OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: raind0wn388 on April 30, 2018, 12:12:08 am

Title: Strange Port-Forwarding Issue
Post by: raind0wn388 on April 30, 2018, 12:12:08 am
Hey all,

I have a question about port forwarding I need help with in this situation. I have all my VLANs routed via a Cisco 4948, and I am using a VLAN for transit between the opnsense and the switch. Port forwarding is acting strange: the port checker sees every port as open from the internet, and I set up the PF rules, but I still cannot connect to a server I have here.

Here is what I did:
Src IF: LAN, SRC Proto: TCP, SRC Address: *, SRC Ports: *, Dest Address: WAN Address, Dest Ports: *, NAT IP: 10.3.240.244, NAT Ports: 4433

Not sure if the transit network I have set up comes into play here. Any ideas?
Title: Re: Strange Port-Forwarding Issue
Post by: Animosity022 on April 30, 2018, 01:06:12 am
What does your screenshot of the Port Forward look like?

I can't figure out what you are trying to forward, as you normally forward something from the WAN interface to your internal networks.

That's my HTTPS forward to my internal server:

(https://i.imgur.com/TdnyRc9.png)
Title: Re: Strange Port-Forwarding Issue
Post by: raind0wn388 on May 01, 2018, 03:43:59 pm
Since I have all my VLANs routed on the Layer 3 switch, I have a transit VLAN set up to connect to the opnsense box. Would I port-forward as normal, or would I need to do anything different since my networks don't reside on the box?
Title: Re: Strange Port-Forwarding Issue
Post by: Animosity022 on May 01, 2018, 03:52:50 pm
Without a picture, it makes it really tough to understand what your network looks like and what you are trying to accomplish.

Are you trying to forward an external port from the internet through the OPNSense firewall, or are you trying to just route internal traffic?
Title: Re: Strange Port-Forwarding Issue
Post by: raind0wn388 on May 01, 2018, 04:00:17 pm
Here is a small diagram:

OPNSENSE (10.1.1.254 TRANSIT) ----> Cisco 4948(10.1.1.253 TRANSIT) [ALL VLANS ROUTED here]

So yes, you are right, I just want to port-forward through the opnsense box to a server that lives on a VLAN on the 4948.
Title: Re: Strange Port-Forwarding Issue
Post by: Animosity022 on May 01, 2018, 04:14:41 pm
What's your interface setup? You have a .240 address listed below so I'm not sure where that is in the scheme of things.

Normal flow:

External IP on your WAN -> OPNSense with a port forward on the WAN interface coming into an Internal Network.

If you are going Internal to Internal, you wouldn't forward; you'd just make sure you have a firewall rule on the internal interface to allow the traffic, as you aren't NAT'ing anything.
Title: Re: Strange Port-Forwarding Issue
Post by: raind0wn388 on May 01, 2018, 04:20:06 pm
I think I'm making things more complicated than I should. The .240 address is a server I'm trying to port-forward to. The 10.1.1.254 & 10.1.1.253 is a /30 just to connect the 4948 to the opnsense box for internet.

If I understand correctly, the only NAT'ing that's happening is between the WAN and the 10.1.1.254 (LAN TRANSIT IP of the opnsense box). So any other remote networks beyond that don't need to be NAT'd, just a FW rule to allow 443?
Title: Re: Strange Port-Forwarding Issue
Post by: Animosity022 on May 01, 2018, 04:34:29 pm
If it's all internal traffic, you don't need to NAT.

The assumption is that the OPNSense box can talk to all the internal networks. Without some specifics on the VLANs, it's hard to give a specific answer.

Let's say I had a 192.168.1.0/24 and 192.168.2.0/24. My OPNSense is configured on a LAN interface for 192.168.1.1, and I can stack 192.168.2.1 on the same interface, or if I wanted, I could use another physical port and call that, say, OPT1.

My goal would be to make sure routing works between the networks through OPNSense, as I think that's your goal. If routing is working, you can decide to do an allow-all rule from OPT1 -> LAN and LAN -> OPT1, or get specific on what you want to allow through the firewall.

In that case, you are just routing and no NAT needed. The only time you need NAT is when you are expecting to hide the internal network addresses coming in from the WAN side. If you had routable public IPs, you wouldn't need to NAT and you could just use a firewall rule to allow the traffic.

In my NAT rule above that I shared, I'm allowing port 443 on my WAN Address via the firewall rules and NAT'ing that address to my internal IP of 192.168.1.30, which runs an SSL web server on port 443.
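The thread's two points (a redirect only fires on the interface the packet actually arrives on, and internal-to-internal traffic needs routing but no NAT) can be checked with a small model of how a pf-style redirect and a route lookup behave. The script below is an added illustration written for this page, not OPNsense's code or its rule syntax; the public addresses (203.0.113.10, 198.51.100.7), the 10.0.0.0/8 summary route and the interface names are assumptions chosen to match the diagram in the thread. It compares the original rule (Src IF: LAN) with a corrected one (Src IF: WAN, destination port 443) and shows where the translated packet is routed next.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class RdrRule:
    iface: str            # interface the rule is bound to (Src IF in the GUI)
    proto: str
    dst: str              # address the packet must be addressed to
    dport: Optional[int]  # None means any destination port
    nat_ip: str           # redirect target
    nat_port: int


# Constructed addresses (assumptions): a documentation-range public IP for WAN,
# the /30 transit pair from the thread and the server behind the 4948.
WAN_ADDR = "203.0.113.10"
TRANSIT_OPN = "10.1.1.254"
TRANSIT_4948 = "10.1.1.253"
SERVER = "10.3.240.244"

# Routing table of the firewall: the transit /30 is directly connected, and
# every internal VLAN (assumed to live inside 10.0.0.0/8) is reached through
# the 4948's transit address.
ROUTES = [
    (ipaddress.ip_network("10.1.1.252/30"), None, "LAN"),
    (ipaddress.ip_network("10.0.0.0/8"), TRANSIT_4948, "LAN"),
]


def next_hop(dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (gateway-or-direct, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None            # no route: the firewall itself owns the address
    return (best[1] or dst, best[2])


def apply_rdr(rules, pkt: Packet) -> Packet:
    """Return the packet after the first matching redirect, else unchanged."""
    for r in rules:
        if (r.iface == pkt.in_iface and r.proto == pkt.proto and r.dst == pkt.dst
                and (r.dport is None or r.dport == pkt.dport)):
            return Packet(pkt.in_iface, pkt.proto, pkt.src, r.nat_ip, r.nat_port)
    return pkt


# The rule as posted: bound to LAN, so an inbound WAN packet never matches it.
OP_RULE = RdrRule("LAN", "tcp", WAN_ADDR, None, SERVER, 4433)
# Corrected rule: bound to WAN, matches only port 443 on the WAN address.
FIXED_RULE = RdrRule("WAN", "tcp", WAN_ADDR, 443, SERVER, 4433)


def forward_inbound(rules):
    """Simulate an internet client hitting the WAN address on 443."""
    pkt = Packet("WAN", "tcp", "198.51.100.7", WAN_ADDR, 443)
    out = apply_rdr(rules, pkt)
    return out.dst, out.dport, next_hop(out.dst)


def translated(rules, pkt: Packet) -> bool:
    """True if any redirect rewrote the packet (i.e. NAT happened)."""
    return apply_rdr(rules, pkt) != pkt


if __name__ == "__main__":
    print("original rule:", forward_inbound([OP_RULE]))
    print("corrected rule:", forward_inbound([FIXED_RULE]))
    internal = Packet("LAN", "tcp", "10.2.0.5", SERVER, 443)
    print("VLAN-to-VLAN traffic translated?", translated([FIXED_RULE], internal))
```

With the posted rule the packet stays addressed to the WAN address and terminates on the firewall, which is why an external port checker can still see the port as "open" while the server is never reached; with the corrected rule it is rewritten to 10.3.240.244:4433 and routed out the transit interface via 10.1.1.253. Traffic between two VLANs never matches the redirect at all, which is the "just routing, no NAT" case from the reply above; it still needs the 4948 to route it and a firewall rule to permit it.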