Messages - lmstear

#1
Quote from: Benderisgreat on March 07, 2025, 11:09:42 AM
Hi

(Note just updated to 25.1, cross post from 24.7)

Just switched from physical based router and PiHole for my routing/firewall/DNS solution

I have all my routing set up and firewall config ok.

I am now trying to set up port forwards, which on my Asus router was a doddle.

I am currently using Proxmox on a 19" server with 4x Ethernet

1* OPNsense wan
1* OPNsense lan
1* Private servers
1* Internet facing servers

I am using a managed switch which will be used to Vlan the physical ethernet port.

What I want to ultimately have is my internet facing services (game servers, photo servers, wiki etc) on a VLAN isolating from internal servers.

So to try this out I have created a new VM and used the Private server ethernet device. This works and I can reach the new server from inside the network.

I tag the ethernet device with a different Vlan tag and I can no longer see the server.

Now to the port forwarding part:
For all of this I have switched off VLANs and all servers are on the same VLAN.

So I have set a new NAT port forwarding

Interface: wan
TCP: IPv4
Protocol TCP
Destination: wan net
Destination port: from 4444 to 4444
Redirect IP: 192.168.x.y
Redirect port: 88 (listened to by Apache for test)
Nat reflection: enable
Filter rule association: None

And added a new rule
Action: Pass
Quick: True
Interface: wan
Direction: in
TCP: IPv4
Protocol: TCP
Source/Invert: false
Source: Any
Destination/Invert: false
Destination: single host = 192.168.x.y/24
Destination port range: from 88 to 88
No XML: disabled
Gateway: default
Advanced: all default

Now I can see the server from inside the network fine; going to 192.168.x.y:88 takes me to the server.

However, going to my public IP:4444 causes timeout.

I look in the firewall log and can see that my redirect rule has kicked in, that the inbound rule is working (green entry in the firewall log), and that the outbound "let out anything from firewall host itself" rule has kicked in (green entry in the firewall log).
But my device (mobile phone) does not see the server page!

Any thoughts? I have tried lots of different options!

Thanks BiG

The situation I encountered is the opposite of what you did.

In NAT port forwarding:
Interface: wan
TCP: IPv4
Protocol TCP
Destination: wan address
Destination port: from 8888 to 8888
Redirect IP: 192.168.x.y
Redirect port: 8888 (listened to by Apache for test)
Nat reflection: enable
Filter rule association: auto-create a new rule

I can see and visit the server from outside the network fine. It looks good, but inside the network it is inaccessible.
Enabled NAT reflection in the OPNsense firewall settings (advanced); still the same as above.

In your settings, you should change it like this:
Action: Pass
Quick: True
Interface: wan
Direction: in
TCP: IPv4
Protocol: TCP
Source/Invert: false
Source: Any
Destination/Invert: false
Destination: single host = 192.168.x.y/24  ──> 192.168.x.y is an IP address for a host, not a net
Destination port range: from 88 to 88
No XML: disabled
Gateway: default
Advanced: all default
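As an added example (not code from the thread or from OPNsense), a small consistency check for a port forward and its WAN filter rule, modelling the fields shown in the two posts above as plain dicts. It encodes lmstear's point (a "single host" destination must be one address, not a /24 network) together with the fact that pf applies the redirect before filtering, so the filter rule must match the redirected IP and port. The dict keys and the sample address 192.168.10.20 (standing in for 192.168.x.y) are constructed for the example.

```python
import ipaddress


def check_port_forward(nat: dict, rule: dict) -> list[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    if rule["interface"] != nat["interface"]:
        findings.append("filter rule interface differs from NAT rule interface")
    if rule["protocol"].lower() != nat["protocol"].lower():
        findings.append("filter rule protocol differs from NAT rule protocol")
    # Parse "a.b.c.d/nn" while keeping the host bits (ip_network would drop them).
    dest = ipaddress.ip_interface(rule["destination"])
    if rule["destination_type"] == "single host" and dest.network.prefixlen != dest.max_prefixlen:
        findings.append(
            f"single host destination {dest} carries a /{dest.network.prefixlen} mask; "
            f"a host is /{dest.max_prefixlen}")
    if dest.ip != ipaddress.ip_address(nat["redirect_ip"]):
        findings.append("filter rule destination host is not the NAT redirect IP")
    # The redirect runs before filtering, so the rule sees the redirected port,
    # not the public port the client connected to.
    lo, hi = rule["destination_port_range"]
    if not lo <= nat["redirect_port"] <= hi:
        findings.append(
            f"filter rule port range {lo}-{hi} does not include redirect port {nat['redirect_port']}")
    return findings


# Constructed sample mirroring the thread; 192.168.10.20 stands in for 192.168.x.y.
NAT_RULE = {"interface": "wan", "protocol": "TCP",
            "redirect_ip": "192.168.10.20", "redirect_port": 88}
RULE_AS_POSTED = {"interface": "wan", "protocol": "TCP", "destination_type": "single host",
                  "destination": "192.168.10.20/24", "destination_port_range": (88, 88)}
RULE_FIXED = dict(RULE_AS_POSTED, destination="192.168.10.20/32")

if __name__ == "__main__":
    for name, rule in (("as posted", RULE_AS_POSTED), ("fixed", RULE_FIXED)):
        print(name, check_port_forward(NAT_RULE, rule) or ["ok"])
```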
#2
25.1, 25.4 Series / Re: can use the other geoip
June 09, 2025, 12:24:20 PM
Quote from: cookiemonster on June 08, 2025, 01:04:02 AM
To me it is clear that it is not going that far. It's a "connection refused".
What I am not clear on is the flow. OP says he has "created the corresponding geoip file for myself and generated the url through the service on my computer, but Opnsense cannot be used." Sounds like he has downloaded the file, hosted it internally on his network someplace, and what, trying to download it from opn? Strange use case if OPN can get it already from maxmind, no?

Hmm. I could download it on any computer or mobile phone except OPNsense. I think I should use MaxMind,
thanks bro.
#3
25.1, 25.4 Series / Re: can use the other geoip
June 06, 2025, 12:03:17 PM
Quote from: cookiemonster on June 06, 2025, 10:09:27 AM
> I want to use the geoip integrated by myself and generate urls in my computer for other programs to use
The url for maxmind has a section for developers. By looking at that documentation, you could get to understand how to interact programmatically with their database(s). They provide APIs.

Yes. I have created the corresponding geoip file for myself and generated the url through the service on my computer, but OPNsense cannot use it. The error log is:
geoip update failed : HTTPSConnectionPool(host='*****', port=****): Max retries exceeded with url: *****/download/geoip.zip (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x2e0a2bfac90>: Failed to establish a new connection: [Errno 61] Connection refused'))
#4
25.1, 25.4 Series / Re: can use the other geoip
June 06, 2025, 04:19:55 AM
I want to use the geoip integrated by myself and generate urls on my computer for other programs to use.
But as you said, OPNsense can only use MaxMind.

Is there any plan to use geoip that is not MaxMind?
#5
25.1, 25.4 Series / can use the other geoip
June 05, 2025, 12:55:17 PM
OPNsense 25.1.7_4-amd64
Can I use the other geoip's url but not MaxMind?

When I use the other geoip's url, the log shows:
geoip update failed : HTTPSConnectionPool(host='*****', port=****): Max retries exceeded with url: *****/download/geoip.zip (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x2e0a2bfac90>: Failed to establish a new connection: [Errno 61] Connection refused'))