Messages - KILLERMANTV

#1
Quote from: Maginos on August 17, 2022, 07:37:22 AM
Quote from: KILLERMANTV on August 16, 2022, 08:15:58 PM
First of all,
1. Are you connecting OPNsense to the EdgeRouter or directly?
2. Have you tried using the same MAC address on the OPNsense as on the EdgeRouter? (Useful if the landlord gives you an IP with DHCP.)
3. For the "Block private networks" and "Block bogon networks" part, you need to treat it the same as if you had an ISP providing you internet through DHCP within a subnet with other, probably compromised, hosts. You usually disable these two options only if you have internal OPNsenses routing between your subnets.

1. Right now I have the Sense connected to the Edgerouter, but in the future, the Sense should replace the Edgerouter.

2. The IP I get from my landlord is static, so it's always the same. I didn't try with the same mac address.

3. Since I have the Sense behind my Edgerouter, I think I need these two options, if I understand it correctly.

3. If you have your EdgeRouter in bridge mode (no firewall), you effectively have a beefy switch: all the hosts on the next network can access your subnet. Both my ISPs gave me their devices in bridge mode, and I regularly see nmap and other tools trying to scan my network from the ISP's subnet. The options you turned off block anything trying to enter your subnet except established connections.
#2
Quote from: pmhausen on August 17, 2022, 03:30:41 PM
It's less relying on builtin "magic" and in my opinion easier to understand when reviewed. So I would prefer two separate rules with the "XYZ address", too.

Thank you for your response, I changed it to separate rules.
#3
Quote from: nzkiwi68 on August 17, 2022, 01:05:06 AM
Port forwards are for hosting something on your network and publishing it on the internet.

Example, you have a web server inside your network on your LAN, on IP address say 192.168.1.1

I would make 2 NAT port forwards, one for each WAN, if you wanted HTTP traffic inbound like this and enable sticky connections:


firewall -> NAT -> port forward:
       port forward rule:
              interface - wan1
              Proto - TCP
              Source - any
              Source port - any
              destination - This Firewall
              Destination port - HTTP
              Redirect target IP - IP address of the LAN device you want to forward HTTP traffic to (say 192.168.1.1)
              Redirect target port - HTTP
              NAT reflections - use system default
              Filter rule association - Add associated filter rule


firewall -> NAT -> port forward:
       port forward rule:
              interface - wan2
              Proto - TCP
              Source - any
              Source port - any
              destination - This Firewall
              Destination port - HTTP
              Redirect target IP - IP address of the LAN device you want to forward HTTP traffic to  (say 192.168.1.1)
              Redirect target port - HTTP
              NAT reflections - use system default
              Filter rule association - Add associated filter rule

Thank you for your post; it solved my problem.

The trick was setting the Destination to This Firewall (wan_group net somehow only worked for the PPPoE WAN) AND setting the interface to wan1 + wan2, not wan_group.

I have set up the port forward rule with:
interface -> wan1 wan2
destination -> this firewall
the rest is the same

My question is whether having 2 rules, one for each WAN, is best practice/more secure than having one rule?
#4
Quote from: axsdenied on August 17, 2022, 05:43:18 AM
Quote from: KILLERMANTV on August 16, 2022, 07:59:44 PM
2. Only the Destination field is using wan group net,

Destination port range + Redirect target port are using an alias (type -> Port(s)) with ports as values
Redirect target IP is using an alias (type -> Host(s)) with machine's LAN IP

Why would the directed IP be an alias? That port can only be forwarded to one IP.

It's an alias in case I ever have to change my machine's IP; the alias only contains 1 IP address.
#5
First of all,
1. Are you connecting OPNsense to the EdgeRouter or directly?
2. Have you tried using the same MAC address on the OPNsense as on the EdgeRouter? (Useful if the landlord gives you an IP with DHCP.)
3. For the "Block private networks" and "Block bogon networks" part, you need to treat it the same as if you had an ISP providing you internet through DHCP within a subnet with other, probably compromised, hosts. You usually disable these two options only if you have internal OPNsenses routing between your subnets.
#6
2. Only the Destination field is using wan group net,

Destination port range + Redirect target port are using an alias (type -> Port(s)) with ports as values
Redirect target IP is using an alias (type -> Host(s)) with machine's LAN IP
#7
1. If you go to firewall group you can add an interface by adding multiple interfaces.

2. To my knowledge, wan group net is the subnet that is provided by the ISPs, and the PPPoE WAN works with this setup.
#8
Yep, I already read that.
#9
As sticky connections were on by default, at first I was looking around in the settings with it turned on and trying to troubleshoot it, with no luck. For the sake of your question, I turned it back on with the same setup as described in the first post, and it still didn't work.
#10
Hello,

I have a dual WAN setup with both of the WANs on tier 1 for load balancing. I disabled sticky connections as well, as the websites I use don't care which IP is used. For the dual WAN setup I used the official documentation by OPNsense.

WAN1 is DHCP and WAN2 is PPPoE; port forwarding works like a charm on the PPPoE (WAN2) with the setup below.

However, on DHCP (WAN1) the port forwarding does not work.

My current setup is:
firewall -> group:
      added both wan interfaces into a "wan_group" group
firewall -> settings -> advanced:
       Reflection for port forwards - turned on
       Automatic outbound NAT for Reflection - turned on
       (Sticky connections - turned off as mentioned above)
firewall -> NAT -> port forward:
       port forward rule:
              interface - wan_group
              destination - wan_group net
              pool options - round robin
              NAT reflections - use system default
              filter rule association - rule (can confirm these rules are generated in firewall -> rules -> wan_group)

I also tried making a new port forward rule, the same as the one above but with:
interface - WAN1
destination - WAN1 address, or "Single host or Network" with the IP received from the ISP's DHCP, but it didn't work.
I also tried changing round robin to default, and disabling Reflection for port forwards and Automatic outbound NAT for Reflection, and that also didn't help.

I tried enabling logging on said rule in firewall -> rules -> wan_group and tested it with an external port test website:
- WAN2 did appear in the log and port forwarded successfully
- WAN1 did not appear in the log and did not port forward

I did manage to port forward on WAN1 on MikroTik before I switched to OPNsense.

If hardware is relevant, I use an HP EliteDesk 800 G2 SFF (i7-6700 version with 16 GB RAM, 2x 256 GB SSDs in a ZFS mirror), and LAN + WANs are plugged into an IBM Intel I340-T4 NIC (all hardware offloads disabled due to Suricata on the LAN interface; and yes, I checked the Suricata alerts and there are none for the server I am trying to port forward to).

This is my first time using a BSD-based router (about 4 days now); previously I used MikroTik, where everything worked, but there were barely any ways to use IDS/IPS, and OPNsense already has the ET telemetry version, which I am using.
Sorry if I am missing something; I am still studying networking (mainly Cisco and other platforms I learn by myself + documentation).

Thanks for help :D
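The "external port test website" step above is the one check that separates a missing NAT rule on one WAN from a problem on the internal server. The script below is an added example (not from the thread, not OPNsense code) that reproduces that check from an outside host and classifies the outcome per WAN: a completed handshake, a RST (something answered but nothing listens), or a timeout (the SYN was dropped, which is what a missing or non-matching port forward on that interface looks like). The addresses in WAN_TARGETS are constructed TEST-NET placeholders; the local listener exists only so the probe can be tried without a real WAN.

```python
"""Probe a forwarded TCP port on each WAN address from outside and classify the result.
Added example; WAN_TARGETS holds constructed placeholder addresses."""
import socket
import threading

# Constructed placeholders (RFC 5737 TEST-NET ranges); replace with your public WAN IPs.
WAN_TARGETS = {"wan1": "198.51.100.10", "wan2": "203.0.113.20"}


def probe(host, port, timeout=3.0):
    """Classify what an outside client sees when it connects to host:port.

    'open'     - TCP handshake completed: the NAT rule and the internal service both work.
    'refused'  - a RST came back: something answered, but nothing listens on that port
                 (the forward reaches the host but the service is down, or the firewall
                 itself rejects instead of dropping).
    'filtered' - no answer before the timeout: the SYN was dropped, e.g. no matching
                 port forward / filter rule on that WAN, or an upstream device filtering.
    'error'    - anything else (unroutable address, no network, ...).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        s.close()


def probe_all(targets, port=80, timeout=3.0):
    """Probe every WAN address. A result that differs between WANs points at the NAT
    rule set of that interface rather than at the internal server."""
    return {name: probe(ip, port, timeout) for name, ip in targets.items()}


def start_listener(host="127.0.0.1"):
    """Accept-and-close listener on an ephemeral port so the probe can be exercised
    locally. Returns (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for wan, result in probe_all(WAN_TARGETS).items():
        print(f"{wan}: {result}")
```

Run it from a host that is genuinely outside (a VPS, or a phone on mobile data), not from the LAN: a connection from inside to the WAN address exercises NAT reflection, not the inbound rule on the WAN interface, so it can succeed while the real forward is broken. Probing both WAN addresses back to back, as the thread does with WAN1 and WAN2, is what makes a per-interface rule problem visible.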
#11
General Discussion / Re: Suricata strange behaviour
August 10, 2022, 02:52:53 AM
Well, it appears I had to reset the configuration, and after applying the policy once again it started to work.
#12
General Discussion / Suricata strange behaviour SOLVED
August 10, 2022, 02:19:02 AM
Hello,

I have enabled the ET telemetry version, enabled all their rules, and enabled Suricata in IPS mode on the LAN interface only, watching the correct subnet.

However, the behaviour is kind of strange: I was trying out the P2P ruleset with a torrent and some of the traffic got blocked, but in the "alerts" tab it says action allowed, so I created a policy with these settings:
enabled: yes
rules: all the rules
action: alert
new action: drop
everything else is unchanged in the created policy.

After applying this policy, it still says action "allowed" in the alerts tab.

Thanks for help.
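The policy in this post (match rules whose action is alert, set new action drop) is, in effect, a rewrite of the action keyword on each matching Suricata rule, and the "allowed"/"blocked" value shown in the alerts tab is Suricata's own `alert.action` field from eve.json. The code below is an added example, not OPNsense's policy engine, that does that rewrite on a constructed rule set and then reads constructed eve.json alert records to list signatures that are supposed to drop but still log as allowed, which is the mismatch the post describes. The sample rules and eve records are constructed for the example and are not real ET rules or real logs.

```python
"""Rewrite Suricata rule actions the way an alert->drop policy does, then check
eve.json alerts for rules that should drop but still log as 'allowed'.
Added example; SAMPLE_RULES and SAMPLE_EVE are constructed, not real ET data."""
import json
import re

# Constructed rules in Suricata syntax (sids in the local 9000000+ range).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED P2P client handshake"; flow:established,to_server; classtype:policy-violation; sid:9000001; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 6881 (msg:"CONSTRUCTED DHT ping"; classtype:policy-violation; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED disabled SSH rule"; classtype:attempted-admin; sid:9000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED already dropping"; classtype:trojan-activity; sid:9000004; rev:1;)
"""

# action, header (proto/addresses/ports), then the parenthesised option list.
RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+(?P<header>[^(]*)\((?P<options>.*)\)\s*$")


def option(options, name):
    """Return the value of a `name:value;` keyword from a rule's option string, or None."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*:\s*([^;]*);", options)
    return m.group(1).strip() if m else None


def apply_policy(rules_text, match_action, new_action, classtype=None):
    """Rewrite `match_action` to `new_action` on every enabled rule that matches.

    Mirrors the policy fields from the post (action: alert, new action: drop);
    `classtype` is an optional extra selector. Commented-out (disabled) rules and
    rules whose action already differs are left untouched.
    Returns (rewritten_text, [changed sids]).
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") == match_action and (
            classtype is None or option(m.group("options"), "classtype") == classtype
        ):
            line = new_action + line[len(match_action):]
            changed.append(int(option(m.group("options"), "sid")))
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed eve.json records; Suricata reports alert.action as 'allowed' or 'blocked'.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"event_type": "alert", "src_ip": "192.168.1.50", "dest_ip": "203.0.113.9", "proto": "TCP",
     "alert": {"action": "blocked", "signature_id": 9000001, "signature": "CONSTRUCTED P2P client handshake"}},
    {"event_type": "alert", "src_ip": "192.168.1.50", "dest_ip": "203.0.113.9", "proto": "UDP",
     "alert": {"action": "allowed", "signature_id": 9000002, "signature": "CONSTRUCTED DHT ping"}},
    {"event_type": "flow", "src_ip": "192.168.1.50", "dest_ip": "203.0.113.9", "proto": "TCP"},
])


def eve_actions(eve_text):
    """Map signature_id -> set of actions seen in eve.json alert events."""
    seen = {}
    for line in eve_text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        seen.setdefault(a["signature_id"], set()).add(a["action"])
    return seen


def unenforced(rules_text, eve_text):
    """sids whose rule says drop but whose alerts still show action 'allowed':
    the policy was written into the rule file but is not what the engine runs."""
    drops = set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") == "drop":
            drops.add(int(option(m.group("options"), "sid")))
    return sorted(sid for sid, acts in eve_actions(eve_text).items()
                  if sid in drops and "allowed" in acts)


if __name__ == "__main__":
    rewritten, changed = apply_policy(SAMPLE_RULES, "alert", "drop")
    print("rewritten sids:", changed)
    print("still allowed despite drop:", unenforced(rewritten, SAMPLE_EVE))
```

If `unenforced` returns anything, the rules on disk and the rules Suricata loaded have diverged (the running engine was not reloaded after the policy was applied, or it is in IDS rather than IPS mode, where every action logs as allowed); the post's own resolution, reapplying the policy after a configuration reset, is consistent with the first case.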