NAT Rule Help

Started by Cipher, April 25, 2024, 07:00:52 PM

Hi Everyone,

I created a NAT rule to allow access to our internal camera system from outside the network. The rule is applied on the NAT and is automatically reflected on the WAN interface of the firewall.

However, when I try to access the cameras from an external location, I get the following error message: "Default Deny / State Violation." I've attached a screenshot showing the error.

Could someone please advise on what I might need to do to resolve this issue? Any guidance would be greatly appreciated.

Thanks in advance!
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

Does anyone have any suggestions? I would appreciate the help—I can't seem to resolve this issue. I've tried every tutorial and solution I could find online.
Happy Owner DEC3862

For that NAT port forward - did you set the "Associated firewall rule" to "Pass"?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

As an alternative to setting "Associated firewall rule" to "Pass" you could set it to "None" and then create your own explicit filter rule.


Quote from: Patrick M. Hausen on April 26, 2024, 06:10:42 PM
For that NAT port forward - did you set the "Associated firewall rule" to "Pass"?
I have tried those but it didn't work.
I understand it's a double NAT.
There is an ISP router (DrayTek) in front of it and the OPNsense is set as the DMZ.
Could the double NAT be the cause?
Happy Owner DEC3862

Quote from: sja1440 on April 28, 2024, 09:05:12 AM
As an alternative to setting "Associated firewall rule" to "Pass" you could set it to "None" and then create your own explicit filter rule.
Can you explain what exactly you mean?
Happy Owner DEC3862

If there is another router in front you need a port forward rule on that other router, too.
Deciso DEC750

Quote from: Patrick M. Hausen on April 28, 2024, 11:26:14 PM
If there is another router in front you need a port forward rule on that other router, too.
There is a router in front of the OPNsense. We're dealing with double NAT. Are you asking if I should still forward the port on the ISP router even if there's a DMZ set up for the OPNsense?
Happy Owner DEC3862

I don't know what a DMZ in terms of your router is, actually.

In my terms a DMZ is a separate network that is neither WAN nor LAN and hosts publicly accessible services without opening LAN to the world.

If that means "everything hitting the external IP address of $ROUTER goes to OPNsense" then I would use tcpdump on OPNsense to verify that is actually the case. If yes, then check if your NAT rule forwards the packets to the internal system - also tcpdump, this time on LAN. Interface for interface - check what does happen and if it matches your expectation of what should happen.
Deciso DEC750
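The interface-by-interface tcpdump check described in the post above, written out as an added example (not code from the thread or from OPNsense). It prints the capture command for each hop and, given the captured lines, names the first hop where the handshake disappears. All names are assumptions: OPNsense WAN interface vtnet0 with the private address 192.168.0.2 handed out by the upstream ISP router (double NAT), LAN interface vtnet1, a camera at 192.168.1.50 on TCP 80, public port 8080, and an external test client at 203.0.113.5. The sample captures are constructed in tcpdump -nn format, not real output.

```python
"""Hop-by-hop check of a port forward with tcpdump (added example, not from the thread)."""
import re
from dataclasses import dataclass

WAN_IF, LAN_IF = "vtnet0", "vtnet1"           # assumed interface names
CAMERA_IP, CAMERA_PORT = "192.168.1.50", 80   # assumed internal target
PUBLIC_PORT = 8080                            # assumed public port


def capture_cmd(iface: str, port: int) -> str:
    """tcpdump command to run (as root) on OPNsense while connecting from outside.
    -nn: no name/port resolution; -c 20: stop after 20 packets."""
    return f"tcpdump -nn -i {iface} -c 20 'tcp port {port}'"


# Matches a standard tcpdump -nn line: "IP a.b.c.d.SPORT > e.f.g.h.DPORT: Flags [..]"
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


@dataclass
class HopSummary:
    syn: int = 0             # client SYNs seen on this interface
    syn_to_target: int = 0   # SYNs whose destination is already the camera (post-rdr)
    synack: int = 0          # SYN-ACKs (the camera's reply) seen on this interface


def summarize(capture: str, target_ip: str = CAMERA_IP, target_port: int = CAMERA_PORT) -> HopSummary:
    """Count SYN / SYN-ACK packets in one interface's capture."""
    s = HopSummary()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m.group("flags")
        if flags == "S":
            s.syn += 1
            if m.group("dst") == target_ip and int(m.group("dport")) == target_port:
                s.syn_to_target += 1
        elif flags == "S.":
            s.synack += 1
    return s


def diagnose(wan: HopSummary, lan: HopSummary) -> str:
    """Walk the path in order and name the first hop that breaks it."""
    if wan.syn == 0:
        return "upstream: no SYN reaches the OPNsense WAN; the ISP router is not forwarding the port"
    if lan.syn == 0:
        return "opnsense: SYN seen on WAN but nothing leaves LAN; the port forward or its pass rule is not matching"
    if lan.syn_to_target == 0:
        return "opnsense: SYN leaves LAN but not towards the camera; check the redirect target IP/port"
    if lan.synack == 0:
        return "camera: SYN arrives but no SYN-ACK; wrong port, host firewall, or the camera's gateway is not OPNsense"
    if wan.synack == 0:
        return "opnsense: camera replies but the reply is not translated back onto WAN; check outbound NAT/state"
    return "ok: TCP handshake visible on both interfaces; the forward works end to end"


# Constructed sample captures (not real output). rdr only rewrites the destination,
# so on LAN the source is still the external client and the destination is the camera.
WAN_CAPTURE_OK = """\
12:00:01.000010 IP 203.0.113.5.51234 > 192.168.0.2.8080: Flags [S], seq 1, win 64240, length 0
12:00:01.000410 IP 192.168.0.2.8080 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
"""
LAN_CAPTURE_OK = """\
12:00:01.000120 IP 203.0.113.5.51234 > 192.168.1.50.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 192.168.1.50.80 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
"""
WAN_CAPTURE_SYN_ONLY = WAN_CAPTURE_OK.splitlines()[0] + "\n"   # SYN arrives, nothing answers

if __name__ == "__main__":
    print(capture_cmd(WAN_IF, PUBLIC_PORT))
    print(capture_cmd(LAN_IF, CAMERA_PORT))
    print(diagnose(summarize(""), summarize("")))
    print(diagnose(summarize(WAN_CAPTURE_SYN_ONLY), summarize("")))
    print(diagnose(summarize(WAN_CAPTURE_OK), summarize(LAN_CAPTURE_OK)))
```

Run the two printed tcpdump commands in two shells on OPNsense, start a connection from outside, and feed each capture to `summarize`. In the double-NAT case from this thread, an empty WAN capture means the problem is on the DrayTek, not on OPNsense; a WAN capture with SYNs but an empty LAN capture points at the port forward or its pass rule.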

Quote from: Cipher on April 28, 2024, 11:04:29 PM
Quote from: sja1440 on April 28, 2024, 09:05:12 AM
As an alternative to setting "Associated firewall rule" to "Pass" you could set it to "None" and then create your own explicit filter rule.
Can you explain what you exactly mean ?

Sure. If you create a port forward translation rule without specifying the "pass" keyword then the incoming connection will also be subject to any incoming filter rules defined for the interface. These rules could be defined in any of "Floating", your defined Group or explicitly for the interface.

The log text you quote sounds like the first rule of the automatically generated Floating rules, which suggests that you need to create an explicit pass filter rule somewhere (maybe on the interface to the outside network?).
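What the two choices compared above look like in pf terms, as an added example (not from the thread or from OPNsense's generated ruleset). Names are assumptions: WAN interface vtnet0, camera at 192.168.1.50 listening on TCP 80, public port 8080.

```pf
# Added example, not OPNsense's generated rules. Assumed names:
wan_if = "vtnet0"
camera = "192.168.1.50"

# Option A: "Associated firewall rule: Pass".
# Translation and pass are one rule; the filter ruleset is not consulted
# for this connection.
rdr pass on $wan_if proto tcp from any to ($wan_if) port 8080 -> $camera port 80

# Option B: "Associated firewall rule: None".
# Translation only; the packet then goes through the normal filter rules,
# so an explicit pass rule is required. Filtering happens AFTER translation:
# the pass rule must match the internal destination (camera, port 80),
# not the WAN address and the public port 8080.
rdr on $wan_if proto tcp from any to ($wan_if) port 8080 -> $camera port 80
pass in quick on $wan_if proto tcp from any to $camera port 80 keep state

# Without that pass rule (or with one written against port 8080 instead of
# port 80), the translated packet falls through to the default block rule,
# which is the "Default Deny / State Violation" entry from the first post.
```

When you choose "None" and write the rule yourself, the usual mistake is to put the public port in the filter rule; the destination the filter sees is already the camera's address and port.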

Sorry guys for my late reaction due to some health issues.

In some situations, when I have a DMZ, it forwards every port to OPNsense. Do you mean that even if OPNsense is behind a DMZ, it still needs port forwarding? I've noticed that OPNsense doesn't handle double NAT well.
Happy Owner DEC3862

Quote from: Cipher on May 14, 2024, 10:39:55 PM
Do you mean that even if OPNsense is behind a DMZ, it still needs port forwarding?

Yes. You still need to have port forwarding rules on OPNsense when it is in a DMZ behind another router.