Topic: NAT - Port Forward not working from Windows PC's (Read 9190 times)

WJScott (Newbie, Posts: 8, Karma: 0) on July 03, 2019, 03:34:29 pm
Odd situation...
I have set up a NAT/PF that redirects port 4433 to 443 for the dashboard UI so that I can access it externally (This is a personal setup). The odd thing is that from my phone Android/Chrome I can access it.
Trying from 2 different laptops (One Corporate controlled and the other personal) I am not. I have tried IE, Chrome, Opera and Firefox browsers to no avail.
What is going on?
Any help would be appreciated!

WJScott (Newbie, Posts: 8, Karma: 0), Reply #1 on July 03, 2019, 04:11:13 pm
And for clarity, I have also tried to do this for RDP using an alternate port inbound and redirect it to 3389 to no avail.

WJScott (Newbie, Posts: 8, Karma: 0), Reply #2 on July 03, 2019, 05:34:16 pm
This is baffling!
I've inserted a NAT to redirect 3389:
-Interface: WAN
-TCP/IP Version: IPv4
-Protocol: TCP
-Source: Any
-Source port range
from: MS RDP
to: MS RDP
-Destination: WAN Address
-Destination port range
from: MS RDP
to: MS RDP
-Redirect target IP: 192.168.0.240
-Redirect target port: MS RDP
-NAT Reflection: Enabled (Have tried disabled also)
-Filter rule association: Yes
Automatic Rule Created:
-Proto: IPv4 TCP
-Source: *(Any)
-Port: 3389(MS RDP)
-Destination: 192.168.0.240
-Port: 3389(MS RDP)
-Gateway: *(Any)
-Schedule:
-Description: NAT
With the above F/W rule the attempt is denied:
__timestamp__ Jul 3 15:30:53
ack
action [block]
anchorname
datalen 0
dir [in]
dst 192.168.0.250
dstport 3389
ecn
id 53827
interface em0
ipflags DF
label Default deny rule
length 52
offset 0
proto 6
protoname tcp
reason match
ridentifier 0
rulenr 3
seq 2596550757
src 174.228.133.87
srcport 1240
subrulenr
tcpflags S
tcpopts
tos 0x20
ttl 110
urp 64240
version 4
Create a manual rule:
-Proto: IPv4 TCP/UDP
-Source: *(Any)
-Port: *(Any)
-Destination: 192.168.0.250
-Port: 3389(MS RDP)
-Gateway: *(Any)
-Schedule:
-Description:
Nothing gets entered into the log with the manual rule enabled; disable it and the deny continues?
I don't see how this could be expected behavior, help?

WJScott (Newbie, Posts: 8, Karma: 0), Reply #3 on September 05, 2019, 01:44:27 am
WOW!
Not sure what else to say!
It's been multiple months and over 100 have read the thread but not one contributor to help me resolve the issue.

tong2x (Full Member, Posts: 223, Karma: 9), Reply #4 on September 05, 2019, 02:54:35 am
you are redirecting to itself?
what's with the 4433 and 433?
based on the rules you created it was never used?
to open a port go to
Firewall: NAT: Port Forward
disabled: unchecked
interface: {your wan interface}
TCP: ipv4 or 6
Protocol: TCP
Destination: {This firewall}
destination port range: whatever ports you want to open, ex. external ports 4433
redirect target ip: {internal IP, ex 192.168.0.240}
redirect port: {it's not the same as external... ex http or 80 if an internal webserver}
Firewall: NAT: Port Forward EXAMPLE a webserver
disabled: unchecked
interface: {WAN1; your wan interface}
TCP: ipv4 or 6
Protocol: TCP
Destination: {This firewall, or ip of firewall}
destination port range: 99 (whatever ports you want to open)
redirect target ip: 192.168.0.240 {your target internal IP or internal server ip}
redirect port: 80 {because it is a webserver}
Last Edit: September 05, 2019, 02:59:11 am by tong2x

tong2x (Full Member, Posts: 223, Karma: 9), Reply #5 on September 05, 2019, 03:00:04 am
do not answer the "source"
your destination is the firewall, since it is the one blocking your internal network
Last Edit: September 05, 2019, 03:04:51 am by tong2x

petrus (Newbie, Posts: 29, Karma: 1), Reply #6 on September 05, 2019, 08:31:45 am
Hi,
if the source port is defined for most protocols, it's randomly chosen from a pool of high ports. In 99,99% of the cases you do not restrict the source port in a firewall/NAT rule. Your rule will never match because the source port will never be TCP 3389 for RDP or 443 for https. It's the destination port you choose.
BR P
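
The mismatch petrus describes, as an added example that is not part of the original thread: a small Python model of pf's order of evaluation (port-forward translation first, filter rules second) run against the blocked packet logged in reply #2. The class and function names are hypothetical, and the model compares only addresses and ports.

```python
# Added example: why the port forward from reply #2 ends at "Default deny rule".
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    srcport: int
    dst: str
    dstport: int

@dataclass(frozen=True)
class PortForward:
    srcport: Optional[int]   # None means "any"
    dst: str                 # address the rule listens on (WAN address)
    dstport: int
    target: str              # redirect target IP
    targetport: int

def parse_log(text: str) -> Packet:
    """Parse the 'key value' lines of the firewall log detail view."""
    kv = dict(l.split(None, 1) for l in text.splitlines() if len(l.split()) > 1)
    return Packet(kv["src"], int(kv["srcport"]), kv["dst"], int(kv["dstport"]))

def evaluate(pkt: Packet, fwd: PortForward) -> str:
    """Return the label of the rule that decides the packet."""
    # Step 1: the redirect rewrites the destination only if every field matches.
    if (fwd.srcport in (None, pkt.srcport)
            and pkt.dst == fwd.dst and pkt.dstport == fwd.dstport):
        pkt = Packet(pkt.src, pkt.srcport, fwd.target, fwd.targetport)
    # Step 2: the associated filter rule only passes traffic to the target.
    if pkt.dst == fwd.target and pkt.dstport == fwd.targetport:
        return "NAT"
    return "Default deny rule"

# Fields copied from the blocked log entry in reply #2.
LOG = """src 174.228.133.87
srcport 1240
dst 192.168.0.250
dstport 3389
protoname tcp"""

WAN_ADDRESS = "192.168.0.250"  # OPNsense WAN address as given in reply #11
as_posted = PortForward(3389, WAN_ADDRESS, 3389, "192.168.0.240", 3389)
source_any = PortForward(None, WAN_ADDRESS, 3389, "192.168.0.240", 3389)

if __name__ == "__main__":
    pkt = parse_log(LOG)
    print("source port MS RDP:", evaluate(pkt, as_posted))
    print("source port any:   ", evaluate(pkt, source_any))
```

With the source port set to MS RDP the redirect never fires, so the packet still carries destination 192.168.0.250 when the filter rules run and nothing but the default deny applies.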

WJScott (Newbie, Posts: 8, Karma: 0), Reply #7 on September 05, 2019, 04:51:38 pm
All,
I appreciate the reply, but there are no 4433 and 433 in any of the data I provided.
This was a simple Port Forward, not even a redirect so the inbound port is looking to be redirected from my external router VIA the DMZ redirect (Any/Any) to the OPNSense appliance and it is failing.
Being that I could not wait any longer I have established the rule on the external router and it is working fine, and to be able to support multiple I have refocused on port redirection 8080 --> 3389 (Yes, MS RDP).
I have monitored all the logs and see the traffic being passed to the target but no session is established but a direct rdp session works fine bypassing the OPNSense Appliance.
Using 8080 as I know it is an open port at my location.
Below is my configuration of the NAT:
Disabled: Unchecked
No RDR: Unchecked
Interface: WAN
TCP/IP Version: IPV4
Protocol: TCP
Source: Any/Any/Any
Dest/Invert: Unchecked
Destination: WAN Address
Destination Port: From: 8080 - To: 8080
Redirect Target IP: RDP (Alias)
Redirect Port: MS RDP [3389]
Pool Options: Default
Log: Checked
Description: Port Redirect 33389 --> 3389
NAT Reflection: Enabled
Filter Rule assoc: None (Manually Created)
Firewall Rule 01:
Action: Allow
Disabled: Unchecked
Quick: Checked
Interface: WAN
Direction: IN
TCP/IP Ver: IPv4
Protocol: TCP
Source/Invert: Unchecked
Source: Any/Any/Any
Destination: RDP (Alias)
Dest Port Range: From: MS RDP [3389] to: MS RDP [3389]
Log: Checked
Firewall Rule 02:
Action: Allow
Disabled: Unchecked
Quick: Checked
Interface: WAN
Direction: IN
TCP/IP Ver: IPv4
Protocol: TCP
Source/Invert: Unchecked
Source: Any/Any/Any
Destination: WAN Address
Dest Port Range: From: 8080 to: 8080
Log: Checked
I see the traffic being allowed in the F/W log but no session is established with the redirect.
OPNSense just does not seem to work any longer for this function. Or I am doing something really wrong and I am blind.

tong2x (Full Member, Posts: 223, Karma: 9), Reply #8 on September 05, 2019, 07:55:14 pm
destination should be "this firewall", not wanaddress, if you want to port forward
yes, writing wanaddress sounds correct but the destination is "thisfirewall"
you already indicated that you have tapped the "wan" port
(modem)---dmz opnsense/or port forward---(opnsense server)---nat port forward---(clients)
maybe you could write a network diagram
Last Edit: September 05, 2019, 07:59:35 pm by tong2x

WJScott (Newbie, Posts: 8, Karma: 0), Reply #9 on September 10, 2019, 04:50:44 pm
Changing the Destination to "This Firewall" made no change.
Diagram Below:
http://www.greenscott.com:8383/LABNet.png
Last Edit: September 10, 2019, 04:52:33 pm by WJScott

tong2x (Full Member, Posts: 223, Karma: 9), Reply #10 on September 11, 2019, 03:24:31 am
does your opnsense have a public IP?
how is the WAN configured in your opnsense?

WJScott (Newbie, Posts: 8, Karma: 0), Reply #11 on September 13, 2019, 05:18:55 pm
It does not have a public IP, only an internal, that the xFinity router forwards (DMZ Port) all traffic to 192.168.0.250/24.