Open ports on network interfaces

Started by Robertomcat, June 11, 2025, 07:10:11 PM

Quote from: cookiemonster on June 18, 2025, 11:44:29 PM
Respectfully, this makes no sense yet. Your ISP can not give you an ip of 192.168.1.200; that is an internal ip address, one in your network(s). You will be able to see this in Interfaces > Overview. There you'll have the actual ip issued by your ISP assigned to WAN.
Can you share those assignments with a screenshot? Mask your WAN ip if you're uncomfortable showing it.
To reiterate: a port forward from WAN to an internal LAN (regardless of its name) can only be tested from outside.
What I am trying to do is to help you not verify why your torrenting or whatever is not working, but to first verify that your port forward NAT and associated rule work. When that happens, you can concentrate on the torrent or whatever.
Why? Because it can be that your seeding thing blocks your client, blocks your ip address, etc.
To this end, I am suggesting to test the port forwards by putting some traffic across the rules to see where they stop. Makes sense?
So if you test NOT from the outside, you haven't proven the rules are the problem.
Hello, good morning.
The IP address 192.168.1.200 is the fixed IP address I assigned to my personal computer, and my ISP provides public IP addresses via DHCP, and I currently have 85.XXX.XX.86. The same company that provides internet also provided me with an OPNsense ONT in front of OPNsense, so OPNsense has an internal IP address on the WAN. But I've always had an ONT regardless of which router I've been using.

Good morning.
Quote from: Robertomcat on June 19, 2025, 10:40:18 AM
Quote from: cookiemonster on June 18, 2025, 11:44:29 PM
Respectfully, this makes no sense yet. Your ISP can not give you an ip of 192.168.1.200; that is an internal ip address, one in your network(s). You will be able to see this in Interfaces > Overview. There you'll have the actual ip issued by your ISP assigned to WAN.
Can you share those assignments with a screenshot? Mask your WAN ip if you're uncomfortable showing it.
To reiterate: a port forward from WAN to an internal LAN (regardless of its name) can only be tested from outside.
What I am trying to do is to help you not verify why your torrenting or whatever is not working, but to first verify that your port forward NAT and associated rule work. When that happens, you can concentrate on the torrent or whatever.
Why? Because it can be that your seeding thing blocks your client, blocks your ip address, etc.
To this end, I am suggesting to test the port forwards by putting some traffic across the rules to see where they stop. Makes sense?
So if you test NOT from the outside, you haven't proven the rules are the problem.
Hello, good morning.
The IP address 192.168.1.200 is the fixed IP address I assigned to my personal computer, and my ISP provides public IP addresses via DHCP, and I currently have 85.XXX.XX.86. The same company that provides internet also provided me with an OPNsense ONT in front of OPNsense, so OPNsense has an internal IP address on the WAN. But I've always had an ONT regardless of which router I've been using.
Oh wow, you left this very important part out. I've been suspecting and asking you and you gave incorrect and/or incomplete information.

Quote: June 18, 2025, 12:49:00 PM #20
These seem internal when you say seem fine. You said WAN so far when talking about port forwarding "from outside". I'm beginning to wonder:
1) is your WAN on a public IP, routable on the internet, or is your WAN on an RFC1918 ip?
2) are you trying to port forward between internal networks i.e from LAN1 to LAN2 ?

Quote: June 18, 2025, 12:55:26 PM #21

    Quote from: cookiemonster on June 18, 2025, 12:49:00 PM
    These seem internal when you say seem fine. You said WAN so far when talking about port forwarding "from outside". I'm beginning to wonder:
    1) is your WAN on a public IP, routable on the internet, or is your WAN on an RFC1918 ip?
    2) are you trying to port forward between internal networks i.e from LAN1 to LAN2 ?

My IP address is public, provided by my Internet Service Provider. And regarding the port forwarding you mentioned, I only want to open the ports to the outside, not between internal networks.

Unless I read this wrong, you seem to be in a double NAT scenario AND you have two OPN routers in series i.e. one behind another.
I'm going to let someone else chime in but in short, you need to then read up on double NAT, see if your second OPN has blocked private networks on the WAN interface settings at the minimum. Is it possible to have only one OPN in place?
p.s. I'm not going to be able to help much in a OPN behind OPN scenario.

Quote from: cookiemonster on June 19, 2025, 11:54:10 AM
Unless I read this wrong, you seem to be in a double NAT scenario AND you have two OPN routers in series i.e. one behind another.
I'm going to let someone else chime in but in short, you need to then read up on double NAT, see if your second OPN has blocked private networks on the WAN interface settings at the minimum. Is it possible to have only one OPN in place?
p.s. I'm not going to be able to help much in a OPN behind OPN scenario.
Oh no, I only have an OPNsense and the ONT. And yes, it has been a lack of information on my part, because at no time had I reported that I had an ONT AND OPNsense; I had automatically deduced that it was something unimportant. Sorry for all this time.

Quote from: Robertomcat on June 18, 2025, 12:55:26 PM
My IP address is public, provided by my Internet Service Provider.
Yes, but your public IP is assigned to the ONT, while OPNsense behind it has a private IP as your screenshots show.
So your ONT is a router in fact.
This is essential information.

So first of all you have to forward the traffic on the outer router (ONT) to OPNsense. Have you even done this?

Quote from: viragomann on June 19, 2025, 07:28:33 PM
Yes, but your public IP is assigned to the ONT, while OPNsense behind it has a private IP as your screenshots show.
So your ONT is a router in fact.
This is essential information.

So first of all you have to forward the traffic on the outer router (ONT) to OPNsense. Have you even done this?
The router/ONT has a specific configuration to put it in bridge mode, which is how it currently is, and all traffic is redirected to OPNsense. It will be a year or so now that it has been running like this.

Quote from: Robertomcat on June 19, 2025, 07:44:49 PM
The router/ONT has a specific configuration to put it in bridge mode, which is how it currently is.
Bridge mode means, that the device behind it (OPNsense) gets the public IP. But your OPNsense has 192.168.18.2 on the WAN, which is far away from a public IP.

So again, forward the traffic to OPNsense on the ONT or put it really in bridge mode to get further with this.
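The point made in this post, that an RFC1918 address on the WAN means a router is still in front of OPNsense regardless of what the ISP device calls "bridge mode", can be turned into a quick self-check. The following is an added example and not OPNsense's own code or anything posted in the thread; it classifies a WAN address with Python's standard `ipaddress` module and returns the next troubleshooting step the thread converged on (forward or DMZ on the ISP router, check "Block private networks", test from outside). The sample addresses other than 192.168.18.2 are constructed.

```python
import ipaddress
from typing import List, Optional

# Address space that can never be an ISP-issued public address (IPv4 only here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT


def classify_wan(wan_ip: str) -> str:
    """Classify the address OPNsense shows on WAN in Interfaces > Overview."""
    ip = ipaddress.ip_address(wan_ip)
    if ip.version != 4:
        raise ValueError("IPv4 address expected")
    if ip.is_link_local or ip.is_loopback or ip.is_unspecified:
        return "no-lease"        # 169.254.x.x / 0.0.0.0: WAN never got an address
    if ip in CGNAT:
        return "cgnat"           # the ISP itself NATs you; inbound forwards cannot work
    if any(ip in net for net in RFC1918):
        return "double-nat"      # a router (ONT/ISP box) is still routing in front
    if ip.is_global:
        return "public"          # true bridge mode: OPNsense holds the public IP
    return "other"


def diagnose(wan_ip: str, observed_public_ip: Optional[str] = None) -> List[str]:
    """Return the checks to do next, given the WAN IP and (optionally) the public
    IP an external lookup reports for this connection."""
    kind = classify_wan(wan_ip)
    steps = []
    if kind == "public":
        steps.append("WAN holds a public address: test the port forward from outside, not from LAN.")
        if observed_public_ip and observed_public_ip != wan_ip:
            steps.append("Observed public IP differs from WAN IP: another NAT layer is in the path.")
    elif kind == "double-nat":
        steps.append("WAN is RFC1918: forward the port (or set DMZ) on the ISP router to "
                     f"{wan_ip}, or put the ISP device in real bridge mode.")
        steps.append("Check 'Block private networks' on the OPNsense WAN interface settings.")
    elif kind == "cgnat":
        steps.append("WAN is CGNAT (100.64/10): ask the ISP for a public IP; forwards cannot reach you.")
    elif kind == "no-lease":
        steps.append("WAN has no usable lease: fix the link to the ISP device before touching NAT.")
    return steps
```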

@viragomann @cookiemonster
I was able to fix the problem. The problem was that the ISP router had a factory reset for some reason, and the DMZ had disappeared. Once activated, everything worked, although in opnsense the internal IP address provided by the ISP router still appears. I will have to look for a universal ONT to solve this "problem". Thank you very much for your patience with your troubleshooting ideas.

pesky ISP updates. I'm glad you got to the bottom of it.
Out of interest though. You say your ISP gives you a device running OPNSense as your ONT. Are you sure about that?

Quote from: cookiemonster on June 22, 2025, 12:44:59 AM
Pesky ISP updates. I'm glad you got to the bottom of it.
Out of interest though. You say your ISP gives you a device running OPNsense as your ONT. Are you sure about that?


My ISP provided me with a very basic Huawei router which is an all in one, ONT + Router, and I had to activate the DMZ and then put another device for the OPNsense. Tomorrow I will contact my ISP to see if they can provide me with a dedicated ONT, or provide me with the communication data between OLT and ONT and buy a configurable ONT myself.

Well that is more what I would expect. A Huawei router would be a pretty normal device to find. That's why I was curious from your previous post:

Quote from: Robertomcat on June 19, 2025, 10:40:18 AM
Quote from: cookiemonster on June 18, 2025, 11:44:29 PM
Respectfully, this makes no sense yet. Your ISP can not give you an ip of 192.168.1.200; that is an internal ip address, one in your network(s). You will be able to see this in Interfaces > Overview. There you'll have the actual ip issued by your ISP assigned to WAN.
Can you share those assignments with a screenshot? Mask your WAN ip if you're uncomfortable showing it.
To reiterate: a port forward from WAN to an internal LAN (regardless of its name) can only be tested from outside.
What I am trying to do is to help you not verify why your torrenting or whatever is not working, but to first verify that your port forward NAT and associated rule work. When that happens, you can concentrate on the torrent or whatever.
Why? Because it can be that your seeding thing blocks your client, blocks your ip address, etc.
To this end, I am suggesting to test the port forwards by putting some traffic across the rules to see where they stop. Makes sense?
So if you test NOT from the outside, you haven't proven the rules are the problem.
Hello, good morning.
The IP address 192.168.1.200 is the fixed IP address I assigned to my personal computer, and my ISP provides public IP addresses via DHCP, and I currently have 85.XXX.XX.86. The same company that provides internet also provided me with an OPNsense ONT in front of OPNsense, so OPNsense has an internal IP address on the WAN. But I've always had an ONT regardless of which router I've been using.

That's clear now.
OPN then on the DMZ is one way of doing things. I think Fritzboxes force this setup too but I am not certain.
One thing to check however. If your ISP leaves an electrical terminating device on the wall and it is an Ethernet cable from it to the current Huawei, you could in theory plug it instead onto the WAN of your OPN device directly. No Huawei in the chain.
Electrically it is the same. The difference is whether your ISP requires authenticating details to establish a connection and those are hard set on the Huawei.
If that is the case and you can get them and transfer them to OPN WAN settings, you're set.

Quote from: cookiemonster on June 22, 2025, 06:33:10 PM
That's clear now.
OPN then on the DMZ is one way of doing things. I think Fritzboxes force this setup too but I am not certain.
One thing to check however. If your ISP leaves an electrical terminating device on the wall and it is an Ethernet cable from it to the current Huawei, you could in theory plug it instead onto the WAN of your OPN device directly. No Huawei in the chain.
Electrically it is the same. The difference is whether your ISP requires authenticating details to establish a connection and those are hard set on the Huawei.
If that is the case and you can get them and transfer them to OPN WAN settings, you're set.
My ISP provides the fiber optic cable from the street to the Huawei router + ONT, then I have to connect from an RJ45 port on the Huawei to OPNsense.

Understood. But how does the cable (there must be one) from the street connect to the "router + ont Huawei" ?

Quote from: cookiemonster on June 22, 2025, 06:50:04 PM
Understood. But how does the cable (there must be one) from the street connect to the "router + ont Huawei" ?
Yes, a fiber optic cable runs from the street to the Huawei router+ONT (it is an all-in-one device), and then I have to run a 15 cm cable from the Huawei router to the OPNsense device.

I see. That's news to me, that there are fiber-terminating Huawei router+ont. Thanks.