17.7 Legacy Series / Re: Can't seem to get Port Forwarding working
« on: January 24, 2018, 03:08:41 am »
The port forward seems to be working now.
I went into Firewall -> Settings -> Advanced and changed the settings highlighted in the attached screenshot. I still don't understand the gateway concept, but will do some research. Disabling reply-to didn't work (not sure if that was the option you were referring to, Franco).
Thanks for the help! I wouldn't have thought to look for NAT settings under Advanced.
EDIT 1: I will reinstall from scratch when 18.1 comes out and try again.
I went into Firewall -> Settings -> Advanced and changed the settings highlighted in the attached screenshot. I still don't understand the gateway concept, but will do some research. Disabling reply-to didn't work (not sure if that was the option you were referring to, Franco).
Thanks for the help! I wouldn't have thought to look for NAT settings under Advanced.
EDIT 1: I will reinstall from scratch when 18.1 comes out and try again.
root@OPNsense:~ # cat /tmp/rules.debug
# Generated pf ruleset (OPNsense writes it to /tmp/rules.debug, dumped above).
# Reading order matters: a rule with "quick" ends evaluation on first match;
# without "quick" the LAST matching rule decides. Translation (nat/rdr) runs
# before filtering, so filter rules below see post-NAT addresses/ports.
set ruleset-optimization basic
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 814000
set limit src-nodes 814000
# System aliases
# Interface macros: igb0 is LAN, igb1 is WAN. Only the scrub rules use
# $lan/$wan; everything else references the raw interface names.
loopback = "{ lo0 }"
lan = "{ igb0 }"
wan = "{ igb1 }"
# SSH Lockout Table
# Populated by OPNsense on repeated failed logins; consumed by the
# "sshlockout"/"webConfiguratorlockout" block rules further down.
table <sshlockout> persist
table <webConfiguratorlockout> persist
# Other tables
table <virusprot>
# Bogon lists are loaded from files; referenced by the WAN block rules below.
table <bogons> persist file "/usr/local/etc/bogons"
table <bogonsv6> persist file "/usr/local/etc/bogonsv6"
# User Aliases
# Plugins tables
set loginterface igb0
set skip on pfsync0
# Normalize/reassemble packets on both interfaces before filtering.
scrub on $lan all
scrub on $wan all
no nat proto carp
no rdr proto carp
# Outbound NAT rules (automatic)
# Subnets to NAT
# Source-NAT LAN (and loopback) to the WAN address 184.9.150.155.
# Port 500 keeps its source port (static-port) — IKE/IPsec is sensitive to
# source-port rewriting; everything else gets a random high source port.
tonatsubnets = "{ 127.0.0.0/8 192.168.1.0/24 }"
nat on $wan from $tonatsubnets to any port 500 -> 184.9.150.155/32 static-port
nat on $wan from $tonatsubnets to any -> 184.9.150.155/32 port 1024:65535
# Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on igb0 proto tcp from any to ( igb0 ) port { 443 80 22 }
# NAT Inbound Redirects
# Port forward: tcp/10022 arriving on WAN -> 192.168.1.102. No target port is
# given, so pf keeps the original destination port: the inside host must
# listen on 10022 (append "port 22" after the address if it listens on 22).
rdr on igb1 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102
# Reflection redirect
# NAT reflection (hairpin) for LAN clients hitting the WAN address:
# the rdr sends them to 192.168.1.102, and the nat below rewrites their source
# to the LAN address 192.168.1.1 so the reply returns through the firewall.
rdr on igb0 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102
no nat on igb0 proto tcp from igb0 to 192.168.1.102 port 10022
nat on igb0 proto tcp from 192.168.1.0/24 to 192.168.1.102 port 10022 -> 192.168.1.1 port 1024:65535
# Drop (and log) packets whose source address could not have arrived on that interface.
antispoof log for igb0
antispoof log for igb1
#pass in log quick on lo0 inet6 from {any} to {any} label "Pass all loopback IPv6"
#block in log quick inet6 from {any} to {any} label "Block all IPv6"
