OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: theogravity on May 29, 2018, 03:21:51 am

Title: [Tutorial] How I do port forwarding - simple and straightforward
Post by: theogravity on May 29, 2018, 03:21:51 am
Hi there!

After going through quite a few guides on the forums on how to port forward, I felt I was not getting anywhere with getting my port forwards to work.

The following is a guide on how to set up a port forward, as if you were doing it from a consumer-grade router, using IPv4 on v18.1 of OPNsense.

Firewall settings

Firewall -> Settings -> Advanced:

- Reflection for port forwards: Enabled
- Reflection for 1:1: Disabled
- Automatic outbound NAT for Reflection: Enabled

Save.

Port Forwarding:

- You have a host with IP 192.168.1.200, with port 3100 open TCP.

- You want to port forward from the outside 3200 to 3100.

Step 1: Set up aliases

Too simple explanation: Aliases are friendly names to IP addresses. If you're managing a bunch of IPs to forward, it's best to give the IP address a label.

Under firewall > aliases > add a new alias

- name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- type: Host(s)
- Aliases: Input 192.168.1.200

Save.

Step 2: Register the port forward

Firewall > NAT > Port forward > add

- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP

Under Source > Advanced:

- Source / Invert: Unchecked
- Source: Any
- Source Port Range: any to any

- Destination / Invert: Unchecked
- Destination: WAN address
- Destination Port range: (other) 3200 to (other) 3200

- Redirect target IP: Alias "media-server"
- Redirect target Port: (other) 3100

- Pool Options: Default
- NAT reflection: Enable
- Filter rule association: Rule NAT

Save, and you now should be able to forward an incoming 3200 to 3100.

Feel free to respond if I should make any corrections or have comments. I'm not an expert at this, BTW.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: zanib on October 05, 2018, 06:05:15 am
I tried setting up my dvr following this method and still cannot access it.  Any ideas what I may be doing wrong?
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: the-mk on October 05, 2018, 12:10:39 pm
Can you verify that you are not sitting behind a CGN (carrier-grade NAT)?
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: cumtbio on October 16, 2018, 07:15:02 pm
 :) :)

good job. I can access my server now. thanks

Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Dougle on October 20, 2018, 05:47:19 pm
Thanks for the Reflection settings, which made all the difference here. Nicely done.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: floydian on October 30, 2018, 03:57:21 am
Apparently the reflection setting did the trick.  I did select reflection on the bottom of my port forward, but it didn't seem to work until I did it in the global place.  I don't really get why that option would not be enabled by default.

I really found this tutorial helpful, thank you for taking the time to publish it.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: XOIIO on November 05, 2018, 07:48:48 am
Does something special need to be done for port 80? I'm hosting a website and I've already changed the admin UI to port 440 and disabled the web GUI redirect rule, but I just time out any time I try to connect to it. My DNS is already set to the public IP, and I can access all my other stuff that's forwarded just fine.

edit: I changed it from being port 80 in the destination port range to any, redirecting to port 80 and now I can access the site, but for some reason when I click a hyperlink back to the home page it times out, whereas it didn't when I was forwarding port 80 tcp/udp on the isp provided router, hmm

The hyperlink is just set to the same address you type in the url bar, this makes no sense.

edit 2: Ok, it's when you put http:// in front of the url that it times out, any ideas on why opnsense is stopping that from working?

edit 3: now it seems to be working fine. Weird. The only annoying thing is previously I could type the address into a web browser and the site would pull up in my browser just fine while I was on the lan, however now I have to type in the IP instead. Any ideas on getting that to work again? I'd much rather just type the website name as I had been doing.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: XOIIO on November 05, 2018, 11:05:30 am
Used hidemyass to try and connect from another country through a VPN, and it looks like it's just timing out, so it's still not set up right, but it does work if I use the IP address. Ugh.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: HA4g3n on January 09, 2019, 09:16:43 pm
If I'm gonna use port forward under OpenVPN that all my clients under DHCP are getting now, should I just change the WAN for VPN in this tutorial?

Don't get it to work.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: rickygm on April 24, 2019, 05:05:59 am
Hi, I have had some days of struggling to run a port forward for RDP for a Windows machine; look at my screenshot.

any idea?
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: vielleicht on June 15, 2019, 08:48:23 pm
Hi.

I did exactly what you described, because I think this way is obvious. And it works, so thanks for the clarification.

But: The packets are forwarded with a SNAT, that is, the source IP will be changed to the OpnSense-IP. That is problematic if you try to analyse the packet source or simply print the source IP address. How can this behavior be disabled? I did not find any solution or help by searching the internet.

Thanks in advance, Philipp

-- edit: disabling "NAT reflection" did not help
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: zibloon on August 06, 2019, 08:59:46 pm
I am doing port forwards with multiwan on 19.7. On my side, I didn't have to change "Reflection for port forwards" and "Automatic outbound NAT for Reflection" at rules level or global level (in Firewall -> Settings -> Advanced). I only unchecked "sticky connections" but this is mostly because I am using multiwan in a failover mode. The trick was to select all my WAN interfaces as "Interface" and "This Firewall" as "Destination" in all rules.

I understand reflection is necessary if you try to connect through your WAN public IP from your LAN, but it's not necessary if you connect from a completely different network (from your cell phone on 4G for example). Also, I realized the "Automatic outbound NAT for Reflection" option breaks a multiwan failover configuration (if tier1 is off, it doesn't switch to tier2 automatically).
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: meazz1 on February 07, 2020, 04:54:29 am
I tried setting up my dvr following this method and still cannot access it.  Any ideas what I may be doing wrong?

Thanks. Been looking for a simple tutorial and this one helped.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: gytepr65 on December 20, 2020, 03:21:10 pm
Hey,

I have no such thing:
Under firewall > aliases > add a new alias
use 20.7.7
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Greelan on December 20, 2020, 09:31:50 pm
Click “+” near the bottom right of the page
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: bMac on March 12, 2021, 05:59:04 am
Thanks for the thread. Been trying all day to get a VPN working, and just used the port forward for my VPN into my Synology router (which is just an AP now).

 8)
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: gverbist on April 01, 2021, 02:52:39 pm
First of all, I don't have that + sign in aliases.

I seem to be unable to get port forwarding to work. I forwarded 80 and 443 to an internal nginx proxy manager but it doesn't seem to reach this.

Am I doing this the right way?

Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: seithan on October 12, 2021, 03:12:43 am
Hi, thanks for the guide.

Got a question though, as it's not fully working on my end.

When I try to connect from the internet (through DDNS) I get a pass outgoing rule (?) and that's it, it stops there. Locally, the machine accepts (ssh) connections.
__timestamp__ Oct 12 04:07:05
ack
action [pass]
anchorname
datalen 0
dir [out]
dst 192.168.1.91
dstport 22
ecn
id 30776
interface em0
interface_name lan
ipflags DF
ipversion 4
label let out anything from firewall host itself
length 60
offset 0
protoname tcp
protonum 6
reason match
rid 1232f88e5fac29a32501e3f051020cac
rulenr 70
seq 342642971
src 71.120.21.331
srcport 54264
subrulenr
tcpflags S
tcpopts
tos 0x0
ttl 62
urp 64240

I don't understand, though, why it shows that a connection is being made with direction to the outside. Shouldn't it say incoming instead? The local IP I'm trying to connect to is 192.168.1.91.
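
Reading the record above, as an added example that is not part of the original post: pf logs direction relative to the interface a packet is crossing, so a connection forwarded from the internet shows up as "out" on the LAN interface once its destination has been rewritten to the internal host. The sketch parses a constructed record in the same layout; 203.0.113.7 is a placeholder client address, and the WAN interface name "wan" and the category names are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed record in the same "key value" layout as the log detail above.
# 203.0.113.7 is a placeholder for the remote client's address.
SAMPLE = """\
ack
action [pass]
dir [out]
dst 192.168.1.91
dstport 22
interface_name lan
label let out anything from firewall host itself
src 203.0.113.7
srcport 54264
tcpflags S
"""

def parse_record(text):
    """Turn 'key value' lines into a dict; a key with no value maps to ''."""
    rec = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(" ")
            rec[key] = value.strip().strip("[]")
    return rec

def in_rfc1918(addr):
    """True/False for a valid IPv4 address, None if it does not parse."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return None
    return any(ip in net for net in RFC1918)

def classify(rec, wan_name="wan"):
    """Name the leg of a connection this record describes (labels are ours)."""
    src, dst = in_rfc1918(rec.get("src", "")), in_rfc1918(rec.get("dst", ""))
    if src is None or dst is None:
        return "unparseable-address"
    on_wan = rec.get("interface_name") == wan_name
    if on_wan and rec.get("dir") == "in":
        return "wan-ingress"            # packet arriving from the internet
    if not on_wan and rec.get("dir") == "out" and dst and not src:
        return "forwarded-egress"       # translated packet leaving toward the host
    return "other"

if __name__ == "__main__":
    print(classify(parse_record(SAMPLE)))
```

A "forwarded-egress" record with tcpflags S means the SYN was handed on toward the internal host; it does not show whether a reply came back.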
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: alexei on October 29, 2021, 11:04:19 am
THANK YOU!!! I have spent hours trying to get port forwarding to work.  Nobody ever mentions the bit about "reflections for port forwards" and "automatic outbound NAT for reflection".  After checking these boxes, my port forwards work!
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Totte on November 08, 2021, 12:14:16 pm
This post solved my 3-day headache. THANKS! <3 NAT Reflection did the trick..
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: NetGobbler on December 19, 2021, 12:41:04 pm
Is this still the best guide for newbies? I literally only will need to forward one port nowadays.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: mr.random on April 11, 2022, 03:13:30 pm
I've tried this tutorial and others and the official how-to, but I cannot get any of my port forwarding to work. I've done port forwarding in the past on regular wifi routers but never anything like OPNsense.

I use a noip domain to RDP into my Windows machine at home.

Internally I can RDP into any machine in my network in my LAN.

The problem I have is I can't RDP from the WAN.

Before, my setup was westdallas.ddns.net:9999; from the router I would forward the 9999 port to Win RDP ports in my LAN to my server. Then I would use 9989 to connect to my desktop or another machine.

Now I can't port forward anything. I need to set up my TrueNAS and my Plex and my Nextcloud, but none of the port forward options are working.

I enabled NAT reflection.

I've spent a few hours on this and can't get it to work.

I opened up the ports on the firewall for 9999 and 9989 and WIN RDP, and in the firewall log I can see requests hitting the firewall on port 9999, but it's not being routed to the internal IP I need it to go to.

I did set up the NAT port forwarding as well.
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: Olli on June 07, 2022, 02:10:05 pm
Hi there and thanks a lot for that manual, it works great. But how can I specify that only special hosts can access these ports, like a whitelisting?

Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: bitTwiddler on September 11, 2022, 02:33:31 am
When creating a Port Forward Rule,  the only options I see for Filter rule association are:

None
Pass

Did I skip a step where a NAT rule was created?

Also, when I enable Reflection for port forwards and Automatic outbound NAT for Reflection, something breaks my rule to forward all DNS traffic to PiHole.  As soon as I enable those settings I am unable to perform name resolution via DNS.

Note: I am running OPNsense 21.7.8-amd64
Title: Re: [Tutorial] How I do port forwarding - simple and straightforward
Post by: pmhausen on September 11, 2022, 12:44:42 pm
Hi there and thanks a lot for that manual, it works great. But how can I specify that only special hosts can access these ports, like a whitelisting?
By using a "Source" setting in the port forward. E.g. a group of host/network aliases ...

See screenshot:
(https://forum.opnsense.org/index.php?action=dlattach;topic=8783.0;attach=23554;image)

HTH
Patrick