Apache (in DMZ) is reachable from LAN, but not from WAN

Started by WhiteTiger, June 24, 2020, 05:38:32 PM

I am new to OPNsense and I am doing my first tests.
I have configured an Apache server in the DMZ, and from the LAN I can see the home page.
But I can't see it from the Internet, despite having created a rule that leaves everything open: protocols, addresses, ports, ...
Even with a NAT for port 80 I can't reach the server.
I attach screenshots of the three networks and of the aliases.

Once it works I will build on this rule to enable Let's Encrypt and to manage an FTP server and a slave DNS server with BIND.

Thanks in advance for the help and advice.

June 24, 2020, 07:14:34 PM #1 Last Edit: June 24, 2020, 07:16:33 PM by WhiteTiger
I did a check with https://www.yougetsignal.com/tools/open-ports/ and the ports are closed.

However, the ISP says it is not blocking anything on its router.
How can I verify that there are no blocks on the OPNsense WAN port?
What rule can I apply, if the one I entered isn't right?
That way I can check whether it really is an ISP problem or not.

In the WAN rules the source port should be ANY, only the destination port should be 80.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.


Quote from: marjohn56 on June 25, 2020, 09:20:24 AM
In the WAN rules the source port should be ANY, only the destination port should be 80.

I'm probably getting some rules mixed up; I just don't understand which one.
In the initial post I published the active rules, but they don't work.

I have connected the server directly to the router and it can also be reached from the Internet, so I am sure that Apache works.
With those rules and the server in the DMZ, it can only be reached from the LAN.

On the router there is a simple rule that directs port 80 to the OPNsense WAN address.
So, in OPNsense, should the rule on the WAN be from "WAN net" or from "WAN address"?
And should the destination be "ul-ht-ls1" (the server alias)?

I've tried both ways and it doesn't work, so I wonder if a rule is missing in the DMZ as well.

In the WAN rules you have a rule which is set to source port 80, it should be set to Any. You do not know what port the client is using to connect to your server, it could be anything. You only know the port it wants to connect to, hence the destination port should be set to 80.

Quote from: marjohn56 on June 25, 2020, 12:36:15 PM
In the WAN rules you have a rule which is set to source port 80, it should be set to Any. You do not know what port the client is using to connect to your server, it could be anything. You only know the port it wants to connect to, hence the destination port should be set to 80.
What you see is the NAT rule, but it's turned off.
I attach the three current screenshots again, including the rules created automatically.

So you only want clients that exist within the WAN network that you are connected to to have access?


With a NET type setting, if your WAN address was 32.32.32.32 with a mask of 24 that would only allow clients in the range 32.32.32.0 to 32.32.32.254 to talk to your webserver. Just change the rule to ANY, that will allow any address to connect to your server. Have you set up the port forward in NAT? If so you do not need to create a WAN rule, it should do it for you.
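The two points made in the replies above (a WAN rule must leave the source port at "any" and match on destination port 80, and a source of "WAN net" only admits hosts on the WAN subnet) are easy to see by modelling how pf on OPNsense processes an inbound packet: the NAT port forward (rdr) rewrites the destination first, and only then are the WAN pass rules evaluated, first match wins. The following model is an added example written for this page; it is not code from the thread or from the OPNsense project. It assumes the addresses from the poster's diagram (WAN 192.168.1.2/24, DMZ server 192.168.3.11, since the post's 192.169.3.11 lies outside the 192.168.3.0/24 DMZ as drawn), and that the ISP router forwards port 80 without rewriting the client's source address, so the WAN rule sees the real Internet IP. The rule names, the `Packet`/`PassRule` classes and the sample client 203.0.113.5 are constructed for the example.

```python
"""Model of pf rdr + WAN filter evaluation on OPNsense (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addresses from the thread's diagram. The DMZ server is taken to be
# 192.168.3.11; the post writes 192.169.3.11, which is outside the DMZ /24.
WAN_ADDRESS = ip_address("192.168.1.2")
WAN_NET = ip_network("192.168.1.0/24")
DMZ_SERVER = ip_address("192.168.3.11")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class PassRule:
    """A WAN 'pass in' rule. None for a network or port means 'any'."""
    name: str
    src_net: Optional[object] = None   # ipaddress network or None
    sport: Optional[int] = None
    dst_net: Optional[object] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ip_address(pkt.src) not in self.src_net:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dst_net is not None and ip_address(pkt.dst) not in self.dst_net:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def port_forward(pkt: Packet) -> Packet:
    """The NAT port forward (pf 'rdr'): traffic to the WAN address on TCP/80
    has its destination rewritten to the DMZ server. pf does this before the
    filter rules run, so the pass rule has to match the rewritten destination;
    that is why the rule OPNsense generates for a port forward targets the
    internal host, not 'WAN address'."""
    if ip_address(pkt.dst) == WAN_ADDRESS and pkt.dport == 80:
        return Packet(pkt.src, pkt.sport, str(DMZ_SERVER), 80)
    return pkt


def evaluate(rules, pkt: Packet, rdr_enabled: bool = True):
    """Apply the port forward (if enabled), then return (translated packet,
    name of the first matching pass rule or None). None means the packet
    falls through to the default block; OPNsense rules are first-match
    ('quick') by default."""
    translated = port_forward(pkt) if rdr_enabled else pkt
    for rule in rules:
        if rule.matches(translated):
            return translated, rule.name
    return translated, None


SERVER_HOST = ip_network(f"{DMZ_SERVER}/32")
# The three rule variants discussed in the thread (names are constructed).
BAD_SOURCE_PORT = PassRule("src-port-80", sport=80, dst_net=SERVER_HOST)
WAN_NET_ONLY = PassRule("wan-net-only", src_net=WAN_NET,
                        dst_net=SERVER_HOST, dport=80)
ANY_TO_SERVER_80 = PassRule("any-to-server-80", dst_net=SERVER_HOST, dport=80)


if __name__ == "__main__":
    # Constructed sample: an Internet client on an ephemeral source port,
    # as seen on the OPNsense WAN after the ISP router forwarded it.
    from_internet = Packet("203.0.113.5", 51234, str(WAN_ADDRESS), 80)
    for rule in (BAD_SOURCE_PORT, WAN_NET_ONLY, ANY_TO_SERVER_80):
        _, hit = evaluate([rule], from_internet)
        print(f"{rule.name:18} -> {'pass' if hit else 'BLOCKED (default deny)'}")
    _, hit = evaluate([ANY_TO_SERVER_80], from_internet, rdr_enabled=False)
    print(f"rdr disabled       -> {'pass' if hit else 'BLOCKED (default deny)'}")
```

Running it shows only `any-to-server-80` passing the Internet client: the source-port-80 rule never matches because the client's source port is ephemeral, the "WAN net" rule admits only 192.168.1.0/24 hosts such as the router itself, and with the port forward disabled even the correct rule fails because the packet still carries the WAN address as destination. To confirm that forwarded packets reach OPNsense at all (the poster's ISP question), `tcpdump -ni <wan-interface> tcp port 80` on the firewall during a test from outside will show whether the SYNs arrive; if they do, the problem is in the NAT/rule set, not at the ISP.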

Quote from: marjohn56 on June 25, 2020, 06:41:23 PM
So you only want clients that exist within the WAN network that you are connected to to have access?


With a NET type setting, if your WAN address was 32.32.32.32 with a mask of 24 that would only allow clients in the range 32.32.32.0 to 32.32.32.254 to talk to your webserver. Just change the rule to ANY, that will allow any address to connect to your server. Have you set up the port forward in NAT? If so you do not need to create a WAN rule, it should do it for you.

I'm sorry, maybe I didn't explain myself well.
Let me explain from the beginning.

In the office there is a LAN with 3 PCs plus, obviously, other devices, smartphones, etc.
In the DMZ there is only one server with only Apache installed (currently there is only its default page).
Later I will install another server and a NAS.
Obviously other services will be available: FTP, HTTPS and above all BIND for a "slave" DNS server.
On the server I will activate applications such as Nextcloud, SuiteCRM, etc.
These are normally accessible with URL:Port.
Currently only Webmin is active, on port 10000.

The WAN side obviously consists only of a router with 5 rules forwarding ports 80, 443, 22, 53 and 10000 to the OPNsense WAN network card at 192.168.1.2.

The configuration is therefore as follows:

Router
|| (192.168.1.1)
||
|| (WAN) 192.168.1.2
==========
OPNSense     === (DMZ) 192.168.3.1
==========
|| (LAN) 192.168.2.1


PCs in the LAN get their address from the OPNsense LAN DHCP.
The server in the DMZ has a static address (192.169.3.11).

All masks are /24.

In the Firewall there are no other rules except the ones I showed in the previous post.
I have created an alias for the server (ul-hq-ls1) and aliases for the ports that I am going to use (indicated above).

What I want to do is create a situation that I consider normal:
1) PCs in the LAN see the server (and this is already happening)
2) Anyone on the Internet can access the server through URL:Port
Once at the server there will be a credential check plus 2FA, and these will be the only protections at the moment.

BIND manages a Slave Server so it will have to replicate the information from the DNS Master.
Later I will create OpenVPN logins.

At the moment I just need to configure access to HTTP / HTTPS and possibly HTTPS + port 10000.
I will create the other services by referring to these first rules.

Up to now I have worked with IPFire, firewall appliances such as Netgear, UFW on Debian and firewalls provided by ISPs.

I didn't expect to encounter all these difficulties with OPNsense and I can't find a help guide.
The technical documentation explains each individual option very well, but does not provide examples of their use.
I was able to connect the LAN to the DMZ, but I am unable to connect the DMZ to the Internet.

If you can help me create these first rules I would be very grateful to you.
Or direct me to guides or tutorials.
Can pfSense rules also work well for OPNsense?

Many thanks again in advance.