OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: theiceman on June 20, 2022, 06:56:11 pm

Title: Why is port forwarding not easier?
Post by: theiceman on June 20, 2022, 06:56:11 pm
I've spent...more hours in the last 2 days than I'd like to admit trying to get port forwarding to work, specifically for games. As an example, I've been trying to get the ports forwarded for Destiny 2, as these ports are well documented by Bungie on what needs to be forwarded.  I have a simple setup with one dynamic public ip on fiber to the home, a 24 port switch and a couple of wifi access points.
I spent hours and hours creating nat port forwarding rules and then opening the game and watching the firewall live view block every port I need under the "Default deny / state violation rule".  I even installed os-upnp thinking this might work even though I truly believed this shouldn't have to be on and I don't like it.  But at this point I was willing to try anything. 
Then I found what I think might have worked here: https://forum.opnsense.org/index.php?topic=8812.0 where a guy called "the forum troll" advised to set nat mode to hybrid and then add an outbound rule with a provided screenshot.
After I did this everything just magically worked.  The source address field asks for single host or network, I entered the IP I've been creating nat rules for and it seems to have applied this outbound rule to the entire subnet.
I now open Destiny 2 and I have "open" nat type, I open my wife's stupid tablet games and everything in there loads up like it should as well (last night the game would load but some things within the games wouldn't load).
So currently I'm still running upnp, I still have all of my port forward rules created for destiny 2, and I have that outbound rule setup.
So can I turn off upnp now?  Do I even need the nat rules in the screenshot attached, or is the outbound rule enough?
Also shouldn't the default allow all from lan be enough to have overcome this issue, why is the outbound nat rule needed?  And if it's needed with nat why isn't the default subnet added as an automatic rule?
Also is there anything wrong with the nat rules I've created here?  I've included the rule set and opened one as an example.
Title: Re: Why is port forwarding not easier?
Post by: theiceman on June 20, 2022, 08:22:42 pm
adding outbound rule screenshot for reference
Title: Re: Why is port forwarding not easier?
Post by: Supermule on June 20, 2022, 08:58:59 pm
Make sure the rules are above the default deny rule.
Title: Re: Why is port forwarding not easier?
Post by: theiceman on June 20, 2022, 09:11:33 pm
is the default deny rule even movable?
Title: Re: Why is port forwarding not easier?
Post by: Patrick M. Hausen on June 20, 2022, 09:19:19 pm
For inbound port forwarding you don't need anything in Firewall > Rules. Just add an entry in Firewall > NAT > Port Forwarding like this:

Interface: WAN
Source: any
Destination: WAN address
TCP/UDP and ports: as needed for application
Redirect server: your internal host, ports as needed for application

And then, a couple of lines below:

Associated firewall rule: Pass

And that's it!


HTH,
Patrick
Title: Re: Why is port forwarding not easier?
Post by: theiceman on June 20, 2022, 11:01:15 pm
For inbound port forwarding you don't need anything in Firewall > Rules. Just add an entry in Firewall > NAT > Port Forwarding like this:

Interface: WAN
Source: any
Destination: WAN address
TCP/UDP and ports: as needed for application
Redirect server: your internal host, ports as needed for application

And then, a couple of lines below:

Associated firewall rule: Pass

And that's it!


HTH,
Patrick

Thank you, the port forwarding is working, it just wasn't working in my specific case.  I can open rdp and connect no problem over lte so it's not that.  Thank you for the reply.
Title: Re: Why is port forwarding not easier?
Post by: flac_rules on June 22, 2022, 08:30:37 am
I do agree that port forwarding is somewhat confusing in opnSense, I think the instructions on the setup-page should have been a bit more verbose, and the defaults should have been changed.
Title: Re: Why is port forwarding not easier?
Post by: Patrick M. Hausen on June 22, 2022, 04:28:19 pm
I don't get what's confusing about NAT > Port Forwarding ... can you explain in a bit more detail?
Title: Re: Why is port forwarding not easier?
Post by: Demusman on June 22, 2022, 06:33:13 pm
I can give you my opinion on it.
It's not NAT> Port Forwarding that's the issue, it's the whole interface. It's just a mess. Very sloppy and confusing.

I currently use pfSense and have been since it was released, and used M0n0wall before that.
With all the uncertainty about pfSense CE, I've been thinking about making a switch.
Three times I've tried to make OPNsense my permanent firewall and I just can't make the switch to it because of the interface.
Now, this you may say this is because I'm so used to pfSense and I'm not giving this a chance but I do. I know there are differences and I'm trying to adapt the way OPNsense does things but there doesn't seem to be any real thought in the appearance.

With that said, yes, port forwarding is not hard at all, but if some common sense was put into the interface it would be easier.

Feel free to bash away!
Title: Re: Why is port forwarding not easier?
Post by: Supermule on June 22, 2022, 06:59:10 pm
I use pfsense for the exact reason. Control over the processes and configuration.

Suricata is one of them. Lots more options in the interface in pfsense and I don't trust that OS actually works since I haven't been caught in Suricata like I have in pfsense when I test it.

Currently using OS to toy around and to see how mature it is becoming.

And yes... M0n0Wall was great. Sorry to see it go back in the days. Manuel was awesome....
Title: Re: Why is port forwarding not easier?
Post by: Demusman on June 22, 2022, 07:37:57 pm
And yes... M0n0Wall was great. Sorry to see it go back in the days. Manuel was awesome....

Couldn't agree more on M0n0wall and Manuel!
In fact, the only reason I switched to pfSense was NAT redirection (called it NAT Reflection at the time).
M0n0wall was, and probably still is, the most secure firewall on the planet! And Manuel refused to add any features that would compromise that. Good for him, but I needed NAT redirection so I switched.

Also, I agree on the options... even OpenVPN, probably has half the options pfSense has. (I didn't count, just an estimate.)
Title: Re: Why is port forwarding not easier?
Post by: Patrick M. Hausen on June 22, 2022, 08:27:34 pm
@Demusman I feel exactly the other way round. I never find things in pfSense. I run OPNsense because to me the interface is a huge improvement.

Still puzzled about the port forwarding issue. You need a Source address or network, a destination address, a port or port range, and then an internal redirect host. I don't see how that dialog could be improved. But then, I have been managing firewalls for 30 years now ...
Title: Re: Why is port forwarding not easier?
Post by: flac_rules on June 22, 2022, 11:02:15 pm
I don't get what's confusing about NAT > Port Forwarding ... can you explain in a bit more detail?

This is what is confusing to me. The most normal port forwarding task, I think (at least for me), is to forward a port directly from "the outside" to a machine on your LAN. The 3 most important settings are thus the incoming port(s), the ports they are to be sent to, and which IP to send them to.

First option - disable the rule: why is this first? Why isn't this at the bottom?
Second option - NO RDR - another option that should be at the bottom, the help even says it is rarely needed and shouldn't be used unless you really know what you are doing.
Interface: Fair enough
TCP/IP version - fair enough
Protocol - fair enough.
Source Advanced - seems to me like this should be moved down, what if you press advanced, and want to go back to "basic"? Impossible?
Destination-invert, should be moved down but up for debate.
Destination: Help says nothing, destination for what? The destination machine on my LAN perhaps? No, but not very clear, and why isn't WAN the default, and why is there no help-text?
Destination port range: This seems to be useful, but what does it say HTTP? Is this some kind of weird protocol-choice? What does HTTP have to do with port-forwarding? Ah, they mean port 80, why isn't the default to input the port number? And why doesn't it at least say HTTP (Port 80) or something so it is actually clear that this is the input of the ports?
- Redirect target IP: Why can't I choose from a pulldown-list of the leases here?

The rest is fine enough, but I really think the interface makes a simple task like "forward port 42101 to port 42101 on machine X" more confusing than it needs to be.
Title: Re: Why is port forwarding not easier?
Post by: Patrick M. Hausen on June 22, 2022, 11:20:18 pm
Partly agree to the ordering issue and the help texts can definitely be improved. Destination ... well ... systems outside can't talk to your internal private address hosts. That's why you need a port forwarding NAT in the first place. So from the point of view of the systems outside they talk to one WAN address of the firewall. And there might be a couple of them, so the admin needs to pick one.

Every firewall product I used in the last decades worked exactly this way.

Pick from leases ... well, that's a matter that has the potential to lead to heated debate. Common consumer routers like the ubiquitous (in Germany) Fritzbox do this. I for one don't want any of that. Neither do I want any DHCP lease leading to an automatic DNS entry. I hate it when random devices connected to my network create artefacts in my carefully curated DNS zone or firewall policy.
Worst of all these products create port forwards to devices with dynamic leases and are completely intransparent about how they address and track those devices. Device gets new IP address - does the port forward follow? New device gets old IP address - what now?

I really want the thought process

- ok so my son wants to run Minecraft and open it up for his friends
- that means static IP address internally
- that means DNS entry for bookkeeping
- that means firewall object (alias in OPNsense) with that IP address
- and finally port forwarding rule

That's exactly how it should be in my book. Magic automatic things like assigning a firewall rule to a dynamic lease tend to explode and make a mess at some time in the future.

Thanks for the feedback!

Patrick
Title: Re: Why is port forwarding not easier?
Post by: Demusman on June 22, 2022, 11:27:39 pm
It should be this easy.
Title: Re: Why is port forwarding not easier?
Post by: Patrick M. Hausen on June 22, 2022, 11:30:15 pm
But that is no different ???

Interface, destination address, protocols, ports, ... all required just the same.

I don't get it this time  ;)
Title: Re: Why is port forwarding not easier?
Post by: Demusman on June 23, 2022, 12:57:17 am
Look at the picture he posted of the NAT page then look at the one I posted... You really don't get it??

Also, I would love to know what you can't give in pfSense.
Title: Re: Why is port forwarding not easier?
Post by: Patrick M. Hausen on June 23, 2022, 07:27:41 am
I'll take the time to do a visual comparison with comments this evening.

My problem with pfSense is not the config dialogs. One can argue they have a better structure and more helpful texts. But it always takes me an eternity to find things in that mess of a menu. It's the menu structure (or the lack of structure) that's bothering me where for me OPNsense does it way better. Once I'm on a config page, I know what I want to do and what all these fields mean, so ...

Kind regards,
Patrick
Title: Re: Why is port forwarding not easier?
Post by: franco on June 23, 2022, 08:09:10 am
Look at the picture he posted of the NAT page then look at the one I posted... You really don't get it??

No, which is part of the issue. Conceptually, software once written by the same authors cannot be all that fundamentally and conceptually different. The only difference is representation and your brain will fool you to think it knows everything and everyone else must be blind to see. Don't trust your brain. Explain what explicit change you seek.


Cheers,
Franco
Title: Re: Why is port forwarding not easier?
Post by: Patrick M. Hausen on June 23, 2022, 01:32:00 pm
As far as I'm concerned the dialogs are 100% identical and the OPNsense one has got a much nicer and easier to read left-aligned layout. See attachment, please. I really don't understand what's preferable about the pfSense version.
Title: Re: Why is port forwarding not easier?
Post by: Demusman on June 23, 2022, 02:25:46 pm
Don't trust your brain.

Cheers,
Franco

"It's better to sit in silence and be thought a fool, than to open your mouth and remove all doubt."
Title: Re: Why is port forwarding not easier?
Post by: Demusman on June 23, 2022, 02:28:28 pm
As far as I'm concerned the dialogs are 100% identical and the OPNsense one has got a much nicer and easier to read left-aligned layout. See attachment, please. I really don't understand what's preferable about the pfSense version.

Yeah, like we both already alluded to, it comes down to personal preference and there's no way to please everyone.
To me, the OPN version just all blurs together. There's no real "separation" between fields.
Title: Re: Why is port forwarding not easier?
Post by: Patrick M. Hausen on June 23, 2022, 02:31:50 pm
The initial claim - and I really appreciate how we can debate potential UI issues in a civilised manner here - was that the dialog should be easier to use, especially for the novice user. I am still not sure how this can be achieved given the complexity of the task. Minor reordering and improvement of help texts - of course, if it helps.
Title: Re: Why is port forwarding not easier?
Post by: Demusman on June 23, 2022, 03:08:02 pm
The initial claim - and I really appreciate how we can debate potential UI issues in a civilised manner here - was that the dialog should be easier to use, especially for the novice user. I am still not sure how this can be achieved given the complexity of the task. Minor reordering and improvement of help texts - of course, if it helps.

Agreed that we're probably getting off topic but I think it's still related.
As I said previously, NAT isn't the problem in my opinion. IOW, it is what it is, you have to know what you're doing to do it. But looking at your image, don't you think if it wasn't a big white page with some text and boxes on it, which really does just blur together, the "flow" would be much easier?
Could be just putting some dark lines between fields to differentiate them would help.

I'm not saying I have all the answers and "my way is best", but I can guarantee you I'm not the only one who says the interface needs improvements. Just speaking from people I personally know who've pointed out the same things I'm saying.
Title: Re: Why is port forwarding not easier?
Post by: franco on June 23, 2022, 03:16:06 pm
Hmm, I think there are multiple "dark" themes to install if that helps improve the experience already.


Cheers,
Franco
Title: Re: Why is port forwarding not easier?
Post by: lilsense on June 23, 2022, 04:00:20 pm
Hmm, I think there are multiple "dark" themes to install if that helps improve the experience already.


Cheers,
Franco
I wish there were a bunch of themes like freshtomato... :)

https://tomatothemebase.eu/
Title: Re: Why is port forwarding not easier?
Post by: flac_rules on June 24, 2022, 11:06:43 am
Partly agree to the ordering issue and the help texts can definitely be improved. Destination ... well ... systems outside can't talk to your internal private address hosts. That's why you need a port forwarding NAT in the first place. So from the point of view of the systems outside they talk to one WAN address of the firewall. And there might be a couple of them, so the admin needs to pick one.

Every firewall product I used in the last decades worked exactly this way.

Pick from leases ... well, that's a matter that has the potential to lead to heated debate. Common consumer routers like the ubiquitous (in Germany) Fritzbox do this. I for one don't want any of that. Neither do I want any DHCP lease leading to an automatic DNS entry. I hate it when random devices connected to my network create artefacts in my carefully curated DNS zone or firewall policy.
Worst of all these products create port forwards to devices with dynamic leases and are completely intransparent about how they address and track those devices. Device gets new IP address - does the port forward follow? New device gets old IP address - what now?

I really want the thought process

- ok so my son wants to run Minecraft and open it up for his friends
- that means static IP address internally
- that means DNS entry for bookkeeping
- that means firewall object (alias in OPNsense) with that IP address
- and finally port forwarding rule

That's exactly how it should be in my book. Magic automatic things like assigning a firewall rule to a dynamic lease tend to explode and make a mess at some time in the future.

Thanks for the feedback!

Patrick

I know why it is needed, but it is imho not clearly worded. What is the "destination", destination of what? It could just as well be the destination on the LAN.

I don't think a list is complicated, you choose some suggested IPs from the list, because (at least for me) you don't remember every single IP on your network. The port forwarding goes to the IP. If people don't understand dynamic and static leases they certainly won't understand the rest of the dialogue imho.

I like the other suggestion for the setup as well, it groups related things together in a more understandable manner.
Title: Re: Why is port forwarding not easier?
Post by: franco on June 24, 2022, 11:16:37 am
It's rather simple really. Destination is the address of the packet in the destination address field at the time of the rule evaluation. This is basic matching on IP header information. Not magic.

I understand the motivation to make it simple, but without basic networking knowledge port forwarding makes no sense whatsoever.


Cheers,
Franco
Title: Re: Why is port forwarding not easier?
Post by: flac_rules on June 24, 2022, 01:25:09 pm
It's rather simple really. Destination is the address of the packet in the destination address field at the time of the rule evaluation. This is basic matching on IP header information. Not magic.

I understand the motivation to make it simple, but without basic networking knowledge port forwarding makes no sense whatsoever.


Cheers,
Franco

I have basic networking knowledge. I know what port forwarding does. That doesn't make "destination" unambiguous in a network setting. The machine you are sending to on the LAN is also a destination address with an IP in the header. Understanding the concept of the address in the incoming packet isn't the problem, the problem is that it is not clear enough that "destination" talks about this particular thing. (And that the default isn't the "most normal" choice.)
Title: Re: Why is port forwarding not easier?
Post by: franco on June 24, 2022, 01:33:24 pm
I would tend to disagree, unless you want to imply the concept of "source" and "destination" in all NAT types and firewall rules is ambiguous. I might agree, but I haven't witnessed a single discussion that brought that particular argument.

You may think this qualifies as a strawman, but I'm simply wondering why nobody brought this up before in clarity after decades of this code existing. It's strange.


Cheers,
Franco
Title: Re: Why is port forwarding not easier?
Post by: Patrick M. Hausen on June 24, 2022, 01:55:54 pm
Destination is what is in the destination field of the IP header of the packet in question. Same for source.
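To make the "destination" point from Patrick's and Franco's replies concrete: in pf (which OPNsense uses) the port-forward (rdr) rule is matched against the packet's original IP header, the destination is rewritten, and only then do the filter rules see the translated packet. This added example is not OPNsense code; it is a small model of that evaluation order using the recipe from Patrick's earlier post (interface WAN, source any, destination WAN address, associated pass rule) and the port 42101 used in the thread. The WAN address, internal host and remote source address are constructed sample values.

```python
"""Model of inbound port forwarding on a pf-based firewall such as OPNsense.
Added example, not OPNsense's own code.  All addresses are constructed."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class RdrRule:
    """NAT > Port Forwarding entry: matched on the ORIGINAL header."""
    iface: str
    proto: str
    dst: str          # firewall WAN address (pre-NAT destination)
    dports: range     # destination port range on the WAN side
    target: str       # internal host
    target_port: int

@dataclass(frozen=True)
class FilterRule:
    """Firewall > Rules entry: matched on the TRANSLATED header."""
    iface: str
    proto: str
    dst: str          # internal host after translation, or "any"
    dport: Optional[int]
    action: str       # "pass" or "block"

def apply_rdr(pkt, rdr_rules):
    """Return (possibly translated packet, matching rdr rule or None)."""
    for r in rdr_rules:
        if (pkt.iface == r.iface and pkt.proto == r.proto
                and pkt.dst == r.dst and pkt.dport in r.dports):
            new_port = r.target_port + (pkt.dport - r.dports.start)
            return replace(pkt, dst=r.target, dport=new_port), r
    return pkt, None

def filter_decision(pkt, filter_rules):
    """First matching rule wins; no match falls through to default deny."""
    for f in filter_rules:
        if (pkt.iface == f.iface and pkt.proto == f.proto
                and f.dst in ("any", pkt.dst)
                and (f.dport is None or f.dport == pkt.dport)):
            return f.action, f
    return "block", "Default deny / state violation rule"

def evaluate(pkt, rdr_rules, filter_rules):
    """Translation happens before filtering, as pf does it."""
    translated, rdr = apply_rdr(pkt, rdr_rules)
    action, _ = filter_decision(translated, filter_rules)
    return action, translated, rdr is not None

WAN_ADDR = "203.0.113.10"    # constructed sample WAN address
GAME_HOST = "192.168.1.50"   # constructed sample internal host
PORT = 42101                 # example port from the thread

RDR = [RdrRule("wan", "udp", WAN_ADDR, range(PORT, PORT + 1), GAME_HOST, PORT)]
# "Associated firewall rule: Pass" is generated against the translated dst.
ASSOCIATED_PASS = [FilterRule("wan", "udp", GAME_HOST, PORT, "pass")]
# A hand-written pass rule on the WAN address never sees the packet.
WRONG_PASS = [FilterRule("wan", "udp", WAN_ADDR, PORT, "pass")]

def demo():
    inbound = Packet("wan", "udp", "198.51.100.7", WAN_ADDR, PORT)
    return {
        "associated": evaluate(inbound, RDR, ASSOCIATED_PASS),
        "wrong_dst": evaluate(inbound, RDR, WRONG_PASS),
        "other_port": evaluate(replace(inbound, dport=PORT + 1), RDR, ASSOCIATED_PASS),
    }

if __name__ == "__main__":
    for name, (action, pkt, redirected) in demo().items():
        print(f"{name:11} -> {action:5} redirected={redirected} dst={pkt.dst}:{pkt.dport}")
```

The second case shows why the generated associated rule points at the internal host rather than the WAN address, and the third shows that a packet the rdr rule does not match ends at the default deny.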
Title: Re: Why is port forwarding not easier?
Post by: franco on June 24, 2022, 02:37:04 pm
My good colleague pointed out the help labels are missing (ironically similar to pfSense). We could change that, but again to reiterate it would be best to change all NAT types and firewall rules labels for source /destination options and update the documentation accordingly to avoid future reports about the same thing.


Cheers,
Franco
Title: Re: Why is port forwarding not easier?
Post by: flac_rules on June 24, 2022, 03:45:50 pm
I would tend to disagree, unless you want to imply the concept of "source" and "destination" in all NAT types and firewall rules is ambiguous. I might agree, but I haven't witnessed a single discussion that brought that particular argument.

You may think this qualifies as a strawman, but I'm simply wondering why nobody brought this up before in clarity after decades of this code existing. It's strange.


Cheers,
Franco

I can only speak for myself, I am just a guy answering what I personally found less clear than it could be in the interface. I have never used pfsense.
Title: Re: Why is port forwarding not easier?
Post by: SecCon on June 28, 2022, 09:38:52 am
Since I have an SFTP server running and need that Port Forward to work transferring encrypted files from my web server (Internet) to my backup server (LocalLan) I do have some pointers in regards to this.

(I come from Asus Consumer Routers and latest from Mikrotik, that I dumped because of too much "details and cli" dependencies. I can't work with that. Currently running a standalone OPNSense on a vMachine as a kinda test bed. I intend for the OPNSense to handle "everything" on my network.)

1. Automation is not bad, provided you can control what it did and see all the details of it. It is synonymous with simplification and removing error sources.
2. Looking at NAT > Port Forward interface in OPNSense there are too many "optional" things you just don't know if they are required or not. There is not much to tell you what fields are the mandatory required ones. I find myself wondering what these do, despite getting some basic info about them:
  • No RDR
  • Source / Invert
  • Destination / Invert
  • Category
  • Set local tag
  • Match local tag
  • No XMLRPC Sync
  • NAT reflection
  • Filter rule association

I don't need an explanation of them, I will just ignore them. I wish the Interface could hide them behind an "advance for nerdy geeks options" or some such.

3. You list well known ports, but I cannot find SFTP in that. Regardless, I am using a custom non-default port so I am not even looking at that menu and I have over time (30 years in the business) had many recommendations against using well known ports. Always use custom, if possible. (Perhaps another discussion)

All in all there is room for improvements. You can have a BASIC selection that is a no nonsense THIS IS NEEDED and then an advanced selection for those who might wanna dig in to that. I am not among the diggers, just want it to work and have the basic stuff to edit. Everything else is just toppings.
Title: Re: Why is port forwarding not easier?
Post by: somniture on July 16, 2022, 05:23:12 pm
May I ask why SFTP should be in the well-known port list when SSH is already there?

FWIW I found the port forwarding configuration interface a little confusing, too. You couldn't pay me to go back to pfSense but I think the configuration there was a little clearer.
Title: Re: Why is port forwarding not easier?
Post by: SecCon on July 28, 2022, 02:07:26 pm
May I ask why SFTP should be in the well-known port list when SSH is already there?
Not everyone knows that SFTP is FTP over SSH. Could perhaps be written SSH/SFTP instead, but that may be another can of worms.
Title: Re: Why is port forwarding not easier?
Post by: cookiemonster on July 28, 2022, 11:38:44 pm
Since I have an SFTP server running and need that Port Forward to work transferring encrypted files from my web server (Internet) to my backup server (LocalLan) I do have some pointers in regards to this.

(I come from Asus Consumer Routers and latest from Mikrotik, that I dumped because of too much "details and cli" dependencies. I can't work with that. Currently running a standalone OPNSense on a vMachine as a kinda test bed. I intend for the OPNSense to handle "everything" on my network.)

1. Automation is not bad, provided you can control what it did and see all the details of it. It is synonymous with simplification and removing error sources.
2. Looking at NAT > Port Forward interface in OPNSense there are too many "optional" things you just don't know if they are required or not. There is not much to tell you what fields are the mandatory required ones. I find myself wondering what these do, despite getting some basic info about them:
  • No RDR
  • Source / Invert
  • Destination / Invert
  • Category
  • Set local tag
  • Match local tag
  • No XMLRPC Sync
  • NAT reflection
  • Filter rule association

I don't need an explanation of them, I will just ignore them. I wish the Interface could hide them behind an "advance for nerdy geeks options" or some such.

3. You list well known ports, but I cannot find SFTP in that. Regardless, I am using a custom non-default port so I am not even looking at that menu and I have over time (30 years in the business) had many recommendations against using well known ports. Always use custom, if possible. (Perhaps another discussion)

All in all there is room for improvements. You can have a BASIC selection that is a no nonsense THIS IS NEEDED and then an advanced selection for those who might wanna dig in to that. I am not among the diggers, just want it to work and have the basic stuff to edit. Everything else is just toppings.

Respectfully I disagree.
The options are not just for geeks but for users that have a need or want to have the power and flexibility a business-grade firewall is expected to provide as opposed to a consumer-grade one.
OPN is the closest we can get to it without having to manage most over a terminal with or without proprietary OS. To top it all, it has very good documentation for instance here https://github.com/opnsense/docs/blob/master/source/manual/firewall.rst
Title: Re: Why is port forwarding not easier?
Post by: SecCon on July 29, 2022, 08:55:52 am
Respectfully I disagree.
The options are not just for geeks but for users that have a need or want to have the power and flexibility a business-grade firewall is expected to provide as opposed to a consumer-grade one.
OPN is the closest we can get to it without having to manage most over a terminal with or without proprietary OS. To top it all, it has very good documentation for instance here https://github.com/opnsense/docs/blob/master/source/manual/firewall.rst

That's ok, I never said get rid of it, but categorize it in another way. I do not handle FW for a business so what may be relevant for a large organization may not be for home office users. As with most of this tech it's a learning threshold and I choose OPNSense because I believe in the way it is being developed and the strength of a community of developers.