OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: theogravity on May 29, 2018, 03:21:51 am

Title: [Tutorial] How I do port forwarding - simple and straightforward
Post by: theogravity on May 29, 2018, 03:21:51 am
Hi there!

After going through quite a few guides on the forums on how to port forward, I felt I was not getting anywhere with getting my port forwards to work.

The following is a guide on how to set up a port forward, as if you were doing it from a consumer-grade router, using IPv4 on v18.1 of OPNsense.

Firewall settings

Firewall -> Settings -> Advanced:

- Reflection for port forwards: Enabled
- Reflection for 1:1: Disabled
- Automatic outbound NAT for Reflection: Enabled

Save.

Port Forwarding:

- You have a host with IP 192.168.1.200, with port 3100 open TCP.

- You want to port forward from the outside 3200 to 3100.

Step 1: Set up aliases

Too simple explanation: Aliases are friendly names to IP addresses. If you're managing a bunch of IPs to forward, it's best to give the IP address a label.

Under firewall > aliases > add a new alias

- name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- type: Host(s)
- Aliases: Input 192.168.1.200

Save.

Step 2: Register the port forward

Firewall > NAT > Port forward > add

- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP

Under Source > Advanced:

- Source / Invert: Unchecked
- Source: Any
- Source Port Range: any to any

- Destination / Invert: Unchecked
- Destination: WAN address
- Destination Port range: (other) 3200 to (other) 3200

- Redirect target IP: Alias "media-server"
- Redirect target Port: (other) 3100

- Pool Options: Default
- NAT reflection: Enable
- Filter rule association: Rule NAT

Save, and you now should be able to forward an incoming 3200 to 3100.

Feel free to respond if I should make any corrections or have comments. I'm not an expert at this, BTW.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: zanib on October 05, 2018, 06:05:15 am
I tried setting up my dvr following this method and still cannot access it.  Any ideas what I may be doing wrong?
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: the-mk on October 05, 2018, 12:10:39 pm
Can you verify that you are not sitting behind a CGN (carrier-grade NAT)?
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: cumtbio on October 16, 2018, 07:15:02 pm
 :) :)

good job. I can access my server now. thanks

Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Dougle on October 20, 2018, 05:47:19 pm
Thanks for the Reflection settings, which made all the difference here. Nicely done.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: floydian on October 30, 2018, 03:57:21 am
Apparently the reflection setting did the trick.  I did select reflection on the bottom of my port forward, but it didn't seem to work until I did it in the global place.  I don't really get why that option would not be enabled by default.

I really found this tutorial helpful, thank you for taking the time to publish it.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: XOIIO on November 05, 2018, 07:48:48 am
Does something special need to be done for port 80? I'm hosting a website and I've already changed the admin ui to port 440, and disabled the web gui redirect rule, but I just time out any time I try to connect to it, my dns is already set to the public ip, and I can access all my other stuff that's forwarded just fine.

edit: I changed it from being port 80 in the destination port range to any, redirecting to port 80 and now I can access the site, but for some reason when I click a hyperlink back to the home page it times out, whereas it didn't when I was forwarding port 80 tcp/udp on the isp provided router, hmm

The hyperlink is just set to the same address you type in the url bar, this makes no sense.

edit 2: Ok, it's when you put http:// in front of the url that it times out, any ideas on why opnsense is stopping that from working?

edit 3: now it seems to be working fine. Weird. The only annoying thing is previously I could type the address into a web browser and the site would pull up in my browser just fine while I was on the lan, however now I have to type in the IP instead. Any ideas on getting that to work again? I'd much rather just type the website name as I had been doing.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: XOIIO on November 05, 2018, 11:05:30 am
Used hidemyass to try and connect from another country through a vpn and it looks like it's just timing out so it's still not set up right, but it does work if I use the ip address. Uhg.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: HA4g3n on January 09, 2019, 09:16:43 pm
If I'm gonna use port forwarding under OpenVPN, which all my clients under DHCP are getting now, should I just change the WAN for VPN in this tutorial?

I don't get it to work.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: rickygm on April 24, 2019, 05:05:59 am
Hi, I have been struggling for some days to get an RDP port forward running for a Windows machine; look at my screenshot.

any idea?
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: vielleicht on June 15, 2019, 08:48:23 pm
Hi.

I exactly did what you described, because I think this way is obvious. And it works, so thanks for clarification.

But: The packets are forwarded with a SNAT, that is, the source IP will be changed to the OpnSense-IP. That is problematic if you try to analyse the packet source or simply print the source IP address. How can this behavior be disabled? I did not find any solution or help by searching the internet.

Thanks in advance, Philipp

-- edit: disabling "NAT reflection" did not help
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: zibloon on August 06, 2019, 08:59:46 pm
I am doing port forwards with multiwan on 19.7. On my side, I didn't have to change "Reflection for port forwards" and "Automatic outbound NAT for Reflection" at rules level or global level (in Firewall -> Settings -> Advanced). I only unchecked "sticky connections" but this is mostly because I am using multiwan in a failover mode. The trick was to select all my WAN interfaces as "Interface" and "This Firewall" as "Destination" in all rules.

I understand reflection is necessary if you try to connect through your WAN public IP from your LAN, but it's not necessary if you connect from a completely different network (from your cell phone on 4G for example). Also, I realized the "Automatic outbound NAT for Reflection" option breaks a multiwan failover configuration (if tier1 is off, it doesn't switch to tier2 automatically).
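
Added example (not written by any poster in this thread and not OPNsense code): a simplified Python model of the tutorial's 3200 to 3100 forward, showing why reflection only matters for LAN clients and what "Automatic outbound NAT for Reflection" changes. The WAN address 203.0.113.10, the firewall LAN address 192.168.1.1, the client addresses and all function names are assumptions; the model also assumes the target host uses the firewall as its default gateway.

```python
import ipaddress
from dataclasses import dataclass, replace

# Port forward from the tutorial. WAN_IP and FW_LAN_IP are constructed values.
WAN_IP = "203.0.113.10"
FW_LAN_IP = "192.168.1.1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_PORT, TARGET_IP, TARGET_PORT = 3200, "192.168.1.200", 3100


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str  # interface the packet arrives on: "wan" or "lan"


def forward(pkt, reflection=True, reflection_snat=True):
    """Return the packet as the target host receives it, or None if no rule matches."""
    if pkt.dst != WAN_IP or pkt.dport != PUBLIC_PORT:
        return None
    if pkt.iface == "lan" and not reflection:
        return None  # the forward only exists on WAN; LAN clients are not redirected
    out = replace(pkt, dst=TARGET_IP, dport=TARGET_PORT)
    if pkt.iface == "lan" and reflection_snat:
        # Outbound NAT for reflection: the source becomes the firewall's LAN address.
        out = replace(out, src=FW_LAN_IP)
    return out


def reply_route(received):
    """How the target host's reply travels, given the source address it saw."""
    src = ipaddress.ip_address(received.src)
    if src in LAN_NET and received.src != FW_LAN_IP:
        # Same subnet: the host answers the client directly, the firewall never
        # reverses the translation, and the client drops the unexpected reply.
        return "direct-to-client (connection fails)"
    return "via-firewall (translation reversed)"


def trace(pkt, **opts):
    """One-line summary of what the target host sees and how its reply returns."""
    received = forward(pkt, **opts)
    if received is None:
        return "not forwarded"
    return f"{received.src} -> {received.dst}:{received.dport}, reply {reply_route(received)}"


if __name__ == "__main__":
    outside = Packet("198.51.100.7", WAN_IP, PUBLIC_PORT, "wan")   # constructed client
    inside = Packet("192.168.1.50", WAN_IP, PUBLIC_PORT, "lan")    # constructed client
    print("outside client:             ", trace(outside))
    print("LAN client, no reflection:  ", trace(inside, reflection=False))
    print("LAN client, reflection only:", trace(inside, reflection_snat=False))
    print("LAN client, reflection+NAT: ", trace(inside))
```

In this model only reflected LAN connections reach the target with the firewall's address as source; connections arriving on WAN keep the client's address.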
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: meazz1 on February 07, 2020, 04:54:29 am
> I tried setting up my dvr following this method and still cannot access it.  Any ideas what I may be doing wrong?

Thanks. Been looking for a simple tutorial and this one helped.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: gytepr65 on December 20, 2020, 03:21:10 pm
Hey,

I have no such thing:
Under firewall > aliases > add a new alias
use 20.7.7
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Greelan on December 20, 2020, 09:31:50 pm
Click “+” near the bottom right of the page
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: bMac on March 12, 2021, 05:59:04 am
Thanks for the thread. Been trying all day to get a VPN working, and just used the port forward for my VPN into my Synology router (which is just an AP now).

 8)
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: gverbist on April 01, 2021, 02:52:39 pm
First of all, I don't have that + sign in aliases.

I seem to be unable to get port forwarding to work. I forwarded 80 and 443 to an internal nginx proxy manager but it doesn't seem to reach it.

Am I doing this the right way?

Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: seithan on October 12, 2021, 03:12:43 am
Hi, thanks for the guide.

Got a question though, as it's not fully working on my end.

When I try to connect from the internet (through DDNS) I get a pass outgoing rule (?) and that's it, it stops there. Locally, the machine accepts (SSH) connections.
__timestamp__ Oct 12 04:07:05
ack
action [pass]
anchorname
datalen 0
dir [out]
dst 192.168.1.91
dstport 22
ecn
id 30776
interface em0
interface_name lan
ipflags DF
ipversion 4
label let out anything from firewall host itself
length 60
offset 0
protoname tcp
protonum 6
reason match
rid 1232f88e5fac29a32501e3f051020cac
rulenr 70
seq 342642971
src 71.120.21.331
srcport 54264
subrulenr
tcpflags S
tcpopts
tos 0x0
ttl 62
urp 64240

I don't understand, though, why it shows there that a connection is being made with direction to the outside. Shouldn't it say incoming instead? The local IP I'm trying to connect to is 192.168.1.91.
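
Added example (not part of the post above and not OPNsense code): a Python parser for the field-per-line log layout shown in the post, naming the stage of a port forward that each entry proves. It goes beyond the single posted entry by also covering WAN-side entries, and it assumes the filter log shows the destination after the forward has rewritten it, since pf applies the redirect before evaluating filter rules. The sample entries, the 2222 to 22 forward, the addresses 198.51.100.23 and 203.0.113.10 and the stage names are constructed.

```python
# Constructed sample in the field-per-line layout of the log posted above.
# Forward assumed for this sample: WAN port 2222 -> 192.168.1.91 port 22.
SAMPLE_LOG = """\
__timestamp__ Oct 12 04:07:05
action [pass]
dir [out]
dst 192.168.1.91
dstport 22
interface_name lan
label let out anything from firewall host itself
src 198.51.100.23

__timestamp__ Oct 12 04:09:41
action [block]
dir [in]
dst 192.168.1.91
dstport 22
interface_name wan
src 198.51.100.23

__timestamp__ Oct 12 04:11:02
action [pass]
dir [in]
dst 203.0.113.10
dstport 2222
interface_name wan
src 198.51.100.23
"""


def parse_entries(text):
    """Split a 'key value' dump (one field per line, blank line between entries)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.strip().partition(" ")
        current[key] = value.strip().strip("[]")
    return entries


def classify(entry, public_port, target_ip, target_port):
    """Name the stage of the port forward that this log entry proves."""
    rewritten = (entry.get("dst"), entry.get("dstport")) == (target_ip, str(target_port))
    inbound_wan = entry.get("interface_name") == "wan" and entry.get("dir") == "in"
    if inbound_wan and not rewritten:
        # Still addressed to the public port: no port-forward rule matched it.
        hit = entry.get("dstport") == str(public_port)
        return "NOT_TRANSLATED" if hit else "UNRELATED"
    if inbound_wan:
        # Destination already rewritten; the WAN filter rule decides pass or block.
        return "FORWARDED_PASSED" if entry.get("action") == "pass" else "FORWARDED_BLOCKED"
    if rewritten and entry.get("dir") == "out" and entry.get("action") == "pass":
        # Translated packet leaving the firewall toward the internal host.
        return "SENT_TO_HOST"
    return "UNRELATED"


def stages(text, public_port, target_ip, target_port):
    """Classify every entry of a log dump, in order."""
    return [classify(e, public_port, target_ip, target_port) for e in parse_entries(text)]


if __name__ == "__main__":
    print(stages(SAMPLE_LOG, 2222, "192.168.1.91", 22))
```

A `SENT_TO_HOST` entry means the firewall has already translated and passed the connection attempt, so the remaining checks are on the internal host: its own firewall and whether its default gateway is the OPNsense box.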
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: alexei on October 29, 2021, 11:04:19 am
THANK YOU!!! I have spent hours trying to get port forwarding to work.  Nobody ever mentions the bit about "reflections for port forwards" and "automatic outbound NAT for reflection".  After checking these boxes, my port forwards work!
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Totte on November 08, 2021, 12:14:16 pm
This post solved my 3-day headache. THANKS! <3 NAT Reflection did the trick..
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: NetGobbler on December 19, 2021, 12:41:04 pm
Is this still the best guide for newbies? I literally only will need to forward one port nowadays.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: mr.random on April 11, 2022, 03:13:30 pm
I've tried this tutorial and others and the official how-to, but I cannot get any of my port forwarding to work. I've done port forwarding in the past on regular Wi-Fi routers but never anything like OPNsense.

I use a No-IP domain to RDP into my Windows machine at home.

Internally I can RDP into any machine in my network in my LAN.

The problem I have is I can't RDP from the WAN.

Before, my setup was westdallas.ddns.net:9999; from the router I would forward the 9999 port to Win RDP ports in my LAN to my server. Then I would use 9989 to connect to my desktop or another machine.

Now I can't port forward anything. I need to set up my TrueNAS and my Plex and my Nextcloud but none of the port forward options are working.

I enabled NAT reflection.

I've spent a few hours on this and can't get it to work.

I opened up the ports on the firewall for 9999 and 9989 and WIN RDP, and in the firewall log I can see requests hitting the firewall on port 9999, but they are not being routed to the internal IP I need them to go to.

I did set up the NAT port forwarding as well.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Olli on June 07, 2022, 02:10:05 pm
Hi there and thanks a lot for that manual, it works great. But how can I specify that only special hosts can access these ports, like a whitelisting?

Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: bitTwiddler on September 11, 2022, 02:33:31 am
When creating a Port Forward Rule,  the only options I see for Filter rule association are:

None
Pass

Did I skip a step where a NAT rule was created?

Also, when I enable Reflection for port forwards and Automatic outbound NAT for Reflection, something breaks my rule to forward all DNS traffic to PiHole.  As soon as I enable those settings I am unable to perform name resolution via DNS.

Note: I am running OPNsense 21.7.8-amd64
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Patrick M. Hausen on September 11, 2022, 12:44:42 pm
> Hi there and thanks a lot for that manual, it works great. But how can I specify that only special hosts can access these ports, like a whitelisting?

By using a "Source" setting in the port forward. E.g. a group of host/network aliases ...

See screenshot:
(https://forum.opnsense.org/index.php?action=dlattach;topic=8783.0;attach=23554;image)

HTH
Patrick
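
Added example (not from the post above and not OPNsense code): a Python check of which clients a port forward's "Source" setting admits once its aliases are expanded, and which forwards are still open to everyone. The alias names other than "media-server", the rule dictionaries, the addresses and the 1024-address threshold are constructed; the field names only mirror the port-forward form in the tutorial.

```python
import ipaddress

# Constructed aliases and rules; "admins" nests another alias, as a group would.
ALIASES = {
    "media-server": ["192.168.1.200"],
    "office-net": ["203.0.113.0/28"],
    "admins": ["198.51.100.7", "office-net"],
}
RULES = [
    {"descr": "media", "source": "any", "dport": 3200, "target": "media-server"},
    {"descr": "rdp", "source": "admins", "dport": 9999, "target": "192.168.1.20"},
]


def expand(name, aliases, path=()):
    """Resolve an alias (possibly nested) to a list of ip_network objects."""
    if name in path:
        raise ValueError("alias loop: " + " -> ".join(path + (name,)))
    nets = []
    for item in aliases[name]:
        if item in aliases:
            nets.extend(expand(item, aliases, path + (name,)))
        else:
            nets.append(ipaddress.ip_network(item))
    return nets


def source_networks(rule, aliases):
    """Networks admitted by a rule's Source: 'any', an alias, or a literal address."""
    src = rule["source"]
    if src.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if src in aliases:
        return expand(src, aliases)
    return [ipaddress.ip_network(src)]


def is_allowed(rule, client_ip, aliases):
    """Would this client's address match the rule's Source?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in source_networks(rule, aliases))


def audit(rules, aliases, max_sources=1024):
    """List forwards whose Source admits more addresses than max_sources."""
    findings = []
    for rule in rules:
        count = sum(net.num_addresses for net in source_networks(rule, aliases))
        if count > max_sources:
            findings.append((rule["descr"], count))
    return findings


if __name__ == "__main__":
    print("too open:", audit(RULES, ALIASES))
    for client in ("198.51.100.7", "203.0.113.5", "203.0.113.200"):
        print(client, "may use the rdp forward:", is_allowed(RULES[1], client, ALIASES))
```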
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: bmt on October 26, 2022, 11:27:07 pm
Thank you! This just saved my life  ;D
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Chiny on November 07, 2022, 12:15:41 pm
I've been looking for a few hours at this issue and couldn't see how to make the last step.   Whilst not directly solving my problem (couldn't see how to enter a single IPv4 source address), it did confirm I was on the right lines - now sorted - many thanks.

My excuse is that I am a newbie, had OPNsense running for just under 2 days, with a new mini-PC (first PC in decades) and FreeBSD is new to me (unless you count macOS).   Working well, complete with a few plugins installed.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Lxndr on December 08, 2022, 11:28:08 am
Hi all,

I'm trying to set up a reverse proxy in order to expose some services on to the web.

For test purposes I'm currently only exposing an uptime-kuma container. I can access it no problem internally but am not getting access when coming from outside my network. This is what I currently have set up as the port forwarding rule pointing to swag, my reverse proxy:

(https://i58.servimg.com/u/f58/12/50/83/75/captur12.png)


what I have in the firewall rules section:

(https://i58.servimg.com/u/f58/12/50/83/75/captur14.png)

and this is what I get as result when accessing using the domain:

(https://i58.servimg.com/u/f58/12/50/83/75/captur13.png)

I'm not seeing what may be wrong here, any idea of what I may have done wrong here?

Thanks in advance for your help
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Lxndr on December 10, 2022, 08:40:41 pm
Hi guys,

Ignore my previous post, this is working, when I try reaching any of my internal hosts/services using the mobile network or from a computer outside my network, I do reach my proxy, but when I try from inside the network, the routing does not happen, so I do have an issue but it's not related to the port forwarding, looks like my adguard or maybe the dns setup on opnsense is not correctly setup. I'll need to look into that more in depth.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Lxndr on December 17, 2022, 04:32:47 pm
> Hi guys,
>
> Ignore my previous post, this is working, when I try reaching any of my internal hosts/services using the mobile network or from a computer outside my network, I do reach my proxy, but when I try from inside the network, the routing does not happen, so I do have an issue but it's not related to the port forwarding, looks like my adguard or maybe the dns setup on opnsense is not correctly setup. I'll need to look into that more in depth.

Hi all,

sorry to bother you guys again, following the above message I'm trying to setup Nextcloud AIO behind swag reverse proxy but I've come into an issue where I can't get Nextcloud to validate the domain, I keep getting the error below despite having a port forwarding rule:

The server is not reachable on Port 443. You can verify this e.g. with 'https://portchecker.co/' by entering your domain there as ip-address and port 443 as port.

The forwarding rule points to the reverse proxy and seems fine as Swag is working and managed to get the  certificate from let's encrypt, but when using https://portchecker.co/ or https://canyouseeme.org/ both tell me that port 443 is closed; any ideas why that is?

Do note that both swag and nextcloud AIO are both running on docker on different containers.

I'm not sure if the issue is at the Opnsense or the swag level, appreciate if anyone has an idea on this

Thanks

EDIT: Managed to sort myself out, seems like I had an issue with my internet connection, so after rebooting Opnsense and the ISP Fiber Optical interface, things got back to normal, so all good now.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: zzy on January 30, 2023, 10:16:19 pm
Hi, I finally get my LAN -> WAN Port forwarding working by updating this setting (check attachment)

Version: OPNsense 23.1

Question: I read this thread hinting that it has 'Rule NAT' option (only had 'Rule' option) and some other threads that suggested 'add associated filter rule' (i have never seen this option even in this case). The issue I had earlier however was that, there were 2 Rule options in the drop down, and then when I change 80 nat's option to Pass, one of the 'Rule' option disappeared, and then when I change the 443 nat's option to pass, the other 'Rule' option disappeared.

Then I go back to 80's nat config, the only option left were 'None' and 'Pass'. So I chose pass.

Is this normal? or is it a bug?

Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: pfabi on March 02, 2023, 11:53:58 pm
Actually I have the same question. Looks that when rule is created, there is a "Rule" option. But when you try to change it - only None and Pass. Is that by design?
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: mkozik1 on April 09, 2023, 10:42:33 pm
I am trying to get this to work for my video recorder as well and I have tried all kinds of different configurations with no luck.  I am coming from Ubiquiti Gateway and it was working perfectly on my Ubiquiti system.  Wondering also if there might be an issue with my Ubiquiti Controller interfering with the traffic?  I have disabled all of the original rules but have not changed anything.

Thanks in advance,

Mark
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: 9axqe on May 14, 2023, 12:03:14 pm
> Hi.
>
> I exactly did what you described, because I think this way is obvious. And it works, so thanks for clarification.
>
> But: The packets are forwarded with a SNAT, that is, the source IP will be changed to the OpnSense-IP. That is problematic if you try to analyse the packet source or simply print the source IP address. How can this behavior be disabled? I did not find any solution or help by searching the internet.
>
> Thanks in advance, Philipp
>
> -- edit: disabling "NAT reflection" did not help

Hi Philipp, did you solve this problem?
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: mkozik1 on August 07, 2023, 03:17:32 am
> I am trying to get this to work for my video recorder as well and I have tried all kinds of different configurations with no luck.  I am coming from Ubiquiti Gateway and it was working perfectly on my Ubiquiti system.  Wondering also if there might be an issue with my Ubiquiti Controller interfering with the traffic?  I have disabled all of the original rules but have not changed anything.
>
> Thanks in advance,
>
> Mark

Good evening,

I was wondering if someone could help me please.  I had to put the project on pause for a minute - I have been using the firewall on another network and it has been working flawlessly.  My UBT Gateway has since bit the dust and I must move that network to the OPNSense device, however, I cannot get port forwarding to work to save my life.  I have completed all of the entries noted in this tutorial as well as many others I have reviewed but I can never seem to get the port checkers to tell me the port is open. 

Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: WAN Address
Source port range: (other) 8000 from and to
Destination: WAN Address
Destination Port range: Any Any
Redirect target IP: Single Host with IP address of recorder
Redirect target port: (other) 8000
Allowed the rule to create the associated WAN rule and checked that it is there.

Thoughts please?

Thanks in advance!
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: sukerman on February 07, 2024, 08:00:36 pm
I've just been through this; there's no need to forward ports or change NAT reflection options, just add an alias. Select host and enter the static IP of the PS4. Then set settings->outbound to hybrid and add a rule, select source as your PS4 alias and click static; that's all that's needed.