Port Forward setup to only allow selective external IPs

Started by cams1303, September 14, 2023, 04:28:13 PM

Hi

I'm new to OPNsense and having a hard time trying to correctly work out how to set up port forwards to only allow selective external IP addresses to access a static IP address LAN device rather than the world, e.g.:

This is for VOIP so port 5060 only.
LAN IP of VOIP hardware is say 192.168.1.10
External SIP servers from my VOIP provider total 18; some are similar, like 103.140.134.2, 103.140.134.3, 103.140.134.32, 103.140.134.33, 103.140.134.44, but others are in a different range.

Thanks for any help.

September 14, 2023, 04:58:45 PM #1 Last Edit: September 14, 2023, 05:01:11 PM by weeßicknich
Firewall -> Aliases -> + (add new) -> Type: Hosts
Then add the external IP addresses that should be allowed and choose a useful name for the alias.

Next, edit the firewall rule that allows incoming traffic from WAN to your local PBX. There you select the alias you just created as allowed source.

It looks like you want to use a SIP client behind OPNsense. If so you don't need port forwarding. Enabling "Static Port" is enough to get proper function of your client.

Thank you both for the advice. I will test it out in the next few days when I swap in OPNsense and turn my existing wifi router into an access point.

Quote from: weeßicknich on September 14, 2023, 04:58:45 PM
Firewall -> Aliases -> + (add new) -> Type: Hosts
Then add the external IP addresses that should be allowed and choose a useful name for the alias.

Next, edit the firewall rule that allows incoming traffic from WAN to your local PBX. There you select the alias you just created as allowed source.

Sorry, but none of this makes any sense to me.
I go to that location and under TYPE (Host(s)) I see a Categories & Content field with no way to add external IP addresses; even clicking on the info provides no info.

Quote from: schmuessla on September 14, 2023, 05:35:38 PM
It looks like you want to use a SIP client behind OPNsense. If so you don't need port forwarding. Enabling "Static Port" is enough to get proper function of your client.
Yes, it's a Fritzbox 4060. Can you explain where enabling "Static" is done.
If you mean give the Fritzbox 4060 a static lease through Services, DHCPv4, LAN, then yes, it and 7 other devices have static LAN addresses outside the range that the DHCP server dynamically allocates.

In Firewall -> NAT -> Outbound, Hybrid outbound NAT rule generation shall be enabled.
Then add a rule for Interface WAN, Source address (Fritz Box), Enable Static Port.
That's all I needed to get SIP working for inbound calls.
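As an added illustration, not taken from the thread or from the ruleset OPNsense itself generates, the two pieces of advice given so far (the Hosts alias used as the allowed source of the WAN rule earlier in the thread, and the Hybrid outbound NAT rule with Static Port just above) written out as plain pf rules, which is the firewall underneath the OPNsense GUI. The WAN interface name em0, the table name SIP_Providers and the variable names are assumptions; the PBX address 192.168.1.10 and the five provider addresses come from the original question, the other 13 would be added to the same table.

```pf
# Added example in pf syntax; not the ruleset OPNsense generates verbatim.
# Assumed: WAN interface is em0; PBX/ATA address 192.168.1.10 is from the thread.
wan = "em0"
pbx = "192.168.1.10"

# Equivalent of a Firewall -> Aliases entry of type Host(s): only the
# provider's SIP servers are listed (five from the thread; the rest go here too).
table <SIP_Providers> { 103.140.134.2, 103.140.134.3, 103.140.134.32, \
                        103.140.134.33, 103.140.134.44 }

# Port forward for SIP signalling on UDP 5060 with the source limited to the
# alias instead of "any".
rdr on $wan proto udp from <SIP_Providers> to ($wan) port 5060 -> $pbx port 5060

# The matching pass rule carries the same source restriction; with source "any"
# the forwarded port would be reachable from the whole internet.
pass in quick on $wan proto udp from <SIP_Providers> to $pbx port 5060

# Outbound NAT (Hybrid mode, Firewall -> NAT -> Outbound) with Static Port for
# the single host, i.e. a /32: the client's source port is left unchanged so the
# registrar's replies arrive on the port the client registered from.
nat on $wan from $pbx/32 to any -> ($wan) static-port
```

The rdr and pass lines are only needed if the PBX really must accept unsolicited inbound SIP; for a client that registers outbound, as the reply above says, the static-port nat rule alone is enough, and restricting the source with the table is what keeps the forward from being open to the world.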

Quote from: schmuessla on September 17, 2023, 08:30:26 AM
In Firewall -> NAT -> Outbound, Hybrid outbound NAT rule generation shall be enabled.
Then add a rule for Interface WAN, Source address (Fritz Box), Enable Static Port.
That's all I needed to get SIP working for inbound calls.
Thanks for the help, but you can't select the Fritzbox as a Source address. It is a drop-down selection box that I have no idea what to put in, e.g.: is it "Single Host or Network" and then enter the Fritzbox 4060 LAN IP/(? what number, 24)
If I do that it gets changed to 192.168.1.0/24 as source address, so how do I enter say 192.168.1.11?

Then leave everything else untouched, like Source & Destination port? Don't I enter SIP here?
And just tick the static, give it a name and save.

Single v4 IP is always /32.
However I'd rather create a firewall alias for that.
Theoretically you could limit it to the needed ports, but since I only have one host with that setting I decided to not do it.