[SOLVED] Port forwarding, internal server to external port

Started by Newbiewifi, October 12, 2017, 08:25:32 PM

Hi
I'm confused with port forwarding. I've read up and it worked in the beginning. I've made too many changes and it is a live system, so I can't mess around too much.
It doesn't work now.
I need to access an http server from outside (WAN) and also internally as well.
It has a fixed IP address on the LAN.

I've tried using alias but it doesn't work.

I would be grateful if someone could give some simple instructions.

Thank you


October 19, 2017, 04:56:11 PM #1 Last Edit: October 23, 2017, 04:32:54 PM by BertM
Hi Newbiewifi,

If I understand correctly, on your internal LAN you have a web server running a website (for example www.mysite.com).
The webserver has a fixed IP address on the LAN, and you want to access it by its name, both from the outside and the inside network.

An alias is not going to help you, because these are only used to make your config easier to read for humans.

But here is an example that will work.
I don't know how much experience you have with configuring network things, so I will try to keep this as simple as possible and explain it in detail.

First let's make some assumptions:

  • Your external IP address is 123.45.67.89
  • Your LAN interface is configured as 192.168.10.1/24
  • Your webserver running HTTP (port 80) and HTTPS (port 443) lives at address 192.168.10.30
  • You are the owner of the domain mysite.com and the URL for your webserver is www.mysite.com
  • In external DNS, you have an A record for www.mysite.com pointing to 123.45.67.89 (your external IP address)

Here is what you have to do:

Configure aliases to make your config more readable.

  • Click Firewall ==> Aliases ==> View
  • Click the "Add a new alias" button
  • Enter the following info:
       Type: Host(s)
       Name: Webserver
       Description: The webserver host
       Host(s): 192.168.10.30
       Description: Webserver IP address
  • Click Save
  • Click the "Add a new alias" button again
  • Enter the following info:
       Type: Port(s)
       Name: Websrv_Ports
       Description: The webserver Ports
       Port(s): 80
       Description: HTTP port
  • Click the plus sign to add another line and enter the following information
       Port(s): 443
       Description: HTTPS port
  • Click Save and Apply Settings

If you are forwarding both port 80 (HTTP) and port 443 (HTTPS), you want to set the port for the web gui of your OPNsense to another port, for example port 440.
In that case you will access the web gui of OPNsense like https://yourIPaddress:440

  • Click System ==> Settings ==> Administration
  • Enter 440 in the TCP port field
  • Click Save
The OPNsense web gui will automatically reconnect in 20 seconds, using the new port.

Add the port forwarding rule to send any incoming HTTP and HTTPS traffic to your webserver.

  • Click Firewall ==> NAT ==> Port Forward
  • Click the Add button to add a new Port Forward rule
  • Select the following information
       Interface: WAN
       TCP/IP version: IPv4
       Protocol: TCP
       Destination: WAN Address
       Port range: From: Websrv_Ports To: Websrv_Ports
      (You can select that from the dropdown because you created the alias)
       Redirect target IP: Webserver (again, you can select that because you created the alias)
       Redirect target ports: Websrv_Ports
       NAT reflection: Enable (Pure NAT)
       Filter rule association: Add associated filter rule
  • Click Save and Apply Settings.

This will do what you want to achieve.

  • The external DNS server will resolve www.mysite.com to your external IP address.
  • The NAT/PortForward rule will forward this to your webserver.
  • If internally www.mysite.com is also resolved to your external IP address,
    NAT Reflection will send this outgoing traffic back inside towards your webserver.

I hope this info helps.

Kind regards,
Bert
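The walkthrough above relies on NAT reflection for the "inside" case, and a common reason that case fails with exactly the symptom reported later in this thread (some packets pass, but the TCP connection never establishes) is a hairpin: the redirect rewrites the destination, but the web server answers the LAN client directly, bypassing the firewall. The model below is an added example, not OPNsense code or anything from BertM's post; it uses the addresses assumed in the post and walks one TCP SYN and the server's SYN/ACK through the firewall with the reflection and source-NAT knobs on or off.

```python
"""Model of the port-forward + NAT-reflection path from the post above.

Constructed example (not OPNsense code). It reports whether a client's
handshake to WAN_IP:port completes, depending on whether the redirect also
matches LAN-sourced traffic (reflection) and whether reflected traffic has
its source rewritten to the firewall (snat / hairpin NAT).
"""
import ipaddress

WAN_IP = ipaddress.ip_address("123.45.67.89")       # external address (post)
LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # LAN interface 192.168.10.1/24
LAN_GW = ipaddress.ip_address("192.168.10.1")
WEBSERVER = ipaddress.ip_address("192.168.10.30")   # alias "Webserver"
WEBSRV_PORTS = {80, 443}                            # alias "Websrv_Ports"


def apply_rdr(src, dst, dport, reflection, snat):
    """Return the (src, dst) the web server sees, or None if no rule matches."""
    if dst != WAN_IP or dport not in WEBSRV_PORTS:
        return None
    if src not in LAN_NET:
        return src, WEBSERVER                     # plain inbound forward from WAN
    if not reflection:
        return None                               # LAN client -> WAN IP: nothing matches
    return (LAN_GW if snat else src), WEBSERVER   # reflected, optionally hairpinned


def handshake(client, dport=443, reflection=True, snat=True):
    """Outcome of client -> WAN_IP:dport as the client experiences it."""
    client = ipaddress.ip_address(client)
    seen = apply_rdr(client, WAN_IP, dport, reflection, snat)
    if seen is None:
        return "timeout: no reflection rule"
    srv_src, _ = seen
    # The SYN/ACK is addressed to srv_src. If that is another host on the
    # server's own subnet, the reply goes straight over the LAN and never
    # crosses the firewall, so the destination rewrite is never reversed.
    reply_via_firewall = srv_src not in LAN_NET or srv_src == LAN_GW
    if not reply_via_firewall:
        # Client expected a reply from WAN_IP but gets one from WEBSERVER;
        # no socket matches, the packet is dropped, the connection times out.
        return "timeout: asymmetric reply"
    return "established"   # firewall reverses both rewrites; client sees WAN_IP
```

A DNS override that resolves www.mysite.com to 192.168.10.30 for LAN clients, as later replies in this thread chose, sidesteps the hairpin entirely because no LAN traffic is ever addressed to the WAN IP.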


Quote from: BertM on October 19, 2017, 04:56:11 PM

Very nice and helpful writing, you have my "applaud"! :)

Update: I solved this using a DNS override.  It worked very well and so am not worried about the fact that this one did not.  My solution is in this thread.

Hi,

Unfortunately, this solution does not work for me.  I followed the instructions exactly and find that the browser times out accessing the public URL while inside the firewall. I am not sure what I am doing wrong since I followed the directions exactly.

Quick update: the external rule works as I can access the web server externally without a problem.

Ditto here. I followed to the letter, while I was thinking that this is now a duplicate rule to what I already have.

No connection. I have another thread on my issue, but it is the same problem. Some packets transfer thru according to tcpdump, but no TCP socket connection establishes. Timeout.
 

I would explore the DNS override option.  It worked really well for me and is actually very simple to configure.


At least I am not having any difficulties with DNS, works as charm. My problem is that while *some* packets pass the firewall and NAT, the connection still does not somehow establish.


Seriously wonderful step-by-step walk through. I'm most definitely not a network guy, and configuring this type of firewall is new for me. A HUGE Thank You to BertM!

Quote from: BertM on October 19, 2017, 04:56:11 PM

Was not able to get this to work for me.  Able to access it from the outside fine.  One difference for me is that I'm trying to do a port redirect.  443 on the outside to 8080 inside.  Tried with and without NAT reflection.  Even tried to create similar rules specifying the LAN source to WAN destination.  No luck :(

For HTTP(S) services, the nginx and the haproxy plugins do a good job for hostname based forwarding. Please note that the nginx plugin is not yet released.