Open ports on network interfaces

[Robertomcat]

All seems as it should.
As viragomann said, see in the live logs of the firewall that they are blocked or allowed. Then be sure the receiving server is not blocking the traffic.
Last resort is to recreate the NAT rule, and verifying the setting from Firewall: Settings: Advanced that you have automatic reflection for port forwards (which I think you have).

Hello, good morning. You're referring to the first checkbox in this setting, and in my case, it's disabled by default. I haven't touched anything in this section. Should I enable it then?

[cookiemonster]

Some folks really prefer full control of their rules and that means having these disabled as you have. These are the defaults: https://docs.opnsense.org/manual/firewall_settings.html#network-address-translation

The "best" course of action would be to use that document to identify the problem.
Alternatively you could consider recreating them but with the first checkbox enabled.

I suggest if you do, to make a note of exactly how you have them setup, both NAT and pass/block rules.
Then enable (tick) the first one of this list. Then recreate the NAT rules, which will create the required associated rules, unless you specifically disable it when recreating the port forward rule.

p.s. What do you have in your port forward rule for association?
NAT reflection and  Filter rule association - note please I might not understand what it says if in another language.
Mine are "Use system default" which in my case is "Reflection for port forwards" = ticked; "Automatic outbound NAT for Reflection" = ticked.
These are not what you have at the moment. Yours are disabled as per your screenshot.

[Robertomcat]

Some folks really prefer full control of their rules and that means having these disabled as you have. These are the defaults: https://docs.opnsense.org/manual/firewall_settings.html#network-address-translation

The "best" course of action would be to use that document to identify the problem.
Alternatively you could consider recreating them but with the first checkbox enabled.

I suggest if you do, to make a note of exactly how you have them setup, both NAT and pass/block rules.
Then enable (tick) the first one of this list. Then recreate the NAT rules, which will create the required associated rules, unless you specifically disable it when recreating the port forward rule.

p.s. What do you have in your port forward rule for association?
NAT reflection and  Filter rule association - note please I might not understand what it says if in another language.
Mine are "Use system default" which in my case is "Reflection for port forwards" = ticked; "Automatic outbound NAT for Reflection" = ticked.
These are not what you have at the moment. Yours are disabled as per your screenshot.

Hello, good afternoon. I've checked the two boxes you mentioned in Advanced, and I've deleted and recreated the rule. Then, within the diagnostics, there's a section I can't understand when I open the drop-down menu. Several options appear that I'm not familiar with, and I don't know if they indicate whether the rule is working or not. Although I think it's still not working.

[cookiemonster]

Ok, a couple of things for this diagnostic.
First, the general logging of rules, including NAT:

You cannot view this attachment.

Second, these settings can be overriden on a per-rule basis. So you need to check if your NAT rule has enabled or disabled logging:

You cannot view this attachment.

With logging enabled for these NAT rules, you can see the Live view if they appear and are blocked/dropped/allowed. That is Firewall > Log files > Live View.

[Robertomcat]

Ok, a couple of things for this diagnostic.
First, the general logging of rules, including NAT:

Second, these settings can be overriden on a per-rule basis. So you need to check if your NAT rule has enabled or disabled logging:

With logging enabled for these NAT rules, you can see the Live view if they appear and are blocked/dropped/allowed. That is Firewall > Log files > Live View.

In the live view, everything seems to be fine, although I don't know how to apply the block or pass filters. The problem is that the Qbittorrent software keeps showing me the orange symbol, indicating that there are no open ports.

[cookiemonster]

These seem internal when you say seem fine. You said WAN so far when taking about port forwarding "from outside". I'm beginning to wonder:
1) is your WAN on a public IP, routable on the internet, or is your WAN on an RFC1918 ip?
2) are you trying to port forward between internal networks i.e from LAN1 to LAN2 ?

[Robertomcat]

These seem internal when you say seem fine. You said WAN so far when taking about port forwarding "from outside". I'm beginning to wonder:
1) is your WAN on a public IP, routable on the internet, or is your WAN on an RFC1918 ip?
2) are you trying to port forward between internal networks i.e from LAN1 to LAN2 ?

My IP address is public, provided by my Internet Service Provider. And regarding the port forwarding you mentioned, I only want to open the ports to the outside, not between internal networks.

[cookiemonster]

ok that clears that. Right back where we were then. Is good.
So, are the rules now working correctly and the traffic hitting your server?
Edit: if you aren't sure about this question, how about you create a separate port-forward rule to a different port that you can verify. Say ssh for instance so you can hit it with a laptop from a mobile phone connection. Something like that. The idea being to verify the port forward rules "work" when setup, and the problem gets to focus on the application side.

[Robertomcat]

ok that clears that. Right back where we were then. Is good.
So, are the rules now working correctly and the traffic hitting your server?

I can see it's not working because qbittorrent keeps telling me the ports aren't open, and I've restarted the software and the server. Like PLEX, it still tells me there's no external access. I don't know where the real solution is.

[cookiemonster]

See my edit. You want to see where the problem is along the network path. Elimination process.

