Messages

I am sorry, but due to sudden family issues I'll have to shelf this issue for now.
Thanks for both your help sofar, I'm learning a lot about firewalls, and OPNsense specifically. Will continue as soon as that becomes possible

@meyergru:
When I curl from my local LAN
- to LAN IP: curl http://192.168.1.229:8443 I get 'curl: (1) Received HTTP/0.9 when not allowed' and socat shows me:

GET / HTTP/1.1\r
Host: 192.168.1.229:8443\r
User-Agent: curl/7.81.0\r
Accept: */*\r
\r
< 2025/05/19 15:36:24.000068434  length=82 from=0 to=81
GET / HTTP/1.1\r
Host: 192.168.1.229:8443\r
User-Agent: curl/7.81.0\r
Accept: */*\r
\r

- to WAN IP: curl http://<external IP>:8443 nothing happens

Unfortunately I have no clue what the first respons (and the respons from socat) means

@cookiemonster:
Sorry, to much of a newbie to understand what 'could you be missing the traffic in your live firewall somehow (wrong filters maybe, rule not logging, etc.) and be NC the one blocking?' means. I did check Live View under Log Files, filtered for port 8443. Nothing showed up.
As far as reverse proxies and Nextcloud go; I first tried to used a docker version of Nextcloud AIO with the os-caddy plugin. Couldn't get that to work. Then just tried to use traefik (no os-caddy) with the nextcloud AIO docker container. That didnt work either. As I wasn't sure where to look for the cause of the issue, I stopped trying to get Nextcloud to work and focussed on just trying to get the port issue sorted by testing with socat. No reverse proxie or Nextcloud involved.
I'll be happy to include a screenshot of the OPNsense setup if you let me know what I should show you

Thanks for the very fast reply.

1: I started using Socat only after having issues reaching my Nextcloud AIO install. Given that, I'm guessing Socat is working oké.
2: I'm not really a Proxmox expert, but the Proxmox firewall has no rules configured. Maybe more relevant; the VM I'm having the issue with has more services running via docker, Like SearXNG, Vaultwarden and Jellyfin. All are accessible from the outside. Also other services on other VM's like Plex (not in Docker) are working fine.
3: My OPNsense box is connected directly via the PON from my provider. Dashboard → Interfaces → WAN shows me the correct external IP address. Running 'curl ifconfig.me' on the Ubuntu server also shows the correct external IP addres. As far as I understand this means no double NAT. Since I'm really a newbie, I hope thats correct.
4: I have an external VPS running (also an Ubuntu server, UFW disabled) and tried 'curl http://<my external IP>:8443', unfortunately same result as via 5G; nothing.
5: none.

I'm still thinking there is something I'm doing wrong. I also tried using AI to help me diagnose this, but ran into limitations. Appreciate your help!
I was thinking about using Cloudflare tunnels, but as I understand is, that would circumvent OPNsense. Probably not the safest option.

Thanks for the reply. Unfortunately, thats not the issue; ufw is currently disabled on that VM. Still stumped, currently thinking about setting up a new VM to see if that  has the same issue.

I'm running the latest version of OPNsense on a MiniPC, directly connected to a PON from my ISP. It's working fine.

I'm now trying to set up port forwarding to a local Ubuntu 24.04 server at IP 192.168.1.229 (a VM running on Proxmox). I want to run Nextcloud AIO in Docker on that server. Docker is already running, and other services like SearXNG and Vaultwarden are working well. But in this case, I can't get it to work—it seems (I'm not a networking specialist, this is just a hobby) that port forwarding isn't functioning. I'm probably overlooking something or made a silly mistake.

I created a port forwarding rule as shown in the screenshot "Port Forwarding NextcloudAIO.png". The alias NextcloudAIO in the "Redirect target IP" field points to 192.168.1.229. Additionally, a floating rule was created, as shown in "Firewall Floating Nextcloud AIO rule.png".

On the Ubuntu server, to keep testing simple, I installed socat, which is listening for incoming traffic on port 8443 using:

socat -v TCP-LISTEN:8443,fork EXEC:/bin/cat

Then, on an external PC connected via 5G, I run:

curl http://<my external IP>:8443

But nothing happens. Even when I check Firewall > Log Files > Live View in OPNsense and filter by the IP address of the 5G connection or filter on port 8443, I don't see any traffic coming in.
What am I missing or doing wrong? Any help is greatly appreciated!

