
[SOLVED] Port forwarding, internal server to external port


Newbiewifi:
Hi
I'm confused with port forwarding, I've read up and it worked in the beginning. I've made too many changes and it is a live system, so I can't mess around too much.
It doesn't work now.
I need to access an http server from outside (WAN) and also internally as well.
It has a fixed IP address on the LAN.

I've tried using an alias but it doesn't work.

I would be grateful if someone could give some simple instructions.

Thank you


BertM:
Hi Newbiewifi,

If I understand correctly, on your internal LAN you have a web server running a website (for example www.mysite.com).
The webserver has a fixed IP address on the LAN, and you want to access it by its name, both from the outside and the inside network.

An alias is not going to help you, because these are only used to make your config easier to read for humans.

But here is an example that will work.
I don't know how much experience you have with configuring network things, so I will try to keep this as simple as possible and explain in detail.

First let's make some assumptions:

* Your external IP address is 123.45.67.89
* Your LAN interface is configured as 192.168.10.1/24
* Your webserver running HTTP (port 80) and HTTPS (port 443) lives at address 192.168.10.30
* You are the owner of the domain mysite.com and the URL for your webserver is www.mysite.com
* In external DNS, you have an A record for www.mysite.com pointing to 123.45.67.89 (your external IP address)

Here is what you have to do:

Configure aliases to make your config more readable.

* Click Firewall ==> Aliases ==> View
* Click the "Add a new alias" button
* Enter the following info:
   Type: Host(s)
   Name: Webserver
   Description: The webserver host
   Host(s): 192.168.10.30
   Description: Webserver IP address
* Click Save
* Click the "Add a new alias" button again
* Enter the following info:
   Type: Port(s)
   Name: Websrv_Ports
   Description: The webserver Ports
   Port(s): 80
   Description: HTTP port
* Click the plus sign to add another line and enter the following information
   Port(s): 443
   Description: HTTPS port
* Click Save and Apply Settings

If you are forwarding both port 80 (HTTP) and port 443 (HTTPS), you want to set the port for the web gui of your OPNsense to another port, for example port 440.
In that case you will access the web gui of OPNsense like https://yourIPaddress:440

* Click System ==> Settings ==> Administration
* Enter 440 in the TCP port field
* Click Save

The OPNsense web gui will automatically reconnect in 20 seconds, using the new port.

Add the port forwarding rule to send any incoming HTTP and HTTPS traffic to your webserver.

* Click Firewall ==> NAT ==> Port Forward
* Click the Add button to add a new Port Forward rule
* Select the following information
   Interface: WAN
   TCP/IP version: IPv4
   Protocol: TCP
   Destination: WAN Address
   Port range: From: Websrv_Ports To: Websrv_Ports
   (You can select that from the dropdown because you created the alias)
   Redirect target IP: Webserver (again, you can select that because you created the alias)
   Redirect target ports: Websrv_Ports
   NAT reflection: Enable (Pure NAT)
   Filter rule association: Add associated filter rule
* Click Save and Apply Settings.

This will do what you want to achieve.

* The external DNS server will resolve www.mysite.com to your external IP address.
* The NAT/PortForward rule will forward this to your webserver.
* If internally www.mysite.com is also resolved to your external IP address, NAT Reflection will send this outgoing traffic back inside towards your webserver.

I hope this info helps.

Kind regards,
Bert

Newbiewifi:
Thank you.

It's working now.

Ciprian:

--- Quote from: BertM on October 19, 2017, 04:56:11 pm ---Hi Newbiewifi,

--- End quote ---

Very nice and helpful writing, you have my ”applaud”! :)

jl_678:
Update: I solved this using a DNS override.  It worked very well and so I am not worried about the fact that this one did not.  My solution is in this thread.

Hi,

Unfortunately, this solution does not work for me.  I followed the instructions exactly and find that the browser times out accessing the public URL while inside the firewall. I am not sure what I am doing wrong since I followed the directions exactly.

Quick update: the external rule works as I can access the web server externally without a problem.
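
Added example, not part of any post in this thread and not OPNsense code: a simplified Python model of the packet flow behind BertM's port forward, NAT reflection, and the DNS override mentioned above, using the addresses from BertM's assumptions. The client addresses, the function names and the `reflect_snat` option (source NAT applied to reflected LAN traffic) are assumptions made for illustration, and the model assumes the internal client sits on the same /24 as the web server.

```python
import ipaddress

# Addresses from the assumptions in BertM's post; client IPs used with this
# model are constructed sample values.
WAN_IP = "123.45.67.89"
LAN_IP = "192.168.10.1"
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
WEBSERVER = "192.168.10.30"
WEBSRV_PORTS = {80, 443}


def on_lan(ip):
    return ipaddress.ip_address(ip) in LAN_NET


def resolve(client, dns_override=False):
    """Address www.mysite.com resolves to for this client."""
    return WEBSERVER if dns_override and on_lan(client) else WAN_IP


def server_view(src, dst, dport, reflect_snat=False):
    """(source, destination) the web server sees for a SYN, or None if undelivered."""
    if dport not in WEBSRV_PORTS:
        return None
    if dst == WEBSERVER:                 # direct LAN access, no NAT involved
        return (src, dst) if on_lan(src) else None
    if dst != WAN_IP:
        return None
    if on_lan(src) and reflect_snat:     # assumed option: source-NAT reflected traffic
        src = LAN_IP
    return (src, WEBSERVER)              # port forward / reflection rewrites destination


def connects(client, dport, dns_override=False, reflect_snat=False):
    """True if the reply comes back from the address the client connected to."""
    dst = resolve(client, dns_override)
    view = server_view(client, dst, dport, reflect_snat)
    if view is None:
        return False
    reply_to, server = view
    # Replies to a LAN host go out directly on the LAN segment; only replies
    # that pass through the firewall get the original destination restored.
    via_firewall = reply_to == LAN_IP or not on_lan(reply_to)
    reply_src = dst if via_firewall else server
    return reply_src == dst
```

In this model an external client and a LAN client using a DNS override both connect, while a same-subnet LAN client going through reflection only connects when the reflected traffic is also source-NATed, because otherwise the server's reply bypasses the firewall and arrives from an address the client never contacted.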
