done for alike scenarios, for other services.

Hope it helps... :)
Good luck!

By default, does OPNsense 18.7.8 have the UPnP function enabled? If yes, how do I disable it?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: Ciprian on December 03, 2018, 12:08:50 pm
No, uPnP is not enabled - as I said, it's a plugin, you can find it in "Plugins" section, then install it. It's not installed (hence not enabled) by default.
Title: Re: Rules for use Torrent service
Post by: balubeto on December 04, 2018, 11:29:46 am

I can't open port 36603 on the firewall towards the Pippo computer that doesn't have a firewall/antivirus because, when I try to use services, such as https://ping.eu/port-chk, that check the status of a port, they indicate that this port is closed. How come?


My OPNsense configuration (the VDSL2+ router has been put in Bridged mode):


(http://i63.tinypic.com/dgqyr9.jpg)
(http://i68.tinypic.com/5yaq35.jpg)
(http://i67.tinypic.com/v2yd8x.jpg)
(http://i67.tinypic.com/141jsd2.jpg)

(http://i65.tinypic.com/j9ouuh.jpg)


So, where did I go wrong?


Thanks


Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 05, 2018, 07:59:18 pm
Could someone please give me an answer?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: GDixon on December 06, 2018, 12:32:30 am
I may be wrong but even with a port forward or uPnP I get all ports closed when I do an outside the wan scan. The ISP may be the one doing that.

I use a cable modem that's just a bridge through Spectrum, has no router functions.

I can still connect and use any port forwards and uPnP works as expected. Have you tried connecting or running your torrent program?

I use https://www.grc.com/x/ne.dll?bh0bkyd2 to check ports
Title: Re: Rules for use Torrent service
Post by: balubeto on December 06, 2018, 06:29:19 pm
I tried to do a scan of my torrent port with the above service and I noticed that my port is in Stealth status with the green background. What does this mean? What can I do to make sure that this service indicates that the status of this port was opened?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: Ciprian on December 07, 2018, 09:52:38 am
OK, but what about your torrent client, what does it say about the port?
Title: Re: Rules for use Torrent service
Post by: balubeto on December 07, 2018, 12:20:15 pm
OK, but what about your torrent client, what does it say about the port?

For my convenience, to do a test I ran eMule using the torrent port and noticed that this client connects to the various servers with low IDs and to the Kad network under the firewall (Connected:(firewalled)). So, how should I ensure that P2P clients don't see my hardware firewall?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 08, 2018, 07:48:05 pm
So, how would I be able to properly open the ports of the firewall hardware?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 10, 2018, 05:30:49 pm
I'm still waiting for an answer.

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: miruoy on December 10, 2018, 06:59:44 pm
Looking at your NAT rule it looks like you are not forwarding correctly. Destination should be the WAN if address, not the server you are redirecting to. Your live FW log should show you that is the if where the packets are being dropped.

If this does not resolve the issue you should verify the live FW logs and/or run a packet capture on your WAN if to verify the packets are coming through to your end and are not being intercepted/blocked by the ISP.

Keep seeding!
Title: Re: Rules for use Torrent service
Post by: balubeto on December 11, 2018, 09:01:23 am
Looking at your NAT rule it looks like you are not forwarding correctly. Destination should be the WAN if address, not the server you are redirecting to. Your live FW log should show you that is the if where the packets are being dropped.

If this does not resolve the issue you should verify the live FW logs and/or run a packet capture on your WAN if to verify the packets are coming through to your end and are not being intercepted/blocked by the ISP.

Keep seeding!

In which destination field should I put WAN?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: miruoy on December 11, 2018, 09:40:50 am
There is only 1 field named "Destination" in the port forwarding config. Study the screenshot below to be spoon fed.

(https://i.imgur.com/mA72EO7.png)

Do note though that this should really be obvious if you have any experience with networking. Study this small diagram and it should become clear on why we are using the WAN as the "Destination" in the PAT rules.

Code:
External User/App ==> WAN ==> Your opnSense ==> Your Torrent Box
Also read up on this (https://stevessmarthomeguide.com/understanding-port-forwarding/) article to clarify what you are configuring.

I hope this helps you in better understanding your configuration.
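
The point made in the two posts above, as an added example that is not part of the original thread and not OPNsense code: a simplified Python model of the translate-then-filter order used by a pf-based firewall, showing why a port forward whose "Destination" is the internal host never matches. The interface label `wan`, the address `203.0.113.7` (documentation range) and the LAN address `192.168.1.50` are constructed assumptions; port 36603 is the one from the thread.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    iface: str
    dst: str
    dport: int

@dataclass(frozen=True)
class PortForward:
    iface: str
    destination: str   # "Destination" field: the address the packet is sent TO
    dport: int
    redirect_ip: str   # redirect target: the internal host
    redirect_port: int

@dataclass(frozen=True)
class PassRule:
    iface: str
    dst: str
    dport: int

WAN_ADDR = "203.0.113.7"      # constructed public address (assumption)
TORRENT_BOX = "192.168.1.50"  # constructed LAN address of the torrent machine
PORT = 36603                  # port used in the thread

def translate(pkt, forwards):
    """Apply the first matching port forward; unmatched packets are unchanged."""
    for fw in forwards:
        if (pkt.iface, pkt.dst, pkt.dport) == (fw.iface, fw.destination, fw.dport):
            return replace(pkt, dst=fw.redirect_ip, dport=fw.redirect_port)
    return pkt

def evaluate(pkt, forwards, pass_rules):
    """Translate first, then filter the translated packet; default is block."""
    out = translate(pkt, forwards)
    allowed = any((out.iface, out.dst, out.dport) == (r.iface, r.dst, r.dport)
                  for r in pass_rules)
    return ("pass" if allowed else "block", f"{out.dst}:{out.dport}")

# A packet from an outside peer is addressed to the WAN address, never to a LAN IP.
INBOUND = Packet("wan", WAN_ADDR, PORT)
# Filter rule that lets the forwarded traffic reach the torrent machine.
PASS_RULES = [PassRule("wan", TORRENT_BOX, PORT)]
# Destination set to the internal host: no inbound packet ever matches.
WRONG = [PortForward("wan", TORRENT_BOX, PORT, TORRENT_BOX, PORT)]
# Destination set to the WAN address: the packet is rewritten, then passed.
RIGHT = [PortForward("wan", WAN_ADDR, PORT, TORRENT_BOX, PORT)]

if __name__ == "__main__":
    print("wrong forward:", evaluate(INBOUND, WRONG, PASS_RULES))
    print("right forward:", evaluate(INBOUND, RIGHT, PASS_RULES))
    print("right forward, no pass rule:", evaluate(INBOUND, RIGHT, []))
```

In this model, a block whose destination is still the WAN address means the forward did not match, while a block showing the LAN address means the forward matched but no pass rule allowed the translated packet.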
Title: Re: Rules for use Torrent service
Post by: balubeto on December 11, 2018, 05:02:21 pm

I don't have any WAN logical interface having configured the firewall in order to use the PPPoE protocol for the Internet connection, as you can see from the attachments. The VDSL2+ router, connected to the WAN physical interface of the firewall, is in Bridged mode.


So, how can I solve the problem of the opened ports?


Thanks


Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 14, 2018, 11:59:31 am
Does anyone have a solution to my problem?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 17, 2018, 05:38:29 pm
Am I still waiting for your tip?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 23, 2018, 09:45:36 am
Could someone help me?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 27, 2018, 12:02:33 pm
I reset the firewall and configured it in a standard mode with the PPPoE protocol but my problem remained.

How do I view all packets blocked by NAT?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: fabian on December 27, 2018, 12:06:52 pm
How do I view all packets blocked by NAT?
NAT cannot block, it is NOT A FIREWALL. It just looks like one because the packets won't find the real destination.
Title: Re: Rules for use Torrent service
Post by: balubeto on December 27, 2018, 12:32:17 pm
How do I view all packets blocked by NAT?
NAT cannot block, it is NOT A FIREWALL. It just looks like one because the packets won't find the real destination.

How do I find out where these packages end up?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on December 30, 2018, 11:20:18 am
In OPNsense, how do I analyze the firewall traffic to understand which packets pass and which not?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: bartjsmit on December 30, 2018, 12:34:57 pm
Firewall, Log Files, Live View

Bart...
Title: Re: Rules for use Torrent service
Post by: balubeto on January 02, 2019, 09:16:17 am
This is my current configuration:

(http://i66.tinypic.com/2n8amo4.jpg)
(http://i66.tinypic.com/1rrpkm.jpg)
(http://i67.tinypic.com/29dwff9.jpg)
(http://i64.tinypic.com/fcn3ax.jpg)
(http://i67.tinypic.com/jfkcw2.jpg)
(http://i65.tinypic.com/rh9947.jpg)
(http://i65.tinypic.com/mtrwad.jpg)
(http://i67.tinypic.com/2ak02l5.jpg)
(http://i63.tinypic.com/jsedsp.jpg)
(http://i63.tinypic.com/2cmvsj5.jpg)

The next two images represent the various port blocks:

(http://i67.tinypic.com/300che1.jpg)
(http://i65.tinypic.com/9k6n46.jpg)

How come? Is this normal?

While these images show the block of port 36603 analyzed by the service https://www.grc.com that reports the status Stealth on this port:

(http://i66.tinypic.com/dqov89.jpg)
(http://i66.tinypic.com/33lnw45.jpg)

So, how do I remove all these blocks so that I can use the Torrent network without any problems?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on January 04, 2019, 10:04:51 am
Anybody understand what I'm doing wrong?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on January 06, 2019, 10:39:32 am
Can you help me solve this problem?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on January 07, 2019, 10:24:14 am
I have noticed that, when I create and apply the Torrent rule, an error appears (see attachment). Where am I wrong?

Thanks


Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on January 07, 2019, 05:32:41 pm
Help!!!
Title: Re: Rules for use Torrent service
Post by: MrB on January 07, 2019, 06:06:08 pm
You could start by trying with actual port number & ip instead of aliases and see if that makes any difference.
Title: Re: Rules for use Torrent service
Post by: balubeto on January 07, 2019, 07:09:22 pm
Now, no error appears but, when I check the port, the Internet service indicates that its status is closed. How come?


Thanks


Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on January 08, 2019, 05:22:10 pm
So, how do I open the ports? In other words, why doesn't my NAT rule, which should open the Torrent port, work?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: Ciprian on January 09, 2019, 03:23:05 pm
I don't know, sorry... It seems to be fine, but it isn't... Even your PC firewall might be interfering, or even the modem, if the bridge mode is not quite a bridge... I don't really know.

It's difficult to find an answer having just bits, and just from one single link in the chain.
Title: Re: Rules for use Torrent service
Post by: balubeto on January 09, 2019, 06:23:34 pm
There is no firewall enabled on the LAN computers.

The VDSL2 router should be set up correctly in Bridge mode because, a few months ago, I had a firewall hardware with pfSense and I did not have this problem. How come?

One thing I never understood: If I turn off NAT on the router, I can no longer access the Internet from the LAN computers. This happens with the old and the new firewall hardware. How come?

With OPNSense, is it possible to configure it so that it also acts as a full NAT for the entire LAN so that I can completely disable the router's firewall?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: balubeto on January 12, 2019, 08:48:14 am
Anybody still want to help me?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: Ciprian on January 14, 2019, 11:56:48 am
There is no firewall enabled on the LAN computers.

The VDSL2 router should be set up correctly in Bridge mode because, a few months ago, I had a firewall hardware with pfSense and I did not have this problem. How come?

I never used pfSense, but I have a NAS (FreeNAS) and multiple services (like FTP) and plugins (like Transmission - a torrent client, Plex, Emby, NextCloud etc.) behind OPNsense and everything works like a charm accessed from both LAN and from WAN. I so conclude that your problem is not a "works with that, but not with this" problem.

One thing I never understood: If I turn off NAT on the router, I can no longer access the Internet from the LAN computers. This happens with the old and the new firewall hardware. How come?

A very expected behavior: your IPs set for LAN are not routable, so you can't access internet without a NAT device.

With OPNSense, is it possible to configure it so that it also acts as a full NAT for the entire LAN so that I can completely disable the router's firewall?

OPNsense already does that, full NAT, but NAT is a FW function. Can't really turn off FW, in its entirety, without turning off NAT. There are settings and/ or rules for completely "avoiding" one or the other (as in, allow everything from anywhere to anywhere, and/ or translate everything from this WAN address to this LAN address, or the other way around, or no NAT at all), but otherwise you either have it as a router only, or as a router + FW (and with or without NAT).

I say it again: without directly seeing every link in the chain, every device on the path of your internet connection, I declare myself unable to help.

I truly hope you'll figure it out.
A good day to you!
Title: Re: Rules for use Torrent service
Post by: balubeto on January 14, 2019, 05:52:48 pm
How do I enable the OPNSense NAT to make the dynamic IP, provided by my ISP, routable for the LAN? In other words, I would like to disable the NAT of the VDSL2 router using this Internet service with the computers on the LAN.

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: bartjsmit on January 14, 2019, 06:09:29 pm
Enable bridge mode in your router/modem configuration. If it doesn't offer it, look for one that does (e.g. https://www.draytek.co.uk/products/business/vigor-130)

Bart...
Title: Re: Rules for use Torrent service
Post by: balubeto on January 14, 2019, 06:58:47 pm
Enable bridge mode in your router/modem configuration. If it doesn't offer it, look for one that does (e.g. https://www.draytek.co.uk/products/business/vigor-130)

Bart...

Sorry but my router is already in Bridged mode also because I use the PPPoE protocol of the firewall to use the Internet. So, my firewall hardware knows my public dynamic IP and the various DNS used by my provider.

So, how do I set OPNSense to do what I want to do?

Thanks

Bye
Title: Re: Rules for use Torrent service
Post by: Ciprian on January 17, 2019, 10:17:40 am
So, how do I set OPNSense to do what I want to do?

Thanks

Bye

The answer, actually the answers, were all given in previous replies here. At least, all the answers regarding exactly that, OPNsense config. As I stated before, something is amiss and not necessarily on OPNsense config... So I kindly ask you to allow me to say that keeping asking here what you should do is not enough any more... This is the most anyone limited to forum can help.

Good luck!