OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: vocatus on April 03, 2017, 04:07:30 am

Title: [SOLVED] NAT Port Forwarding is broken in OPNSense v17+
Post by: vocatus on April 03, 2017, 04:07:30 am
Hi there,

Running v17.1.4 nano x64.

The following port forwarding rules are configured (see attached images). Created various NAT port forwards and associated firewall rules.

None of the forwards work. Especially tested were the RDP/RDC rules.

Information:

 - Hardware is Netgate SG-2440

 - ISP is not doing carrier-grade NAT; router has a public IP address

 - Router responds to ICMP echo requests on the WAN interface

 - This configuration worked 100% on pfSense 2.3.3-RELEASE AMD64

Can I provide any additional information? After doing some googling (https://forum.opnsense.org/index.php?topic=3413.0, https://forum.opnsense.org/index.php?topic=3458.0), it appears that port forwarding is likely actually broken in OPNSense v16+
Title: Re: NAT Port Forwarding broken in v17.1.4 nano x64
Post by: djGrrr on April 03, 2017, 07:27:38 am
How exactly are you testing the port forwards? From inside the LAN or externally?
Title: Re: NAT Port Forwarding broken in v17.1.4 nano x64
Post by: vocatus on April 03, 2017, 03:21:26 pm
> How exactly are you testing the port forwards? From inside the LAN or externally?

Externally from four clients:

1. Windows 7 machine on corporate network

2. Android device using RDP client over T-Mobile network and coffee shop wifi

3. Linux Mint 17.3 x64 laptop over coffee shop wifi, tethered cell, and at a neighbor's house

4. Using this online tool (https://www.yougetsignal.com/tools/open-ports/)

5. Using this other online tool (http://www.networkappers.com/tools/open-port-checker)

Internally from one client:

1. Port forward check in Resilio Sync on LAN server

Like I said in OP: very recently the same configuration worked in pfSense. The problem is with OPNsense.

Title: Re: NAT Port Forwarding broken in v17.1.4 nano x64
Post by: djGrrr on April 03, 2017, 03:30:29 pm
When you say "router has a public IP address", are you referring to the OPNsense, or a separate device?
Title: Re: NAT Port Forwarding broken in v17.1.4 nano x64
Post by: vocatus on April 03, 2017, 03:33:07 pm
> When you say "router has a public IP address", are you referring to the OPNsense, or a separate device?

OPNsense
Title: Re: NAT Port Forwarding is broken in OPNSense v17+
Post by: djGrrr on April 03, 2017, 04:19:17 pm
Can you show a screencap of the Firewall > Settings > Advanced page?
Title: Re: NAT Port Forwarding is broken in OPNSense v17+
Post by: vocatus on April 04, 2017, 02:18:09 am
> Can you show a screencap of the Firewall > Settings > Advanced page?

Sure thing, attached.
Title: Re: NAT Port Forwarding is broken in OPNSense v17+
Post by: mateusjua on April 04, 2017, 03:28:00 am
I was having this same problem, but with pppoe it was resolved by letting all the links make OPNsense in a DMZ...
Title: Re: NAT Port Forwarding is broken in OPNSense v17+
Post by: djGrrr on April 05, 2017, 12:26:36 am
> Can you show a screencap of the Firewall > Settings > Advanced page?
>
> Sure thing, attached.

Try enabling reflection for port forwards (set to pure NAT) and "automatic outbound NAT for port forward".

This should allow your LAN to connect to the external ports properly, and test if port forwarding is working in general.
Title: Re: NAT Port Forwarding is broken in OPNSense v17+
Post by: vocatus on April 05, 2017, 01:36:53 pm
> > Can you show a screencap of the Firewall > Settings > Advanced page?
> >
> > Sure thing, attached.
>
> Try enabling reflection for port forwards (set to pure NAT) and "automatic outbound NAT for port forward".
>
> This should allow your LAN to connect to the external ports properly, and test if port forwarding is working in general.

After enabling NAT reflection for port forwards and enabling automatic outbound NAT for port forwards, attempting from outside still fails immediately, while attempting from the same network as the target simply times out and then fails.

It seems likely port forwarding is broken and a bug report needs to be filed. How do I get in touch with the dev team? This is a pretty major feature to be broken.
Title: Re: NAT Port Forwarding is broken in OPNSense v17+
Post by: Taomyn on April 05, 2017, 01:56:09 pm
> It seems likely port forwarding is broken and a bug report needs to be filed. How do I get in touch with the dev team? This is a pretty major feature to be broken.

It's not broken, just not working for you, and hopefully it's just a config problem - all my NAT port forwards are working perfectly (IPv4 public IP and PPPoE).

Are there any errors logged in the System and/or Firewall logs? Blocked connections showing, etc. Also, check in Firewall > Diagnostics and do a Filter Reload, and see if anything appears there.
Title: Re: NAT Port Forwarding is broken in OPNSense v17+
Post by: vocatus on April 06, 2017, 02:05:54 am
> > It seems likely port forwarding is broken and a bug report needs to be filed. How do I get in touch with the dev team? This is a pretty major feature to be broken.
>
> It's not broken, just not working for you, and hopefully it's just a config problem - all my NAT port forwards are working perfectly (IPv4 public IP and PPPoE).
>
> Are there any errors logged in the System and/or Firewall logs? Blocked connections showing, etc. Also, check in Firewall > Diagnostics and do a Filter Reload, and see if anything appears there.

That's good to hear, I think.

Checked the log, no errors about any connections getting dropped on the destination ports.

I do notice something really strange though.

When I do an nslookup on the LAN for my Dynamic DNS, I get one IP address (xx.xx.221.144). But when I go to whatismyip.com or similar sites, I get a completely different IP (xx.xx.209.192). Both are public IP addresses. What is going on??

The OPNSense box is the DNS server for the LAN.

EDIT

So, after doing some "dig"ing (literally...using dig) it appears the Dynamic DNS domain was seized or hijacked by a Google adwords domain. After registering a new DynDNS and flushing all caches, RDP port forwarding is working as intended from the LAN and WAN interfaces.

I suspect that was the issue all along, since my connection profiles are all saved using the Dynamic DNS name instead of the IP.

Thanks to everyone who contributed to the thread, I'll mark it resolved.
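The lesson of this thread is to confirm that the name you test against actually resolves to the WAN address before blaming NAT. The following is an added example (not from the thread or the OPNsense project) that compares `dig +short` answers from the LAN resolver and a public resolver with the WAN IP and says which side to fix; the addresses and dig outputs are constructed TEST-NET samples, not the thread's real hosts.

```python
import ipaddress

# Constructed sample data in the shape `dig +short <dyndns-name>` prints.
WAN_IP = "198.51.100.192"                  # what the WAN interface / whatismyip.com reports
LAN_DIG = "203.0.113.144\n"                # answer from the OPNsense resolver on the LAN
PUBLIC_DIG = "parking.example.net.\n203.0.113.144\n"  # public resolver: name now CNAMEs elsewhere


def parse_dig_short(output: str) -> list:
    """Collect the IPv4 answers from `dig +short` output, skipping CNAME target lines."""
    addrs = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(str(ipaddress.IPv4Address(line)))
        except ipaddress.AddressValueError:
            pass  # a hostname such as "parking.example.net." is a CNAME hop, not an address
    return addrs


def classify(wan_ip: str, lan_dig: str, public_dig: str) -> str:
    """Decide whether a port-forward test that uses the DynDNS name can be trusted."""
    wan = str(ipaddress.IPv4Address(wan_ip))
    lan_ok = wan in parse_dig_short(lan_dig)
    public_ok = wan in parse_dig_short(public_dig)
    if lan_ok and public_ok:
        return "ok"                # name points at the WAN; a failing test really is NAT/firewall
    if public_ok:
        return "stale-lan-cache"   # public DNS is right; flush the OPNsense resolver cache and retest
    return "name-not-wan"          # record stale or hijacked: test against the IP and fix DNS first


if __name__ == "__main__":
    verdict = classify(WAN_IP, LAN_DIG, PUBLIC_DIG)
    print(f"WAN {WAN_IP}: LAN sees {parse_dig_short(LAN_DIG)}, "
          f"public sees {parse_dig_short(PUBLIC_DIG)} -> {verdict}")
```

Run it with the real WAN address and the outputs of `dig +short <name>` against the OPNsense resolver and against a public resolver; anything other than `ok` means the port forward was never actually reached.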
Title: Re: [SOLVED] NAT Port Forwarding is broken in OPNSense v17+
Post by: Taomyn on April 06, 2017, 11:24:02 am
Good to hear it's resolved