Why is port forwarding not easier?

Started by theiceman, June 20, 2022, 06:56:11 PM

June 20, 2022, 06:56:11 PM Last Edit: June 20, 2022, 07:00:21 PM by theiceman
I've spent more hours in the last 2 days than I'd like to admit trying to get port forwarding to work, specifically for games. As an example, I've been trying to get the ports forwarded for Destiny 2, as these ports are well documented by Bungie as to what needs to be forwarded. I have a simple setup with one dynamic public IP on fiber to the home, a 24-port switch and a couple of WiFi access points.
I spent hours and hours creating NAT port forwarding rules and then opening the game and watching the firewall live view block every port I need under the "Default deny / state violation rule". I even installed os-upnp thinking this might work, even though I truly believed this shouldn't have to be on and I don't like it. But at this point I was willing to try anything.
Then I found what I think might have worked here: https://forum.opnsense.org/index.php?topic=8812.0 where a guy called "the forum troll" advised to set nat mode to hybrid and then add an outbound rule with a provided screenshot.
After I did this everything just magically worked. The source address field asks for a single host or network; I entered the IP I've been creating NAT rules for and it seems to have applied this outbound rule to the entire subnet.
I now open Destiny 2 and I have "open" nat type, I open my wife's stupid tablet games and everything in there loads up like it should as well (last night the game would load but some things within the games wouldn't load).
So currently I'm still running UPnP, I still have all of my port forward rules created for Destiny 2, and I have that outbound rule set up.
So can I turn off UPnP now? Do I even need the NAT rules in the screenshot attached, or is the outbound rule enough?
Also, shouldn't the default allow-all from LAN be enough to have overcome this issue? Why is the outbound NAT rule needed? And if it's needed with NAT, why isn't the default subnet added as an automatic rule?
Also, is there anything wrong with the NAT rules I've created here? I've included the rule set and opened one as an example.

Adding outbound rule screenshot for reference.

Make sure the rules are above the default deny rule.

Is the default deny rule even movable?

For inbound port forwarding you don't need anything in Firewall > Rules. Just add an entry in Firewall > NAT > Port Forwarding like this:

Interface: WAN
Source: any
Destination: WAN address
TCP/UDP and ports: as needed for application
Redirect server: your internal host, ports as needed for application

And then, a couple of lines below:

Associated firewall rule: Pass

And that's it!


HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
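A quick way to confirm that a forward created as described above actually delivers traffic to the internal host, as an added example that is not part of the thread or of OPNsense: run the listener on the internal host on the forwarded port, then call `probe()` against your public address from outside (a phone on LTE, as mentioned later in the thread). The listener echoes back the source address and port it observed, so a successful reply also tells you what the internal host sees as the client. Port numbers, the message marker and the function names are this example's own choices, not anything from the original post.

```python
"""Check whether a port forward reaches the internal host (added example).

Usage on the internal host (the "Redirect server" of the NAT rule):
    stop, port = start_listener(3074, proto="udp")   # 3074 is a hypothetical port
Usage from outside, e.g. a phone tethered on LTE:
    probe("203.0.113.10", 3074, proto="udp")         # 203.0.113.10 is a placeholder WAN IP
A dict with reached=True and the observed source means the forward works;
reached=False means the packet never arrived (or the reply never made it back).
"""
import json
import socket
import threading

# Constructed marker so stray traffic on the port is ignored.
MAGIC = b"opnsense-forward-check"


def _reply(proto, peer):
    # Report what the internal host saw as the client's address and port.
    return json.dumps({"proto": proto, "seen_from": peer[0], "seen_port": peer[1]}).encode()


def _serve_udp(sock, stop, timeout):
    sock.settimeout(0.5)  # poll so the thread notices the stop event
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            continue
        if data.startswith(MAGIC):
            sock.sendto(_reply("udp", peer), peer)
    sock.close()


def _serve_tcp(sock, stop, timeout):
    sock.settimeout(0.5)
    while not stop.is_set():
        try:
            conn, peer = sock.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(2048)
            except socket.timeout:
                continue
            if data.startswith(MAGIC):
                conn.sendall(_reply("tcp", peer))
    sock.close()


def start_listener(port, proto="udp", bind="0.0.0.0", timeout=2.0):
    """Bind on the internal host; returns (stop_event, bound_port). port=0 picks a free port."""
    if proto == "udp":
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((bind, port))
        target = _serve_udp
    elif proto == "tcp":
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((bind, port))
        sock.listen(5)
        target = _serve_tcp
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")
    stop = threading.Event()
    bound_port = sock.getsockname()[1]
    threading.Thread(target=target, args=(sock, stop, timeout), daemon=True).start()
    return stop, bound_port


def probe(host, port, proto="udp", timeout=2.0):
    """Send the marker to host:port from the outside and parse the echoed reply.

    A firewall that silently drops the packet (the "Default deny" case) shows up
    as a timeout, i.e. reached=False; a refused connection is reported the same way.
    """
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(MAGIC, (host, port))
                data, _ = s.recvfrom(2048)
        else:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(MAGIC)
                data = s.recv(2048)
    except OSError:  # includes socket.timeout and ConnectionRefusedError
        return {"reached": False}
    if not data:
        return {"reached": False}
    result = json.loads(data.decode())
    result["reached"] = True
    return result
```

If `probe()` reports reached=True but the game still shows a restricted NAT type, the inbound forward itself is fine and the remaining problem lies elsewhere, which is the situation the original poster describes.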

Quote from: pmhausen on June 20, 2022, 09:19:19 PM
For inbound port forwarding you don't need anything in Firewall > Rules. Just add an entry in Firewall > NAT > Port Forwarding like this:

Interface: WAN
Source: any
Destination: WAN address
TCP/UDP and ports: as needed for application
Redirect server: your internal host, ports as needed for application

And then, a couple of lines below:

Associated firewall rule: Pass

And that's it!


HTH,
Patrick

Thank you, the port forwarding is working, it just wasn't working in my specific case. I can open RDP and connect no problem over LTE, so it's not that. Thank you for the reply.

I do agree that port forwarding is somewhat confusing in OPNsense. I think the instructions on the setup page should have been a bit more verbose, and the defaults should have been changed.

I don't get what's confusing about NAT > Port Forwarding ... can you explain in a bit more detail?

I can give you my opinion on it.
It's not NAT> Port Forwarding that's the issue, it's the whole interface. It's just a mess. Very sloppy and confusing.

I currently use pfSense and have been since it was released, and used M0n0wall before that.
With all the uncertainty about pfSense CE, I've been thinking about making a switch.
Three times I've tried to make OPNsense my permanent firewall and I just can't make the switch to it because of the interface.
Now, you may say this is because I'm so used to pfSense and I'm not giving this a chance, but I do. I know there are differences and I'm trying to adapt to the way OPNsense does things, but there doesn't seem to be any real thought in the appearance.

With that said, yes, port forwarding is not hard at all, but if some common sense was put into the interface it would be easier.

Feel free to bash away!

I use pfsense for the exact reason. Control over the processes and configuration.

Suricata is one of them. Lots more options in the interface in pfSense, and I don't trust that OS actually works, since I haven't been caught in Suricata like I have in pfSense when I test it.

Currently using OS to toy around and to see how mature it is becoming.

And yes... M0n0Wall was great. Sorry to see it go back in the days. Manuel was awesome....

Quote from: Supermule on June 22, 2022, 06:59:10 PM
And yes... M0n0Wall was great. Sorry to see it go back in the days. Manuel was awesome....

Couldn't agree more on M0n0wall and Manuel!
In fact, the only reason I switched to pfSense was NAT redirection (called it NAT Reflection at the time).
M0n0wall was, and probably still is, the most secure firewall on the planet! And Manuel refused to add any features that would compromise that. Good for him, but I needed NAT redirection so I switched.

Also, I agree on the options... even OpenVPN, probably has half the options pfSense has. (I didn't count, just an estimate.)

@Demusman I feel exactly the other way round. I never find things in pfSense. I run OPNsense because to me the interface is a huge improvement.

Still puzzled about the port forwarding issue. You need a source address or network, a destination address, a port or port range, and then an internal redirect host. I don't see how that dialog could be improved. But then, I have been managing firewalls for 30 years now ...

Quote from: pmhausen on June 22, 2022, 04:28:19 PM
I don't get what's confusing about NAT > Port Forwarding ... can you explain in a bit more detail?

This is what is confusing to me. The most normal port forwarding task, I think (at least for me), is to forward a port directly from "the outside" to a machine on your LAN. The 3 most important settings are thus the incoming port(s), the port(s) they are to be sent to, and which IP to send them to.

First option - disable the rule: why is this first? Why isn't this at the bottom?
Second option - NO RDR: another option that should be at the bottom; the help even says it is rarely needed and shouldn't be used unless you really know what you are doing.
Interface: fair enough.
TCP/IP version: fair enough.
Protocol: fair enough.
Source Advanced: seems to me like this should be moved down. What if you press advanced and want to go back to "basic"? Impossible?
Destination-invert: should be moved down, but up for debate.
Destination: the help says nothing. Destination for what? The destination machine on my LAN perhaps? No, but not very clear, and why isn't WAN the default, and why is there no help text?
Destination port range: this seems to be useful, but what does it say, HTTP? Is this some kind of weird protocol choice? What does HTTP have to do with port forwarding? Ah, they mean port 80. Why isn't the default to input the port number? And why doesn't it at least say HTTP (Port 80) or something, so it is actually clear that this is the input of the ports?
- Redirect target IP: why can't I choose from a pulldown list of the leases here?

The rest is fine enough, but I really think the interface makes a simple task like "forward port 42101 to port 42101 on machine X" more confusing than it needs to be.

Partly agree on the ordering issue, and the help texts can definitely be improved. Destination ... well ... systems outside can't talk to your internal private address hosts. That's why you need a port forwarding NAT in the first place. So from the point of view of the systems outside, they talk to one WAN address of the firewall. And there might be a couple of them, so the admin needs to pick one.

Every firewall product I used in the last decades worked exactly this way.

Pick from leases ... well, that's a matter that has the potential to lead to heated debate. Common consumer routers like the ubiquitous (in Germany) Fritzbox do this. I for one don't want any of that. Neither do I want any DHCP lease leading to an automatic DNS entry. I hate it when random devices connected to my network create artefacts in my carefully curated DNS zone or firewall policy.
Worst of all, these products create port forwards to devices with dynamic leases and are completely non-transparent about how they address and track those devices. Device gets a new IP address - does the port forward follow? New device gets the old IP address - what now?

I really want the thought process

- ok so my son wants to run Minecraft and open it up for his friends
- that means static IP address internally
- that means DNS entry for bookkeeping
- that means firewall object (alias in OPNsense) with that IP address
- and finally port forwarding rule

That's exactly how it should be in my book. Magic automatic things like assigning a firewall rule to a dynamic lease tend to explode and make a mess at some time in the future.

Thanks for the feedback!

Patrick