# Default deny is NOT "quick": any later matching pass rule overrides it.
block in log inet from {any} to {any} label "Default deny rule"
block in log inet6 from {any} to {any} label "Default deny rule"
pass in log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "IPv6 requirements (ICMP)"
pass out log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {129,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
# Port 0 is never legitimate as source or destination; drop early.
block in log quick inet proto {tcp udp} from {any} port {0} to {any}
block in log quick inet6 proto {tcp udp} from {any} port {0} to {any}
block in log quick inet proto {tcp udp} from {any} to {any} port {0}
block in log quick inet6 proto {tcp udp} from {any} to {any} port {0}
block in log quick proto carp from {(self)} to {any}
pass in log quick proto carp from {any} to {any}
# Lockout tables only protect services on the firewall itself ((self) port 22/443).
# They do NOT throttle the forwarded service at 192.168.1.102:10022; that host
# needs its own brute-force protection.
block in log quick proto tcp from {<sshlockout>} to {(self)} port {22} label "sshlockout"
block in log quick proto tcp from {<webConfiguratorlockout>} to {(self)} port {443} label "webConfiguratorlockout"
block in log quick from {<virusprot>} to {any} label "virusprot overload table"
#block in log quick on lo0 from {<bogons>} to {any} label "block bogon IPv4 networks from loopback"
#block in log quick on lo0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from loopback"
#block in log quick on lo0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from loopback"
#block in log quick on igb0 from {<bogons>} to {any} label "block bogon IPv4 networks from LAN"
#block in log quick on igb0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from LAN"
#block in log quick on igb0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from LAN"
# Bogon and private-source filtering on WAN ("quick", so these win over the
# port-forward pass rule at the end). The private-networks block would also
# drop the forward if the WAN sat behind another NAT; fine here, WAN is public.
block in log quick on igb1 from {<bogons>} to {any} label "block bogon IPv4 networks from WAN"
block in log quick on igb1 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from WAN"
block in log quick on igb1 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from WAN"
pass in log quick on igb0 proto udp from {any} port {68} to {255.255.255.255} port {67} label "allow access to DHCP server"
pass in log quick on igb0 proto udp from {any} port {68} to {(self)} port {67} label "allow access to DHCP server"
pass out log quick on igb0 proto udp from {(self)} port {67} to {any} port {68} label "allow access to DHCP server"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {fe80::/10,ff02::/16} port {546} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {ff02::/16} port {547} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {ff02::/16} to {fe80::/10} port {547} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {(self)} port {546} label "allow access to DHCPv6 server on LAN"
pass out log quick on igb0 inet6 proto udp from {(self)} port {547} to {fe80::/10} label "allow access to DHCPv6 server on LAN"
# WAN DHCP client rules are not "quick": the bogon/private blocks above still apply first.
pass in log on igb1 proto udp from {any} port {67} to {any} port {68} label "allow DHCP client on WAN"
pass out log on igb1 proto udp from {any} port {68} to {any} port {67} label "allow DHCP client on WAN"
pass in log quick on lo0 from {any} to {any} label "pass loopback"
# Unrestricted egress for traffic the firewall itself originates, on every interface.
pass out log from {any} to {any} keep state allow-opts label "let out anything from firewall host itself"
pass in log quick on igb0 proto tcp from {any} to {(self)} port {443 80 22} keep state label "anti-lockout rule"
# Policy route: traffic sourced from the WAN address and not bound for the WAN
# subnet is sent via 184.9.144.1 — presumably the WAN default gateway (the
# "gateway" setting referred to in the post; confirm in System -> Gateways).
pass out log route-to ( igb1 184.9.144.1 ) from {igb1} to {!(igb1:network)} keep state allow-opts label "let out anything from firewall host itself"
# User rules. Note these have no "log" keyword, unlike the generated rules above.
pass in quick on igb0 inet from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN to any rule"
pass in quick on igb0 inet6 from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN IPv6 to any rule"
# Filter half of the port forward: matches the post-rdr destination
# 192.168.1.102:10022. Source is "any", i.e. the whole Internet, and the rule
# does not log — consider restricting the source to an alias of known
# addresses and adding "log" so hits show up in the firewall log.
pass in quick on igb1 inet proto tcp from {any} to {192.168.1.102} port {10022} label "USER_RULE: NAT "