Messages - alh

#61
I attached the screens of my config. Maybe you spot the problem... 192.168.188.1 is the IP of the Speedport.
#62
Gateway, VLAN config etc. are fine. Everything works from the LAN/VLANs as intended. The only issue I have is that the port forward does not work. It actually does work in the sense that requests are forwarded to the server, but the reply of the server is not travelling back through the firewall. So the client just times out. If a client from LAN connects to the server in VLANx it works perfectly fine. But then this is simple routing and not DNAT.
#63
Yes I did. Sorry, my reply was not intended for you...
#64
As I said, I don't think we understand each other. And if what you say/suggest is true, these dropped packets should show up in the firewall log. They don't.
#65
I really appreciate your effort to try and help me with my problem. But I fail to relate your answers to my setup or problem. I have 5 sites running OPNsense. This works on all other sites but the one I upgraded to 20.7. None needs this extra rule you are talking about and which does not make any sense to me.

As I said, the setup is as simple as it gets:

Internet -> TCP 993 -> Speedport (10.0.1.1) -> TCP 993 -> OPNsense (WAN 10.0.1.254) -> TCP 993 -> OPNsense (LAN 10.0.2.254) -> TCP 993 -> Server (10.0.2.10)

There is masquerading towards WAN because this stupid Speedport cannot do anything.

TCP packets arrive on WAN port 993 of the OPNsense, get forwarded to LAN and the server. The reply from the server arrives at LAN of the OPNsense and is NOT forwarded back to WAN. IMHO this reply is part of an established/related connection of the initial connection from outside. There is absolutely no need for me to open all ports from server to WAN.

As said before, this works on all other OPNsense installations I have, running 20.1.x though.

Maybe just wait for 20.7.1 to arrive the next days and see if it is fixed.
#66
Maybe I'm missing something but isn't the reply an established/related connection? Why would I need an extra rule for that? Also the reply is straight to the clients public IP, so I fail to understand why I would need to allow all traffic to WAN net from VLAN net...

It is a simple, straightforward port forward. Nothing fancy here. Every €50 router can do that...
#67
Well my setup is like this:

1. Speedport Router of Deutsche Telekom (so double NAT)

2. OPNsense with 1 WAN port (static) in Subnet of Speedport

3. OPNsense with 1 LAN port (static, several VLANs)

  • EVERYTHING from inside LAN/VLAN works perfectly fine.
  • Port forwards from Speedport to OPNsense work fine and I can access ALL services hosted on the OPNsense (WireGuard, OpenVPN, IPsec).
  • Port forwards from OPNsense to a host in a LAN/VLAN do not work (port doesn't matter).

#68
I run a mail server behind OPNsense. I have a simple port forward to the host which worked fine in 20.1.x. Now the clients receive a timeout. I did a packet capture and the request hits the OPNsense just fine and it forwards it to the correct host. However, the reply (SYN) from the host hits the OPNsense, which does not forward it to the client! It does not reach the WAN interface.

I tried deleting all port forwards, rebooting, re-creating them but to no avail. How to fix this?
#69
I run the HAProxy plugin to do SSL termination for a Bitwarden_rs container and SSL passthrough for a MailStore server. So far the experience has been terrible. The first connection nearly ALWAYS fails with the following entries in the log:

haproxy[27090]: x.x.x.x:50621 [11/Aug/2020:10:12:05.146] https_tcp https_tcp/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0

Firefox doesn't work at all and other browsers need a lot of reloads to start working. Contacting these servers internally, bypassing the proxy, works flawlessly.

I wonder if someone has had a similar experience or even a fix. Config is pretty basic, at least for MailStore, just a TCP frontend/backend that checks SNI and forwards accordingly.
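The log entry quoted in this post is in HAProxy's TCP log format, and most of the diagnosis is already encoded in it: `<NOSRV>` in the server field, `-1/-1/0` for the Tw/Tc/Tt timers and the termination state `SC`. The following parser is an added example (not from the original post or from the HAProxy project) that splits such a line into its fields and decodes the two termination-state letters according to the HAProxy configuration manual (sections 8.2.2 and 8.5). The first sample line is the one from the post, with the client IP masked exactly as posted; the second is a normal TCP-mode entry of the same shape, constructed for comparison.

```python
"""Decode HAProxy TCP-mode (tcplog) log lines.

Added example; not part of the original post. Field layout and the meaning of
the termination-state letters follow the HAProxy configuration manual
(8.2.2 "TCP log format", 8.5 "Session state at disconnection").
"""
import re

# Constructed inputs: the entry quoted in the post (syslog prefix omitted, client
# IP masked as posted) and a normal TCP-mode entry of the same shape.
FAILED = ("haproxy[27090]: x.x.x.x:50621 [11/Aug/2020:10:12:05.146] https_tcp "
          "https_tcp/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0")
NORMAL = ("haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt "
          "bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0")

# process[pid]: client_ip:client_port [accept_date] frontend backend/server
# Tw/Tc/Tt bytes_read termination_state actconn/feconn/beconn/srv_conn/retries
# srv_queue/backend_queue
TCPLOG_RE = re.compile(
    r"(?P<process>\w+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<client_ip>\S+):(?P<client_port>\d+)\s+"
    r"\[(?P<accept_date>[^\]]+)\]\s+"
    r"(?P<frontend>\S+)\s+"
    r"(?P<backend>[^/\s]+)/(?P<server>\S+)\s+"
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+)\s+"
    r"(?P<bytes_read>\d+)\s+"
    r"(?P<term_state>\S{2})\s+"
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/"
    r"(?P<srv_conn>\d+)/(?P<retries>\d+)\s+"
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+)\s*$"
)
INT_FIELDS = ("pid", "client_port", "tw", "tc", "tt", "bytes_read", "actconn",
              "feconn", "beconn", "srv_conn", "retries", "srv_queue",
              "backend_queue")

# First letter: what ended the session.
FIRST_CHAR = {
    "C": "TCP session unexpectedly aborted by the client",
    "S": "TCP session aborted by the server, or the server explicitly refused it",
    "P": "session prematurely aborted by the proxy (rule/policy or error)",
    "L": "session locally processed by haproxy, no server involved",
    "R": "resource exhaustion on the proxy",
    "I": "internal error in haproxy",
    "D": "session killed because the server was detected DOWN",
    "U": "session killed by a backup-server takeover",
    "K": "session actively killed by an administrator",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
    "-": "normal session completion",
}
# Second letter: which phase the session was in when it was closed.
SECOND_CHAR = {
    "R": "waiting for a complete, valid REQUEST from the client",
    "Q": "waiting in the QUEUE for a connection slot",
    "C": "waiting for the CONNECTION to establish on the server",
    "H": "waiting for complete response HEADERS from the server",
    "D": "in the DATA phase",
    "L": "transmitting LAST data to the client",
    "T": "request was tarpitted",
    "-": "normal completion after end of data transfer",
}


def parse_tcplog(line):
    """Return the fields of one tcplog line as a dict (numeric fields as int)."""
    m = TCPLOG_RE.search(line.strip())
    if not m:
        raise ValueError("not an HAProxy tcplog line: %r" % line)
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def explain(rec):
    """Human-readable findings for a parsed record."""
    first, second = rec["term_state"]
    notes = [FIRST_CHAR.get(first, "unknown session state %r" % first),
             SECOND_CHAR.get(second, "unknown session phase %r" % second)]
    if rec["server"] == "<NOSRV>":
        notes.append("no backend server was selected before the session ended")
    if rec["tc"] == -1:
        notes.append("Tc=-1: session aborted before a server connection was established")
    if rec["tw"] == -1:
        notes.append("Tw=-1: session aborted before reaching the queue")
    return notes


def connect_failed(rec):
    """True when the session died while connecting and no server was chosen."""
    return rec["term_state"][1] == "C" and rec["server"] == "<NOSRV>"


if __name__ == "__main__":
    for line in (FAILED, NORMAL):
        rec = parse_tcplog(line)
        print(rec["client_ip"], rec["frontend"], rec["backend"], rec["server"],
              rec["term_state"], "connect_failed=%s" % connect_failed(rec))
        for note in explain(rec):
            print("  -", note)
```

For the posted line the decoded state says the session ended while HAProxy was still waiting for the server-side connection, and no server was ever selected, so the SNI-based routing or the backend's health state is where to look next, not the client. Running the script over a whole log (e.g. piping `grep SC` output into `parse_tcplog`) makes the "first connection nearly always fails" pattern measurable rather than anecdotal.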
#70
For now I solved it by using a Linux box and the avahi package. Any chance of getting an avahi package to OPNsense similar to pfsense?
#71
Two weeks ago I upgraded an OPNsense installation from 19.7 to the latest 20.1.3. Since then printers cannot be found using Bonjour/mDNS anymore if they are in a different network. mDNS repeater plugin is installed and appears to be running fine (there is nothing in the logs that suggests otherwise) but the devices don't appear on the clients.

Any idea how to troubleshoot/fix this?
#72
German - Deutsch / Re: Wireguard Multiwan
March 10, 2020, 03:20:44 PM
But a port forward does not change the source IP... and that is exactly what is needed so that a route other than the default route applies.

I will try the following:

- WG instance on 51821
- Port forward from WAN2:51820 to 127.0.0.1:51821
- Outbound NAT on WAN2 from non-private IPs to 127.0.0.1:51821

Any other/better suggestion?
#73
German - Deutsch / Re: Wireguard Multiwan
March 10, 2020, 01:26:33 PM
Unfortunately I have no idea how to do that in OPNsense, since I only found outbound NAT. In this case it would be an inbound NAT, wouldn't it?
#74
German - Deutsch / Re: Wireguard Multiwan
March 10, 2020, 01:00:06 PM
And could one try something with NAT so that a different route comes into play? Perhaps change the source IP of incoming connections on WAN2 to the interface IP?
#75
German - Deutsch / Re: Wireguard Multiwan
March 09, 2020, 02:30:47 PM
In our case, unfortunately, you can forget about the upload rate of WAN1... Could one perhaps work with the "fwmark" option?