Messages - ipsi

#1
FML, I think I've solved it - it was the Fritz!Box, it just needed a restart. First time I've had this specific problem with it, so that's fun. On the plus side, I can now confirm that you can do an IPv4+IPv6 port-forward with a single rule, you just need to use an alias with both IP types as the target.
#2
Quote from: meyergru on February 20, 2026, 08:57:47 AM
> I always use an ULA virtual IP for that or also "LAN address". Matter-of-fact, I never use IPv6 port-forwarding on OpnSense itself, but only open the ports directly with firewall rules.

Yeah, that's the overall plan, I'm just quite limited in IPv6 subnets unless I purchase my own Fritz!Box (Thanks Vodafone...), so I've experimented with a few different approaches.

Unfortunately, even if I change the configuration to be IPv4-only for both HTTP & HTTPS, I still see the same behaviour where it doesn't work externally. I have no other IPv6 port forwards apart from these two. I've also changed the port for the OPNsense Web UI to 8443 *and* bound it to the LAN address only, but that didn't have any effect. Like I said, it's a bit odd, and I'm pretty stumped at this point!
#3
Hey folks, this is a bit of an odd one. I'm running OPNsense 25.7.11_9-amd64 community edition, and I've run into an issue forwarding HTTP/HTTPS ports to my Caddy server. Environment details:

  • I only have a single WAN interface
  • When attempting to connect externally via cURL & IPv4, I get a timeout error.
  • OPNsense is running on dedicated hardware
  • There are two switches between the OPNsense box and any end devices.
  • I've got a Windows machine running on VLAN 0, which I use for internal testing
  • The Caddy server is on VLAN 20
  • All requests are therefore routed through OPNsense, the only difference being whether port forwarding is involved or not.
  • IPv4 and IPv6 work just fine internally; I only have issues when connecting from the outside, so the server is functioning just fine.
  • I've got Wireguard configured on the OPNsense box, and I can connect to that via IPv4 just fine.
  • External testing is done by tethering my laptop to my phone, no VPN involved.
  • I can connect to the server via IPv6 just fine, both external and internal.
  • I have restarted the box, so it's definitely persistent configuration.

I've attached screenshots of the HTTPS Port Forward configuration, and the alias in use. HTTP is the same, just changed the port.

I did a traffic capture on the IPv4 traffic, and I've attached a screenshot of that as well. It suggests that there's some sort of issue sending the ACK packet back to the client. I've attached the IPv6 version for comparison.

What's driving me up the wall is that the configuration is exactly the same for both IPv6 and IPv4, since I'm using an alias and a single Port Forward configuration!

I suspect this is a result of some dodgy configuration / testing that I've done in the past, but I'm just not sure where to look to figure out what I've done, and what I need to do to fix this. I'm reluctant to wipe my configuration without understanding that in case it comes back with my restored config.

If anyone has any suggestions on what I can do to fix this, I'd very much appreciate that!
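An added example (not part of the original post) of the kind of check that makes the capture observation above concrete: given tcpdump-style text output, it pairs client SYNs to the forwarded port with the SYN-ACK and ACK that should follow, and reports per address family which handshakes stall. The sample lines, addresses and port are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style sample (documentation address ranges, not the poster's
# network): the IPv4 client's SYN to the forwarded port is never answered, while the
# IPv6 client's three-way handshake completes.
SAMPLE_CAPTURE = """\
IP 203.0.113.7.51514 > 192.0.2.10.443: Flags [S], seq 1
IP 203.0.113.7.51514 > 192.0.2.10.443: Flags [S], seq 1
IP6 2001:db8::7.40210 > 2001:db8:1::20.443: Flags [S], seq 1
IP6 2001:db8:1::20.443 > 2001:db8::7.40210: Flags [S.], seq 9, ack 2
IP6 2001:db8::7.40210 > 2001:db8:1::20.443: Flags [.], ack 10
"""

# family, src addr, src port, dst addr, dst port, TCP flags (tcpdump separates port with '.')
LINE_RE = re.compile(r"^(IP6?) (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def handshake_states(capture: str, port: int) -> dict:
    """Map each client flow towards `port` to the handshake stages seen for it."""
    flows = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fam, src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if dport == port and flags == "S":          # client -> server SYN
            flows[(fam, src, sport, dst)].add("syn")
        elif sport == port and flags == "S.":       # server -> client SYN-ACK
            flows[(fam, dst, dport, src)].add("syn-ack")
        elif dport == port and flags == ".":        # client -> server final ACK
            flows[(fam, src, sport, dst)].add("ack")
    return dict(flows)


def stalled_flows(capture: str, port: int) -> list:
    """Flows where the client sent a SYN but no SYN-ACK ever came back."""
    return sorted(k for k, s in handshake_states(capture, port).items()
                  if "syn" in s and "syn-ack" not in s)


def family_summary(capture: str, port: int) -> dict:
    """Count completed vs stalled handshakes per address family (IP / IP6)."""
    out = defaultdict(lambda: {"completed": 0, "stalled": 0})
    for (fam, *_), stages in handshake_states(capture, port).items():
        if {"syn", "syn-ack", "ack"} <= stages:
            out[fam]["completed"] += 1
        elif "syn" in stages and "syn-ack" not in stages:
            out[fam]["stalled"] += 1
    return dict(out)
```

Feed it `tcpdump -nn -i <wan> 'tcp port 443'` text taken on both the WAN and LAN side to see whether the SYN is reaching the internal host and whether the reply is leaving the right interface.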