[Robertomcat]

ok that clears that. Right back where we were then. Is good.
So, are the rules now working correctly and the traffic hitting your server?

I can see it's not working because qbittorrent keeps telling me the ports aren't open, and I've restarted the software and the server. Like PLEX, it still tells me there's no external access. I don't know where the real solution is.

Well, I've disabled all the rules I created in the MQL5 network (except the one created by default when the network is created) and I still don't have access. The WAN rules were created correctly when the NATs were created. Something higher up couldn't access them. I've tried it with PowerShell, but it won't let me. I've also used an online service to test the port, but it says it's closed, and I've tried 80 and 8080, and it says they're also closed. I'm not sure I can trust this online test, but hey... It might indicate something.

[cookiemonster]

Ok - you can test with 80 and 8080 on the same destination server then, good.
PLease use that traffic to check logs on your OPN firewall. If you port forward port 80 or 8080 for instance and enable logging in the rule, you must be able to see it on the Live view. The point is to be sure you are able to see it (the traffic), then see if if it gets blocked or passed.

[cookiemonster]

I don't know if I'm the one confused with your tests to be honest.
Your goal: to reach ports 55432 and plex(plex_port) from the WAN through OPN to the LAN server hosting those ports. That part I get.

Screenshot above. You seem to have tested from 192.168.1.200. Your target is 192.168.10.55 so that is not a test _through_ the WAN, so it won't test the NAT port forward. So unless you are trying to test another intra-interface flow, I'm not sure it helps.

The screenshot with the Live view with most blue lines. Those are all OUT flows from 192.168.10.55 and others. They suggest going out to WAN, that's expected. You haven't included or I can't see more than that i.e. destination. However, they seem to be redirected. I was not expecting that. Why would the flow OUT be redirected? Do you have other NAT or outbound rules perhaps?

[Robertomcat]

Your goal: to reach ports 55432 and plex(plex_port) from the WAN through OPN to the LAN server hosting those ports. That part I get.

The goal is to be able to access an HP ML110 server from the outside, which has the IP address 192.168.10.55, within the internal network called MQL5 (I have other internal networks called LAN and Wifi). And to open the specific port 55432 for qbittorrent and 46837 for plex. These two rules are created in the NAT and automatically on the WAN.

Screenshot above. You seem to have tested from 192.168.1.200. Your target is 192.168.10.55 so that is not a test _through_ the WAN, so it won't test the NAT port forward. So unless you are trying to test another intra-interface flow, I'm not sure it helps.

What's shaded in the screenshot is my IP address provided by my ISP, and I've run the command with that IP address along with port 55432, but since I'm no expert, I've probably done it wrong.

The screenshot with the Live view with most blue lines. Those are all OUT flows from 192.168.10.55 and others. They suggest going out to WAN, that's expected. You haven't included or I can't see more than that i.e. destination. However, they seem to be redirected. I was not expecting that. Why would the flow OUT be redirected? Do you have other NAT or outbound rules perhaps?

And regarding this last question, as I indicated in the first answer, there are two NAT rules created; I have no other rules. I've also disabled the DNS Blacklist, but I don't think this affects the problem I'm having. I'm attaching another screenshot of the live view, in case you can glean anything. Thank you.

[cookiemonster]

The goal is to be able to access an HP ML110 server from the outside, which has the IP address 192.168.10.55, within the internal network called MQL5 (I have other internal networks called LAN and Wifi). And to open the specific port 55432 for qbittorrent and 46837 for plex. These two rules are created in the NAT and automatically on the WAN.

Right or wrong, looks a bit like this in my head. If yes, that's OK, all clear.
ISP -- WAN --- MQL5 --- ML110 (192.168.10.55)
                          --- MACHINE 2 (192.168.10.AA - port 55432)
                          --- MACHINE 3 (192.168.10.BB - port 46837)

Quote from: cookiemonster on Today at 06:30:21 PM
Screenshot above. You seem to have tested from 192.168.1.200. Your target is 192.168.10.55 so that is not a test _through_ the WAN, so it won't test the NAT port forward. So unless you are trying to test another intra-interface flow, I'm not sure it helps.

What's shaded in the screenshot is my IP address provided by my ISP, and I've run the command with that IP address along with port 55432, but since I'm no expert, I've probably done it wrong.

Respectfully, this makes no sense yet. Your ISP can not give you an ip of 192.168.1.200; that is an internal ip address, one in your network(s). You will be able to see this in Interfaces > Overview. There you'll have the actual ip issued by your ISP assigned to WAN.
Can you share those assignments with a screenshot? Mask your WAN ip if you're uncomfortable showing it.
To reiterate: port forward from WAN to an internal LAN (regardless of its name) can only be tested from outside.
What I am trying to do is to help you not verify why your torrenting or whatever is not working, but to first verify that your port forward nat and associated rule works. When that happens, you can concentrate in the torrent or whatever.
Why? Because it can be your seeding thing can block your client, can block your ip address, etc.
To this end, I am suggesting to test the port forwards by putting some traffic across the rules to see where they stop. Makes sense?
So if you test NOT from the outside, you haven't proven the rules are the problem.