Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
How to apply rules to NAT Port Forward
« previous
next »
Print
Pages: [
1
]
Author
Topic: How to apply rules to NAT Port Forward (Read 2231 times)
gdur
Full Member
Posts: 124
Karma: 2
How to apply rules to NAT Port Forward
«
on:
October 14, 2020, 11:04:15 am »
It appears that NAT Port Forward (WAN to LAN) is executed before any rule, as a rule on WAN to block unwanted traffic to this forward has no effect and therefor need to use the local firewall of the receiving machine to block this traffic which I find not an elegant way to do, I'd rather stop this traffic at WAN level. There are 3 options which may cater this but the documentation doesn't provide a clear enough (at least to me) explanation. The 3 options I'm looking at are;
Set local tag: Set a tag that other NAT rules and filters can check for.
Match local tag: Check for a tag set by another rule.
and
Filter rule association: Associate this with a regular firewall rule.
Where the last one only provides 2 options; None or Pass(
).
What I want to achieve:
I'm making use of an external antispam mail service. This service forwards checked e-mail to my firewall WAN on a specific port and reaches the internal mail server on the SMTP port. Having all the possible source IP addresses I'd like to filter on these to allow access while rejecting all others.
How can this be done?
Thanks for all possible help!!!
Logged
Gauss23
Hero Member
Posts: 766
Karma: 39
Re: How to apply rules to NAT Port Forward
«
Reply #1 on:
October 14, 2020, 12:38:39 pm »
Why don´t you just set the source to the list of known IPs in your port forward rule?
You can create an alias for that list of IPs
Logged
„The S in IoT stands for Security!“
gdur
Full Member
Posts: 124
Karma: 2
[SOLVED] Re: How to apply rules to NAT Port Forward
«
Reply #2 on:
October 14, 2020, 03:05:25 pm »
Aha, missed this one. Works like charm. Is the associated rule somewhere visible? The log live view uses the label WAN: default block IPv4 (last block all rule in WAN) and rule 101 in my case and it appears that unwanted visitors trying to access the specific Port Forward rule are blocked because of this last block rule. Here I'm loosing track on what is happening behind the scenes as there are other circumstances using the same rule to block other unwanted traffic. What mechanics are behind this?
I would suggest to display a little more (and not misleading) information along this option as default it shows an advanced button along with the text "Show source address and port range". The word "Show" is misleading in this case, better leave it out. "Source addres(ses) and/or port range, may use Aliases" should be a better fit. Also the button "Advanced" is something one rather stays away from to start with, so better remove this button what makes it more in line with the rules page, I think this would be more consistent.
Anyway, thanks a lot for your help, much appreciated!!!
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
How to apply rules to NAT Port Forward