Messages

Understood. But how does the cable (there must be one) from the street connect to the "router + ont Huawei" ?

Yes, a fiber optic cable runs from the street to the Huawei router+ont Huawei (it is an all-in-one device), and then I have to run a 15 cm cable from the Huawei router to the OPNsense device.

That clear now.
OPN then on the DMZ is one way of doing things. I think fritboxes force this setup too but I am not certain.
One thing to check however. If your ISP leaves an electrical terminating device on the wall and it is an Ethernet cable from it to the current Huawei, you could in theory plug it instead onto the WAN of your OPN device directly. No Huawei in the chain.
Electrically is the same. The difference is whether your ISP requires authenticating details to establish a connection and those are hard set on the Huawei.
If that is the case and you can get them and transfer them to OPN WAN settings, you're set.

My ISP provides the fiber optic cable from the street to the router + ont Huawei, then I have to connect from a RJ45 port Huawei to OPNsense.

pesky ISP updates. I'm glad you got to the bottom of it.
Out of interest though. You say your ISP gives you a device running OPNSense as your ONT. Are you sure about that?

My ISP provided me with a very basic Huawei router which is an all in one, ONT + Router, and I had to activate the DMZ and then put another device for the OPNsense. Tomorrow I will contact my ISP to see if they can provide me with a dedicated ONT, or provide me with the communication data between OLT and ONT and buy a configurable ONT myself.

@viragomann @cookiemonster
I was able to fix the problem. The problem was that the ISP router had a factory reset for some reason, and the DMZ had disappeared. Once activated, everything worked, although in opnsense the internal IP address provided by the ISP router still appears. I will have to look for a universal ONT to solve this "problem". Thank you very much for your patience with your troubleshooting ideas.

Yes, but your public IP is assigned to the ONT, while OPNsense behind it has a private IP as your screenshots show.
So your ONT is a router in fact.
This is an essential information.

So first of all you have to forward the traffic on the outer router (ONT) to OPNsense. Have you even done this?

The router/ONT It has a specific configuration to put it in bridge mode which is how it currently is, and all traffic is redirected to opnsense. It will be a year or so now that it has been running like this.

Unless I read this wrong, you seem to be in a double NAT scenario AND you have two OPN routers in series i.e. one behind another.
I'm going to let someone else chime in but in short, you need to then read up on double NAT, see if your second OPN has blocked private networks on the WAN interface settings at the minimum. Is it possible to have only one OPN in place?
p.s. I'm not going to be able to help much in a OPN behind OPN scenario

Oh no, I only have an opnsense and the ONT. And yes, it has been a lack of information on my part, because at no time had I reported that I had an ONT AND OPNsens, I had automatically deduced that it was something unimportant. Sorry for all this time.

Respectfully, this makes no sense yet. Your ISP can not give you an ip of 192.168.1.200; that is an internal ip address, one in your network(s). You will be able to see this in Interfaces > Overview. There you'll have the actual ip issued by your ISP assigned to WAN.
Can you share those assignments with a screenshot? Mask your WAN ip if you're uncomfortable showing it.
To reiterate: port forward from WAN to an internal LAN (regardless of its name) can only be tested from outside.
What I am trying to do is to help you not verify why your torrenting or whatever is not working, but to first verify that your port forward nat and associated rule works. When that happens, you can concentrate in the torrent or whatever.
Why? Because it can be your seeding thing can block your client, can block your ip address, etc.
To this end, I am suggesting to test the port forwards by putting some traffic across the rules to see where they stop. Makes sense?
So if you test NOT from the outside, you haven't proven the rules are the problem.

Hello, good morning.
The IP address 192.168.1.200 is the fixed IP address I assigned to my personal computer, and my ISP provides public IP addresses via DHCP, and I currently have 85.XXX.XX.86. The same company that provides internet also provided me with an OPNsense ONT in front of OPNsense, so OPNsense has an internal IP address on the WAN. But I've always had an ONT regardless of which router I've been using.

Your goal: to reach ports 55432 and plex(plex_port) from the WAN through OPN to the LAN server hosting those ports. That part I get.

The goal is to be able to access an HP ML110 server from the outside, which has the IP address 192.168.10.55, within the internal network called MQL5 (I have other internal networks called LAN and Wifi). And to open the specific port 55432 for qbittorrent and 46837 for plex. These two rules are created in the NAT and automatically on the WAN.

Screenshot above. You seem to have tested from 192.168.1.200. Your target is 192.168.10.55 so that is not a test _through_ the WAN, so it won't test the NAT port forward. So unless you are trying to test another intra-interface flow, I'm not sure it helps.

