Port Forward fails

Started by Tripple_Delta, May 30, 2023, 08:23:35 PM

OPNsense 22.7.11_1-amd64

I have a simple NAT forward rule so my son can make an offsite backup to my NAS.
Never had any problem with

Until now, after his IP has changed. Changed the settings in OPNsense and all I get is this error:
Default deny / state violation rule

What am I doing wrong?

If you do not show us the details of your port forward rule, it's impossible to tell.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Agree.
Here is a screenshot.

You need to navigate to Firewall > Aliases and change the IP address for Bert_Home to the one your son is using. The default deny rule log should give you the information which one is actually active.

The IP was already changed.
Actually, this is the only setting I changed.

Double check if the IP you configured matches the one reported in the live view and the default deny entry. Same for the destination port range.

Apart from that: no more ideas over the forum, sorry.

Where do I find the default deny rule entry?

Go to Firewall > Log Files > Live View

I assumed that's where you got the info that the connection hits the default deny rule. Find a denied packet to that specific port(s) and click on the (i) to the right.

This will give you all details about the connection attempt. There should be a mismatch somewhere. Possibly your son is now using a connection with carrier grade NAT and the IP address his router is showing him as "external" in reality isn't?

You might want to read into setting up a VPN connection. Just a suggestion.
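The check suggested in the post above (compare the denied live view entry with the rule's source and port range, and test whether the remote router's "external" address is really public), written out as an added example that is not part of the thread. The function names, the entry fields and all sample addresses and ports are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def classify(addr):
    """Return 'cgnat', 'private' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def check_denied(entry, rule_source, rule_ports):
    """Compare one denied entry with the port forward's source and port range."""
    problems = []
    src = ipaddress.ip_address(entry["src"])
    if src not in ipaddress.ip_network(rule_source, strict=False):
        problems.append("source")
    lo, hi = rule_ports
    if not lo <= entry["dst_port"] <= hi:
        problems.append("port")
    return problems

def diagnose(router_reported, rule_source, rule_ports, denied):
    """Return human-readable findings for the values copied from both ends."""
    report = []
    kind = classify(router_reported)
    if kind != "public":
        report.append(f"remote router reports a {kind} address ({router_reported}); "
                      "the firewall will see a different source")
    for e in denied:
        problems = check_denied(e, rule_source, rule_ports)
        where = f"{e['src']} -> port {e['dst_port']}"
        if problems:
            report.append(f"{where}: mismatch on {'/'.join(problems)}")
        else:
            report.append(f"{where}: matches source and port; recheck interface and protocol")
    return report

if __name__ == "__main__":
    # Constructed sample values (documentation addresses, hypothetical port).
    denied = [{"src": "198.51.100.77", "dst_port": 873}]
    for line in diagnose("100.72.14.9", "203.0.113.10", (873, 873), denied):
        print(line)
```
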

This is the info from live view.
No idea what's wrong.

So 192.168.1.2 is your WAN address? That's odd to say the least.

The network behind the modem is 192.168.1.x/24.
I set up a DMZ to 192.168.1.2, which is the WAN port of the OPNsense box.

There is nothing else on the 192.168.1.x network.

What I don't understand is there are more forward rules. All working well. Only that single rule, where the external IP changed, refuses to work.

Try to put the IP address into the rule verbatim instead of an alias.

I already tried this.
Also allow any on that port. No success.

Fixed. Don't ask me how.

First I changed the source to any. Works.
Next I changed the source to a network. Still working.
Narrowed it down to one IP. The settings I started with. Still working.

I don't get it.  ::)