OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: cranky on March 27, 2021, 03:10:35 pm

Title: Port forwarding
Post by: cranky on March 27, 2021, 03:10:35 pm
So I searched and tried a number of things on these forums, but I still can't get my port forwards to work.
First let me list my settings:

Network Address Translation
 Reflection for port forwards: ✔
 Reflection for 1:1: x
 Automatic outbound NAT for Reflection: ✔

Outbound:
Hybrid

Forwards are in the screenshot; what am I doing wrong here?


Is this even working? As soon as I set these aliases as forwards, I get an error message (below):
PHP Warning:  implode(): Invalid arguments passed in /usr/local/www/firewall_nat_edit.php on line 216

So it seems the rules are not being loaded because of the implode error?


Title: Re: Port forwarding
Post by: cranky on March 27, 2021, 07:27:30 pm
So I removed the aliases and just entered the ports manually.
Ports are still closed/not being forwarded.
Can anyone tell me what I'm doing wrong?
Title: Re: Port forwarding
Post by: Fright on March 27, 2021, 09:20:40 pm
Hi
Could you please use one rule as an example (e.g. the tcp 3074 rule) to describe what you want to achieve, what you did, and what is in the logs when you try to connect?

Quote
PHP Warning:  implode(): Invalid arguments passed in /usr/local/www/firewall_nat_edit.php on line 216
This is interesting, although it may not be relevant to the problem. Do you remember what you specified as a Category for the rule?
Title: Re: Port forwarding
Post by: Greelan on March 27, 2021, 09:43:53 pm
Are the port forward rules set to create associated firewall rules (check Filter rule association in the port forwards)?
Title: Re: Port forwarding
Post by: cranky on March 28, 2021, 11:57:15 am
Can you elaborate more on this?
It is set to Rule, and I see rules being set on WAN.
Title: Re: Port forwarding
Post by: Greelan on March 28, 2021, 01:32:13 pm
That’s what I meant
Title: Re: Port forwarding
Post by: cranky on March 28, 2021, 01:49:08 pm
Quote
That’s what I meant
Yeah, then it was good, I set it to rule.
So I see rules on WAN, I see them on forward, yet ports are not being forwarded.
Can this be because of the destination being in a VLAN? (10.0.1.x = vlan15)
Title: Re: Port forwarding
Post by: Greelan on March 28, 2021, 01:56:07 pm
Won’t make a difference. I have several port forwards going to VLANs. Checked firewall on the endpoint of the port forward?
Title: Re: Port forwarding
Post by: cranky on March 28, 2021, 02:21:13 pm
Quote
Won’t make a difference. I have several port forwards going to VLANs. Checked firewall on the endpoint of the port forward?
I'm ashamed to admit that I haven't checked the firewall on the endpoint. I'm such an idiot; let me check that and report back.
Title: Re: Port forwarding
Post by: cranky on March 28, 2021, 02:36:41 pm
Quote
Won’t make a difference. I have several port forwards going to VLANs. Checked firewall on the endpoint of the port forward?
I'm ashamed to admit that I haven't checked the firewall on the endpoint. I'm such an idiot; let me check that and report back.
Checked the endpoint; there is no filtering active. I'll investigate further, any other ideas?
I can see the port being hit on the FW, and I see traffic to VLAN15, how is it still closed lol, I'm lost. (see screenshot)
Title: Re: Port forwarding
Post by: cranky on March 29, 2021, 11:38:44 am
No one here that can tell me what I'm doing wrong?
I searched high and low, and can only find the solutions I already applied.
Ports are not being forwarded, endpoint has no FW.
Title: Re: Port forwarding
Post by: Greelan on March 29, 2021, 11:48:56 am
Can’t see anything obviously wrong on the OPNsense side - in fact the firewall logs suggest the problem is elsewhere. For example, maybe there is a binding issue with the services that you are trying to reach on the endpoint? Maybe they are only configured to allow local connections?
Title: Re: Port forwarding
Post by: cranky on March 29, 2021, 11:53:02 am
The ports are for battle.net (CoD Warzone); there is no such setting on that service.
If I remove the OPNsense, the ports are opened.... So it's something within OPNsense I think, I just can't pinpoint it.
Title: Re: Port forwarding
Post by: Greelan on March 29, 2021, 11:55:05 am
I think you need to share a bit more about your network setup. You’ve obviously got another router in the mix?
Title: Re: Port forwarding
Post by: Fright on March 29, 2021, 12:02:43 pm
@cranky
Looks like the port forward works. Something with the reply (routes, reply-to or similar).
I join @Greelan's question about routes and add another question: where is the connection checked from?
Title: Re: Port forwarding
Post by: cranky on March 29, 2021, 03:02:32 pm
Quote
I think you need to share a bit more about your network setup. You’ve obviously got another router in the mix?
How is that obvious? There is nothing pointing to that info.

I have no other routing in the network. OPNsense (10.0.0.1) <vlan15 (10.0.1.x)> - switch - <vlan15> - client (10.0.1.200).

Quote
@cranky
Looks like the port forward works. Something with the reply (routes, reply-to or similar).
I join @Greelan's question about routes and add another question: where is the connection checked from?

No, no other routing in the network. Only OPNsense and switch to client.

ISP -> MODEM (Bridge) -> OPNsense -> Switch -> Client.

Switch setup:
Port 1 - cable to OPNsense
Port 3/5 - cables to clients
VLAN 1 untagged (all ports)
VLAN 15 tagged on 1, 3, 5.

If I remove OPNsense and replace it with DD-WRT, the problem is gone (same setup, without VLANs).
So I'm thinking it's in the VLAN setup?

Title: Re: Port forwarding
Post by: Fright on March 29, 2021, 03:25:13 pm
Quote
ISP -> MODEM(Bridge) ->  Opnsense -> Switch -> Client
OK. From what point are you testing these connections? Between OPNsense and the ISP, or from the internet?
Title: Re: Port forwarding
Post by: cranky on March 29, 2021, 03:28:49 pm
From the internet (VPS in a datacenter). Also Bnet just shows all ports are closed too (from outside).

As I'm reading it now, my switch is set up wrong.
I'm rusty in VLAN configuring, and confused because all ports are standard VLAN 1 untagged? (So all are access ports on VLAN 1?) (Can I remove the untagged VLAN 1? I mean I'm not using VLAN 1, or is the switch depending on VLAN 1 for the switching?)
I'm also getting confused by the PVID setup; they are all set to PVID 1.
So the switch is standard OOTB untagged VLAN 1 on all ports, and PVID 1 on all ports.
From OPNsense I just use LAN, and one VLAN (15) (to begin with).

So setup now:

PORT 1 = PVID 1 / UNTAGGED 1 / TAGGED 15
PORT 2 = PVID 1 / UNTAGGED 1
PORT 3 = PVID 15 / UNTAGGED 15
PORT 4 = PVID 1 / UNTAGGED 1
PORT 5 = PVID 15 / UNTAGGED 15
PORT 6 = PVID 1 / UNTAGGED 1
PORT 7 = PVID 1 / UNTAGGED 1
PORT 8 = PVID 1 / UNTAGGED 1
PORT 9 = PVID 1 / UNTAGGED 1
PORT 10 = PVID 1 / UNTAGGED 1
PORT 11 = PVID 1 / UNTAGGED 1
PORT 12 = PVID 1 / UNTAGGED 1
PORT 13 = PVID 1 / UNTAGGED 1
PORT 14 = PVID 1 / UNTAGGED 1
PORT 15 = PVID 1 / UNTAGGED 1
PORT 16 = PVID 1 / UNTAGGED 1


Port 3/5 = cable to clients (this should be untagged 15 with PVID 15, right?)
Port 1 = cable to OPNsense (this should be tagged 15, right?) (What to do with the standard VLAN 1?)
I did not set up VLAN PVID 1; it's native in the switch.
Title: Re: Port forwarding
Post by: Fright on March 29, 2021, 04:54:48 pm
Quote
1 = cable to opnsense (this should be tagged 15 right?)
trunk native vlan 1
trunk allowed vlan add 1,15
Title: Re: Port forwarding
Post by: cranky on March 29, 2021, 04:55:44 pm
Quote
1 = cable to opnsense (this should be tagged 15 right?)
trunk native vlan 1
trunk allowed vlan add 1,15

Haha, sadly I don't have console (it's a Netgear web GUI).
So on port 1 I get tagged 1+15? If I change the untagged 1 to tagged, it drops the LAN traffic :/
Title: Re: Port forwarding
Post by: Patrick M. Hausen on March 29, 2021, 05:09:01 pm
@cranky "native VLAN" means untagged. So you get untagged frames for VLAN 1 and tagged ones for VLAN 15 on that port. For OPNsense/FreeBSD that means VLAN 1 is in the parent interface and VLAN 15 on the VLAN interface.

Unfortunately from what I read on the forum some things don't quite work as intended when you mix untagged and tagged frames on the same interface and try to use different firewall rules or DHCP server settings on both.

IMHO (30 years of practice as a network engineer) the concept of a "native VLAN" and untagged frames on a trunk port at all is a huge design mistake and I always avoid them. In my data centre as well as at home. If I implement VLANs then on the trunks everything is tagged and the "native VLAN" - if the switch in question insists on using that concept like e.g. Cisco does - is set to some dummy value that is not used anywhere else.

HTH,
Patrick
Title: Re: Port forwarding
Post by: cranky on March 29, 2021, 05:19:19 pm
Quote
@cranky "native VLAN" means untagged. So you get untagged frames for VLAN 1 and tagged ones for VLAN 15 on that port. For OPNsense/FreeBSD that means VLAN 1 is in the parent interface and VLAN 15 on the VLAN interface.

Unfortunately from what I read on the forum some things don't quite work as intended when you mix untagged and tagged frames on the same interface and try to use different firewall rules or DHCP server settings on both.

IMHO (30 years of practice as a network engineer) the concept of a "native VLAN" and untagged frames on a trunk port at all is a huge design mistake and I always avoid them. In my data centre as well as at home. If I implement VLANs then on the trunks everything is tagged and the "native VLAN" - if the switch in question insists on using that concept like e.g. Cisco does - is set to some dummy value that is not used anywhere else.

HTH,
Patrick

So if I read this correctly, I should ignore VLAN 1 altogether? Remove all the untagged on all ports?
Then make a VLAN for normal LAN, let's say 16, and then tag 16 and 15 on port 1 (trunk to OPNsense)?

Title: Re: Port forwarding
Post by: Patrick M. Hausen on March 29, 2021, 05:31:11 pm
On the trunk I would run everything as tagged and not use VLAN 1 at all - correct. That's exactly what I do in my setup here.

But "remove untagged on all ports" as you put it won't work for end systems that do not participate in trunking. A port based VLAN 15 port will still be untagged so you can connect a system you want in that particular VLAN and nowhere else.

"Remove untagged for all trunk ports" is what I recommend.
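The switch table cranky posted above and Patrick's "nothing untagged on a trunk" rule can both be checked mechanically. The script below is an added example, not code from the thread or from OPNsense: it parses a port table in the `PORT n = PVID x / UNTAGGED y / TAGGED z` form, flags a trunk that still carries an untagged (native) VLAN, a port that is not a member of its own PVID, and an access VLAN that never reaches the uplink, and reports which VLANs land on the OPNsense parent interface versus its vlan interfaces. The first table is the one from the thread; the "fixed" table is a constructed version of the later layout (VLAN 16 for LAN, fully tagged trunk), and the PVID of port 1 in it is an assumption since the thread does not state it.

```python
"""Sanity-check an 802.1Q switch port table like the one posted in the thread.

Added example, not from the thread or the OPNsense project. THREAD_TABLE is the
16-port layout as posted (uplink to OPNsense on port 1, clients on ports 3 and
5); FIXED_TABLE is a constructed version of the layout adopted afterwards. The
PVID of port 1 in FIXED_TABLE is an assumption.
"""
from dataclasses import dataclass


@dataclass
class SwitchPort:
    number: int
    pvid: int          # VLAN assigned to untagged frames arriving on this port
    untagged: set      # VLANs that leave this port without an 802.1Q tag
    tagged: set        # VLANs that leave this port with an 802.1Q tag

    @property
    def is_trunk(self) -> bool:
        # Any port that emits tagged frames is treated as a trunk here.
        return bool(self.tagged)


def parse_port_table(text: str) -> list:
    """Parse lines of the form 'PORT 1 = PVID 1 / UNTAGGED 1 / TAGGED 15,16'."""
    ports = []
    for line in text.strip().splitlines():
        left, right = line.split("=", 1)
        number = int(left.split()[1])
        pvid, untagged, tagged = None, set(), set()
        for part in right.split("/"):
            key, *ids = part.replace(",", " ").split()
            vlan_ids = {int(v) for v in ids}
            if key == "PVID":
                pvid = vlan_ids.pop()
            elif key == "UNTAGGED":
                untagged |= vlan_ids
            elif key == "TAGGED":
                tagged |= vlan_ids
        ports.append(SwitchPort(number, pvid, untagged, tagged))
    return ports


def check_ports(ports: list, uplink: int) -> list:
    """Return (port, code, message) findings for the mistakes discussed in the thread."""
    findings = []
    up = next(p for p in ports if p.number == uplink)
    carried_on_uplink = up.untagged | up.tagged
    for p in ports:
        if p.is_trunk and p.untagged:
            findings.append((p.number, "native-vlan-on-trunk",
                             f"trunk carries untagged (native) VLAN {sorted(p.untagged)}; tag every VLAN on a trunk"))
        if p.pvid not in (p.untagged | p.tagged):
            findings.append((p.number, "pvid-not-member",
                             f"PVID {p.pvid} is not a member VLAN of this port, so replies cannot leave it"))
        if p.number != uplink and not p.is_trunk:
            missing = p.untagged - carried_on_uplink
            if missing:
                findings.append((p.number, "vlan-not-on-uplink",
                                 f"access VLAN {sorted(missing)} never reaches the router on port {uplink}"))
    return findings


def router_view(ports: list, uplink: int) -> dict:
    """What OPNsense/FreeBSD sees on the uplink: untagged VLANs land on the parent
    interface, tagged ones on the matching vlan interface."""
    up = next(p for p in ports if p.number == uplink)
    return {"parent": sorted(up.untagged), "vlan_interfaces": sorted(up.tagged)}


# Table as posted in the thread (ports 6-16 repeat the port 2 line).
THREAD_TABLE = "\n".join(
    ["PORT 1 = PVID 1 / UNTAGGED 1 / TAGGED 15",
     "PORT 2 = PVID 1 / UNTAGGED 1",
     "PORT 3 = PVID 15 / UNTAGGED 15",
     "PORT 4 = PVID 1 / UNTAGGED 1",
     "PORT 5 = PVID 15 / UNTAGGED 15"]
    + [f"PORT {n} = PVID 1 / UNTAGGED 1" for n in range(6, 17)])

# Constructed version of the later layout: VLAN 16 for LAN, trunk fully tagged.
FIXED_TABLE = "\n".join(
    ["PORT 1 = PVID 16 / TAGGED 15,16",   # PVID 16 here is an assumption
     "PORT 3 = PVID 15 / UNTAGGED 15",
     "PORT 5 = PVID 15 / UNTAGGED 15"]
    + [f"PORT {n} = PVID 16 / UNTAGGED 16" for n in (2, 4, *range(6, 17))])


if __name__ == "__main__":
    for name, table in (("as posted", THREAD_TABLE), ("fixed", FIXED_TABLE)):
        ports = parse_port_table(table)
        print(name, router_view(ports, uplink=1))
        for port, code, msg in check_ports(ports, uplink=1):
            print(f"  port {port}: {code}: {msg}")
```

Run against the posted table it reports exactly one finding, the native VLAN 1 on the port 1 trunk, and shows VLAN 1 arriving on the parent interface while VLAN 15 arrives on the vlan interface, which is the mixed untagged/tagged situation Patrick describes; the fixed table produces no findings and only tagged VLANs on the uplink.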
Title: Re: Port forwarding
Post by: cranky on March 29, 2021, 05:36:58 pm
Quote
On the trunk I would run everything as tagged and not use VLAN 1 at all - correct. That's exactly what I do in my setup here.

But "remove untagged on all ports" as you put it won't work for end systems that do not participate in trunking. A port based VLAN 15 port will still be untagged so you can connect a system you want in that particular VLAN and nowhere else.

"Remove untagged for all trunk ports" is what I recommend.
I meant remove all untagged VLAN 1 on all ports...?
So then I only have VLAN 15 tagged on port 1, untagged on ports 3+5.

What I did now is remove all untagged 1 on all ports.
Made a new VLAN (16), tagged it on port 1, and untagged it on all other ports (except 3+5, untagged VLAN 15).
This seems to work.
However my native LAN (10.0.0.1) is now not in use.

I'm going to test if forwards are working now. :)

Title: Re: Port forwarding
Post by: Patrick M. Hausen on March 29, 2021, 06:31:48 pm
Exactly. Native VLAN not in use. It's an inconsistent and dangerous feature. My opinion, of course.
Title: Re: Port forwarding
Post by: marjohn56 on March 29, 2021, 06:59:14 pm
Agree, if it's not tagged it should not be on the trunk.
Title: Re: Port forwarding
Post by: cranky on March 29, 2021, 09:34:10 pm
So I just tested forwarding; I'm not getting anything opened. I'm going to capture local traffic on the client tomorrow to see if the ports get to the client or not.
Title: Re: Port forwarding
Post by: cranky on March 30, 2021, 10:52:57 am
Quote
So I just tested forwarding; I'm not getting anything opened. I'm going to capture local traffic on the client tomorrow to see if the ports get to the client or not.
So I tried to do a capture on my client PC; sadly the program crashes if I have Wireshark running :/
If I close Wireshark, the program runs fine.

What can I do to figure this forwarding out once and for all? I'm pulling my hair out over this.

Also I'm seeing traffic running into a default rule block, but I have rules allowing the traffic?
(see screenshot)
Title: Re: Port forwarding
Post by: cranky on March 30, 2021, 11:46:30 am
So I just removed all the forwards, installed UPnP, and let that take care of it; sadly this doesn't open the required ports either?
I'm really lost here, maybe I'm running into hardware issues? Maybe my NIC isn't tagging VLANs properly? I have no idea what to do here.

Port forwards did work when I wasn't using VLANs.
Title: Re: Port forwarding
Post by: cranky on March 30, 2021, 01:54:32 pm
Quote
So I just removed all the forwards, installed UPnP, and let that take care of it; sadly this doesn't open the required ports either?
I'm really lost here, maybe I'm running into hardware issues? Maybe my NIC isn't tagging VLANs properly? I have no idea what to do here.

Port forwards did work when I wasn't using VLANs.
I just reinstalled the machine, and switched re0 for WAN and em0 for LAN.
This doesn't help sadly; still I'm getting no port forwards to work.
I reset everything back to no VLAN at all.
Still Battle.net is moaning about strict NAT.


Title: Re: Port forwarding
Post by: cranky on March 31, 2021, 08:40:30 pm
FIXED IT?!!

It has nothing to do with anything I tried. I searched and searched and finally found a post that said I needed to set an outbound rule: WAN interface, source: network, NAT address: WAN address, static port: yes.

This is the only thing that made the NAT go to OPEN (combined with the forwards I had before).

Is this really needed? What are the implications of this rule?
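The "static port" setting that finally made Battle.net report an open NAT changes one thing about outbound NAT: pf's default is to rewrite the source port of every outbound state to a fresh port, while `static-port` keeps the client's original source port. The model below is an added example, not code from the thread or from OPNsense/pf: a toy stateful source NAT with both policies and a STUN-style probe (one internal socket talking to two servers) that classifies the mapping in RFC 4787 terms. Game "Open/Strict" labels are not defined by that RFC; the usual reading is that "open" needs an endpoint-independent mapping plus the inbound port forward. The port pool, addresses and ports are constructed.

```python
"""Why "static port" on the outbound NAT rule changes what a NAT-type check reports.

Added example, not the thread's or OPNsense's code. Models pf's two source-port
policies for outbound NAT: the default allocates a fresh port per state, while
`static-port` keeps the original source port. All addresses, ports and the
ephemeral pool are constructed values.
"""
import random

EPHEMERAL = range(49152, 65536)  # constructed port pool for the default policy


class PortCollision(Exception):
    """Two internal sockets would need the same external (port, destination) key."""


class SourceNat:
    def __init__(self, external_ip: str, static_port: bool = False, seed: int = 0):
        self.external_ip = external_ip
        self.static_port = static_port
        self.rng = random.Random(seed)
        # state key: (src_ip, src_port, dst_ip, dst_port) -> external port
        self.states = {}
        # reply side: (ext_port, dst_ip, dst_port) must map back to exactly one socket
        self.reply_keys = {}

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.states:                      # existing state, reuse it
            return self.external_ip, self.states[key]
        if self.static_port:
            ext_port = src_port                     # keep the internal source port
        else:
            in_use = set(self.states.values())
            ext_port = self.rng.choice(EPHEMERAL)
            while ext_port in in_use:               # fresh port for every new state
                ext_port = self.rng.choice(EPHEMERAL)
        reply_key = (ext_port, dst_ip, dst_port)
        if reply_key in self.reply_keys:
            # With static-port a second LAN host using the same source port to the
            # same server cannot get its own state: replies would be ambiguous.
            raise PortCollision(f"{reply_key} already owned by {self.reply_keys[reply_key]}")
        self.states[key] = ext_port
        self.reply_keys[reply_key] = (src_ip, src_port)
        return self.external_ip, ext_port


def classify_mapping(nat: SourceNat, src_ip: str, src_port: int, servers: list) -> str:
    """STUN-style probe: one internal socket contacts several servers and the
    external (ip, port) each of them sees is compared (RFC 4787 mapping terms)."""
    seen = {nat.translate(src_ip, src_port, ip, port) for ip, port in servers}
    return "endpoint-independent" if len(seen) == 1 else "address-and-port-dependent"


def second_host_collides(static_port: bool) -> bool:
    """Do two LAN hosts using the same source port to the same server conflict?"""
    nat = SourceNat("203.0.113.5", static_port=static_port)
    nat.translate("10.0.1.200", 3074, "198.51.100.10", 3478)
    try:
        nat.translate("10.0.1.201", 3074, "198.51.100.10", 3478)
    except PortCollision:
        return True
    return False


if __name__ == "__main__":
    servers = [("198.51.100.10", 3478), ("198.51.100.20", 3478)]
    for static in (False, True):
        nat = SourceNat("203.0.113.5", static_port=static)
        print(f"static-port={static}: mapping={classify_mapping(nat, '10.0.1.200', 3074, servers)}, "
              f"second host collides={second_host_collides(static)}")
```

With the default policy the two servers see different external ports for the same internal socket, which is the address-and-port-dependent mapping that peer-to-peer NAT checks report as strict; with static-port both see port 3074, an endpoint-independent mapping. The same model shows the two costs of the setting: external source ports become predictable (they equal the client's), and two LAN hosts using the same source port to the same server collide. Both are contained by scoping the rule to the one host and the game's ports instead of the whole LAN network as the rule in the post does.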