Port Forwarding Not Working

Started by TriumphTruth, January 07, 2025, 07:59:01 PM

Hello Everyone,
I am new to OPNSense and have been trying to do port forwarding. I have followed several instructions and am struggling with it. I will describe the details of my setup below and would appreciate any help the community can provide me on this issue.

PC Specifications:
Intel N100 based Mini PC
16GB RAM
128GB SSD
Intel I266V 2.5 GBit NICs

Proxmox 8.3 Community with the following network configuration is attached.

OPNSense Configuration is also attached.

I have assigned a dynamic dns and it is working fine. Now I want to access proxmox Command center by doing port forwarding, however it is not working fine.

I am attaching how I did the Port Forwarding as well to this thread, please let me know if I am doing anything wrong.

Thanks in advance.

Destination should be "WAN address", not LAN

January 07, 2025, 08:04:21 PM #2 Last Edit: January 07, 2025, 08:07:06 PM by dseven
BTW, exposing your proxmox to the internet with no security is not recommended - it'd be better to use a reverse proxy with TLS, at least... VPN (e.g. WireGuard) better....

Quote from: dseven on January 07, 2025, 08:02:15 PM
Destination should be "WAN address", not LAN

I did this as well but still the same results. It keeps on loading. Doesn't connect to the Proxmox. It keeps on loading and then throws couldn't establish the connection as it took too long to respond.

See the updated picture below.

Quote from: dseven on January 07, 2025, 08:04:21 PM
BTW, exposing your proxmox to the internet with no security is not recommended - it'd be better to use a reverse proxy with TLS, at least... VPN (e.g. WireGuard) better....

Yes I understand your point, and I am currently working on this. But just wanted to get familiar with my new router and understand things. In my old Dlink router this was really a breeze.

Thanks.

I just noticed you have source port of 8006 - change that to "any" - also should be just TCP, not UDP

Quote from: dseven on January 07, 2025, 08:15:45 PM
I just noticed you have source port of 8006 - change that to "any" - also should be just TCP, not UDP

Brother this also didn't work. Would you like any logs from the firewall?

What do you get when you try now? It appears that proxmox's web server enforces HSTS, so you'll probably need a real certificate for the hostname that you're connecting to.

Quote from: dseven on January 07, 2025, 08:29:59 PM
What do you get when you try now? It appears that proxmox's web server enforces HSTS, so you'll probably need a real certificate for the hostname that you're connecting to.

It keeps loading and then throws the below error:

The connection has timed out

An error occurred during a connection to ****.duckdns.org:8006.

Yeah but that should show a certificate warning. I was already using it with the same domain and port with my DLink router. There was no problem in it.

Make sure that you "Apply changes" after fixing the port forward - it's easy to forget (ask how I know:). If it's still not working, you could enable logging for your port-forward (and give it a description), and check the Firewall Live Log while/after attempting to connect....

Quote from: dseven on January 07, 2025, 08:37:17 PM
Make sure that you "Apply changes" after fixing the port forward - it's easy to forget (ask how I know:). If it's still not working, you could enable logging for your port-forward (and give it a description), and check the Firewall Live Log while/after attempting to connect....

Hehehehe... I also learned it the hard way, a few days back. But rest assured, now I always click it.

How to enable logging for port forwarding? I have already given it a category and description.

Secondly, I went into the settings of firewall and there is an option. Do you think I should enable it?

Network Address Translation    
Reflection for port forwards    
When enabled, this automatically creates additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks. Individual rules may be configured to override this system setting on a per-rule basis.

In the port forward settings, check the box next to "Log" ;)

If you're trying to access your port-forward from your LAN, you will (probably) need reflection and maybe also "Automatic outbound NAT for Reflection". I assumed you were trying to access it from the internet....

Quote from: dseven on January 07, 2025, 09:03:51 PM
In the port forward settings, check the box next to "Log" ;)

If you're trying to access your port-forward from your LAN, you will (probably) need reflection and maybe also "Automatic outbound NAT for Reflection". I assumed you were trying to access it from the internet....

I did check that box, but can't find anything in the logs. Should I apply any specific filters? I don't seem to find any filter related to providing description.

Yes I am trying to access it over the internet. That is the whole point of trying to do the port forwarding. :)

Reflection isn't pertinent, then. If you don't see it in the Live Log, maybe try a packet capture on your WAN interface for port 8006 and see if you see it there.

Maybe post a screenshot of your current port forwards too.

Quote from: dseven on January 07, 2025, 09:19:17 PM
Reflection isn't pertinent, then. If you don't see it in the Live Log, maybe try a packet capture on your WAN interface for port 8006 and see if you see it there.

Maybe post a screenshot of your current port forwards too.



Let me know if you want to see an in-depth full port forwarding rule snapshot. I will take a full screen snapshot and share it with you.

If the image doesn't load, take a look at it here: https://drive.google.com/file/d/1vqm8I7Bp_gF7deq5XKZKLqHlI_zMH3QU/view?usp=sharing