Forward local port to WAN Bridge

Started by teclab, January 15, 2026, 05:40:21 PM

You need an OUTBOUND NAT rule on your WAN interface, not a port forward. No destination port, no translation port, just NAT all outbound traffic towards the modem to the alias address.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Guys, I appreciate your support. But searching for 'outbound' I find:
Quote: Outbound NAT (Network Address Translation) changes the source IP address of traffic leaving a private local network (like your home or business network) to a public IP address as it goes out to the internet, allowing multiple devices to share one public IP and enabling internet access.

Why do I want to change (hide) the source IP?

I only wanted to reach a single IP on a single port on the WAN side. What's wrong with port mapping?

January 18, 2026, 07:12:52 PM #17 Last Edit: January 18, 2026, 07:16:09 PM by Patrick M. Hausen
Quote from: teclab on January 18, 2026, 06:45:12 PM: Why do I want to change (hide) the source IP?

Because your modem does not know how to reach your source IP. So you NAT to an IP in the same network.

Quote from: teclab on January 18, 2026, 06:45:12 PM: What's wrong with port mapping?

It doesn't work the way you think it works. With outbound NAT you can reach your modem.

Or spend more pointless hours. You do you.

Quote from: teclab on January 18, 2026, 06:45:12 PM: Why do I want to change (hide) the source IP?
The original source IP is from your PC in the LAN. So it's something in 10.x.x.x.

When you access the modem from this IP, it will send responses back to it.
However, as Patrick mentioned, your modem doesn't know that this is behind the OPNsense and therefore it will send the response to its default gateway, which might be somewhere on your ISP's site.

With the suggested outbound NAT rule, OPNsense translates the source IP of the respective traffic into its own virtual IP, which is in the same subnet as the modem and hence it can send back responses properly.

January 18, 2026, 08:20:26 PM #19 Last Edit: January 18, 2026, 08:27:24 PM by teclab
deleted

I did what Patrick suggested and could reach my modem. Unfortunately, there are two side effects:

  • The WAN network 192.168.33.x was exposed to my private local 10.10.x.x network.
  • Internet did not work any more!!

That's not what I was trying to achieve. I do not want to expose 192.168.x.x in my 10.10.x.x network.

Quote from: teclab on January 18, 2026, 08:33:33 PM: The WAN network 192.168.33.x was exposed to my private local 10.10.x.x network.
You want to access it from 10.x.x.x. So yes, it's accessible.
However, you can ever limit the access to certain LANs or IP addresses by firewall rules.
Just add a rule on the respective internal interface to allow the desired access, followed by a block rule for destination of modem subnet.

Quote from: teclab on January 18, 2026, 08:33:33 PM: Internet did not work any more!!
So you might have done something wrong.
Is the outbound NAT in hybrid mode?
Did you limit the destination in the NAT rule to the modem IP or subnet?

Quote from: viragomann on January 18, 2026, 08:40:52 PM: Did you limit the destination in the NAT rule to the modem IP or subnet?
I did it as Patrick suggested without destination and translation.
But now I tried 192.168.33.1/32 as Destination and have both working! Hurray!

Thank you all for your help and patience!!

Quote from: teclab on January 18, 2026, 08:50:52 PM: I did it as Patrick suggested without destination and translation.
You didn't read his post carefully. He just suggested to not state ports.

Indeed, I am sorry Patrick.
Today I learned a lot!
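
An added example, not part of the thread or of OPNsense's own code: a small Python model of the two points discussed above, why the modem only answers a source inside its own subnet and why the outbound NAT rule needs the modem as its destination. All addresses other than 192.168.33.1/32 are constructed, and the model assumes that hybrid mode evaluates manual rules before the automatic ones.

```python
import ipaddress as ip

# Constructed values; the thread only gives 10.10.x.x, 192.168.33.x and 192.168.33.1/32.
MODEM = ip.ip_interface("192.168.33.1/24")     # /24 mask is an assumption
WAN_ALIAS = ip.ip_address("192.168.33.2")      # hypothetical virtual IP on the OPNsense WAN
PUBLIC_IP = ip.ip_address("203.0.113.10")      # hypothetical ISP-assigned WAN address
LAN_PC = ip.ip_address("10.10.0.5")            # hypothetical LAN client
INTERNET_HOST = ip.ip_address("198.51.100.7")  # hypothetical Internet server

# A manual rule is (destination network or None for "any", translation address).
RULE_NO_DEST = [(None, WAN_ALIAS)]
RULE_SCOPED = [(ip.ip_network("192.168.33.1/32"), WAN_ALIAS)]

def modem_reply_path(reply_dst):
    """The modem answers on-link only if the address is inside its own subnet."""
    return "on-link" if reply_dst in MODEM.network else "default-gateway"

def outbound_nat(dst, manual_rules):
    """Hybrid mode: first matching manual rule wins, else automatic NAT to the WAN address."""
    for rule_dst, translate_to in manual_rules:
        if rule_dst is None or dst in rule_dst:
            return translate_to
    return PUBLIC_IP

def reply_comes_back(dst, manual_rules):
    """Does a reply to traffic from LAN_PC to dst find its way back to OPNsense?"""
    seen_src = outbound_nat(dst, manual_rules)
    if dst == MODEM.ip:
        return modem_reply_path(seen_src) == "on-link"
    return seen_src == PUBLIC_IP  # Internet hosts cannot route replies to a private source

if __name__ == "__main__":
    print("un-NATed reply to", LAN_PC, "->", modem_reply_path(LAN_PC))
    for name, rules in (("no destination", RULE_NO_DEST), ("192.168.33.1/32", RULE_SCOPED)):
        print(name, "modem:", reply_comes_back(MODEM.ip, rules),
              "internet:", reply_comes_back(INTERNET_HOST, rules))
```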