Messages

OPNSense v25.7.2 with OpenVPN server v2.6.14. Full tunnel (Internet trough OPNSense) is configured with Google TOTP and works OK. OpenVPN TUN instance on UDP port 443 with float and persist-remote-ip options is pushing block-outside-dns, register-dns and explicit-exit-notify to clients. Redirect Gateway on instance is set to default. Firewall rules control access to internal resources and Internet correctly.

For some users I would like to set up split tunnel on same OpenVPN instance, so I created client specific overrides with their own network and adequate firewall rules. For those users, access to internal resources works, but Internet is still going trough OPNSense, I cannot get split tunnel for them no matter what option on Redirect Gateway I activate.

Any chance to get split tunnel for specific users trough client specific overrides?

Thanks, the branch is pretty far now implementation wise. Its quite simple, and also optional with an additional button that can toggle that view.
Im sure it will soon be ready to try in a development version.

Excellent. I showed it to the responsible guys in those 2 companies I mentioned before, they loved it, no more objections for the implementation od OPNSense with support as their edge firewall. I guess they will wait until this feature is in official release, but that's it. Great work.

Sorry to revive this topic after so long time, just to give you one example - currently two companies are in the process of choosing new edge firewall (with paid support) and usability is very important to them. I am pushing them towards opnsense, but rule separators are the thing they want because their firewalls have hundreds of rules and, in their opinion, visibility is so much better with separators in pfsense than categories in opnsense. Their 2 cents, not mine :)

Mistery has been solved.

For testing purposes, I was connecting from one of our fixed public IP address, filtering incoming port forwards on OPNSense and other firewalls only for that public IP.

I really started to bang my head when from that public IP, port forward did not work on Fortinet and Mikrotik, same port. Totally different architectures, yet all have the same problem with that damn 57777 port. Impossible.

It turned out that very same public IP I was connecting from and using for testing, already had 57777 forwarded from outside. It prevented outgoing connections for that port.

As soon as I opened briefly NAT on all firewalls for the entire Internet, and tested from few different IPs, everything worked.

Thanks to everyone for help, you are excellent community, OPNSense is still in the run for our new firewall cluster.

Rules are OK.

TCP WAN 52222 ---> LAN 22 work.
TCP WAN 57777 ---> LAN 7777 does not work.
Same rules, different ports.

Must be something stupid and trivial, just can't figure out what.

Show those NAT and firewall rules and we will see if they are 100% correct. Simple as that.

Here they are.

Same thing with pfsense v2.8.0, clean install - TCP port 57777 cannot be forwarded from WAN to LAN test server port 7777.
NAT and firewall rules are 100% correct, multiple checks.
Go figure.

Looks to me as well that those ports are in use, but how can I confirm?

I tried the following:
net.inet.ip.portrange.hifirst: 40000
net.inet.ip.portrange.hilast: 50992
reboot
That gives almost 11.000 ephemeral ports for system to use.

Port 57777 is stil not accessible.

Thanks for the quick answer. For testing purposes, in Tunables I have set up net.inet.ip.portrange.hifirst: 59999, port 57777 is still not accessible from outside.
"sockstat -l | fgrep 5777" shows nothing.

On my OPNSense v25.1.11, ports 57776 and 57777 can't be forwarded to internal ports. NAT and related firewall rules are OK, ISP is not blocking them. Netstat did not show anything listening on those ports. Any idea why?