Hi. I exactly did what you described, because I think this way is obvious. And it works, so thanks for the clarification.

But: the packets are forwarded with a SNAT, that is, the source IP will be changed to the OPNsense IP. That is problematic if you try to analyse the packet source or simply print the source IP address. How can this behavior be disabled? I did not find any solution or help by searching the internet.

Thanks in advance, Philipp

-- edit: disabling "NAT reflection" did not help
I am trying to get this to work for my video recorder as well, and I have tried all kinds of different configurations with no luck. I am coming from a Ubiquiti Gateway and it was working perfectly on my Ubiquiti system. Wondering also if there might be an issue with my Ubiquiti Controller interfering with the traffic? I have disabled all of the original rules but have not changed anything.

Thanks in advance,
Mark
                  __ _ _( )_( )_
                 (_ _ _) Internet (_)
                        (__)
                         |
              .---'--------------.
              | Company Firewall |
              '---.--------------'
                  |
     .---'--------------------------.
     | 192.168.100.0/24 WAN Network |
     '------.-----------------------'
            |
            | WAN (WAN_EXTERNAL)
 .--------------'------------------------------.
 | 192.168.100.92                              |
 |             OPNsense Firewall               |
 | 192.168.1.1                      172.16.0.6 |
 '----.-----------------------------------.----'
      | LAN                              | LAN_ADMIN
      |                                  | (LAN_MGMT)
      |                                  | (opt1)
.------'---------------------.   .---------------------------------.
| 192.168.1.0/24 LAN Network |   | 172.16.0.0/24 ADMIN-LAN Network |
'----------------------------'   '---------------------------------'
C:\Users\rocha\Desktop>ssh -vvvv 192.168.100.92
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug3: Failed to open file:C:/Users/rocha/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 192.168.100.92 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 'C:\\Users\\rocha/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 'C:\\Users\\rocha/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.100.92 [192.168.100.92] port 22.
debug3: finish_connect - ERROR: async io completed with error: 10060, io:0000020C20C216E0
debug1: connect to address 192.168.100.92 port 22: Connection timed out
ssh: connect to host 192.168.100.92 port 22: Connection timed out
Reflection for port forwards: Enabled
Reflection for 1:1: Disabled
Automatic outbound NAT for Reflection: Enabled
Disable reply-to: Enabled
Interface     Time                       Source                Destination          Proto  Label
WAN_EXTERNAL  2024-07-09T13:49:23-07:00  192.168.100.92:123    198.137.202.32:123   udp    let out anything from firewall host itself (force gw)
LAN_ADMIN     2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    let out anything from firewall host itself
WAN_EXTERNAL  2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    FORWARD SSH TO NODE ON ADMIN LAN
WAN_EXTERNAL  2024-07-09T13:49:14-07:00  192.168.200.44:54263  192.168.100.92:22    tcp    rdr rule
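The log rows above can be read as one flow: the "rdr rule" entry shows the client hitting the WAN address, the pass rule shows the destination after redirection, and the LAN_ADMIN entry shows what the server behind the forward actually sees. The script below is an added example, not code from this thread or from OPNsense: it parses rows in the live-view column order (Interface, Time, Source, Destination, Proto, Label), pairs each "rdr rule" row with its translated destination, and reports whether the client's source address was preserved on the internal interface or rewritten to a firewall address (the SNAT symptom Philipp described). The THREAD_ROWS sample is the 13:49:14 forward from the table; SNAT_ROWS is a constructed sample of the rewritten case, with 172.16.0.6:61000 as an assumed translated source. The interface names in INTERNAL are taken from the diagram.

```python
"""Trace port-forwarded flows through OPNsense firewall-log rows.

Added example (not code from the forum thread or from OPNsense). Rows are
in the live log view's column order: Interface, Time, Source, Destination,
Proto, Label. Each 'rdr rule' row is paired with the pass rule that carries
the translated destination, and the same flow is then looked up on the
internal interfaces to see which source address the server was shown.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    iface: str
    time: str
    src: str      # "ip:port"
    dst: str      # "ip:port"
    proto: str
    label: str


def parse_rows(text: str) -> list[Row]:
    """Split whitespace-separated rows; the label is the free-text remainder."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[0] != "Interface":   # skip a header row
            rows.append(Row(*parts))
    return rows


def ip_of(endpoint: str) -> str:
    return endpoint.rsplit(":", 1)[0]


def trace_forwards(rows: list[Row], internal_ifaces: set[str]) -> list[dict]:
    """One finding per 'rdr rule' row: how the forwarded flow looked inside."""
    findings = []
    for rdr in rows:
        if rdr.label != "rdr rule":
            continue
        # The pass rule logged on the same WAN interface for the same client
        # endpoint shows the destination after redirection.
        translated = next((r.dst for r in rows
                           if r.iface == rdr.iface and r.src == rdr.src
                           and r.proto == rdr.proto and r.dst != rdr.dst), None)
        finding = {"client": rdr.src, "wan_dst": rdr.dst, "translated_dst": translated}
        if translated is None:
            finding["status"] = "no pass rule logged for the redirected flow"
        else:
            # Match by translated destination only: if outbound NAT rewrote the
            # source, the source port may have changed as well.
            inside = [r for r in rows if r.iface in internal_ifaces
                      and r.dst == translated and r.proto == rdr.proto]
            if not inside:
                finding["status"] = "flow not seen on an internal interface"
            elif any(r.src == rdr.src for r in inside):
                finding["status"] = "client source preserved"
            else:
                finding["status"] = (f"client source rewritten to "
                                     f"{ip_of(inside[0].src)} on {inside[0].iface}")
        findings.append(finding)
    return findings


# Rows as posted in the thread (the three 13:49:14 entries of the SSH forward).
THREAD_ROWS = """\
LAN_ADMIN 2024-07-09T13:49:14-07:00 192.168.200.44:54263 172.16.0.2:22 tcp let out anything from firewall host itself
WAN_EXTERNAL 2024-07-09T13:49:14-07:00 192.168.200.44:54263 172.16.0.2:22 tcp FORWARD SSH TO NODE ON ADMIN LAN
WAN_EXTERNAL 2024-07-09T13:49:14-07:00 192.168.200.44:54263 192.168.100.92:22 tcp rdr rule
"""

# Constructed rows (not from the thread): the inside row carries the
# firewall's own LAN_ADMIN address as source, i.e. the flow was SNATed.
SNAT_ROWS = """\
LAN_ADMIN 2024-07-09T14:02:01-07:00 172.16.0.6:61000 172.16.0.2:22 tcp let out anything from firewall host itself
WAN_EXTERNAL 2024-07-09T14:02:01-07:00 192.168.200.44:50122 172.16.0.2:22 tcp FORWARD SSH TO NODE ON ADMIN LAN
WAN_EXTERNAL 2024-07-09T14:02:01-07:00 192.168.200.44:50122 192.168.100.92:22 tcp rdr rule
"""

# Interface names from the network diagram in the thread.
INTERNAL = {"LAN", "LAN_ADMIN"}

if __name__ == "__main__":
    for text in (THREAD_ROWS, SNAT_ROWS):
        for finding in trace_forwards(parse_rows(text), INTERNAL):
            print(finding)
```

Run against the thread's rows it reports "client source preserved", so on that box the forward itself was transparent; a "rewritten to ..." result points at an outbound NAT rule on the internal interface rather than at the port forward.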
Step 1: Set up aliases

Too-simple explanation: Aliases are friendly names for IP addresses. If you're managing a bunch of IPs to forward, it's best to give the IP address a label.

Under Firewall > Aliases > add a new alias:
- name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- type: Host(s)
- Aliases: Input 192.168.1.200