OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: reep on August 10, 2016, 12:26:24 pm

Title: Firewall rule logic
Post by: reep on August 10, 2016, 12:26:24 pm
Been messing with firewall rules and some things don't quite make sense.

If I create a Port Forward in the NAT section, it appears in the Firewall Rules section but cannot be edited from there. Is there any point, assuming that any rules created in NAT are just firewall rules, period? Or is there some difference somewhere that I have missed?

Wouldn't it just be simpler for me to create a Firewall rule and not bother using the Port Forward section or does a NAT rule do something different?

Under Port Forward rules you have 'Destination' and 'Redirect Target IP'. It isn't apparent what the difference is (there is no help text for 'Destination'). I presume that for a simple rule the Destination should just be the WAN address?

It's probably all good if you know the system, but coming at it fairly blind it isn't that obvious!

B. Rgds
John


Title: Re: Firewall rule logic
Post by: bartjsmit on August 10, 2016, 06:38:14 pm
Hi John,

Port Forward is a DNAT (Destination NAT), where the NAT router replaces the destination IP as part of the NAT. It becomes DPNAT (Destination/Port NAT) if you set a different destination port as well.

The destination is the IP before NAT, and yes - you're right that is an IP on the WAN side. The redirect target IP is the IP after NAT, which will be somewhere on the internal network, usually an RFC 1918 range IP.

Setting the port forward creates a firewall rule for you to make things easier.

Bart...

Title: Re: Firewall rule logic
Post by: reep on August 10, 2016, 10:14:02 pm
Hi Bart,

Thanks for replying. I'm a know-nothing on firewalls :-)

Can you explain the difference between setting up a straightforward rule, and setting up a NAT rule?

On my current Draytek 3300 I just have some simple rules that forward various ports to a couple of internal servers, e.g. IMAPS, SMTP, HTTPS, SSH etc. Pic attached.

I have two WAN ports each with a public IP. Some ports get forwarded from either WAN port, and some depending on which WAN port they arrive on.

I just wanted to recreate those in OPNsense. My guess is I can just create a simple firewall forward rule and do not need to bother with NAT rules as I do not need a 'Redirect Target IP/Port'?

Funny - you get so used to something it seems second nature, and then you try a new system and it takes a while to get your head around it.

Any help gratefully received!

B. Rgds
John

Title: Re: Firewall rule logic
Post by: reep on August 11, 2016, 02:53:53 am
Ok,

It seems I do need a NAT Port Forward rule and set it as follows:

Interface : WAN1
Destination : WAN1 (This is the destination IP address seen in the Logs - e.g. my WAN IP address)
Source Port Range: any
Dest Port Range : HTTPS - HTTPS
Redirect Target IP : my server IP
Redirect Target port : HTTPS

Pic of the result attached.

Odd that you can't set it for all WAN addresses like you can a normal port but easy enough to duplicate.

Any further info gratefully received (e.g. I did something really stupid)!

B. Rgds
John
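To make the DNAT-versus-filter distinction from Bart's reply and the port forward John configured above concrete, here is a small added model of how pf (which OPNsense uses) processes an inbound packet: the rdr (port forward) stage rewrites the destination first, and only then is the filter rule evaluated on the rewritten packet. This is editor-supplied example code, not anything from OPNsense; the addresses, the 'this_firewall' alias (standing in for the GUI's 'This Firewall', which expands like pf's (self) to every address the box holds) and the first-match, default-deny evaluation are simplifying assumptions.

```python
from collections import namedtuple

# Constructed sample addressing (not taken from the thread).
FW_ADDRS = {"WAN1": "203.0.113.10", "WAN2": "203.0.113.20", "LAN": "192.168.1.1"}
SERVER, HTTPS = "192.168.1.50", 443

Packet = namedtuple("Packet", "iface dst dport")
# NAT > Port Forward entry; dst may be an interface name, "this_firewall", "any" or an IP
PortForward = namedtuple("PortForward", "iface dst dport target_ip target_port")
FilterRule = namedtuple("FilterRule", "iface dst dport action")  # Firewall > Rules entry

def addr_matches(alias, ip):
    """Resolve a GUI destination alias against the packet's destination IP."""
    if alias == "any":
        return True
    if alias == "this_firewall":          # like pf's (self): every address this box holds
        return ip in FW_ADDRS.values()
    return FW_ADDRS.get(alias, alias) == ip

def apply_dnat(pkt, forwards):
    """rdr stage: the first matching port forward rewrites the destination."""
    for f in forwards:
        if f.iface == pkt.iface and addr_matches(f.dst, pkt.dst) and f.dport == pkt.dport:
            return pkt._replace(dst=f.target_ip, dport=f.target_port)
    return pkt

def filter_packet(pkt, rules):
    """Filter stage on the post-NAT packet: first match wins, default deny (assumed)."""
    for r in rules:
        if r.iface == pkt.iface and addr_matches(r.dst, pkt.dst) and r.dport == pkt.dport:
            return r.action
    return "block"

def process(pkt, forwards, rules):
    """Return (verdict, final destination IP) for one inbound packet."""
    nat = apply_dnat(pkt, forwards)       # translation happens before filtering
    return filter_packet(nat, rules), nat.dst

inbound = Packet("WAN1", FW_ADDRS["WAN1"], HTTPS)   # HTTPS arriving for the WAN1 address

# Plain firewall rule, no port forward: allowed, but still addressed to the firewall itself.
def rule_only():
    return process(inbound, [], [FilterRule("WAN1", "WAN1", HTTPS, "pass")])

# The port forward from the post plus the filter rule generated for it (dst = target IP).
def with_port_forward():
    fwd = PortForward("WAN1", "WAN1", HTTPS, SERVER, HTTPS)
    return process(inbound, [fwd], [FilterRule("WAN1", SERVER, HTTPS, "pass")])

print(rule_only(), with_port_forward())
```

The first call passes the packet but leaves it destined for the firewall's own WAN IP, so the internal server never sees it; only the second delivers it to the server, which is why the NAT entry is needed and why its generated rule cannot stand alone. A forward bound to WAN1 also does not catch the same traffic arriving on WAN2, matching the per-WAN duplication noted above.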

Title: Re: Firewall rule logic
Post by: reep on August 11, 2016, 01:51:29 pm
Hmmm. What does Destination 'This Firewall' entail in the port forwards?

Does it mean all WAN addresses? Does it include LAN/IPsec interfaces?

B. Rgds
John