Ik heb de laatste versie van OPNsense draaien op een MiniPC, direct aangesloten op een PON van mijn provider. Werkt prima.
Ik probeer nu port forwarding op te zetten naar een lokale Ubuntu 2404 server op IP 192.168.1.229 (een VM op Proxmox). Ik wil daar Nextcloud AIO in een docker draaien. Docker loopt al op die server en andere services zoals SearXNG en Vaultwarden werken goed. Ik krijg in dit geval het niet voor elkaar en 't lijkt (ik ben geen netwerkspecialist, dit is een hobby) erop dat de port forwarding niet werkt. Waarschijnlijk zie ik iets over het hoofd, of heb ik iets stoms gedaan.

Ik heb een port forwarding aangemaakt zoals getoond in screenshot 'Port Forwarding NextcloudAIO.png'(het alias NextcloudAIO bij 'Redirect target IP' verwijst naar 192.168.1.229.
Daarbij is een Floating Rule gecreëerd zoals te zien is in screenshot 'Firewall Floating Nextcloud AIO rule.png'

Op de Ubuntu server heb ik, om het testen simpel te maken, socat geinstalleerd, die met

Code Select Expand

socat -v TCP-LISTEN:8443,fork EXEC:/bin/cat luistert naar binnenkomend verkeer op poort 8443

Op een externe PC, verbonden via 5G, draai ik vervolgens

Code Select Expand

curl http://<mijn externe IP>:8443
En dan gebeurt er niets. Ook als ik in OPNsense onder Firewall - Log Files - Live View filter op het IP adres van die 5G verbinding of op poort 8443 zie ik geen verkeer.
Wat zie ik over het hoofd of heb ik verkeerd ingesteld? Alle hulp zeer welkom!

Hi Monviech,
Thanks for the blazing fast reply (under 6 minutes, must be a record  ;D)

The only change I can think of is that before that release, tls_insecure_skip_verify was falsely attached to Handlers set to "http". Since the current release, you must choose "https" and then you can check that checkbox (if you need it).

This was it! For some reason I had set the Handlers to use http. Mea culpa. Changed them to https and now everything works again.

I' ve been running OPNsense for a couple of monthes now an have been using Caddy for a while. Thanks to help from Monviech, Caddy ran fine, but since my update to 24.7.10 Caddy seems to be out of order.

The widget itself shows no errors, but going to the configured URL's now shows error 400 for the domains accessible from the outside and error 502 for the OPNsense URL.

While searching this forum I found: https://forum.opnsense.org/index.php?topic=44440.0.
However, I'm not sure this applies to me as I have no wildcard domains configured

In var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory I have several folders

Configured domain: name1.domain.nl
Folder: name1.domain.nl

Configured domain: name2.domain.nl
Folder: name2.domain.nl

etc.

Am I overlooking something?
If I need to post more details; please advise.

That worked brilliantly! Thanks again for the help!
I'll close this thread as my issue with port forwarding has been fully resolved.

I'll either ask any of the other questions about OPNsense that are sure to follow either in Dutch in this forum or in de English forum where traffic is heavier.

[Interface]

My apologies, first I made the mistake of writing in English in a Dutch subforum, and then I assumed that you must be Dutch, although you replied in English.

Again thanks for the help and the excellent documentation. When I set up port forwarding I looked at hairpin NAT, but couldn't get it to work, and then forgot about it  ::)

I still cannot get it to work though. Since I do not have a DMZ I set it up like this

Interface: LAN (as I don't have a DMZ and the Plex server is of course on the LAN)

Protocol: TCP

Source Address: 192.168.1.0/24

Source port: Any

Destination Address: Plex (an alias for 192.168.1.14. However, when I don't use the alias and type the IP address, that address is changed into 192.168.1.0/24 after saving.)

Destination Port: 32400

Translation / Target: 192.168.1.254 (As a gateway on the LAN seemed to be needed, I created a LAN gateway in System - Gateways - Configuration. See screenshot for details

I'm sorry for the newbie questions. I was reminded by this post https://forum.opnsense.org/index.php?topic=39556.0 (sorry, In German) that a basic knowledge of networking should be present before starting out with OPNsense. However, for me this is a hobby, and I do learn a lot from answers by people like you.

Oké, ik ben officieel een sukkel.
Port forwarding werkt wél. Ik heb er bij het testen geen moment aan gedacht om te testen buiten mijn eigen netwerk. Ik opende een browser en ging naar https://<URL van Plex server>:32400 en kreeg een time-out. Het is niet bij me opgekomen dat dit niet de juiste manier van testen was, omdat dit bij de vorige firewall (Arista) gewoon werkte.

