OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: ddqloo on November 10, 2017, 08:03:08 am

Title: port forwarding
Post by: ddqloo on November 10, 2017, 08:03:08 am
Hi,all
    My port forwarding for 80 and 443 doesn't work! But other ports like 22 and 8443 work well. Anyone can help? Thanks!
Title: Re: port forwarding
Post by: ChrisH on November 10, 2017, 10:00:59 am
Is the Web GUI bound to your WAN interface? Have you enabled HAProxy or some other plugin that might use those ports?
Title: Re: port forwarding
Post by: ddqloo on November 10, 2017, 10:27:30 am
Is the Web GUI bound to your WAN interface? Have you enabled HAProxy or some other plugin that might use those ports?
I have not changed another options except port fording. where could I check those options which you said?
Title: Re: port forwarding
Post by: hutiucip on November 10, 2017, 12:17:16 pm
Is the Web GUI bound to your WAN interface? Have you enabled HAProxy or some other plugin that might use those ports?
I have not changed another options except port fording. where could I check those options which you said?

Might be because of the default, non-editable and non-lower-placeable rule "Anti-lockout rule"?...  :-\

I never tried to port-forward 80 and/ or 443, didn't need it, but it would make sense that, as long as you don't disable the Anti-lockout Rule, which by default is enabled and works on 80 and 443, to not be able to access any other IP addr., than of the OPNsense itself?!?! :-\
Title: Re: port forwarding
Post by: comet on November 10, 2017, 08:22:37 pm
Might be because of the default, non-editable and non-lower-placeable rule "Anti-lockout rule"?...  :-\

I never tried to port-forward 80 and/ or 443, didn't need it, but it would make sense that, as long as you don't disable the Anti-lockout Rule, which by default is enabled and works on 80 and 443, to not be able to access any other IP addr., than of the OPNsense itself?!?! :-\
I thought that rule only applied to LAN side traffic but anyway, I have found you can get port 80 out of the Anti-lockout rule by going to System: Settings: Administration and selecting HTTPS as the Protocol, and then for WebGUI redirect check the box for "Disable web GUI redirect rule".  That should remove port 80 from the anti-lockout rule, but you will then need to use https only to access the OPNsense GUI.
Title: Re: port forwarding
Post by: BertM on November 10, 2017, 10:01:37 pm
ddqloo

You should change the port for the webgui if you intend to forward port 443.
A good description of portforwarding port 80 and 443 can be found in this topic:
https://forum.opnsense.org/index.php?topic=6356.0

@ChrisH: The web gui can be accessed via any interface of the OPNsense, provided firewall rules allow you in. That is why you want to change the port for the web gui. If you don't do that, WAN port 443 will be in use for the web gui.

@hutiucip: The anti-lockout rule is just there to prevent you accidentally lock yourself out of the web gui by blocking the port that the web gui listens on. That is why the anti lockout rule always allows the port for the web gui from the LAN interface.

Kind regards,
Bert
Title: Re: port forwarding
Post by: ddqloo on November 13, 2017, 02:17:30 am
ddqloo

You should change the port for the webgui if you intend to forward port 443.
A good description of portforwarding port 80 and 443 can be found in this topic:
https://forum.opnsense.org/index.php?topic=6356.0

@ChrisH: The web gui can be accessed via any interface of the OPNsense, provided firewall rules allow you in. That is why you want to change the port for the web gui. If you don't do that, WAN port 443 will be in use for the web gui.

@hutiucip: The anti-lockout rule is just there to prevent you accidentally lock yourself out of the web gui by blocking the port that the web gui listens on. That is why the anti lockout rule always allows the port for the web gui from the LAN interface.

Kind regards,
Bert
I have changed the port of webUI to 8080, but it couldn't work anyway!
Title: Re: port forwarding
Post by: comet on November 13, 2017, 07:34:51 pm
If you are trying to get to the web GUI from the WAN side, what I found when I did this (temporarily) was that I had to change the filter rule association to "Pass" rather than the default.  Didn't matter if the source and destination ports were the same (in other words, I could use port 443 a.k.a. HTTPS for both source and destination) but the filter rule association had to be "Pass" before it would work.

Now, this may or may not work for you, because my situation was that my WAN port was connected to the LAN side of another router, and I was only trying to do this temporarily so I could get to the interfaces of both routers during configuration of OPNsense.  This may not be the solution if the WAN port of OPNsense is connected to the Internet.  But still, it's worth a try, I suppose.

If you are trying to get to something else on port 443 (not your router's GUI, but another web server) I still don't think you'd have to change the ports because the web GUI normally only listens on the LAN side, thus WAN side traffic coming to 443 should still be able to be forwarded to port 443 on a specific internal IP address.

In that case there are a couple of things, you may need to set a static outbound route for the web server, similar to what I had to do to get an XBOX to work (see https://www.youtube.com/watch?v=Q5U0nj9oaZY), and/or if you are using a Dynamic DNS address, make sure you go to System: Settings: Administration and put that dynamic DNS address in the "Alternate Hostnames" field (assuming you're not using that as your primary hostname).

Just shots in the dark here, no guarantees.
Title: Re: port forwarding
Post by: ddqloo on November 15, 2017, 03:32:12 am
My configuration for port forwarding:
WAN    TCP    *    *    *    *    192.168.1.115    443 (HTTPS)
firewall rule (WAN):
IPv4 TCP    *    *    *    443 (HTTPS)    *

I can access my webserver of 192.168.1.115 from any port of wan address except 80 and 443 on internet!
Title: Re: port forwarding
Post by: ddqloo on November 16, 2017, 04:05:39 am
My ISP is responsible for this problem!