How to open specific ports?

[Dzioobasek]

Hi
Im about end configuring newest opnsense and its great. Configuring antivirus is so easy atm
I cant handle opening ports for lan or wan. I have 2 java based apps and i need to open 8443 and 8447 ports.
Can you guys help me with that?

[elektroinside]

First, if you need this to be permanent, allocate static IPs for those machines on the LAN side from Services:DHCP Server. Restart the network interface(s) on those machines to make sure the IPs are allocated (verify on local machine).

Then, go to Firewall:NAT:Port Forward and according to your network setup, create a port forwarding rule for your machines.

Also, do not forget to edit your local firewall rules on your machines (eg. Windows Firewall) to allow inbound connections to those ports.

[Dzioobasek]

i have 35 PCs in lan, cant i just open ports for entire lan?

[elektroinside]

You have to allocate IPs and create rules for each machine in your lan. If you need to forward the same destination port, choose different ones for each machines as source ports.

[Dzioobasek]

is is possible to do use aliases? eg CompanyLan and place there all IPs? All PCs have static addresses.

[elektroinside]

You can't create one port forward rule for 35 pcs. You have to tell OPNsense (or any other firewall for that matter) which source IP/port to forward to which destination IP/port. You can't do that by a collection of IPs in one alias as destination, as there will be [source] IP(s)/port(s) to [destination] 35IPs/port(s). You need [source] IPs/port(s) to [destination] 1IP/port(s).

In other words, you can only have 1 IP as your destination IP for the forward to work correctly.

I can't imagine one (and the same) TCP/UDP stream to be forwarded to 35PCs at once at the same time.

[Dzioobasek]

1. I dont know why but its not working. Can i use aliases for ports or its also wrong?
2. On other side, when i was setting proxy in control panel > internet connection Ive checked Dont use proxy for LAN. Shouldnt land apps work then without restrictions?

Anywas can you please show me example setup so i could check what im doing wrong?

[phoenix]

Perhaps it would be useful if you gave a description of what you're actually trying to achieve, and why, with your "port forward" configuration and your 35 pc LAN.

[elektroinside]

As phoenix said, it would be helpful for us to know what are you trying to do.
Nevertheless, for any port forward, you should follow this guideline (take it step by step, and verify each one if possible):

1. Start the process on a PC that you would like to connect to (with the port forward) and verify it's config, make sure you got the port right
2. Create a local firewall rule (e.g. in Windows Firewall / Inbound rule) for that port (allow it) and pay attention to the selected profile (domain, private, public)
3. Verify that you can connect from another PC in the same subnet to that machine and port (easiest is with telnet, install it if not already installed)
4. If it works, move forward, if not, check that the process you are trying to connect to is up and running (not suspended or something) and that it uses the port you configured in the local firewall
5. Go to OPNsense and allocate a static IP for the machine you are trying to connect to (if you would like to make this port forward permanent, you cannot skip this step, you have to make sure that the exact same IP is always allocated to that same machine even when leases expire).
6. Next, make sure the IP you configured is allocated to the machine; if not, go to network settings on your machine and renew your ip (you can do that easily by disabling/enabling the network interface). Re-verify!
7. Next, go to OPNsense Firewall:NAT:Port Forward and set as source IP the WAN address, source port: any, destination IP: your machine IP, destination PORT: the port you are trying top connect to. Apply.
8. Verify, from the internet, that you can connect from the internet to your WAN IP : PORT you configured in your port forward
9. You should harden your firewall rules by various techniques in order to secure your exposed IP:PORT

[Dzioobasek]

Ofcourse sorry. I have application, database is on server 192.168.0.199. Ports needed for this app 8443, 8447, 3050, 8080, 60000-65535. Now i want clients to connect to server with those ports. Ive made alias with those ports.
I dont use dhcp, all pcs have static ip, its LAN with domain

[elektroinside]

1. The clients are all on the same local subnet?
2. Or, would you like to connect from the internet to that database?

Are you absolutely positive, 100% sure that you would like to open ~5500+ ports and expose those ports to the internet (if this is the case)?

[Dzioobasek]

same subnet, i want ports opened in lan only. Everything is working when i connect without opnsense so im sure im doing sth wrong with setup

2. On other side, when i was setting proxy in control panel > internet connection Ive checked Dont use proxy for LAN. Shouldnt lan apps work then without restrictions?

[elektroinside]

Ah, ok.

But if the clients are all on the lan side, you don't have to create port forwards in OPNsense to connect to the other clients.
I think the problem lies elsewhere.
You should verify that you do not block the local subnet / bogon networks on the LAN interface in OPNsense.
You should verify your firewall rules as well.

You are blocking something on the LAN side with OPNsense. By default, you should be able to connect from the LAN to the LAN without any other setting.

[elektroinside]

I don't think proxy has anything to do with the issue. That proxy you are referring to - by default - only works for port 80/443 (and maybe ftp and socks) and it is for browsing only, nothing to do with your db ports.

Actually, this is how it should work, i'm not entirely sure with OPNsense though as I don't use proxy, but i highly doubt it's set up to proxy any other ports.

[Dzioobasek]

Block bogon networks is only checked on WAN interface. Only firewall rules are those from AV config to block proxy bypass