Can't seem to get Port Forwarding working

[russoj88]

I've been having a lot of trouble getting a port forward working.  My goal is to forward SSH to a desktop.

Related to the SSH connection, I'm using keys, and it works within the LAN.  I've changed the port to 10022 just to rule out any issues related to the default 22.

igb0 is my LAN, igb1 is my WAN.

Attached is a screenshot of my Port Forward page.

I've tried "catching" the connection as I try to SSH in, but I don't see it in the Normal View of the Log Files.  Not sure how to continue to debug this as I'm just getting a connection timeout.  Any help is appreciated.

EDIT 1: canyouseeme.org is reporting 10022 open.  It was reporting 22 was open as I was trying that port (and is now closed).

(desktop) ssh -vvv user@184.9.150.155
OpenSSH_7.5p1, LibreSSL 2.6.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "184.9.150.155" port 10022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 184.9.150.155 [184.9.150.155] port 10022.
debug1: connect to address 184.9.150.155 port 10022: Operation timed out

root@OPNsense:/tmp # cat rules.debug
set ruleset-optimization basic
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 814000
set limit src-nodes 814000

# System aliases
loopback = "{ lo0 }"
lan = "{ igb0 }"
wan = "{ igb1 }"

# SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
# Other tables
table <virusprot>
table <bogons> persist file "/usr/local/etc/bogons"
table <bogonsv6> persist file "/usr/local/etc/bogonsv6"

# User Aliases

# Plugins tables
 
set loginterface igb0

set skip on pfsync0

scrub on $lan all   
scrub on $wan all   

no nat proto carp
no rdr proto carp

# Outbound NAT rules (automatic)

# Subnets to NAT
tonatsubnets  = "{ 127.0.0.0/8 192.168.1.0/24 }"
nat  on $wan from $tonatsubnets to any port 500 -> 184.9.150.155/32  static-port
nat  on $wan from $tonatsubnets to any -> 184.9.150.155/32 port 1024:65535 

# Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on igb0 proto tcp from any to ( igb0 ) port { 443 80 }

# NAT Inbound Redirects
rdr on igb1 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102
# Reflection redirect
rdr on igb0 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102

antispoof log for igb0
antispoof log for igb1
#pass in  log quick on lo0 inet6 from {any} to {any} label "Pass all loopback IPv6"
#block in  log quick inet6 from {any} to {any} label "Block all IPv6"
block in  log inet from {any} to {any} label "Default deny rule"
block in  log inet6 from {any} to {any} label "Default deny rule"
pass in  log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "IPv6 requirements (ICMP)"
pass out log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {129,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
block in  log quick inet proto {tcp udp}  from {any}  port {0} to {any}
block in  log quick inet6 proto {tcp udp}  from {any}  port {0} to {any}
block in  log quick inet proto {tcp udp}  from {any} to {any}  port {0}
block in  log quick inet6 proto {tcp udp}  from {any} to {any}  port {0}
block in log quick proto carp from {(self)} to {any}
pass in  log quick proto carp from {any} to {any}
block in log quick proto tcp from {<sshlockout>} to {(self)}  port {22} label "sshlockout"
block in log quick proto tcp from {<webConfiguratorlockout>} to {(self)}  port {443} label "webConfiguratorlockout"
block in  log quick from {<virusprot>} to {any} label "virusprot overload table"
#block in log quick on lo0 from {<bogons>} to {any} label "block bogon IPv4 networks from loopback"
#block in log quick on lo0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from loopback"
#block in log quick on lo0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from loopback"
#block in log quick on igb0 from {<bogons>} to {any} label "block bogon IPv4 networks from LAN"
#block in log quick on igb0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from LAN"
#block in log quick on igb0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from LAN"
block in log quick on igb1 from {<bogons>} to {any} label "block bogon IPv4 networks from WAN"
block in log quick on igb1 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from WAN"
block in log quick on igb1 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from WAN"
pass in log quick on igb0 proto udp from {any}  port {68} to {255.255.255.255}  port {67} label "allow access to DHCP server"
pass in log quick on igb0 proto udp from {any}  port {68} to {(self)}  port {67} label "allow access to DHCP server"
pass out log quick on igb0 proto udp from {(self)}  port {67} to {any}  port {68} label "allow access to DHCP server"
pass in  log quick on igb0 inet6 proto udp from {fe80::/10} to {fe80::/10,ff02::/16}  port {546} label "allow access to DHCPv6 server on LAN"
pass in  log quick on igb0 inet6 proto udp from {fe80::/10} to {ff02::/16}  port {547} label "allow access to DHCPv6 server on LAN"
pass in  log quick on igb0 inet6 proto udp from {ff02::/16} to {fe80::/10}  port {547} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {(self)}  port {546} label "allow access to DHCPv6 server on LAN"
pass out log quick on igb0 inet6 proto udp from {(self)}  port {547} to {fe80::/10} label "allow access to DHCPv6 server on LAN"
pass in log on igb1 proto udp from {any}  port {67} to {any}  port {68} label "allow DHCP client on WAN"
pass out log on igb1 proto udp from {any}  port {68} to {any}  port {67} label "allow DHCP client on WAN"
pass in  log quick on lo0 from {any} to {any} label "pass loopback"
pass out log from {any} to {any} keep state allow-opts label "let out anything from firewall host itself"
pass in log quick on igb0 proto tcp from {any} to {(self)}  port {443 80} keep state label "anti-lockout rule"
pass out log  route-to ( igb1 184.9.144.1 ) from {igb1} to {!(igb1:network)} keep state allow-opts label "let out anything from firewall host itself"
pass in  quick on igb0 inet from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN to any rule"
pass in  quick on igb0 inet6 from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in  quick on igb1 reply-to ( igb1 184.9.144.1 )  inet proto tcp from {any} to {192.168.1.102}  port {10022} label "USER_RULE: NAT "

