Port Forwarding configuration works for IPv6 but not IPv4

Started by ipsi, February 20, 2026, 12:41:33 AM

Hey folks, this is a bit of an odd one. I'm running OPNsense 25.7.11_9-amd64 community edition, and I've run into an issue forwarding HTTP/HTTPS ports to my Caddy server. Environment details:

  • I only have a single WAN interface
  • When attempting to connect externally via cURL & IPv4, I get a timeout error.
  • OPNsense is running on dedicated hardware
  • There are two switches between the OPNsense box and any end devices.
  • I've got a Windows machine running on VLAN 0, which I use for internal testing
  • The Caddy server is on VLAN 20
  • All requests are therefore routed through OPNsense, the only difference being whether port forwarding is involved or not.
  • IPv4 and IPv6 work just fine internally, I only have issues when connecting from the outside, so the server is functioning just fine.
  • I've got Wireguard configured on the OPNsense box, and I can connect to that via IPv4 just fine.
  • External testing is done by tethering my laptop to my phone, no VPN involved.
  • I can connect to the server via IPv6 just fine, both external and internal.
  • I have restarted the box, so it's definitely persistent configuration.

I've attached screenshots of the HTTPS Port Forward configuration, and the alias in use. HTTP is the same, just changed the port.

I did a traffic capture on the IPv4 traffic, and I've attached a screenshot of that as well. It suggests that there's some sort of issue sending the ACK packet back to the client. I've attached the IPv6 version for comparison.

What's driving me up the wall is that the configuration is exactly the same for both IPv6 and IPv4, since I'm using an alias and a single Port Forward configuration!

I suspect this is a result of some dodgy configuration / testing that I've done in the past, but I'm just not sure where to look to figure out what I've done, and what I need to do to fix this. I'm reluctant to wipe my configuration without understanding that in case it comes back with my restored config.

If anyone has any suggestions on what I can do to fix this, I'd very much appreciate that!

Look at your WAN IPv4. Does it start with 100? Also, start this command from a CLI from your OpnSense box:

curl -4 ifconfig.me
If either your WAN IPv4 starts with 100 or the WAN IPv4 differs from what the command shows you (or both), you probably have a CG/NAT aka DS-Lite connection. With that, your ISP does not give you a routeable IPv4, but translates your WAN IPv4 via NAT to a routeable IPv4 that is used outside of the provider network.

Therefore, you share your "outside" IPv4 with many other customers. This is a case of double-NAT, where your ISP would have to create a port-forwarding rule for you, which he doesn't. So, if you find yourself in that situation, you cannot port-forward IPv4 and must find other means for outside-in access, like IPv6-only or create a tunnel connection (e.g. via Cloudflare or a VPN to a cloud instance that provides IPv4). Some ISPs also offer "real" IPv4 for a fee.

This is now also covered here, point 31.


Forget that, it does not apply to you. You cannot port-forward IPv4 and IPv6 at once, because the redirect destinations must be either IPv4 for IPv4 and IPv6 for IPv6. You cannot port-forward IPv6 to an IPv4 address, much less to a set of IP adresses for your firewall via "This Firewall". You must specify one (and just one) specific IP and you normally need two separate rules. That being said, maybe the combined rule would work with "LAN address" as the redirection target.

For IPv4, you can use 127.0.0.1 or any (V)LAN interface IP, for which there are specific aliases as well (like "LAN address"). For IPv6, you cannot use ::1, and you also cannot use the link-local IPv6s. I always use a ULA virtual IP for that or also "LAN address". As a matter of fact, I never use IPv6 port-forwarding on OpnSense itself, but only open the ports directly with firewall rules.

For HTTPS, I use a reverse proxy, because then you can also use name-based redirection. There are guides on how to do that via Caddy or HAproxy in the tutorial section.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
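As an added example (not code from the thread, nor from OPNsense), here is the CGNAT check from the reply above as a small POSIX shell script: it tests whether the WAN address sits in the RFC 6598 shared range 100.64.0.0/10 (stricter than "starts with 100") and compares it with the address an outside service such as ifconfig.me reports. All sample addresses in it are constructed.

```shell
#!/bin/sh
# Added example: classify an OPNsense WAN IPv4 address as direct, CGNAT
# (RFC 6598, 100.64.0.0/10) or double-NAT, given the address seen from
# outside (what "curl -4 ifconfig.me" prints). Sample values are constructed.

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 lies in 100.64.0.0/10. Only the first ten bits matter:
# first octet 100, second octet 64..127 (100.0.x.x is NOT CGNAT space).
is_cgnat() {
  is_ipv4 "$1" || return 1
  first=${1%%.*}
  rest=${1#*.}
  second=${rest%%.*}
  [ "$first" -eq 100 ] && [ "$second" -ge 64 ] && [ "$second" -le 127 ]
}

# $1: address OPNsense shows on its WAN interface
# $2: address an outside service reports for you
# Prints one of: direct, cgnat, double-nat, invalid
classify_wan() {
  wan=$1; public=$2
  is_ipv4 "$wan" && is_ipv4 "$public" || { echo invalid; return 1; }
  if is_cgnat "$wan"; then
    echo cgnat            # ISP NAT: inbound IPv4 port forwards cannot work
  elif [ "$wan" != "$public" ]; then
    echo double-nat       # another router (e.g. an ISP box) NATs in front of you
  else
    echo direct           # WAN address is the public one; forwards can work
  fi
}

# Usage on the firewall itself, with WAN_IP taken from the interface overview:
#   classify_wan "$WAN_IP" "$(curl -4 -s ifconfig.me)"
```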

Quote from: meyergru on February 20, 2026, 08:57:47 AM
"I never use IPv6 port-forwarding on OpnSense itself, but only open the ports directly with firewall rules."

Since IPv6 finally lets us avoid NAT Port Forwarding, I kind of expected that everyone with a working IPv6 connection on their WAN does that?!

Still no IPv6 here so I have no way to test it either...

But when I would need to, let's say, make sure some kind of gaming-related server is available via both IPv4 and IPv6, isn't it a simple matter of:
- Create a NAT Port Forward so it's available via IPv4.
This will also create a Firewall IPv4 Allow Rule automatically or at least it can IIRC.
- Create a Firewall IPv6 Allow Rule so it's available via IPv6.

And that's it?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: meyergru on February 20, 2026, 08:57:47 AM
"I always use a ULA virtual IP for that or also "LAN address". As a matter of fact, I never use IPv6 port-forwarding on OpnSense itself, but only open the ports directly with firewall rules."

Yeah, that's the overall plan, I'm just quite limited in IPv6 subnets unless I purchase my own Fritz!Box (Thanks Vodafone...), so I've experimented with a few different approaches.

Unfortunately, even if I change the configuration to be IPv4-only for both HTTP & HTTPS, I still see the same behaviour where it doesn't work externally. I have no other IPv6 port forwards apart from these two. I've also changed the port for the OPNsense Web UI to 8443 *and* bound it to the LAN address only, but that didn't have any effect. Like I said, it's a bit odd, and I'm pretty stumped at this point!

The problem is that you cannot use "This Firewall" as redirection target IP, regardless of IPv4 or IPv6. "This Firewall" is not a SINGLE address.

Imagine you say "192.168.10.1, 192.168.20.1" there. What does that mean? Use ONE single IP there.

FML, I think I've solved it - it was the Fritz!Box, it just needed a restart. First time I've had this specific problem with it, so that's fun. On the plus side, I can now confirm that you can do an IPv4+IPv6 port-forward with a single rule, you just need to use an alias with both IP types as the target.