What's shaded in the screenshot is my IP address provided by my ISP, and I've run the command with that IP address along with port 55432, but since I'm no expert, I've probably done it wrong.

The screenshot with the Live view with most blue lines. Those are all OUT flows from 192.168.10.55 and others. They suggest going out to WAN, that's expected. You haven't included or I can't see more than that i.e. destination. However, they seem to be redirected. I was not expecting that. Why would the flow OUT be redirected? Do you have other NAT or outbound rules perhaps?

And regarding this last question, as I indicated in the first answer, there are two NAT rules created; I have no other rules. I've also disabled the DNS Blacklist, but I don't think this affects the problem I'm having. I'm attaching another screenshot of the live view, in case you can glean anything. Thank you.

ok that clears that. Right back where we were then. Is good.
So, are the rules now working correctly and the traffic hitting your server?

I can see it's not working because qbittorrent keeps telling me the ports aren't open, and I've restarted the software and the server. Like PLEX, it still tells me there's no external access. I don't know where the real solution is.

Well, I've disabled all the rules I created in the MQL5 network (except the one created by default when the network is created) and I still don't have access. The WAN rules were created correctly when the NATs were created. Something higher up couldn't access them. I've tried it with PowerShell, but it won't let me. I've also used an online service to test the port, but it says it's closed, and I've tried 80 and 8080, and it says they're also closed. I'm not sure I can trust this online test, but hey... It might indicate something.

ok that clears that. Right back where we were then. Is good.
So, are the rules now working correctly and the traffic hitting your server?

I can see it's not working because qbittorrent keeps telling me the ports aren't open, and I've restarted the software and the server. Like PLEX, it still tells me there's no external access. I don't know where the real solution is.

These seem internal when you say seem fine. You said WAN so far when taking about port forwarding "from outside". I'm beginning to wonder:
1) is your WAN on a public IP, routable on the internet, or is your WAN on an RFC1918 ip?
2) are you trying to port forward between internal networks i.e from LAN1 to LAN2 ?

My IP address is public, provided by my Internet Service Provider. And regarding the port forwarding you mentioned, I only want to open the ports to the outside, not between internal networks.

Ok, a couple of things for this diagnostic.
First, the general logging of rules, including NAT:

Second, these settings can be overriden on a per-rule basis. So you need to check if your NAT rule has enabled or disabled logging:

With logging enabled for these NAT rules, you can see the Live view if they appear and are blocked/dropped/allowed. That is Firewall > Log files > Live View.

In the live view, everything seems to be fine, although I don't know how to apply the block or pass filters. The problem is that the Qbittorrent software keeps showing me the orange symbol, indicating that there are no open ports.

Some folks really prefer full control of their rules and that means having these disabled as you have. These are the defaults: https://docs.opnsense.org/manual/firewall_settings.html#network-address-translation

The "best" course of action would be to use that document to identify the problem.
Alternatively you could consider recreating them but with the first checkbox enabled.

I suggest if you do, to make a note of exactly how you have them setup, both NAT and pass/block rules.
Then enable (tick) the first one of this list. Then recreate the NAT rules, which will create the required associated rules, unless you specifically disable it when recreating the port forward rule.

p.s. What do you have in your port forward rule for association?
NAT reflection and  Filter rule association - note please I might not understand what it says if in another language.
Mine are "Use system default" which in my case is "Reflection for port forwards" = ticked; "Automatic outbound NAT for Reflection" = ticked.
These are not what you have at the moment. Yours are disabled as per your screenshot.

Hello, good afternoon. I've checked the two boxes you mentioned in Advanced, and I've deleted and recreated the rule. Then, within the diagnostics, there's a section I can't understand when I open the drop-down menu. Several options appear that I'm not familiar with, and I don't know if they indicate whether the rule is working or not. Although I think it's still not working.

All seems as it should.
As viragomann said, see in the live logs of the firewall that they are blocked or allowed. Then be sure the receiving server is not blocking the traffic.
Last resort is to recreate the NAT rule, and verifying the setting from Firewall: Settings: Advanced that you have automatic reflection for port forwards (which I think you have).

Hello, good morning. You're referring to the first checkbox in this setting, and in my case, it's disabled by default. I haven't touched anything in this section. Should I enable it then?

thanks - those attachment are very small, you're killing my eyes! :)
Can you show the Rules on WAN please, those are the linked ones from the port forwards that we need to check.

Hello, good morning. It's probably because I open the screenshots from a 4K monitor and they look fine, but they may appear smaller on other computers. Sorry. I'm attaching the screenshot of the WAN rules.