[Denis Raigorodski]

Hi, russoj88

I´m novice with OPNsense, but i believe you cannot use "WAN adress" for "Destination", instead you should use "Local adress"

How is Port Forward panel under NAT ? take a screenshoot

[russoj88]

Hi Denis,

I attached a screenshot of the Port Forward page in my first post.

Can you explain further why it should be the Local Address and not the WAN?  My thinking was the packet was coming from the internet, so the destination when it hits the router should be the WAN Address.

[franco]

Are you testing from a network attached to WAN or from the Internet?

Because "reply-to" will not reroute the traffic to your test client in WAN. The traffic goes to your upstream WAN gateway, and if that one doesn't route it back it looks like it doesn't work. This is a safeguard for multi-wan. You can disable it in the firewall advanced settings.

pass in  quick on igb1 reply-to ( igb1 184.9.144.1 )  inet proto tcp from {any} to {192.168.1.102}  port {10022} label "USER_RULE: NAT "



Cheers,
Franco

[russoj88]

Are you testing from a network attached to WAN or from the Internet?

Because "reply-to" will not reroute the traffic to your test client in WAN. The traffic goes to your upstream WAN gateway, and if that one doesn't route it back it looks like it doesn't work. This is a safeguard for multi-wan. You can disable it in the firewall advanced settings.

pass in  quick on igb1 reply-to ( igb1 184.9.144.1 )  inet proto tcp from {any} to {192.168.1.102}  port {10022} label "USER_RULE: NAT "



Cheers,
Franco

Hi Franco,

I am testing from a machine on my LAN.

Playing around in the settings, I noticed the Gateway with an IP different from the WAN.  I wasn't sure what it was or its purpose.  Later today, I'll try disabling it and retesting.

I don't have a multi-WAN.  Is the Gateway something that gets added by default in an install?  I'm curious if maybe I misconfigured something on the install.  I've installed once about 15 months ago and have been doing all the updates.  After a long time trying to get this to work, I "reset to factory settings" in an effort to remove variables.

Thanks in advance.

[franco]

You're testing the WAN port forward from LAN? Would have to test if this even works.

I don't think the factory reset will help. It may just be a configuration quirk or testing setup.


Cheers,
Franco

[russoj88]

The port forward seems to be working now.

I went into Firewall -> Settings -> Advanced and changed the settings highlighted in the attached screenshot.  I still don't understand the gateway concept, but will do some research.  Disabling reply-to didn't work (not sure if that was the option you were referring to Franco).

Thanks for the help!  I wouldn't have thought to look for NAT settings under Advanced.

EDIT 1: I will reinstall from scratch when 18.1 comes out and try again.

Code: [Select]

root@OPNsense:~ # cat /tmp/rules.debug
set ruleset-optimization basic
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 814000
set limit src-nodes 814000

# System aliases
loopback = "{ lo0 }"
lan = "{ igb0 }"
wan = "{ igb1 }"

# SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
# Other tables
table <virusprot>
table <bogons> persist file "/usr/local/etc/bogons"
table <bogonsv6> persist file "/usr/local/etc/bogonsv6"

# User Aliases

# Plugins tables
 
set loginterface igb0

set skip on pfsync0

scrub on $lan all   
scrub on $wan all   

no nat proto carp
no rdr proto carp

# Outbound NAT rules (automatic)

# Subnets to NAT
tonatsubnets  = "{ 127.0.0.0/8 192.168.1.0/24 }"
nat  on $wan from $tonatsubnets to any port 500 -> 184.9.150.155/32  static-port
nat  on $wan from $tonatsubnets to any -> 184.9.150.155/32 port 1024:65535 

# Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on igb0 proto tcp from any to ( igb0 ) port { 443 80 22 }

# NAT Inbound Redirects
rdr on igb1 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102
# Reflection redirect
rdr on igb0 inet proto tcp from any to (igb1) port 10022 -> 192.168.1.102
no nat on igb0 proto tcp from igb0 to 192.168.1.102 port 10022
nat on igb0 proto tcp from 192.168.1.0/24 to 192.168.1.102 port 10022 -> 192.168.1.1 port 1024:65535


antispoof log for igb0
antispoof log for igb1
#pass in  log quick on lo0 inet6 from {any} to {any} label "Pass all loopback IPv6"
#block in  log quick inet6 from {any} to {any} label "Block all IPv6"
block in  log inet from {any} to {any} label "Default deny rule"
block in  log inet6 from {any} to {any} label "Default deny rule"
pass in  log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "IPv6 requirements (ICMP)"
pass out log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {129,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
block in  log quick inet proto {tcp udp}  from {any}  port {0} to {any}
block in  log quick inet6 proto {tcp udp}  from {any}  port {0} to {any}
block in  log quick inet proto {tcp udp}  from {any} to {any}  port {0}
block in  log quick inet6 proto {tcp udp}  from {any} to {any}  port {0}
block in log quick proto carp from {(self)} to {any}
pass in  log quick proto carp from {any} to {any}
block in log quick proto tcp from {<sshlockout>} to {(self)}  port {22} label "sshlockout"
block in log quick proto tcp from {<webConfiguratorlockout>} to {(self)}  port {443} label "webConfiguratorlockout"
block in  log quick from {<virusprot>} to {any} label "virusprot overload table"
#block in log quick on lo0 from {<bogons>} to {any} label "block bogon IPv4 networks from loopback"
#block in log quick on lo0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from loopback"
#block in log quick on lo0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from loopback"
#block in log quick on igb0 from {<bogons>} to {any} label "block bogon IPv4 networks from LAN"
#block in log quick on igb0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from LAN"
#block in log quick on igb0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from LAN"
block in log quick on igb1 from {<bogons>} to {any} label "block bogon IPv4 networks from WAN"
block in log quick on igb1 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from WAN"
block in log quick on igb1 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from WAN"
pass in log quick on igb0 proto udp from {any}  port {68} to {255.255.255.255}  port {67} label "allow access to DHCP server"
pass in log quick on igb0 proto udp from {any}  port {68} to {(self)}  port {67} label "allow access to DHCP server"
pass out log quick on igb0 proto udp from {(self)}  port {67} to {any}  port {68} label "allow access to DHCP server"
pass in  log quick on igb0 inet6 proto udp from {fe80::/10} to {fe80::/10,ff02::/16}  port {546} label "allow access to DHCPv6 server on LAN"
pass in  log quick on igb0 inet6 proto udp from {fe80::/10} to {ff02::/16}  port {547} label "allow access to DHCPv6 server on LAN"
pass in  log quick on igb0 inet6 proto udp from {ff02::/16} to {fe80::/10}  port {547} label "allow access to DHCPv6 server on LAN"
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {(self)}  port {546} label "allow access to DHCPv6 server on LAN"
pass out log quick on igb0 inet6 proto udp from {(self)}  port {547} to {fe80::/10} label "allow access to DHCPv6 server on LAN"
pass in log on igb1 proto udp from {any}  port {67} to {any}  port {68} label "allow DHCP client on WAN"
pass out log on igb1 proto udp from {any}  port {68} to {any}  port {67} label "allow DHCP client on WAN"
pass in  log quick on lo0 from {any} to {any} label "pass loopback"
pass out log from {any} to {any} keep state allow-opts label "let out anything from firewall host itself"
pass in log quick on igb0 proto tcp from {any} to {(self)}  port {443 80 22} keep state label "anti-lockout rule"
pass out log  route-to ( igb1 184.9.144.1 ) from {igb1} to {!(igb1:network)} keep state allow-opts label "let out anything from firewall host itself"
pass in  quick on igb0 inet from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN to any rule"
pass in  quick on igb0 inet6 from {(igb0:network)} to {any} label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in  quick on igb1 inet proto tcp from {any} to {192.168.1.102}  port {10022} label "USER_RULE: NAT "

[franco]

Hmm, yes, if you enable NAT reflection that should do the job since it makes your internal LAN appear to work with external addresses (or DNS).


Cheers,
Franco