
Trying but failing to port forward


seithan:
Hi and thanks in advance for any help you provide!

Small preface: I'm new to OPNsense and how it works, but it's fortunately part of my job and, besides being supposed to manage it and expand it, I'm also pretty eager and enthusiastic to learn!

I've installed OPNsense on VMware on an old netbook (fast ethernet, USB 2.0, dual-core AMD C50 but using one core, 512MB RAM allocated), and the second machine I'm working with is a Pi4 with 8GB RAM.


Topology is everything connected to a 1Gb-port u-switch, the switch connected to the modem router.

Using the same subnet for both OPN-wan and OPN-lan, that is "Bridged Automatic" on the Netbook.
---------------

One of the things I'm trying to achieve is get VNC calls from the web, through router->OPN->clients.

Successfully port forwarded my DDNS calls from the router, with port ranges from 5900-5904 to OPNsense.

As far as I understood, by default, OPN will auto-redirect calls from its WAN-side (wan-address=192.168.1.253) to the LAN-side (lan-address=192.168.1.1), so I went ahead and created a "floating" rule as follows:

LAN, IN, IPv4, TCP/UDP,
Source:Any, Source port-range:5900-5904
Destination:192.168.1.1, Destination port-range:5900-5904
...
...

..and a NAT port forwarding:

LAN, IN, IPv4, TCP/UDP,
Source: LAN Address (I'm assuming that's the OPN-LAN interface ID, "192.168.1.1" in my case)
Port: 5901
Destination: 192.168.1.91, Destination port: 5900 (VNC)

So what I'm trying to achieve is accept any incoming calls on Port ranges 5900-5904 on the OPN-LAN address, then hold a specific port and redirect it to a specific client (on client's default VNC port, 5900).

What I get in the firewall log is Default Deny Rule.


--- Code: ---ack
action [block]
anchorname
datalen 0
dir [in]
dst 192.168.1.1
dstport 5901
ecn
id 37084
interface em0
interface_name lan
ipflags DF
ipversion 4
label Default deny rule
length 60
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 8
seq 3720540683
src 62.74.8.122
srcport 22350
subrulenr
tcpflags S
tcpopts
tos 0x0
ttl 52
urp 65535
--- End code ---

I tried a few things here and there like NAT reflection or allowing bogons, but I ended up reverting to a last known good configuration and got nowhere closer to making it work.

What am I doing wrong please?
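As an added example (not part of the thread or of OPNsense itself), a small Python matcher that checks the blocked packet from the log above against the floating pass rule and the port forward exactly as the first post describes them, and reports which rule field the packet fails. The NAT rule's port fields are left unconstrained because the post is ambiguous about them; that is an assumption.

```python
import ipaddress

# Constructed sample: the key/value fields from the log block posted above.
LOG_ENTRY = """action [block]
dir [in]
interface_name lan
protoname tcp
src 62.74.8.122
srcport 22350
dst 192.168.1.1
dstport 5901
label Default deny rule"""

# The floating pass rule and the port forward, modelled as the post describes them.
# Ports are (low, high) tuples or None for "any"; addresses are CIDR strings or "any".
PASS_RULE = {"iface": "lan", "proto": {"tcp", "udp"}, "src": "any",
             "sport": (5900, 5904), "dst": "192.168.1.1/32", "dport": (5900, 5904)}
# "Source: LAN Address" is the firewall's own LAN IP. The port fields of the post's
# NAT rule are ambiguous, so they are left unconstrained here (assumption).
NAT_RULE = {"iface": "lan", "proto": {"tcp", "udp"}, "src": "192.168.1.1/32",
            "sport": None, "dst": "any", "dport": None}

def parse_entry(text):
    """Turn 'key value' log lines into a dict, unwrapping [bracketed] values."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value.strip().strip("[]")
    return fields

def _addr_ok(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _port_ok(port, rng):
    return rng is None or rng[0] <= int(port) <= rng[1]

def rule_mismatches(pkt, rule):
    """List the rule fields the packet fails; an empty list means the rule matches."""
    checks = {
        "interface": pkt["interface_name"] == rule["iface"],
        "proto": pkt["protoname"] in rule["proto"],
        "src": _addr_ok(pkt["src"], rule["src"]),
        "srcport": _port_ok(pkt["srcport"], rule["sport"]),
        "dst": _addr_ok(pkt["dst"], rule["dst"]),
        "dstport": _port_ok(pkt["dstport"], rule["dport"]),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    pkt = parse_entry(LOG_ENTRY)
    for name, rule in (("floating pass rule", PASS_RULE), ("port forward", NAT_RULE)):
        print(f"{name}: {rule_mismatches(pkt, rule) or 'matches'}")
```

Run against the logged packet, the pass rule fails only on the source port (22350 is outside 5900-5904, since clients pick an ephemeral source port) and the port forward fails on the source address (62.74.8.122 is not the LAN address).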

seithan:
Hello again!

Sadly, I haven't solved the conundrum yet. And I guess it can't be an easy one, since nobody chimed in with a solution. Still, if there is anyone out there to provide a hint or two, I would greatly appreciate it!

I always get "default deny rule" whether I port forward from the router to the LAN address or the WAN address and then use PASS rules with NAT rules. Nothing seems to work.

sorano:
Well, I hate to be that guy but your setup is just too far from what anyone would run in a real life scenario:

WAN & LAN in the same subnet and bridged on top of that?
Virtualized on a crappy netbook with vmware workstation?  :o

Meanwhile your issue is something very basic that almost everyone manages to solve:

Port forwarding

So to answer your question, what are you doing wrong?
Your entire setup is wrong.

Start over and do it properly. Use separate subnets and non-bridged interfaces and I'm positive you will have a much better outcome.

Greelan:

--- Quote from: sorano on September 11, 2021, 08:28:18 pm ---WAN & LAN in the same subnet and bridged on top of that?
Virtualized on a crappy netbook with vmware workstation?  :o

--- End quote ---

sorano:

--- Quote from: Greelan on September 11, 2021, 11:50:58 pm ---
--- Quote from: sorano on September 11, 2021, 08:28:18 pm ---WAN & LAN in the same subnet and bridged on top of that?
Virtualized on a crappy netbook with vmware workstation?  :o

--- End quote ---


--- End quote ---

Yeah, IKR... SMH

Saddest part of it all is that it's part of his job to manage it. ???
Unlike most other people that first learn the ropes then start working with it.

Can you imagine being the guy that gets hired as his replacement, and the first thing you see when you log in on your first day at your new job is WAN & LAN bridged and in the same subnet? That's when you know you're in for a big surprise.
