Forward local port to WAN Bridge

Started by teclab, January 15, 2026, 05:40:21 PM

Dear community,

my fiber bridge does have a second IP for local configuration web interface: 192.168.33.1
For this I configured a virtual IP (IP alias) on the WAN interface. Ok - this works.

From the LAN side I can only reach it when doing a port forwarding using ssh (ssh -L 88:192.168.33.1:80 root@opnsense).
When configuring a Firewall-NAT-Port forwarding I am failing:
LAN1 TCP * * This Firewall 88 192.168.33.1 80 (HTTP)
Also tried a firewall rule:
IPv4 TCP LAN1 net * * 88 * * Glasfaser Modem
But nothing helps.

Any ideas welcome. Thx!



You only need an outbound NAT rule on the WAN interface:
destination: 192.168.33.1/32
translation: virtual WAN IP

Configured it:

Interface  Source    Source Port  Destination    Destination Port  NAT Address      NAT Port  Static Port  Description
WAN        LAN1 net  tcp/*        This Firewall  tcp/88            192.168.33.1/32  80        NO

But getting a timeout when opening http://opensense:88


This is not, what I suggested.
Your rule translates the source address to the modem's IP (192.168.33.1) and the source port to 80?

Quote from: teclab on January 15, 2026, 08:37:33 PMBut getting a timeout when opening http://opensense:88
So this is expected.

Just obey the suggestion and access the device by its IP then.

Quote from: viragomann on January 15, 2026, 08:43:36 PM... and access the device by its IP then.

I am not accessing the modem by its IP. I need to http to OPNsense on port 88, and from there forward to the modem 192.168.33.1 on port 80.
That's why I gave this example:

From my desktop PC I do:
ssh -L 88:192.168.33.1:80 root@opnsense
And then doing http://opnsense:88 I get forwarded to the modem.

Sorry, but I did not want to "disobey" you *lol* ... I might not have understood it properly ...



But if you correctly NAT on the interface you can just use http://<ip of modem> without SSH or anything.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: teclab on January 15, 2026, 10:24:04 PMfrom there forward to the modem 192.168.33.1 on port 80.
And what's the sense of forwarding the traffic?

Quote from: Patrick M. Hausen on January 15, 2026, 10:26:49 PMBut if you correctly NAT ...

Yes that's what I was trying, but failing (as written in my initial post).

January 17, 2026, 07:06:26 PM #8 Last Edit: January 17, 2026, 07:28:19 PM by teclab
Quote from: viragomann on January 15, 2026, 10:34:09 PMAnd what's the sense of forwarding the traffic?

As posted in my first message, my fiber bridge does have a local IP for maintenance - on the same physical port.
This is on the WAN side:

FiberBridge  <->  WAN  <->  OPNsense  <->  LAN

So from LAN I wanted to NAT to the Fiber Bridge.



Quote from: teclab on January 15, 2026, 10:24:04 PMFrom my desktop PC I do:
ssh -L 88:192.168.33.1:80 root@opnsense
And then doing http://opnsense:88 I get forwarded to the modem.
I see. So you want to tunnel the traffic through SSH for security reasons or whatever.

But I don't think that this will be doable. I don't think that OPNsense gets the tunnelled traffic in on any interface which can be used for port forwarding. I assume it enters the machine on localhost, but this is not available in a port forwarding rule.

You investigate this by running packet capture on the LAN and on loopback.

Quote from: viragomann on January 17, 2026, 07:54:26 PM... you want to tunnel the traffic through SSH for security reasons or whatever.
No, this is only the workaround.

Quote from: viragomann on January 17, 2026, 07:54:26 PMI don't think that OPNsense gets the tunnelled traffic in on any interface which can be used for port forwarding. I assume it enters the machine on localhost, but this is not available in a port forwarding rule.
Not quite sure if we are on the same page? Every connection enters on the localhost, that's what port forwarding is for.

I already setup NAT from WAN to a local machine behind. This works OK.
But now I thought about setting up NAT from LAN to WAN (but on the IP alias).

Quote from: teclab on January 18, 2026, 05:04:08 PM
Quote... you want to tunnel the traffic through SSH for security reasons or whatever.
No, this is only the workaround.

Not quite sure if we are on the same page?
No. Then I don't get why you want to forward the traffic to the modem.
Just access it using its IP. OPNsense is a router and will route the traffic properly.

Quote from: viragomann on January 18, 2026, 05:09:23 PMJust access it using its IP. OPNsense is a router and will route the traffic properly.
This does not work. No it does not.
LAN and IP Bridge are on different network.

I made a drawing to help make things more clear.

If you did the suggested configuration it should work, provided that OPNsense is the default gateway on the PC.

Again the steps.

Virtual IP:
You added a virtual IP (IP alias) to the OPNsense WAN, say 192.168.33.10.

Outbound NAT rule:
Firewall: NAT: Outbound > "Hybrid outbound NAT rule generation" enabled
Add a rule:
Interface: WAN
Source: LAN net
destination: 192.168.33.1 (modem)
translation: virtual IP

This changes the outbound NAT behavior only for the stated destination. All other traffic will be natted to the primary WAN IP.

Access the modem by http://192.168.33.1 or whatever protocol it supports.

OPNsense will normally route the traffic to the modem. Due to the outbound NAT, the modem sees access coming from the virtual IP and responds to it properly.
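
A small model of the outbound NAT step described above, added here as an example and not taken from this thread or from OPNsense itself. It assumes a LAN net of 192.168.1.0/24, a primary WAN IP of 203.0.113.2, the virtual IP 192.168.33.10 from the post, and that the modem only has a route to 192.168.33.0/24, which is why a LAN or primary-WAN source address never gets a reply:

```python
# Added example (not from the thread): models OPNsense/pf outbound NAT with
# the "hybrid" rule order for reaching the modem's management IP.
# Assumed values: LAN net 192.168.1.0/24, PC 192.168.1.50, primary WAN IP
# 203.0.113.2, virtual IP 192.168.33.10 on WAN, modem 192.168.33.1 which
# only knows its own /24 and has no route back to the LAN or the WAN net.
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")
WAN_PRIMARY = ip_address("203.0.113.2")
VIRTUAL_IP = ip_address("192.168.33.10")
MODEM = ip_address("192.168.33.1")

# Destinations the modem's management stack can send replies to.
MODEM_ROUTES = [ip_network("192.168.33.0/24")]

# Outbound NAT rules on WAN, first match wins. Hybrid mode: the manual rule
# for the modem comes first, then the automatic "everything else to the
# primary WAN IP" rule that OPNsense generates on its own.
OUTBOUND_NAT = [
    {"src": LAN_NET, "dst": ip_network("192.168.33.1/32"), "to": VIRTUAL_IP},
    {"src": LAN_NET, "dst": ip_network("0.0.0.0/0"), "to": WAN_PRIMARY},
]

# The automatic rule alone, i.e. what you get without the manual rule.
AUTO_ONLY = OUTBOUND_NAT[1:]


def outbound_nat(src, dst, rules=OUTBOUND_NAT):
    """Return the source address a packet leaves WAN with."""
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            return rule["to"]
    return src  # no rule matched: packet leaves untranslated


def modem_can_reply(reply_dst):
    """True if the modem has a route for the address it must answer to."""
    return any(reply_dst in net for net in MODEM_ROUTES)


def reach_modem(src, rules=OUTBOUND_NAT):
    """Simulate PC -> modem:80; return (address the modem sees, reply ok)."""
    seen_by_modem = outbound_nat(src, MODEM, rules)
    return seen_by_modem, modem_can_reply(seen_by_modem)


if __name__ == "__main__":
    pc = ip_address("192.168.1.50")
    print("with manual rule:", reach_modem(pc))        # (192.168.33.10, True)
    print("auto rule only:  ", reach_modem(pc, AUTO_ONLY))  # (203.0.113.2, False)
```

The second call shows the failure mode: without the manual rule the modem sees the primary WAN address, for which it has no return route, so the connection times out.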

I tried two versions, both failing.
(I am having difficulty understanding translation/destination).