Web server port forwarding problems.

[lmester]

Hello,

I've been running the IPCop Linux based firewall for many years. Unfortunately that project has quietly died. I decided to use OPNsense as a replacement.

I have the basic configuration working. The local LAN is able to access the WAN connected through my cable modem. I'm having no luck getting port forwarding working. I have a lot of port forwarding entries in IPCop. I decided to work with the most critical one first. My web server. I can't get external access to it. Also, when I try to hit it from the LAN side I'm getting redirected to the OPNsense web GUI instead of my WWW server.

It looks like OPNsense is redirecting port 80 and 443 to it's GUI. This is even though i've added a port forward to direct this traffic to my WWW server.

When I do an nslookup while running OPNsense, I see that DNS info is being modified by OPNsense. It's pointing my hostname (mesterhome.com) to 192.168.1.1 (the OPNsense WWW GUI) instead of 192.168.1.25 (the WWW server address). See the two command prompt screen captures. One is using IPCop and the other with OPNsense.

Also attached is my OPNsense config file and screen captures of the working IPCop port forwards and the non functional OPNsense forwarding.

I must have some basic problem with my setup. I hope that someone here can help me fix what I'm doing wrong.

Looks like this forum won't allow me to attach pictures. You can view them here: https://mesterhome.com/OPNsense/

[stefanpf]

Goto System: Settings: Administration
and Change your Port to 444 for example.
And Check "Disable web GUI redirect rule".

I guess your config contains private Data so I recommend to remove it from the Forum.

[lmester]

Goto System: Settings: Administration
and Change your Port to 444 for example.
And Check "Disable web GUI redirect rule".

I changed the web GUI port to 444. and disabled the web GUI redirect rule.

I no longer see the OPNsense GUI when I access my web server from the LAN. I now just get a timeout. Port forwarding to my web server is still not working. Also,  It looks like OPNsense is still modifying LAN DNS lookups.

Below are command prompt sessions showing the different name lokkup results using OPNsense and my old IPCop firewall. I assume that I must have some problems with the OPNsense DNS settings. Using OPNsense, my hostname "mesterhome.com" is being redirected from WAN addresses of 129.250.35.250 and 198.252.121.79 to the local LAN address 192.168.1.1 and 198.252.121.79.

The address 198.252.121.79 is the actual ip address assigned to my hostname.

Code: [Select]



Microsoft Windows [Version 10.0.18363.778]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\Luke-AMD6>REM nslookup results using OPNsense

C:\Users\Luke-AMD6>nslookup mesterhome.com
Server:  OPNsense.localdomain
Address:  192.168.1.1

Non-authoritative answer:
Name:    mesterhome.com
Address:  198.252.121.79


C:\Users\Luke-AMD6>



Microsoft Windows [Version 10.0.18363.778]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\Luke-AMD6>REM nslookup using IPCop

C:\Users\Luke-AMD6>nslookup mesterhome.com
Server:  x.ns.gin.ntt.net
Address:  129.250.35.250

Non-authoritative answer:
Name:    mesterhome.com
Address:  198.252.121.79


C:\Users\Luke-AMD6>

Screen captures of my current OPNsense settings can be viewed here:  https://mesterhome.com/OPNsense/

I must be making a stupid mistake! Port forwarding is not hard to do. Just assign the WAN port  to a LAN address and port.

[stefanpf]

Dns:
First IP shown at nslookup is the resolving DNS server.
The DHCP in your ipfire was configured to push an external DNS server to the Clients.
Your opnsense DHCP pushes itself as DNS resolver to the Clients.
In my opinion it's okay and the better choice as for example it's allowing you to resolver local hostnames.


Portforward: the destination address should be your wan address instead of LAN address.
That should so the job from the outside.

From inside you need either
- split-dns (Host overwriting in unbound): your local DNS resolver gives back the local IP of your webserver
or enable NAT Reflection:
https://docs.opnsense.org/manual/nat.html

[lmester]

Dns:
First IP shown at nslookup is the resolving DNS server.
The DHCP in your ipfire was configured to push an external DNS server to the Clients.
Your opnsense DHCP pushes itself as DNS resolver to the Clients.
In my opinion it's okay and the better choice as for example it's allowing you to resolver local hostnames.


Portforward: the destination address should be your wan address instead of LAN address.
That should so the job from the outside.

From inside you need either
- split-dns (Host overwriting in unbound): your local DNS resolver gives back the local IP of your webserver
or enable NAT Reflection:
https://docs.opnsense.org/manual/nat.html

Turning on NAT reflection and correcting the port forwarding solved the problems. Everything is working now. Thank you for your help!

[Tubs]

You solved your problem. But is port forwarding really what you want to do?

Why not take advantage of using OPNsense as reverse proxy by HAproxy or nginx plugin for your webserver instead?