Vanochtend had ik een brainwave en teste via een 4G hotspot. Werkte meteen. Pfff.. Ik heb geen idee waarom de URL op mijn eigen netwerk een time-out geeft, maar da's iets voor een andere thread

@Monviech Dank voor de uitgebreide hulp en de uitstekende handleiding!

Allereerst excuses; ik ben zo gewend dat op fora Engels wordt gebruikt, dat ik dat op dit Nederlandse deel van het forum ook deed. Vanaf nu Nederlands.

Dank voor de link naar de instructies!

Wat bij mij afwijkt van de 'norm' is dat ik internet heb via Odido. Odido verlangt bij het gebruik van z'n diensten het inzetten van VLAN's: https://community.odido.nl/thuisnetwerk-539/eigen-modem-wat-zijn-de-vereisten-339306. Wat ik heb gedaan is een VLAN gemaakt, zie bijlage vlan.png, en die toegewezen aan [WAN] bij Interfaces - Assignments. Zie assignments.png. Daarna had ik prima internet verbinding.

Dan de instructies.
Ik heb alle al gemaakte firewall rules en port forward's verwijderd en heb methode 1 geprobeerd. Ik ben daarbij uitgegaan van het bereikbaar maken van de Plex Media Server. Deze draait op 192.168.1.14 op mijn netwerk. Als ik in een browser naar 192.168.1.14:32400 ga kom ik keurig op de Plex server uit.

Bij Firewall - Settings - Advanced
Hier stonden alle genoemde opties al uit.

Bij Firewall - NAT - Port Forward
Ik heb geen DMZ, dus ik heb de regels als volgt ingevoerd

Interface: LAN, WAN
Protocol: TCP
Source: Any
Source port range: Any
Destination: <externe IPadres> zoals dat wordt weergegeven in het dasboard bij WAN (en in bij ipchicken.com)
Destination port range: 32400
Redirect target IP: 192.168.1.14
Redirect target port: 32400
Description: Reflection NAT Rule Plex 32400
NAT Reflection: Use system default
Filter Rule Association: Add associated filter rule

Nadat ik op Save heb geklikt en op Apply zie ik bij Firewall - NAT - Port Forward en bij Firewall Rules- Floating de situatie zoals in de bijlages.

Helaas: Als ik nu in de browser naar <extern IPadres>:32400 ga krijg ik nog steeds een time-out

Zie ik nog iets over het hoofd? Gooit de manier waarop ik een VLAN heb ingezet roet in het eten?
Alvast weer dank voor alle hulp!

Thanks fo the reply!
I changed the Source and Soure Port range. Unfortunately, this did not change anything. I still do not get to the Plex server.
Is there anything else that could cause this issue?

I've tried to follow different tutorials/explanations I found online. They do differ, though. This one https://www.wundertech.net/how-to-port-forward-in-opnsense/ and this one https://www.youtube.com/watch?v=i546YF91dHk tell me to use 'WAN address' as Destination.
This one https://www.youtube.com/watch?v=UI5tO1hP2q8&t=1496s tells me to use LAN address as Destination. All for port forwarding to an internal IP address as far as I can tell

Is there any definitive guide for portforwarding in OPNsense 24, aimed at newbies such as myself?

I'm completely new to OPNsense, just came from Arista NG, who are throwing their Home-users out.
So, apologies if this is a very newbie question

I've installed OPNsense on a miniPC, internet is running fine. I would like to make my Plex Media Server, running on a VM, available to the outside.
I've tried to follow tutorials / YT videos, but I think I'm still missing something.

- Ping to <URL of Plex server> points my external IP address

- Online port check shows that port 32400 is open

- <internal IP addres>:32400 shows PMS is running fine

- Firewall - NAT - Port forward
   Interface: WAN
   TCP/IP Version: IPv4
   Protocol: TCP
   Source: Advanced
   Destination: WAN address
   Destination port range: from 32400 to 32400
   Redirect target IP: Single host or network; <internal IP address>
   Redirect target Port: 32400
   Pool options: Default
   NAT Reflection: Use system default
   Filter rule association: Pass

- Firewall - Rules - WAN
   Action: Pass
   Interface: WAN
   Direction: in
   TCP/IP version: IPv4
   Source: WAN address
   Source port range: from 32400 to 32400
   Schedule: none
   Gateway: default

This does not seem to work; <URL of Plex server>:32400 leads to a time out. Am I overlooking something or doing something stupid?
To quote my robot vacuum; 'I'm stuck, please help'.