[SOLVED] Can't get port forwarding to work anymore!

Started by alh, August 12, 2020, 09:01:52 AM

I run a mail server behind OPNsense. I have a simple port forward to the host which worked fine in 20.1.x. Now the clients receive a timeout. I did a packet capture, and the request hits the OPNsense just fine and it forwards it to the correct host. However, the reply (SYN) from the host hits the OPNsense, which does not forward it to the client! It does not reach the WAN interface.

I tried deleting all port forwards, rebooting, re-creating them but to no avail. How to fix this?

Same problem here.

I have, just for testing, a TS3 server up and running. With my other firewall everything works, and with a new install of OPNsense with correct checksum there is no chance. I have outbound NAT and reflection activated in the settings. Connections established from outside get NATed to the correct IP and port, but nothing goes out. I can connect to the server from my LAN without problems and, as I said, I can connect from outside through my other firewall without problems.

Greetings, looking forward to hearing from you guys.

Did you make sure DNS records are correct?

It is possible that your server's IP has changed.

https://mxtoolbox.com/ <---- run a checkup for your domain there and check what issues it finds (there usually are a few issues there)

August 12, 2020, 12:05:01 PM #3 Last Edit: August 12, 2020, 12:08:13 PM by secgeek
Quote from: Vilhonator on August 12, 2020, 11:52:00 AM
Did you make sure DNS records are correct?

It is possible that your server's IP has changed.

https://mxtoolbox.com/ <---- run a checkup for your domain there and check what issues it finds (there usually are a few issues there)
In my situation, the other services are working fine; only the one I want to route through OPNsense is not working.

If I do a packet capture or look at the states table, the connection is initialized.

So DNS is working absolutely fine.
It seems to be a problem with OPNsense.

OK, could you describe the following:


  • Type of setup on your OPNsense. Do you have 1 WAN and 1 LAN interface, 1 WAN and 2 LAN interfaces with separate networks, or 2 WAN ports and 1 or more LAN ports?
  • Have you set up a static local IP for your server on OPNsense, or is it connected to a router which is or isn't connected to your OPNsense?
  • Have you created any static routes on your OPNsense?
  • What is the issue? Sending mail from your domain to Gmail or other mail providers, receiving mail from Gmail or other providers to your domain, or both?
  • Have you set up DNS records on OPNsense, are they managed by your registrar, or do you run a physical or virtual DNS server?

Well my setup is like this:

1. Speedport router of Deutsche Telekom (so double NAT)

2. OPNsense with 1 WAN port (static) in Subnet of Speedport

3. OPNsense with 1 LAN port (static, several VLANs)


  • EVERYTHING from inside LAN/VLAN works perfectly fine.
  • Port forwards from Speedport to OPNsense work fine and I can access ALL services hosted on the OPNsense (WireGuard, OpenVPN, IPsec).
  • Port forwards from OPNsense to a host in a LAN/VLAN do not work (port doesn't matter).


Ah, you need to set up firewall rules for LAN/VLAN on OPNsense.

First backup everything.

Then go to Firewall -> Rules and see if there are any interfaces called VLAN 1 etc. Then click WAN, add a new rule and set allow all from source VLANX/LANX (name of the interface or VLAN the networks belong to) and set destination to WAN net, and you are done.

Maybe I'm missing something, but isn't the reply an established/related connection? Why would I need an extra rule for that? Also, the reply is straight to the client's public IP, so I fail to understand why I would need to allow all traffic to WAN net from VLAN net...

It is a simple straightforward port forward. Nothing fancy here. Every 50,- € router can do that...

Quote: Why would I need an extra rule for that? Also the reply is straight to the clients public IP, so I fail to understand why I would need to allow all traffic to WAN net from VLAN net..

If you have more than 1 public IP address in use, the easiest way to forward connections is to create a firewall rule for the WAN network. To forward requests to a different public IP, your client needs to be connected to a network which has access to the WAN network (not the WAN address).

Now if both are using the same public IP, then you need to connect both on LAN ports and create routes; another option is to disable DHCP on either one and connect it to the same network.

It's confusing, yes.

NAT port forwarding, or network address translation port forwarding, will forward all specified connections to addresses on networks which are routed.

Public IPs don't work on port forwarding.

The reason why the instructions STRONGLY advise you not to delete the fail-safe rules, created automatically once you assign the first LAN and WAN port on OPNsense, is that if you do, you won't be able to manage OPNsense via the web GUI or SSH, and the LAN interface gets blocked from the WAN network (by default, OPNsense blocks private network connections to WAN and you won't be able to disable it unless you have 2 or more WAN ports, just like shown in the image below).

I really appreciate your effort to try and help me with my problem. But I fail to relate your answers to my setup or problem. I have 5 sites running OPNsense. This works on all other sites but the one I upgraded to 20.7. None needs this extra rule you are talking about, which does not make any sense to me.

As I said, the setup is as simple as it gets:

Internet -> TCP 993 -> Speedport (10.0.1.1) -> TCP 993 -> OPNsense (WAN 10.0.1.254) -> TCP 993 -> OPNsense (LAN 10.0.2.254) -> TCP 993 -> Server (10.0.2.10)

There is masquerading towards WAN because this stupid Speedport cannot do anything.

TCP packets arrive on WAN port 993 of the OPNsense and get forwarded to LAN and the server. The reply from the server arrives at the LAN of the OPNsense and is NOT forwarded back to WAN. IMHO this reply is part of the established/related connection of the initial connection from outside. There is absolutely no need for me to open all ports from the server to WAN.

As said before, this works on all other OPNsense installations I have, which are running 20.1.x though.

Maybe just wait for 20.7.1 to arrive in the next days and see if it is fixed.

You are confusing WAN RULES with PORT FORWARDING.

Port forwarding is something NAT does and it has nothing to do with firewall rules (though port forwarding rules are shown under Firewall rules).

Let's just say your web server (which has to be open to the public) is getting a DoS attack. Because NAT is only forwarding traffic to that server, it can be exploited. How do you think your firewall is blocking connections from specific sources without restricting access from others? VIA FIREWALL RULES.

If you create a WAN rule allowing all incoming connections from WAN to your PC, people are able to connect to your PC, but your PC won't be able to connect to the internet or any other network which routes via WAN.

An outgoing rule enables internet access but not incoming connections, so you won't be able to download anything.

You open port 80 to your PC; unless your PC is running a program which connects to the internet or local area network on TCP port 80, or is hosting a web server listening on TCP port 80 and the OS firewall is allowing incoming connections on TCP port 80 from any remote source, nothing happens, because your PC's IP isn't listening on TCP port 80.

How do you block students from accessing Facebook but not teachers? By creating an alias which consists of all Facebook domains, and creating a WAN rule which blocks connections from the student network to the alias consisting of Facebook hosts. That way any computer connected to the student network won't be able to connect to Facebook, even if they try switching DNS servers.

How do you prevent students from manually changing the IP address of a PC belonging to the student network? By creating a rule on the teacher network that the interface belonging to the student network has no access to the teacher network.

How do you allow the student network to gain access to a web server showing timetables, hosted on a server belonging to the teacher network? By creating a rule allowing HTTP and/or HTTPS connections from the student network to the teacher network and creating a port forwarding rule which forwards incoming HTTP and/or HTTPS requests from the student network IP block(s) to the host server.

How do you forward DNS requests to their specified networks without opening the networks to each other? By creating a rule on each network forwarding DNS requests to the main gateway, which in return forwards traffic based on source address and ports to a certain destination on certain ports.

This is all something which ANY router with a built-in firewall and NAT can do; you don't need a high-end router which costs 1 000 €+ to do this. All you need is a router with a firewall which allows you to set up a firewall rule from IP -> from port start - from port end -> destination IP -> destination port start -> destination port end. (Yes, terms might be a bit different depending on brand, but.) In fact you can do that on Windows Firewall if you feel crazy enough to want to fool around with it.

Okay, so thanks for your input.

I did some research on another site and figured out that I did not use OPNsense as the default gateway. So this was my (little) problem.

Greetings

As I said, I don't think we understand each other. And if what you say/suggest is true, these dropped packets should show up in the firewall log. They don't.

Quote from: alh on August 12, 2020, 10:23:55 PM
As I said, I don't think we understand each other. And if it is true what you say/suggest these dropped packets should show up in the firewall log. They don't.
1. Did you notice we are 3 people in this thread?

2. My problem was the endpoint configuration. The default gateway was wrong. I didn't see anything in the firewall log, but now I can see them and the connection is established. So your suggestion is wrong.
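Two observations in this thread point at the same diagnostic: alh sees the forwarded connection "initialized" in the state table but never completed, and secgeek's fix was that the server did not use OPNsense as its default gateway, after which the states showed as established. On pf (which OPNsense uses) a redirected inbound SYN that never gets a SYN/ACK back through the firewall leaves a state in `CLOSED:SYN_SENT`; a completed handshake shows `ESTABLISHED:ESTABLISHED`. Nothing appears in the firewall log in the half-open case because pf drops nothing; the reply simply never reaches it. The script below is an added example written for this page, not code from any poster or from the OPNsense project. The `pfctl -ss` state lines and the `netstat -rn` excerpt are constructed sample data modelled on alh's diagram (WAN 10.0.1.254, LAN 10.0.2.254, server 10.0.2.10); the interface names igb0/igb1/em0, the client addresses and the wrong gateway 10.0.2.1 are assumptions.

```shell
#!/bin/sh
# Added example: triage a pf state table for a TCP port forward that never
# completes (SYN redirected to the inside host, no SYN/ACK back through pf).
# SAMPLE_STATES is CONSTRUCTED in the format of `pfctl -ss` on OPNsense/FreeBSD.
# On a real firewall replace it with:  pfctl -ss | grep ':993 '
# Addresses follow the thread's diagram; igb0/igb1 and the clients are made up.
SAMPLE_STATES='igb0 tcp 10.0.2.10:993 (10.0.1.254:993) <- 203.0.113.5:51234       CLOSED:SYN_SENT
igb0 tcp 10.0.2.10:993 (10.0.1.254:993) <- 203.0.113.7:40022       CLOSED:SYN_SENT
igb0 tcp 10.0.2.10:993 (10.0.1.254:993) <- 198.51.100.9:55501      ESTABLISHED:ESTABLISHED
igb1 tcp 10.0.2.10:993 <- 10.0.2.50:61000                          ESTABLISHED:ESTABLISHED
igb0 udp 10.0.1.254:51820 <- 203.0.113.5:41000                     MULTIPLE:MULTIPLE'

# CONSTRUCTED `netstat -rn` excerpt as taken on the inside server. The default
# route points at another router (10.0.2.1, assumed), not at the OPNsense LAN
# address, which is exactly the misconfiguration secgeek reported.
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            10.0.2.1           UGS         em0
10.0.2.0/24        link#1             U           em0'

# Print one line per redirected (rdr) TCP state for the given inside port:
#   <client> -> <inside host:port> <pf state> <verdict>
# Only states carrying a translation "(addr:port)" are NAT/rdr states; a plain
# LAN-to-server connection (igb1 line above) has none and is skipped.
classify_rdr_states() {
    port="$1"
    printf '%s\n' "$SAMPLE_STATES" | awk -v port="$port" '
        $3 ~ (":" port "$") && $4 ~ /^\(/ {
            # Field layout: ifname proto inside (translated) <- client  src:dst
            client = $6; st = $NF
            verdict = (st == "ESTABLISHED:ESTABLISHED") ? "ok" : "half-open"
            print client, "->", $3, st, verdict
        }'
}

# Number of half-open forwarded states: the SYN was redirected but the SYN/ACK
# never came back through pf. A count that keeps growing while the server is
# reachable from the LAN points at the return path (server default gateway,
# asymmetric routing), not at the forward rule or at a missing WAN rule.
half_open_count() {
    classify_rdr_states "$1" | awk '$NF == "half-open"' | wc -l | tr -d ' '
}

# Succeed (exit 0) only if the server's default gateway is the firewall's LAN
# address. Replies to forwarded connections leave via the default route, so if
# that is not the firewall, pf never sees the SYN/ACK and the state stays
# CLOSED:SYN_SENT.
default_gw_is_firewall() {
    fw_lan="$1"
    gw=$(printf '%s\n' "$SAMPLE_ROUTES" | awk '$1 == "default" { print $2 }')
    [ "$gw" = "$fw_lan" ]
}

# Usage:
classify_rdr_states 993
echo "half-open forwarded states on port 993: $(half_open_count 993)"
if default_gw_is_firewall 10.0.2.254; then
    echo "server default gateway is the OPNsense LAN address"
else
    echo "server default gateway is NOT the OPNsense LAN address: fix the server's route"
fi
```

Run it on the firewall first (state table) and on the inside host second (routing table). If the states are half-open and the gateway check fails, no amount of WAN or VLAN rules will help, because the packet that needs forwarding never arrives at the box; if the states are half-open but the gateway is correct, a packet capture on the LAN interface for the SYN/ACK is the next step.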