[SOLVED] Can't get port forwarding to work anymore!

Started by alh, August 12, 2020, 09:01:52 AM

Yes I did. Sorry, my reply was not intended for you...

Okay alh, so I also have a Speedport and have a router behind it, also a connection through Deutsche Telekom.

I now have the server in a VLAN where the firewall is the default gateway, and did a static configuration of the server where I had to set the default gateway manually as I configured it statically.
Then I set up a port forwarding with the same protocol as the server (UDP for me):
source has to be any,
destination has to be WAN address and the right port (the same you set up as Portweiterleitung in the Speedport),
redirecting to the server IP and the right port,
NAT = enabled, and all this for the WAN interface.

I did not check your details mentioned above, please check your settings yourself and use a different network for your VLANs.

If your LAN is on
192.168.50.0/24
Your VLAN should be on a different subnet like:
VLAN 250
192.168.250.0/24

It doesn't need to be a /24 subnet (Class C), it could be another one as well, but it makes things easier because most people use these standards.

You don't need any additional rules, they are only security risks.

Greetings
Looking forward to hearing from you.

Gateway, VLAN config etc. is fine. Everything works from the LAN/VLANs as intended. The only issue I have is that the port forward does not work. It actually does work in the sense that requests are forwarded to the server but the reply of the server is not travelling back through the Firewall. So the client just times out. If a client from LAN connects to the server in VLANx it works perfectly fine. But then this is simple routing and not DNAT.



Quote from: alh on August 13, 2020, 10:02:15 AM
Gateway, VLAN config etc. is fine. Everything works from the LAN/VLANs as intended. The only issue I have is that the port forward does not work. It actually does work in the sense that requests are forwarded to the server but the reply of the server is not travelling back through the Firewall. So the client just times out. If a client from LAN connects to the server in VLANx it works perfectly fine. But then this is simple routing and not DNAT.

This is the exact same Problem I had.
Do you have multiple DHCP servers on the network where the service lives?
It could be that locally you can connect, but the configuration of the server is using the same network gateway as your client; when the connection comes from the outside, the gateway of your server has to be the firewall that is getting the connection from the outside.
Did you check your port forwarding rules? Make sure the interface is set to WAN and no source is set up; maybe delete the rule and re-enter it, this could help with settings you did for your system.
You can go to the Outbound NAT and make sure the VLAN is added automatically to the Outbound NAT rules.

Greetings
Looking forward to hearing from you

I attached the screens of my config. Maybe you spot the problem... 192.168.188.1 is the IP of the Speedport.

Just installed 20.7.1 and that fixed my issue (at least partly). Replies from LAN/VLANs travel now back to WAN.

However, port randomization confuses the Speedport router. I had to add rules to outbound NAT to enable static port on the forwarded ports. Strangely enough, I had to do this with source any instead of only the server... but that is maybe a lack of understanding from myself.

August 14, 2020, 07:22:08 AM #21 Last Edit: August 14, 2020, 07:24:03 AM by secgeek
Hello alh

Okay, so you are posting in the 20.7 forum, so everybody assumes you have at least 20.7 installed; there are some major differences.

Secondly, just change your Outbound NAT to Hybrid and delete the any-to-any rule; this way you can do your own rules and do not miss the right rules, and the any-to-any rule is wrong.

If you have a strong point about not using the Hybrid or automatic mode, just use the Hybrid mode for the moment; you can rebuild your manual rules afterwards.

After changing the Outbound NAT to Hybrid mode and applying everything, do a reboot because OPNsense has to rebuild the rules and the reboot makes everything faster.

I think after the reboot, and if your servers/clients are configured the right way, your problems should be gone.

Greetings
Looking forward to hearing from you

PS: you have to delete and rebuild your NAT forward rules with NAT reflection and associated rules enabled, after the reboot.

I did have 20.7.0 installed and the mode is set to manual. The upgrade to 20.7.1 fixed the particular issue without me changing/adding any rules. So either the reboot changed it (which I doubt, since I did that before as well) or the fixes in 20.7.1... Anyway, the issue is solved for me and my rules work now as intended.
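For reference, here is what the port forward and the static-port outbound NAT rule discussed in this thread look like as plain pf rules, the way OPNsense renders the GUI entries into /tmp/rules.debug. This is an added illustration, not a rule set from the thread or from OPNsense itself; the interface name em0, the VLAN subnet 192.168.250.0/24, the server 192.168.250.10 and UDP port 27015 are constructed placeholders.

```pf
# --- Port forward (DNAT) as described in the thread ---
# Interface WAN, source any, destination = WAN address on the service port,
# redirect to the server in the VLAN. (em0) is the WAN address, resolved at load time.
rdr on em0 inet proto udp from any to (em0) port 27015 -> 192.168.250.10 port 27015

# --- Outbound NAT ---
# pf uses the FIRST matching nat rule, so the specific static-port rule must come
# before the general rule. static-port keeps the server's source port unchanged
# on the way out, which is what the Speedport in front of the firewall needs to
# match its own Portweiterleitung. Limit it to the forwarded service only:
# port randomization stays on for all other outbound traffic.
nat on em0 inet proto udp from 192.168.250.10 port 27015 to any -> (em0) static-port

# General outbound NAT for the VLAN (automatic/hybrid mode generates this one):
# source ports are randomized by default.
nat on em0 inet from 192.168.250.0/24 to any -> (em0)

# --- Filter rule the forward needs (the "associated rule" in the GUI) ---
# Without it the DNAT matches but the packet is dropped on WAN.
pass in quick on em0 inet proto udp from any to 192.168.250.10 port 27015 keep state
```

The return path still depends on the server using the firewall as its default gateway, as noted above: if replies leave via another gateway, the state table never sees them and the client times out even though the rdr rule matched.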