Port forwarding seemingly not working for project, but working for others?

Started by Bert-Jan, May 18, 2025, 07:28:35 AM

I'm running the latest version of OPNsense on a MiniPC, directly connected to a PON from my ISP. It's working fine.

I'm now trying to set up port forwarding to a local Ubuntu 24.04 server at IP 192.168.1.229 (a VM running on Proxmox). I want to run Nextcloud AIO in Docker on that server. Docker is already running, and other services like SearXNG and Vaultwarden are working well. But in this case, I can't get it to work—it seems (I'm not a networking specialist, this is just a hobby) that port forwarding isn't functioning. I'm probably overlooking something or made a silly mistake.

I created a port forwarding rule as shown in the screenshot "Port Forwarding NextcloudAIO.png". The alias NextcloudAIO in the "Redirect target IP" field points to 192.168.1.229. Additionally, a floating rule was created, as shown in "Firewall Floating Nextcloud AIO rule.png".

On the Ubuntu server, to keep testing simple, I installed socat, which is listening for incoming traffic on port 8443 using:

socat -v TCP-LISTEN:8443,fork EXEC:/bin/cat

Then, on an external PC connected via 5G, I run:

curl http://<my external IP>:8443

But nothing happens. Even when I check Firewall > Log Files > Live View in OPNsense and filter by the IP address of the 5G connection or filter on port 8443, I don't see any traffic coming in.
What am I missing or doing wrong? Any help is greatly appreciated!


Did you open the port 8443 on your Ubuntu host (ufw)? When I tried the same, I could not connect from outside, either. I pulled my hair out as to why, because locally, everything worked and also, accessing port 80 was fine. Then it dawned on me: ufw was active on the target machine.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Thanks for the reply. Unfortunately, that's not the issue; ufw is currently disabled on that VM. Still stumped, currently thinking about setting up a new VM to see if that has the same issue.

I used your exact setup, but did not follow through after I detected the ufw issue. This leaves (at least) these options:

1. socat does not work as expected for external connections (however, unlikely).
2. some other firewall blocks the traffic (like Proxmox).
3. other setup errors, like wrong gateway or double NAT issues, leaving the impression that it works locally, but breaks from outside.
4. 5G filtering the port (can be ruled out by using tcpdump on OPNsense).
5. any kind of add-on firewall, like ufw, Suricata, Crowdsec, Zenarmor.

You use WAN and LAN on the port-forwarding rule. I usually use WAN only. I understand why you use LAN as well. Did you try from within your LAN by addressing the WAN IP?
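An added diagnostic helper for the tcpdump check in option 4 above (my own script, not something anyone in this thread posted): it captures the forwarded port on the WAN side and on the LAN side of OPNsense while an external curl runs, and classifies what each capture shows. Port 8443 and the target 192.168.1.229 come from the question; the interface names igc0/igc1 are assumptions you must adjust.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on the OPNsense box.
# Assumed interface names (adjust to your box): igc0 = WAN, igc1 = LAN.
WAN_IF="${WAN_IF:-igc0}"
LAN_IF="${LAN_IF:-igc1}"
PORT="${PORT:-8443}"               # forwarded port from the question
TARGET="${TARGET:-192.168.1.229}"  # redirect target from the question

# Capture a handful of packets for the port on the WAN side (before NAT).
capture_wan() { tcpdump -nli "$WAN_IF" -c "${1:-20}" "tcp port $PORT"; }

# Capture on the LAN side: what OPNsense actually sends to the target after NAT.
capture_lan() { tcpdump -nli "$LAN_IF" -c "${1:-20}" "host $TARGET and tcp port $PORT"; }

# diagnose: read tcpdump text on stdin and print one of
#   NO_TRAFFIC  - no SYN for the port was seen on this interface
#   SYN_ONLY    - SYNs were seen but nothing answered them
#   SYNACK_SEEN - a SYN/ACK went back, so the connection is being accepted
diagnose() {
  awk -v port="$PORT" '
    # tcpdump prints "src.sport > dst.dport: Flags [S]" for a SYN ...
    $0 ~ ("\\." port ": Flags \\[S\\]") { syn++ }
    # ... and "dst.dport > src.sport: Flags [S.]" for the SYN/ACK reply.
    $0 ~ ("\\." port " > .*Flags \\[S\\.\\]") { synack++ }
    END {
      if (synack > 0) print "SYNACK_SEEN"
      else if (syn > 0) print "SYN_ONLY"
      else print "NO_TRAFFIC"
    }'
}

# How to read the two results, taken together while the external curl runs:
#   WAN NO_TRAFFIC               -> packets never reach OPNsense (wrong public
#                                   IP, upstream/ISP, or the 5G carrier filtering)
#   WAN SYN_ONLY, LAN NO_TRAFFIC -> OPNsense drops or does not translate them
#                                   (port-forward rule, interface, floating rule)
#   WAN SYN_ONLY, LAN SYN_ONLY   -> the target host is not answering (host
#                                   firewall, nothing bound on the port, gateway)
#   LAN SYNACK_SEEN, WAN SYN_ONLY-> host answers, but the reply is not NATed back
if [ "${1:-}" = "wan" ]; then capture_wan | diagnose; fi
if [ "${1:-}" = "lan" ]; then capture_lan | diagnose; fi
```

Run it as `sh diag.sh wan` in one SSH session and `sh diag.sh lan` in another, then fire the curl from outside.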

Thanks for the very fast reply.

1: I started using socat only after having issues reaching my Nextcloud AIO install. Given that, I'm guessing socat is working okay.
2: I'm not really a Proxmox expert, but the Proxmox firewall has no rules configured. Maybe more relevant: the VM I'm having the issue with has more services running via Docker, like SearXNG, Vaultwarden and Jellyfin. All are accessible from the outside. Also other services on other VMs, like Plex (not in Docker), are working fine.
3: My OPNsense box is connected directly via the PON from my provider. Dashboard → Interfaces → WAN shows me the correct external IP address. Running 'curl ifconfig.me' on the Ubuntu server also shows the correct external IP address. As far as I understand this means no double NAT. Since I'm really a newbie, I hope that's correct.
4: I have an external VPS running (also an Ubuntu server, UFW disabled) and tried 'curl http://<my external IP>:8443', unfortunately same result as via 5G; nothing.
5: none.

I'm still thinking there is something I'm doing wrong. I also tried using AI to help me diagnose this, but ran into limitations. Appreciate your help!
I was thinking about using Cloudflare tunnels, but as I understand it, that would circumvent OPNsense. Probably not the safest option.


Does it work when you try the curl from your local LAN to: a. your LAN IP and b. your WAN IP?

I lost a bit of text with the browser forcing an update.
Long story short, could you be missing the traffic in your live firewall log somehow (wrong filters maybe, rule not logging, etc.) and NC be the one blocking?
NC is a bit of a self-hardening thing (a good thing). For instance, reverse proxies need to be allow-listed.
I use NC in a FreeBSD jail and learned a few config changes in its php.ini were needed. It took me a while.
I don't use docker though (I have an aversion to it).