Messages - Stuggi

#1
20.7 Legacy Series / Re: Update to 20.7.4 stuck
October 30, 2020, 12:59:11 PM
Cheers, a reboot did unstick it, now I just have base, kernel and opnsense packages left to update. We'll see how it goes later tonight!
#2
20.7 Legacy Series / Update to 20.7.4 stuck
October 29, 2020, 07:41:32 AM
Hi,

My upgrade to 20.7.4 has been at it all night trying to upgrade. It's currently stuck at something related to reloading plugins. See log below.

Otherwise the firewall is fully operational and I can do whatever I like through the GUI.

What should I do, reboot and try again?


***GOT REQUEST TO UPGRADE: all***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (52 candidates): .......... done
Processing candidates (52 candidates): .......... done
The following 53 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
syslog-ng329: 3.29.1_2

Installed packages to be UPGRADED:
ca_root_nss: 3.55 -> 3.58
curl: 7.71.1 -> 7.73.0
gettext-runtime: 0.20.2 -> 0.21
glib: 2.56.3_9,1 -> 2.66.2,1
isc-dhcp44-relay: 4.4.2 -> 4.4.2_1
isc-dhcp44-server: 4.4.2 -> 4.4.2_1
json-c: 0.14 -> 0.15_1
libffi: 3.3 -> 3.3_1
libxml2: 2.9.10 -> 2.9.10_1
mpd5: 5.8_10 -> 5.9
nspr: 4.27 -> 4.29
nss: 3.55 -> 3.58
openldap-sasl-client: 2.4.50 -> 2.4.51
openssl: 1.1.1g,1 -> 1.1.1h_1,1
opnsense: 20.7 -> 20.7.4
opnsense-update: 20.7 -> 20.7.4
os-dyndns: 1.22 -> 1.23
perl5: 5.30.3 -> 5.32.0
php73: 7.3.20 -> 7.3.23
php73-ctype: 7.3.20 -> 7.3.23
php73-curl: 7.3.20 -> 7.3.23
php73-dom: 7.3.20 -> 7.3.23
php73-filter: 7.3.20 -> 7.3.23
php73-gettext: 7.3.20 -> 7.3.23
php73-hash: 7.3.20 -> 7.3.23
php73-json: 7.3.20 -> 7.3.23
php73-ldap: 7.3.20 -> 7.3.23
php73-openssl: 7.3.20 -> 7.3.23
php73-pdo: 7.3.20 -> 7.3.23
php73-session: 7.3.20 -> 7.3.23
php73-simplexml: 7.3.20 -> 7.3.23
php73-sockets: 7.3.20 -> 7.3.23
php73-sqlite3: 7.3.20 -> 7.3.23
php73-xml: 7.3.20 -> 7.3.23
php73-zlib: 7.3.20 -> 7.3.23
py37-Jinja2: 2.10.1 -> 2.11.2
py37-cffi: 1.14.0_1 -> 1.14.3
py37-idna: 2.8 -> 2.10
py37-requests: 2.22.0 -> 2.22.0_2
py37-six: 1.14.0 -> 1.15.0
py37-sqlite3: 3.7.8_7 -> 3.7.9_7
py37-urllib3: 1.25.7,1 -> 1.25.10,1
python37: 3.7.8_1 -> 3.7.9_1
radvd: 2.18_1 -> 2.18_2
rate: 0.9_1 -> 0.9_2
sqlite3: 3.32.3_1,1 -> 3.33.0,1
squid: 4.11_2 -> 4.13
sudo: 1.9.2 -> 1.9.3p1
suricata: 5.0.3 -> 5.0.4
unbound: 1.10.1 -> 1.12.0

Installed packages to be REINSTALLED:
ntp-4.2.8p15 (direct dependency changed: perl5)
rrdtool-1.7.2_4 (direct dependency changed: perl5)

Number of packages to be installed: 1
Number of packages to be upgraded: 50
Number of packages to be reinstalled: 2

The process will require 8 MiB more space.
63 MiB to be downloaded.
[1/53] Fetching unbound-1.12.0.txz: .......... done
[2/53] Fetching suricata-5.0.4.txz: .......... done
[3/53] Fetching sudo-1.9.3p1.txz: .......... done
[4/53] Fetching squid-4.13.txz: .......... done
[5/53] Fetching sqlite3-3.33.0,1.txz: .......... done
[6/53] Fetching rrdtool-1.7.2_4.txz: .......... done
[7/53] Fetching rate-0.9_2.txz: ....... done
[8/53] Fetching radvd-2.18_2.txz: .......... done
[9/53] Fetching python37-3.7.9_1.txz: .......... done
[10/53] Fetching py37-urllib3-1.25.10,1.txz: .......... done
[11/53] Fetching py37-sqlite3-3.7.9_7.txz: .... done
[12/53] Fetching py37-six-1.15.0.txz: ... done
[13/53] Fetching py37-requests-2.22.0_2.txz: .......... done
[14/53] Fetching py37-idna-2.10.txz: ........ done
[15/53] Fetching py37-cffi-1.14.3.txz: .......... done
[16/53] Fetching py37-Jinja2-2.11.2.txz: .......... done
[17/53] Fetching php73-zlib-7.3.23.txz: ... done
[18/53] Fetching php73-xml-7.3.23.txz: ... done
[19/53] Fetching php73-sqlite3-7.3.23.txz: ... done
[20/53] Fetching php73-sockets-7.3.23.txz: ..... done
[21/53] Fetching php73-simplexml-7.3.23.txz: ... done
[22/53] Fetching php73-session-7.3.23.txz: ..... done
[23/53] Fetching php73-pdo-7.3.23.txz: ...... done
[24/53] Fetching php73-openssl-7.3.23.txz: ........ done
[25/53] Fetching php73-ldap-7.3.23.txz: .... done
[26/53] Fetching php73-json-7.3.23.txz: ... done
[27/53] Fetching php73-hash-7.3.23.txz: .......... done
[28/53] Fetching php73-gettext-7.3.23.txz: . done
[29/53] Fetching php73-filter-7.3.23.txz: ... done
[30/53] Fetching php73-dom-7.3.23.txz: ........ done
[31/53] Fetching php73-curl-7.3.23.txz: .... done
[32/53] Fetching php73-ctype-7.3.23.txz: . done
[33/53] Fetching php73-7.3.23.txz: .......... done
[34/53] Fetching perl5-5.32.0.txz: .......... done
[35/53] Fetching os-dyndns-1.23.txz: .... done
[36/53] Fetching opnsense-update-20.7.4.txz: ........ done
[37/53] Fetching opnsense-20.7.4.txz: .......... done
[38/53] Fetching openssl-1.1.1h_1,1.txz: .......... done
[39/53] Fetching openldap-sasl-client-2.4.51.txz: .......... done
[40/53] Fetching ntp-4.2.8p15.txz: .......... done
[41/53] Fetching nss-3.58.txz: .......... done
[42/53] Fetching nspr-4.29.txz: .......... done
[43/53] Fetching mpd5-5.9.txz: .......... done
[44/53] Fetching libxml2-2.9.10_1.txz: .......... done
[45/53] Fetching libffi-3.3_1.txz: ..... done
[46/53] Fetching json-c-0.15_1.txz: ........ done
[47/53] Fetching isc-dhcp44-server-4.4.2_1.txz: .......... done
[48/53] Fetching isc-dhcp44-relay-4.4.2_1.txz: .......... done
[49/53] Fetching glib-2.66.2,1.txz: .......... done
[50/53] Fetching gettext-runtime-0.21.txz: .......... done
[51/53] Fetching curl-7.73.0.txz: .......... done
[52/53] Fetching ca_root_nss-3.58.txz: .......... done
[53/53] Fetching syslog-ng329-3.29.1_2.txz: .......... done
Checking integrity... done (1 conflicting)
  - syslog-ng329-3.29.1_2 conflicts with syslog-ng327-3.27.1_1 on /usr/local/bin/dqtool
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 54 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
syslog-ng327: 3.27.1_1

New packages to be INSTALLED:
syslog-ng329: 3.29.1_2

Installed packages to be UPGRADED:
ca_root_nss: 3.55 -> 3.58
curl: 7.71.1 -> 7.73.0
gettext-runtime: 0.20.2 -> 0.21
glib: 2.56.3_9,1 -> 2.66.2,1
isc-dhcp44-relay: 4.4.2 -> 4.4.2_1
isc-dhcp44-server: 4.4.2 -> 4.4.2_1
json-c: 0.14 -> 0.15_1
libffi: 3.3 -> 3.3_1
libxml2: 2.9.10 -> 2.9.10_1
mpd5: 5.8_10 -> 5.9
nspr: 4.27 -> 4.29
nss: 3.55 -> 3.58
openldap-sasl-client: 2.4.50 -> 2.4.51
openssl: 1.1.1g,1 -> 1.1.1h_1,1
opnsense: 20.7 -> 20.7.4
opnsense-update: 20.7 -> 20.7.4
os-dyndns: 1.22 -> 1.23
perl5: 5.30.3 -> 5.32.0
php73: 7.3.20 -> 7.3.23
php73-ctype: 7.3.20 -> 7.3.23
php73-curl: 7.3.20 -> 7.3.23
php73-dom: 7.3.20 -> 7.3.23
php73-filter: 7.3.20 -> 7.3.23
php73-gettext: 7.3.20 -> 7.3.23
php73-hash: 7.3.20 -> 7.3.23
php73-json: 7.3.20 -> 7.3.23
php73-ldap: 7.3.20 -> 7.3.23
php73-openssl: 7.3.20 -> 7.3.23
php73-pdo: 7.3.20 -> 7.3.23
php73-session: 7.3.20 -> 7.3.23
php73-simplexml: 7.3.20 -> 7.3.23
php73-sockets: 7.3.20 -> 7.3.23
php73-sqlite3: 7.3.20 -> 7.3.23
php73-xml: 7.3.20 -> 7.3.23
php73-zlib: 7.3.20 -> 7.3.23
py37-Jinja2: 2.10.1 -> 2.11.2
py37-cffi: 1.14.0_1 -> 1.14.3
py37-idna: 2.8 -> 2.10
py37-requests: 2.22.0 -> 2.22.0_2
py37-six: 1.14.0 -> 1.15.0
py37-sqlite3: 3.7.8_7 -> 3.7.9_7
py37-urllib3: 1.25.7,1 -> 1.25.10,1
python37: 3.7.8_1 -> 3.7.9_1
radvd: 2.18_1 -> 2.18_2
rate: 0.9_1 -> 0.9_2
sqlite3: 3.32.3_1,1 -> 3.33.0,1
squid: 4.11_2 -> 4.13
sudo: 1.9.2 -> 1.9.3p1
suricata: 5.0.3 -> 5.0.4
unbound: 1.10.1 -> 1.12.0

Installed packages to be REINSTALLED:
ntp-4.2.8p15 (direct dependency changed: perl5)
rrdtool-1.7.2_4 (direct dependency changed: perl5)

Number of packages to be removed: 1
Number of packages to be installed: 1
Number of packages to be upgraded: 50
Number of packages to be reinstalled: 2

The process will require 3 MiB more space.
[1/54] Upgrading openssl from 1.1.1g,1 to 1.1.1h_1,1...
[1/54] Extracting openssl-1.1.1h_1,1: .......... done
You may need to manually remove /usr/local/openssl/openssl.cnf if it is no longer needed.
[2/54] Upgrading libffi from 3.3 to 3.3_1...
[2/54] Extracting libffi-3.3_1: .......... done
[3/54] Upgrading python37 from 3.7.8_1 to 3.7.9_1...
[3/54] Extracting python37-3.7.9_1: .......... done
[4/54] Upgrading py37-six from 1.14.0 to 1.15.0...
[4/54] Extracting py37-six-1.15.0: .......... done
[5/54] Upgrading py37-cffi from 1.14.0_1 to 1.14.3...
[5/54] Extracting py37-cffi-1.14.3: .......... done
[6/54] Upgrading libxml2 from 2.9.10 to 2.9.10_1...
[6/54] Extracting libxml2-2.9.10_1: .......... done
[7/54] Upgrading sqlite3 from 3.32.3_1,1 to 3.33.0,1...
[7/54] Extracting sqlite3-3.33.0,1: .......... done
[8/54] Upgrading py37-idna from 2.8 to 2.10...
[8/54] Extracting py37-idna-2.10: .......... done
[9/54] Upgrading nspr from 4.27 to 4.29...
[9/54] Extracting nspr-4.29: .......... done
[10/54] Upgrading gettext-runtime from 0.20.2 to 0.21...
[10/54] Extracting gettext-runtime-0.21: .......... done
[11/54] Upgrading ca_root_nss from 3.55 to 3.58...
[11/54] Extracting ca_root_nss-3.58: ...... done
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
[12/54] Upgrading php73 from 7.3.20 to 7.3.23...
[12/54] Extracting php73-7.3.23: .......... done
[13/54] Upgrading py37-urllib3 from 1.25.7,1 to 1.25.10,1...
[13/54] Extracting py37-urllib3-1.25.10,1: .......... done
[14/54] Upgrading perl5 from 5.30.3 to 5.32.0...
[14/54] Extracting perl5-5.32.0: .......... done
[15/54] Upgrading openldap-sasl-client from 2.4.50 to 2.4.51...
[15/54] Extracting openldap-sasl-client-2.4.51: .......... done
[16/54] Upgrading nss from 3.55 to 3.58...
[16/54] Extracting nss-3.58: .......... done
[17/54] Upgrading glib from 2.56.3_9,1 to 2.66.2,1...
[17/54] Extracting glib-2.66.2,1: .......... done
No schema files found: doing nothing.
[18/54] Upgrading curl from 7.71.1 to 7.73.0...
[18/54] Extracting curl-7.73.0: .......... done
[19/54] Upgrading php73-pdo from 7.3.20 to 7.3.23...
[19/54] Extracting php73-pdo-7.3.23: .......... done
[20/54] Upgrading php73-json from 7.3.20 to 7.3.23...
[20/54] Extracting php73-json-7.3.23: .......... done
[21/54] Upgrading php73-hash from 7.3.20 to 7.3.23...
[21/54] Extracting php73-hash-7.3.23: .......... done
[22/54] Upgrading unbound from 1.10.1 to 1.12.0...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[22/54] Extracting unbound-1.12.0: .......... done
[23/54] Upgrading suricata from 5.0.3 to 5.0.4...
[23/54] Extracting suricata-5.0.4: .......... done
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
[24/54] Upgrading sudo from 1.9.2 to 1.9.3p1...
[24/54] Extracting sudo-1.9.3p1: .......... done
[25/54] Upgrading squid from 4.11_2 to 4.13...
===> Creating groups.
Using existing group 'squid'.
===> Creating users
Using existing user 'squid'.
===> Creating homedir(s)
===> Pre-installation configuration for squid-4.13
[25/54] Extracting squid-4.13: .......... done
You may need to manually remove /usr/local/etc/squid/squid.conf if it is no longer needed.
[26/54] Reinstalling rrdtool-1.7.2_4...
[26/54] Extracting rrdtool-1.7.2_4: .......... done
[27/54] Upgrading rate from 0.9_1 to 0.9_2...
[27/54] Extracting rate-0.9_2: ..... done
[28/54] Upgrading radvd from 2.18_1 to 2.18_2...
[28/54] Extracting radvd-2.18_2: .......... done
[29/54] Upgrading py37-sqlite3 from 3.7.8_7 to 3.7.9_7...
[29/54] Extracting py37-sqlite3-3.7.9_7: ........ done
[30/54] Upgrading py37-requests from 2.22.0 to 2.22.0_2...
[30/54] Extracting py37-requests-2.22.0_2: .......... done
[31/54] Upgrading py37-Jinja2 from 2.10.1 to 2.11.2...
[31/54] Extracting py37-Jinja2-2.11.2: .......... done
[32/54] Upgrading php73-zlib from 7.3.20 to 7.3.23...
[32/54] Extracting php73-zlib-7.3.23: ....... done
[33/54] Upgrading php73-xml from 7.3.20 to 7.3.23...
[33/54] Extracting php73-xml-7.3.23: ........ done
[34/54] Upgrading php73-sqlite3 from 7.3.20 to 7.3.23...
[34/54] Extracting php73-sqlite3-7.3.23: ........ done
[35/54] Upgrading php73-sockets from 7.3.20 to 7.3.23...
[35/54] Extracting php73-sockets-7.3.23: .......... done
[36/54] Upgrading php73-simplexml from 7.3.20 to 7.3.23...
[36/54] Extracting php73-simplexml-7.3.23: ......... done
[37/54] Upgrading php73-session from 7.3.20 to 7.3.23...
[37/54] Extracting php73-session-7.3.23: .......... done
[38/54] Upgrading php73-openssl from 7.3.20 to 7.3.23...
[38/54] Extracting php73-openssl-7.3.23: ....... done
[39/54] Upgrading php73-ldap from 7.3.20 to 7.3.23...
[39/54] Extracting php73-ldap-7.3.23: ....... done
[40/54] Upgrading php73-gettext from 7.3.20 to 7.3.23...
[40/54] Extracting php73-gettext-7.3.23: ....... done
[41/54] Upgrading php73-filter from 7.3.20 to 7.3.23...
[41/54] Extracting php73-filter-7.3.23: ........ done
[42/54] Upgrading php73-dom from 7.3.20 to 7.3.23...
[42/54] Extracting php73-dom-7.3.23: .......... done
[43/54] Upgrading php73-curl from 7.3.20 to 7.3.23...
[43/54] Extracting php73-curl-7.3.23: ....... done
[44/54] Upgrading php73-ctype from 7.3.20 to 7.3.23...
[44/54] Extracting php73-ctype-7.3.23: ....... done
[45/54] Upgrading opnsense-update from 20.7 to 20.7.4...
[45/54] Extracting opnsense-update-20.7.4: .......... done
[46/54] Reinstalling ntp-4.2.8p15...
[46/54] Extracting ntp-4.2.8p15: .......... done
[47/54] Upgrading mpd5 from 5.8_10 to 5.9...
[47/54] Extracting mpd5-5.9: ......... done
[48/54] Upgrading isc-dhcp44-server from 4.4.2 to 4.4.2_1...
===> Creating groups.
Using existing group 'dhcpd'.
===> Creating users
Using existing user 'dhcpd'.
[48/54] Extracting isc-dhcp44-server-4.4.2_1: .......... done
[49/54] Upgrading isc-dhcp44-relay from 4.4.2 to 4.4.2_1...
[49/54] Extracting isc-dhcp44-relay-4.4.2_1: ....... done
[50/54] Upgrading json-c from 0.14 to 0.15_1...
[50/54] Extracting json-c-0.15_1: .......... done
[51/54] Deinstalling syslog-ng327-3.27.1_1...
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
[51/54] Deleting files for syslog-ng327-3.27.1_1: .......... done
[52/54] Installing syslog-ng329-3.29.1_2...
[52/54] Extracting syslog-ng329-3.29.1_2: .......... done
[53/54] Upgrading os-dyndns from 1.22 to 1.23...
[53/54] Extracting os-dyndns-1.23: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Configuring system logging...done.
#3
Okay, I increased the logging level for the tunnel up to 7, but still it won't show me which cipher the SmartFlex router is trying to use...
#4
Okay, a couple of things, I scrapped the X.509 stuff and went for pre-shared key only. Then I noticed that I had forgotten to open the new port in the FW (doh!). After fixing all that, now I get these new, but essentially worthless log messages in the OpenVPN log.

openvpn[42379]: Authenticate/Decrypt packet error: cipher final failed

After some googling I've managed to find out that it's probably a cipher mismatch somewhere, but now I have the fun task of trying to find that. The 4G router doesn't seem to offer much better logging than a combined syslog, and it doesn't show any errors. And OPNsense doesn't tell me more than the error above.
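For the mismatch hunt described in the post above, an added example (not part of the original post and not OPNsense or router code): it compares the settings that both ends of a static-key OpenVPN tunnel must agree on, going beyond the cipher alone to cover auth digest, compression and key direction. The two config texts, the `static.key` file name and `vpn.example.net` are constructed placeholders, and the fallback values are assumed to be the OpenVPN 2.3 defaults.

```python
import re

# Directives both peers must set identically, mapped to the value OpenVPN 2.3
# uses when the line is absent (assumed version; None means "feature off").
MUST_MATCH = {"proto": "udp", "cipher": "BF-CBC", "auth": "SHA1",
              "comp-lzo": None, "tun-mtu": "1500"}

def parse(text):
    """Return {directive: [args]} for OpenVPN config text, dropping comments."""
    opts = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def effective(opts, name):
    """Value a peer ends up using for `name`, explicit or defaulted."""
    if name not in opts:
        return MUST_MATCH[name] or "(unset)"
    value = " ".join(opts[name]) or "(no argument)"
    if name == "proto":
        value = value.split("-")[0]   # tcp-server and tcp-client pair up
    return value.upper() if name in ("cipher", "auth") else value

def key_direction(opts):
    """Optional direction argument of a static key: `secret <file> [0|1]`."""
    args = opts.get("secret", [])
    return args[1] if len(args) > 1 else None

def compare(a_text, b_text):
    """List (directive, value_a, value_b) for every setting that disagrees."""
    a, b = parse(a_text), parse(b_text)
    found = [(n, effective(a, n), effective(b, n)) for n in MUST_MATCH
             if effective(a, n) != effective(b, n)]
    da, db = key_direction(a), key_direction(b)
    # Directions must be omitted on both ends or be 0 on one and 1 on the other.
    if {da, db} not in ({None}, {"0", "1"}):
        found.append(("key-direction", da, db))
    return found

# Constructed sample configs, not taken from the post.
SERVER = """dev tun
proto udp
ifconfig 192.168.6.1 192.168.6.2
secret static.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
"""
CLIENT = """dev tun
proto udp
remote vpn.example.net 1195   # placeholder hostname
ifconfig 192.168.6.2 192.168.6.1
secret static.key
; no cipher or auth line, so this peer falls back to its built-in defaults
"""

if __name__ == "__main__":
    for name, a, b in compare(SERVER, CLIENT):
        print(f"{name:14} server={a}  client={b}")
```
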
#5
Okay, this is a bit noob from my side on so many levels, I'm clearly a bit too unfamiliar with OpenVPN to figure this out on my own, but here goes;

I have a 4G router (B+B SmartFlex to be exact) that I would like to tunnel site to site back to my home OPNsense FW.
I have the following limitations;
- 4G Router only gets a private IP from the carrier, aka. I can't use IPsec
- My ISP only gives me a dynamic IP so I'm using DynDNS on the OPNsense side

These limitations force me into OpenVPN, and this is where it gets a bit hairy.

I've managed to get the TLS side working (I think). The router only supports 4 different auth modes for OpenVPN: pre-shared secret, username/pass, X.509 client and multiclient, and the OPNsense wizard mode (TLS+username/pass) is not one of them.

The network setup so far;

OPNSense LAN 192.168.1.0/24
4GRouter LAN 192.168.2.0/24

Both the OPNsense and the router are at .1 in their respective subnets

The idea is to make everything in subnet 192.168.2.0/24 accessible from any IP in subnet 192.168.1.0/24 and vice versa.

In OPNsense I've configured a functioning VPN using the wizard, and now I've created a second server using the same CA but on port 1195 and Peer-to-Peer

I've set the following settings;

OPNsense:
Peer-to-Peer
UDP
tun
WAN
1195

IPv4 Tunnel Network: 192.168.6.0/24
Local Network: 192.168.1.0/24
IPv4 Remote Network: 192.168.2.0/24
Redirect gateway: no

On the 4G router I have the following settings;

Protocol: UDP
Port: 1195
Remote IP Address: <dnsname of OPNsense WAN>

Remote Subnet: 192.168.1.0
Remote Subnet Mask: 255.255.255.0
Redirect gateway: no
Local Interface IP Address: 192.168.6.2
Remote Interface IP Address: 192.168.6.1

Auth Mode: X.509 client
Pre-shared secret: <OpenVPN 2048-bit TLS Key for the Server>
CA Cert: <Cert for OPNsense CA>
Local Cert: <User Cert>
Local Private Key: <User Private Key>


Now, I've gotten it so far that I don't a) get any errors in the TLS part, but now I get this on the router side;
2016-11-14 22:07:00 openvpn[4706]: SIGUSR1[soft,tls-error] received, process restarting
2016-11-14 22:07:10 openvpn[4706]: Control Channel Authentication: using '/var/openvpn/secret1.pem' as a OpenVPN static key file
2016-11-14 22:07:12 openvpn[4706]: TUN/TAP device tun0 opened
2016-11-14 22:07:12 openvpn[4706]: /sbin/ifconfig tun0 192.168.6.2 pointopoint 192.168.6.1 mtu 1500
2016-11-14 22:07:12 openvpn[4706]: UDPv4 link local (bound): [undef]
2016-11-14 22:07:12 openvpn[4706]: UDPv4 link remote: [AF_INET]<OPNsense Public IP>:1195
2016-11-14 22:09:12 openvpn[4706]: TLS Error: TLS key negotiation failed to occur within 120 seconds (check your network connectivity)
2016-11-14 22:09:12 openvpn[4706]: TLS Error: TLS handshake failed
2016-11-14 22:09:12 openvpn[4706]: /sbin/ifconfig tun0 0.0.0.0

I've tried almost everything by now and I'm all out of ideas!
#6
Cheers Mate!
#7
Also, this was in firmware 16.7
#8
When trying to configure a DynDNS client for Namecheap the config page won't accept an empty username even though the help hints at NameCheap not requiring a username. Functioning workaround is to just write something random as the username, for me a single a worked just fine.
#9
I'm trying to set up a rule to NAT traffic on port 32400 to an internal IP that runs the Plex Media Server. For some reason I seem to get the port open but the Plex cloud service refuses to accept that it can access the Plex server on that port, leading me to believe that something is wrong with my NAT. That I'm unfamiliar with OPNsense (just switched from pfSense) and that the Plex "port forwarding guide" isn't very well written might have something to do with it.

So far I've figured out the following;
Plex seems to use TCP and UDP, since they vaguely hint at making two NAT rules, one for UDP and one for TCP. As there is only one port I gather they both use the same port number, and as such a NAT rule with the protocol set to tcp/udp should work?

On the NAT rule page I've set the following options;
Disabled: No
No RDR: No
Interface: WAN
TCPIP: IPv4
Protocol: TCP/UDP

I left the advanced source settings alone

Destination / Invert: No
Destination: Any
Destination Port: From: Other 32400 To: Other 32400
Redirect target IP: <local IP of Plex Box>
Redirect target port: 32400

NAT reflection: Use system default
Filter Rule: Add associated rule

What have I messed up?